Packet classifiers in ternary CAMs can be smaller
SIGMETRICS '06/Performance '06 Proceedings of the joint international conference on Measurement and modeling of computer systems
Symerton--using virtualization to accelerate packet processing
Proceedings of the 2006 ACM/IEEE symposium on Architecture for networking and communications systems
A tool for automated iptables firewall analysis
ATEC '05 Proceedings of the annual conference on USENIX Annual Technical Conference
An open source solution for testing NAT'd and nested iptables firewalls
LISA '05 Proceedings of the 19th conference on Large Installation System Administration Conference - Volume 19
Inferring higher level policies from firewall rules
LISA'07 Proceedings of the 21st conference on Large Installation System Administration Conference
Assisted firewall policy repair using examples and history
LISA'07 Proceedings of the 21st conference on Large Installation System Administration Conference
An inference system for detecting firewall filtering rules anomalies
Proceedings of the 2008 ACM symposium on Applied computing
Xengine: a fast and scalable XACML policy evaluation engine
SIGMETRICS '08 Proceedings of the 2008 ACM SIGMETRICS international conference on Measurement and modeling of computer systems
Fast, cheap, and in control: a step towards pain free security!
LISA'08 Proceedings of the 22nd conference on Large installation system administration conference
Topological transformation approaches to optimizing TCAM-based packet classification systems
Proceedings of the eleventh international joint conference on Measurement and modeling of computer systems
Bit vector algorithms enabling high-speed and memory-efficient firewall blacklisting
Proceedings of the 47th Annual Southeast Regional Conference
Firewall policy verification and troubleshooting
Computer Networks: The International Journal of Computer and Telecommunications Networking
A formal logic approach to firewall packet filtering analysis and generation
Artificial Intelligence Review
Intrusion prevention systems: data mining approach
Proceedings of the International Conference and Workshop on Emerging Trends in Technology
Managing intrusion detection rule sets
Proceedings of the Third European Workshop on System Security
LOPSTR'06 Proceedings of the 16th international conference on Logic-based program synthesis and transformation
Analysis of firewall policy rules using traffic mining techniques
International Journal of Internet Protocol Technology
Model checking firewall policy configurations
POLICY'09 Proceedings of the 10th IEEE international conference on Policies for distributed systems and networks
On constructing efficient shared decision trees for multiple packet filters
INFOCOM'10 Proceedings of the 29th conference on Information communications
SPAN: a unified framework and toolkit for querying heterogeneous access policies
HotSec'09 Proceedings of the 4th USENIX conference on Hot topics in security
Synthetic security policy generation via network traffic clustering
Proceedings of the 3rd ACM workshop on Artificial intelligence and security
FAME: a firewall anomaly management environment
Proceedings of the 3rd ACM workshop on Assurable and usable security configuration
Proceedings of the 3rd ACM workshop on Assurable and usable security configuration
FlowChecker: configuration analysis and verification of federated openflow infrastructures
Proceedings of the 3rd ACM workshop on Assurable and usable security configuration
Comparison model and algorithm for distributed firewall policy
ICIC'06 Proceedings of the 2006 international conference on Intelligent computing: Part II
Safe and efficient strategies for updating firewall policies
TrustBus'10 Proceedings of the 7th international conference on Trust, privacy and security in digital business
Topological transformation approaches to TCAM-based packet classification
IEEE/ACM Transactions on Networking (TON)
Symbolic analysis of network security policies using rewrite systems
Proceedings of the 13th international ACM SIGPLAN symposium on Principles and practices of declarative programming
Fast, memory-efficient regular expression matching with NFA-OBDDs
Computer Networks: The International Journal of Computer and Telecommunications Networking
Cooperative data access in multi-cloud environments
DBSec'11 Proceedings of the 25th annual IFIP WG 11.3 conference on Data and applications security and privacy
An executable object-oriented semantics and its application to firewall verification
Software and Systems Modeling (SoSyM)
Towards high performance security policy evaluation
The Journal of Supercomputing
Complete redundancy detection in firewalls
DBSec'05 Proceedings of the 19th annual IFIP WG 11.3 working conference on Data and Applications Security
OPODIS'04 Proceedings of the 8th international conference on Principles of Distributed Systems
Analysis of policy anomalies on distributed network security setups
ESORICS'06 Proceedings of the 11th European conference on Research in Computer Security
AEGIS: a lightweight firewall for wireless sensor networks
DCOSS'10 Proceedings of the 6th IEEE international conference on Distributed Computing in Sensor Systems
Cross-domain privacy-preserving cooperative firewall optimization
IEEE/ACM Transactions on Networking (TON)
| Hi-index | 0.00 |
A firewall is often placed at the entrance of each private network in the Internet. The function of a firewall is to examine each packet that passes through the entrance and decide whether to accept the packet and allow it to proceed or to discard the packet. A firewall is usually designed as a sequence of rules. To make a decision concerning some packets, the firewall rules are compared, one by one, with the packet until one rule is found to be satisfied by the packet: this rule determines the fate of the packet. In this paper, we present the first ever method for designing the sequence of rules in a firewall to be consistent, complete, and compact. Consistency means that the rules are ordered correctly, completeness means that every packet satisfies at least one rule in the firewall, and compactness means that the firewall has no redundant rules. Our method starts by designing a firewall decision diagram (FDD, for short) whose consistency and completeness can be checked systematically (by an algorithm). We then apply a sequence of five algorithms to this FDD to generate, reduce and simplify the target firewall rules while maintaining the consistency and completeness of the original FDD.