ProgME: towards programmable network measurement
Proceedings of the 2007 conference on Applications, technologies, architectures, and protocols for computer communications
Formal correctness of conflict detection for firewalls
Proceedings of the 2007 ACM workshop on Formal methods in security engineering
Inferring higher level policies from firewall rules
LISA'07 Proceedings of the 21st conference on Large Installation System Administration Conference
An inference system for detecting firewall filtering rules anomalies
Proceedings of the 2008 ACM symposium on Applied computing
Detecting and resolving policy misconfigurations in access-control systems
Proceedings of the 13th ACM symposium on Access control models and technologies
Model-Based Development of firewall rule sets: Diagnosing model inconsistencies
Information and Software Technology
Proceedings of the eighteenth international symposium on Software testing and analysis
Modeling and understanding end-to-end class of service policies in operational networks
Proceedings of the ACM SIGCOMM 2009 conference on Data communication
Practical declarative network management
Proceedings of the 1st ACM workshop on Research on enterprise networking
Firewall policy verification and troubleshooting
Computer Networks: The International Journal of Computer and Telecommunications Networking
Integrating static analysis and testing for firewall policies
Proceedings of the 24th ACM SIGPLAN conference companion on Object oriented programming systems languages and applications
NetPiler: detection of ineffective router configurations
IEEE Journal on Selected Areas in Communications - Special issue on network infrastructure configuration
Towards network security policy generation for configuration analysis and testing
Proceedings of the 2nd ACM workshop on Assurable and usable security configuration
A formal logic approach to firewall packet filtering analysis and generation
Artificial Intelligence Review
Using argumentation logic for firewall configuration management
IM'09 Proceedings of the 11th IFIP/IEEE international conference on Symposium on Integrated Network Management
Formal Verification of Security Policy Implementations in Enterprise Networks
ICISS '09 Proceedings of the 5th International Conference on Information Systems Security
Managing intrusion detection rule sets
Proceedings of the Third European Workshop on System Security
Analysis of firewall policy rules using traffic mining techniques
International Journal of Internet Protocol Technology
Model checking firewall policy configurations
POLICY'09 Proceedings of the 10th IEEE international conference on Policies for distributed systems and networks
Automated method for constructing of network traffic filtering rules
Proceedings of the 3rd international conference on Security of information and networks
Synthetic security policy generation via network traffic clustering
Proceedings of the 3rd ACM workshop on Artificial intelligence and security
Generating policy based security implementation in enterprise network: a formal framework
Proceedings of the 3rd ACM workshop on Assurable and usable security configuration
FAME: a firewall anomaly management environment
Proceedings of the 3rd ACM workshop on Assurable and usable security configuration
FlowChecker: configuration analysis and verification of federated openflow infrastructures
Proceedings of the 3rd ACM workshop on Assurable and usable security configuration
The margrave tool for firewall analysis
LISA'10 Proceedings of the 24th international conference on Large installation system administration
First step towards automatic correction of firewall policy faults
LISA'10 Proceedings of the 24th international conference on Large installation system administration
Automating security configuration and administration: an access control perspective
IWSEC'10 Proceedings of the 5th international conference on Advances in information and computer security
Baaz: a system for detecting access control misconfigurations
USENIX Security'10 Proceedings of the 19th USENIX conference on Security
Detecting and resolving policy misconfigurations in access-control systems
ACM Transactions on Information and System Security (TISSEC)
ProgME: towards programmable network measurement
IEEE/ACM Transactions on Networking (TON)
MIRAGE: a management tool for the analysis and deployment of network security policies
DPM'10/SETOP'10 Proceedings of the 5th international Workshop on data privacy management, and 3rd international conference on Autonomous spontaneous security
Anomaly discovery and resolution in web access control policies
Proceedings of the 16th ACM symposium on Access control models and technologies
Debugging the data plane with anteater
Proceedings of the ACM SIGCOMM 2011 conference
Fast, memory-efficient regular expression matching with NFA-OBDDs
Computer Networks: The International Journal of Computer and Telecommunications Networking
Fast and precise sanitizer analysis with BEK
SEC'11 Proceedings of the 20th USENIX conference on Security
Corporate networks security evaluation based on attack graphs
Proceedings of the 4th international conference on Security of information and networks
Using argumentation logic for firewall policy specification and analysis
DSOM'06 Proceedings of the 17th IFIP/IEEE international conference on Distributed Systems: operations and management
Journal of Systems and Software
Firewall policy change-impact analysis
ACM Transactions on Internet Technology (TOIT)
Discovering access-control misconfigurations: new approaches and evaluation methodologies
Proceedings of the second ACM conference on Data and Application Security and Privacy
Packet flow analysis in IP networks using data-flow analysis
Proceedings of the 5th India Software Engineering Conference
Integrated management of network and security devices in IT infrastructures
Proceedings of the 7th International Conference on Network and Services Management
Header space analysis: static checking for networks
NSDI'12 Proceedings of the 9th USENIX conference on Networked Systems Design and Implementation
First step towards automatic correction of firewall policy faults
ACM Transactions on Autonomous and Adaptive Systems (TAAS)
Policy transformation in software defined networks
Proceedings of the ACM SIGCOMM 2012 conference on Applications, technologies, architectures, and protocols for computer communication
VeriFlow: verifying network-wide invariants in real time
Proceedings of the first workshop on Hot topics in software defined networks
Improving manageability through reorganization of routing-policy configurations
Computer Networks: The International Journal of Computer and Telecommunications Networking
Policy transformation in software defined networks
ACM SIGCOMM Computer Communication Review - Special October issue SIGCOMM '12
VeriFlow: verifying network-wide invariants in real time
ACM SIGCOMM Computer Communication Review - Special October issue SIGCOMM '12
Change-impact analysis of firewall policies
ESORICS'07 Proceedings of the 12th European conference on Research in Computer Security
Formal verification of security preservation for migrating virtual machines in the cloud
SSS'12 Proceedings of the 14th international conference on Stabilization, Safety, and Security of Distributed Systems
A model-driven approach for the extraction of network access-control policies
Proceedings of the Workshop on Model-Driven Security
Limitation of listed-rule firewall and the design of tree-rule firewall
IDCS'12 Proceedings of the 5th international conference on Internet and Distributed Computing Systems
On the notion of redundancy in access control policies
Proceedings of the 18th ACM symposium on Access control models and technologies
VeriFlow: verifying network-wide invariants in real time
NSDI'13 Proceedings of the 10th USENIX conference on Networked Systems Design and Implementation
Towards an efficient verification approach on network configuration
Proceedings of the 8th International Conference on Network and Service Management
Cross-domain privacy-preserving cooperative firewall optimization
IEEE/ACM Transactions on Networking (TON)
Optimizing the "one big switch" abstraction in software-defined networks
Proceedings of the ninth ACM conference on Emerging networking experiments and technologies
Improving cloud network security using the Tree-Rule firewall
Future Generation Computer Systems
Security concerns are becoming increasingly critical in networked systems. Firewalls provide important defense for network security. However, misconfigurations in firewalls are very common and significantly weaken the desired security. This paper introduces FIREMAN, a static analysis toolkit for firewall modeling and analysis. By treating firewall configurations as specialized programs, FIREMAN applies static analysis techniques to check for misconfigurations, such as policy violations, inconsistencies, and inefficiencies, in individual firewalls as well as among distributed firewalls. FIREMAN performs symbolic model checking of the firewall configurations for all possible IP packets and along all possible data paths. It is both sound and complete because of the finite-state nature of firewall configurations. FIREMAN is implemented by modeling firewall rules using binary decision diagrams (BDDs), which have been used successfully in hardware verification and model checking. We have experimented with FIREMAN and used it to uncover several real misconfigurations in enterprise networks, some of which have been subsequently confirmed and corrected by the administrators of these networks.
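The kind of rule-set analysis the abstract describes, as an added example that is not FIREMAN's code: it walks a first-match rule list over every packet and reports shadowed rules (never reached), redundant rules (deleting them changes no verdict) and policy violations. The rule list, packet space and site policy are constructed here, and FIREMAN's symbolic BDD representation is replaced by explicit enumeration over a small finite packet space.

```python
import ipaddress
from itertools import product

def net(s):
    return ipaddress.ip_network(s)

def packet(src, dst, port):
    return (ipaddress.ip_address(src), ipaddress.ip_address(dst), port)

# Constructed first-match rule list: (name, action, src net, dst net, dst port or None = any port)
RULES = [
    ("r1", "deny",  net("10.0.0.0/29"), net("192.168.1.0/28"), None),
    ("r2", "allow", net("10.0.0.0/28"), net("192.168.1.0/28"), 80),
    ("r3", "allow", net("10.0.0.4/30"), net("192.168.1.0/28"), 80),   # every match already denied by r1
    ("r4", "deny",  net("10.0.0.8/29"), net("192.168.1.0/28"), 22),   # same verdict as the default
    ("r5", "allow", net("10.0.0.0/28"), net("192.168.1.8/29"), 443),
]
DEFAULT_ACTION = "deny"

# Constructed packet space (src, dst, dport): small enough to enumerate instead of using BDDs.
UNIVERSE = set(product(net("10.0.0.0/28"), net("192.168.1.0/28"), (22, 80, 443)))

def matches(rule, pkt):
    _, _, src, dst, port = rule
    s, d, p = pkt
    return s in src and d in dst and port in (None, p)

def verdict(rules, default_action, pkt):
    """First-match semantics: the first matching rule decides, else the default."""
    for rule in rules:
        if matches(rule, pkt):
            return rule[1]
    return default_action

def analyze(rules, default_action, universe):
    """Track the packets still undecided before each rule; a rule that reaches none is
    shadowed, and one whose reached packets would get the same verdict without it is redundant."""
    remaining = set(universe)
    findings = {}
    for i, rule in enumerate(rules):
        reached = {pkt for pkt in remaining if matches(rule, pkt)}
        if not reached:
            findings[rule[0]] = "shadowed"
            continue
        if all(verdict(rules[i + 1:], default_action, pkt) == rule[1] for pkt in reached):
            findings[rule[0]] = "redundant"
        remaining -= reached
    return findings

def violations(rules, default_action, universe, forbidden):
    """Policy check: packets the rule list allows although the site policy predicate forbids them."""
    return {pkt for pkt in universe
            if forbidden(pkt) and verdict(rules, default_action, pkt) == "allow"}
```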