A firewall is a security guard placed at the point of entry between a private network and the outside Internet such that all incoming and outgoing packets have to pass through it. The function of a firewall is to examine every incoming or outgoing packet and decide whether to accept or discard it. This function is conventionally specified by a sequence of rules, where rules often conflict. To resolve conflicts, the decision for each packet is the decision of the first rule that the packet matches. The current practice of designing a firewall directly as a sequence of rules suffers from three types of major problems: (1) the consistency problem, which means that it is difficult to order the rules correctly; (2) the completeness problem, which means that it is difficult to ensure thorough consideration for all types of traffic; (3) the compactness problem, which means that it is difficult to keep the number of rules small (because some rules may be redundant and some rules may be combined into one rule). To achieve consistency, completeness, and compactness, we propose a new method called structured firewall design, which consists of two steps. First, one designs a firewall using a firewall decision diagram instead of a sequence of often conflicting rules. Second, a program converts the firewall decision diagram into a compact, yet functionally equivalent, sequence of rules. This method addresses the consistency problem because a firewall decision diagram is conflict-free. It addresses the completeness problem because the syntactic requirements of a firewall decision diagram force the designer to consider all types of traffic. It also addresses the compactness problem because in the second step we use two algorithms (namely FDD reduction and FDD marking) to combine rules together, and one algorithm (namely firewall compaction) to remove redundant rules. 
Moreover, the techniques and algorithms presented in this paper are extensible to other rule-based systems such as IPsec rules.
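As an added illustration (not code from the paper), a toy Python model of the two-step method: a well-formedness check for a firewall decision diagram (disjoint, covering edge labels), conversion of root-to-leaf paths into a first-match rule sequence where each node's last edge is treated as the marked one and emitted as a wildcard, and a brute-force compaction pass that drops rules whose removal changes no packet's decision. The two-field packet domain, the tuple encoding of nodes, and the "last edge is marked" convention are assumptions made for the example.

```python
from itertools import product
# Constructed toy packet fields; a real firewall would use addresses, ports and protocol.
DOMAIN = {"proto": frozenset(range(4)), "port": frozenset(range(8))}
def node(field, *edges):
    """Internal FDD node; by assumption the last edge is the 'marked' one (emitted as a wildcard)."""
    return ("node", field, [(frozenset(v), c) for v, c in edges])
def is_well_formed(n):
    """Consistency and completeness: sibling edge labels are disjoint and cover the field's domain."""
    if n[0] == "leaf":
        return True
    _, field, edges = n
    labels = [v for v, _ in edges]
    disjoint = all(a.isdisjoint(b) for i, a in enumerate(labels) for b in labels[i + 1:])
    return disjoint and frozenset().union(*labels) == DOMAIN[field] and all(is_well_formed(c) for _, c in edges)
def fdd_decide(n, pkt):
    """The diagram's own decision: follow the unique edge whose label contains the field value."""
    while n[0] == "node":
        _, field, edges = n
        n = next(c for v, c in edges if pkt[field] in v)
    return n[1]
def fdd_to_rules(n, pred=None):
    """One rule per root-to-leaf path, in first-match order; a marked edge omits its field (wildcard)."""
    pred = dict(pred or {})
    if n[0] == "leaf":
        return [(pred, n[1])]
    _, field, edges = n
    return [r for i, (v, c) in enumerate(edges)
            for r in fdd_to_rules(c, pred if i == len(edges) - 1 else {**pred, field: v})]
def first_match(rules, pkt):
    """Conventional semantics: the first rule whose predicate matches the packet decides."""
    return next((d for p, d in rules if all(pkt[f] in v for f, v in p.items())), None)
def all_packets():
    return [dict(zip(DOMAIN, vals)) for vals in product(*DOMAIN.values())]
def compact(rules):
    """Firewall compaction, brute force: drop a rule if no packet's decision changes without it."""
    kept = list(rules)
    for r in list(kept):
        trial = [x for x in kept if x is not r]
        if all(first_match(trial, p) == first_match(kept, p) for p in all_packets()):
            kept = trial
    return kept

# Constructed diagram: proto 0 accepts ports 0-2; every other packet is discarded.
FDD = node("proto", ({0}, node("port", ({0, 1, 2}, ("leaf", "accept")), (range(3, 8), ("leaf", "discard")))),
           ({1, 2, 3}, ("leaf", "discard")))
RULES = fdd_to_rules(FDD)  # 3 rules; the second one ("proto 0 -> discard") is redundant
COMPACT = compact(RULES)   # 2 rules
```

Both `RULES` and `COMPACT` decide every packet exactly as the diagram does, which is the equivalence the paper's second step guarantees.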