
Synonyms

Consistency verification of security policy; Firewall policy analysis; IPSec policy analysis

Definition

A network access control list (ACL), \(\mathcal{P}\), is a set of ordered rules, \({\mathcal{R}}_{i}\), that defines the transformation actions, \({\mathcal{A}}_{i}\) (e.g., accept or deny in firewalls, and ESP for encryption and AH for authentication in IPSec), that are performed on matched traffic flows, \({\mathcal{C}}_{i}\), defined using header information. A conflict exists in ACL policies if there are two (or more) different rules (\({\mathcal{R}}_{i}\) and \({\mathcal{R}}_{j}\)) that match the same traffic flow partially or completely (i.e., \({\mathcal{C}}_{i} \cap {\mathcal{C}}_{j} \neq \emptyset\)). If the two rules exist in the same firewall or IPSec device, it is called an intra-policy conflict; if they exist in two different devices across the network, it is called an inter-policy conflict.
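As an added illustration that is not part of the encyclopedia entry, the Python below checks an ordered ACL for intra-policy conflicts by computing \({\mathcal{C}}_{i} \cap {\mathcal{C}}_{j}\) for every rule pair; the rule fields (source/destination prefix, protocol, destination-port range), the sample policy and the "partial"/"complete" tagging are constructed assumptions, not the author's notation.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import List, Optional, Tuple

Ports = Tuple[int, int]  # inclusive destination-port range


@dataclass(frozen=True)
class Rule:
    """One ordered ACL rule R_i: the flow C_i it matches plus its action A_i."""
    name: str
    src: IPv4Network
    dst: IPv4Network
    proto: str  # "tcp", "udp", ... or "any"
    dport: Ports
    action: str


def rule(name, src, dst, proto, dport, action) -> Rule:
    return Rule(name, ip_network(src), ip_network(dst), proto, dport, action)


def net_meet(a: IPv4Network, b: IPv4Network) -> Optional[IPv4Network]:
    """Intersection of two prefixes: the more specific one if they overlap."""
    if not a.overlaps(b):
        return None
    return a if a.prefixlen >= b.prefixlen else b


def ports_meet(a: Ports, b: Ports) -> Optional[Ports]:
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else None


def proto_meet(a: str, b: str) -> Optional[str]:
    if a == "any" or b == "any":
        return b if a == "any" else a
    return a if a == b else None


def flow_of(r: Rule):
    return (r.src, r.dst, r.proto, r.dport)


def flow_meet(r: Rule, s: Rule):
    """C_i ∩ C_j as a (src, dst, proto, dport) tuple, or None when disjoint."""
    parts = (net_meet(r.src, s.src), net_meet(r.dst, s.dst),
             proto_meet(r.proto, s.proto), ports_meet(r.dport, s.dport))
    return None if any(p is None for p in parts) else parts


def find_conflicts(policy: List[Rule]):
    """Pairs (R_i, R_j), i<j, with non-empty intersection: 'complete' when one
    rule's flow lies wholly inside the other's, 'partial' otherwise."""
    out = []
    for i, r in enumerate(policy):
        for s in policy[i + 1:]:
            meet = flow_meet(r, s)
            if meet is not None:
                kind = "complete" if meet in (flow_of(r), flow_of(s)) else "partial"
                out.append((r.name, s.name, kind, f"{r.action}/{s.action}"))
    return out


POLICY = [  # constructed sample policy, in evaluation order
    rule("R1", "10.0.0.0/24", "192.168.1.0/24", "tcp", (80, 80), "accept"),
    rule("R2", "10.0.0.0/16", "192.168.1.0/24", "tcp", (1, 1024), "deny"),
    rule("R3", "10.0.1.0/24", "172.16.0.0/16", "udp", (53, 53), "accept"),
    rule("R4", "10.0.0.0/24", "192.168.0.0/16", "tcp", (1000, 2000), "accept"),
    rule("R5", "10.0.0.0/8", "0.0.0.0/0", "any", (0, 65535), "deny"),
]

if __name__ == "__main__":
    for conflict in find_conflicts(POLICY):
        print(conflict)
```

Pairs whose actions differ (e.g. R1/R2 above) are the ones whose outcome depends on rule order, which is what a reviewer of the policy most needs to see.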

Background

Complexity of Managing Network...




© 2011 Springer Science+Business Media, LLC

Cite this entry

Al-Shaer, E. (2011). Firewalls. In: van Tilborg, H.C.A., Jajodia, S. (eds) Encyclopedia of Cryptography and Security. Springer, Boston, MA. https://doi.org/10.1007/978-1-4419-5906-5_911
