Abstract
Because modern networks are large and structurally complex, firewall policies can contain several thousand rules. Policies of this size and complexity require automated tools that provide a user-friendly environment to specify, configure and safely deploy a target policy. Deploying a firewall policy while the firewall is online is a difficult and error-prone task: it may cause self-Denial of Service (self-DoS) and/or temporary security breaches. In this paper, we provide correct, efficient and safe algorithms for two important classes of policy editing. Our experimental results show that these algorithms are fast and can be used safely even for deploying large policies.
This work has been supported by the INRIA ARC 2010 ACCESS and FP7-ICT-2007-1 Project No.216471 AVANTSSAR.
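The two hazards the abstract names can be made concrete with a small checker. The following is an added example, not code from the paper and not its editing algorithms: it models a first-match firewall with a default-deny fallback, applies a sequence of insert/delete edits to an initial policy, and flags any intermediate state that denies a packet both the initial and target policies accept (self-DoS) or accepts a packet both deny (temporary breach). Rule fields, the `Rule`/`deployment_hazards` names and the packet sample are constructed for this example.

```python
"""Safety check for online firewall policy deployment (added example).

Assumptions: first-match semantics, default action "deny" when no rule
matches, edits are ("insert", index, rule) or ("delete", index).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Packet = Tuple[str, str, int]  # (src, dst, dst_port)


@dataclass(frozen=True)
class Rule:
    src: str             # source address or "*" for any
    dst: str             # destination address or "*" for any
    port: Optional[int]  # destination port, None for any
    action: str          # "accept" or "deny"

    def matches(self, pkt: Packet) -> bool:
        src, dst, port = pkt
        return (self.src in ("*", src) and self.dst in ("*", dst)
                and self.port in (None, port))


def decide(policy: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First matching rule wins; fall back to the default action."""
    for rule in policy:
        if rule.matches(pkt):
            return rule.action
    return default


def apply_edit(policy: List[Rule], edit: tuple) -> List[Rule]:
    """Return a new policy with one edit applied."""
    policy = list(policy)
    if edit[0] == "insert":
        policy.insert(edit[1], edit[2])
    elif edit[0] == "delete":
        del policy[edit[1]]
    else:
        raise ValueError("unknown edit %r" % (edit[0],))
    return policy


def deployment_hazards(initial, target, edits, packets):
    """Walk every intermediate state and report (step, packet, kind) hazards.

    A step is unsafe for a packet when the live state contradicts a decision
    on which the initial and target policies agree.
    """
    hazards = []
    state = list(initial)
    for step, edit in enumerate(edits, 1):
        state = apply_edit(state, edit)
        for pkt in packets:
            old, new, cur = decide(initial, pkt), decide(target, pkt), decide(state, pkt)
            if old == new == "accept" and cur == "deny":
                hazards.append((step, pkt, "self-DoS"))
            elif old == new == "deny" and cur == "accept":
                hazards.append((step, pkt, "breach"))
    if state != list(target):
        raise ValueError("edit sequence does not reach the target policy")
    return hazards


# Constructed sample policy: block SSH to a server, allow everything else to it.
R_DENY_SSH = Rule("*", "10.0.0.5", 22, "deny")
R_ALLOW_SRV = Rule("*", "10.0.0.5", None, "accept")
R_DENY_DB = Rule("*", "10.0.0.5", 3306, "deny")   # new rule to be deployed

INITIAL = [R_DENY_SSH, R_ALLOW_SRV]
TARGET = [R_DENY_SSH, R_DENY_DB, R_ALLOW_SRV]

# Constructed packet sample covering each decision class.
PACKETS = [
    ("192.0.2.7", "10.0.0.5", 22),    # denied by both policies
    ("192.0.2.7", "10.0.0.5", 80),    # accepted by both policies
    ("192.0.2.7", "10.0.0.5", 3306),  # accept -> deny (intended change)
    ("192.0.2.7", "10.0.0.9", 80),    # no rule matches: default deny
]

# Direct insertion at the right position: every intermediate state is safe.
SAFE_EDITS = [("insert", 1, R_DENY_DB)]
# Append-then-reorder: the allow rule is briefly absent, so port 80 is cut off.
NAIVE_EDITS = [("insert", 2, R_DENY_DB), ("delete", 1), ("insert", 2, R_ALLOW_SRV)]
# Removing the SSH deny before the rebuild exposes SSH for two steps.
BREACH_EDITS = [("delete", 0), ("insert", 0, R_DENY_DB), ("insert", 0, R_DENY_SSH)]

if __name__ == "__main__":
    for name, edits in (("safe", SAFE_EDITS), ("naive", NAIVE_EDITS), ("breach", BREACH_EDITS)):
        print(name, deployment_hazards(INITIAL, TARGET, edits, PACKETS))
```

The checker is only as good as the packet sample it is given; in practice the sample should cover every equivalence class of the rule set's address and port ranges, which is exactly the kind of analysis an automated deployment tool has to do before committing an edit sequence to a live firewall.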
© 2010 Springer-Verlag Berlin Heidelberg
Ahmed, Z., Imine, A., Rusinowitch, M. (2010). Safe and Efficient Strategies for Updating Firewall Policies. In: Katsikas, S., Lopez, J., Soriano, M. (eds) Trust, Privacy and Security in Digital Business. TrustBus 2010. Lecture Notes in Computer Science, vol 6264. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-15152-1_5
DOI: https://doi.org/10.1007/978-3-642-15152-1_5
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-15151-4
Online ISBN: 978-3-642-15152-1