EFFICIENT DATA STRUCTURES FOR LOCAL INCONSISTENCY DETECTION IN FIREWALL ACL UPDATES

S. Pozo, R. M. Gasca, F. de la Rosa T.

Abstract

Filtering is a very important issue in next generation networks. These networks consist of a relatively high number of resource-constrained devices and have special features, such as the management of frequent topology changes. At each topology change, the access control policy of all nodes of the network must be automatically modified. In order to manage these access control requirements, firewalls have been proposed by several researchers. However, many of the problems of traditional firewalls are aggravated by the particularities of these networks, as is the case with ACL consistency. A firewall ACL with inconsistencies generally implies design errors, and indicates that the firewall is accepting traffic that should be denied or vice versa. This can result in severe problems such as unwanted access to services, denial of service, overflows, etc. Detecting inconsistencies is of extreme importance in the context of highly sensitive applications (e.g. health care). We propose a local inconsistency detection algorithm and data structures to prevent automatic rule updates that can cause inconsistencies. The proposal has very low computational complexity, as both theoretical and experimental results will show, and thus can be used in real-time environments.
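The abstract describes the problem (a rule update whose match space collides with an existing rule of opposite action) but not the paper's own data structures. As an added illustration that is not the authors' code, the Python below performs the local check on a single rule insertion into a first-match ACL and classifies each conflict with the usual shadowing, generalization and correlation terms from the firewall anomaly literature; the rule format (source and destination prefixes, destination port range, action) and the sample ACL are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_network, IPv4Network

@dataclass(frozen=True)
class Rule:
    """Constructed, simplified rule: source/destination prefix, port range, action."""
    src: IPv4Network
    dst: IPv4Network
    dport: tuple          # inclusive (low, high) destination port range
    action: str           # "accept" or "deny"

def rule(src: str, dst: str, lo: int, hi: int, action: str) -> Rule:
    return Rule(ip_network(src), ip_network(dst), (lo, hi), action)

def overlaps(a: Rule, b: Rule) -> bool:
    """Some packet matches both rules: every field intersects."""
    return (a.src.overlaps(b.src) and a.dst.overlaps(b.dst)
            and a.dport[0] <= b.dport[1] and b.dport[0] <= a.dport[1])

def contains(outer: Rule, inner: Rule) -> bool:
    """Every packet matching `inner` also matches `outer`."""
    return (inner.src.subnet_of(outer.src) and inner.dst.subnet_of(outer.dst)
            and outer.dport[0] <= inner.dport[0] and inner.dport[1] <= outer.dport[1])

def classify(earlier: Rule, later: Rule) -> str:
    """Name the conflict between intersecting rules of opposite action under first-match semantics."""
    if contains(earlier, later):
        return "shadowing"       # later rule can never fire: dead rule, usually a design error
    if contains(later, earlier):
        return "generalization"  # later rule is the broad case, earlier rule a specific exception
    return "correlation"         # partial overlap: order alone decides the action on the intersection

def check_update(acl: list, new: Rule, pos: int) -> list:
    """Local check: compare only the rule to be inserted at index `pos` with each
    existing rule (O(n) per update instead of re-checking the whole ACL).
    Returns (index of existing rule, conflict class) for every opposite-action overlap."""
    findings = []
    for i, existing in enumerate(acl):
        if existing.action == new.action or not overlaps(existing, new):
            continue
        earlier, later = (existing, new) if i < pos else (new, existing)
        findings.append((i, classify(earlier, later)))
    return findings

# Constructed sample ACL: HTTP from the 10/8 campus to one web server is accepted, all else to its subnet denied.
ACL = [
    rule("10.0.0.0/8", "192.168.1.10/32", 80, 80, "accept"),
    rule("0.0.0.0/0", "192.168.1.0/24", 1, 65535, "deny"),
]
```

The check touches each existing rule once, which is the point of doing it locally at update time rather than re-validating the whole ACL.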

Paper Citation


in Harvard Style

Pozo S., Gasca R. M. and de la Rosa T. F. (2009). EFFICIENT DATA STRUCTURES FOR LOCAL INCONSISTENCY DETECTION IN FIREWALL ACL UPDATES. In Proceedings of the 11th International Conference on Enterprise Information Systems - Volume 3: ICEIS, ISBN 978-989-8111-86-9, pages 176-181. DOI: 10.5220/0001996001760181


in Bibtex Style

@conference{iceis09,
author={S. Pozo and R. M. Gasca and F. de la Rosa T.},
title={EFFICIENT DATA STRUCTURES FOR LOCAL INCONSISTENCY DETECTION IN FIREWALL ACL UPDATES},
booktitle={Proceedings of the 11th International Conference on Enterprise Information Systems - Volume 3: ICEIS},
year={2009},
pages={176-181},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0001996001760181},
isbn={978-989-8111-86-9},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 11th International Conference on Enterprise Information Systems - Volume 3: ICEIS
TI - EFFICIENT DATA STRUCTURES FOR LOCAL INCONSISTENCY DETECTION IN FIREWALL ACL UPDATES
SN - 978-989-8111-86-9
AU - Pozo S.
AU - Gasca R. M.
AU - de la Rosa T. F.
PY - 2009
SP - 176
EP - 181
DO - 10.5220/0001996001760181