EFFICIENT ALGORITHMS AND ABSTRACT DATA TYPES FOR LOCAL INCONSISTENCY ISOLATION IN FIREWALL ACLS

S. Pozo, A. J. Varela-Vaca, R. M. Gasca, R. Ceballos

2009

Abstract

Writing and managing firewall ACLs are hard, tedious, time-consuming and error-prone tasks for a wide range of reasons. During these tasks, inconsistent rules can be introduced. An inconsistent firewall ACL generally implies a design fault, and indicates that the firewall is accepting traffic that should be denied or vice versa. This can result in severe problems such as unwanted access to services, denial of service, overflows, etc. However, it is the administrator who ultimately decides whether an inconsistent rule is a fault or not. Although many algorithms to detect and manage inconsistencies in firewall ACLs have been proposed, they have different drawbacks regarding different aspects of the consistency diagnosis problem, which can prevent their use in a wide range of real-life situations. In this paper, we review these algorithms along with their drawbacks, and propose a new divide-and-conquer algorithm that uses specialized abstract data types. The proposed algorithm returns consistency results over the original ACL. Its computational complexity is better than that of the current best algorithm for inconsistency isolation, as experimental results also show.
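The following is an added illustration, not code from the paper, of the notion of inconsistency the abstract relies on: two rules whose match conditions intersect but whose actions differ, so some traffic is accepted that another rule says should be denied (or vice versa). It is the quadratic pairwise baseline, not the divide-and-conquer algorithm the paper proposes, and it assumes first-match semantics and a simplified rule model (protocol, source and destination CIDR, destination port range, action). The ACL is constructed for the example.

```python
"""Pairwise isolation of inconsistent rules in a small firewall ACL.

Added example, not the paper's algorithm. Two rules are reported as
inconsistent when their match spaces intersect and their actions differ.
Under first-match semantics (assumed here), a later rule entirely covered
by an earlier rule with a different action can never fire ("shadowed");
a partial intersection means the outcome depends on rule order ("partial").
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str              # "tcp", "udp" or "any"
    src: str                # source CIDR
    dst: str                # destination CIDR
    dport: Tuple[int, int]  # inclusive destination port range
    action: str             # "accept" or "deny"


def _range_overlap(a: Tuple[int, int], b: Tuple[int, int]) -> Optional[Tuple[int, int]]:
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else None


def _range_contains(outer: Tuple[int, int], inner: Tuple[int, int]) -> bool:
    return outer[0] <= inner[0] and inner[1] <= outer[1]


def _cidr_overlap(a: str, b: str) -> bool:
    return ip_network(a, strict=False).overlaps(ip_network(b, strict=False))


def _cidr_contains(outer: str, inner: str) -> bool:
    return ip_network(inner, strict=False).subnet_of(ip_network(outer, strict=False))


def _proto_overlap(a: str, b: str) -> bool:
    return a == "any" or b == "any" or a == b


def _proto_contains(outer: str, inner: str) -> bool:
    return outer == "any" or outer == inner


def overlaps(r1: Rule, r2: Rule) -> bool:
    """True when at least one packet matches both rules."""
    return bool(_proto_overlap(r1.proto, r2.proto)
                and _cidr_overlap(r1.src, r2.src)
                and _cidr_overlap(r1.dst, r2.dst)
                and _range_overlap(r1.dport, r2.dport) is not None)


def contains(outer: Rule, inner: Rule) -> bool:
    """True when every packet matching `inner` also matches `outer`."""
    return (_proto_contains(outer.proto, inner.proto)
            and _cidr_contains(outer.src, inner.src)
            and _cidr_contains(outer.dst, inner.dst)
            and _range_contains(outer.dport, inner.dport))


def find_inconsistencies(acl: List[Rule]) -> List[Tuple[str, str, str]]:
    """Return (earlier_rule, later_rule, kind) for every inconsistent pair.

    kind is "shadowed" when the later rule is entirely covered by the earlier
    one with a different action, otherwise "partial". Whether a finding is an
    actual fault is left to the administrator, as the abstract notes.
    """
    findings = []
    for i in range(len(acl)):
        for j in range(i + 1, len(acl)):
            earlier, later = acl[i], acl[j]
            if earlier.action != later.action and overlaps(earlier, later):
                kind = "shadowed" if contains(earlier, later) else "partial"
                findings.append((earlier.name, later.name, kind))
    return findings


# Constructed sample ACL for the example (not taken from the paper).
SAMPLE_ACL = [
    Rule("r1", "tcp", "10.0.0.0/24", "192.168.1.10/32", (80, 80), "accept"),
    Rule("r2", "tcp", "10.0.0.0/16", "192.168.1.0/24", (80, 443), "deny"),
    Rule("r3", "tcp", "10.0.0.5/32", "192.168.1.10/32", (80, 80), "accept"),  # never fires: covered by r2
    Rule("r4", "udp", "10.0.0.0/8", "0.0.0.0/0", (53, 53), "accept"),
    Rule("r5", "any", "0.0.0.0/0", "0.0.0.0/0", (0, 65535), "deny"),          # default deny
]

if __name__ == "__main__":
    for earlier, later, kind in find_inconsistencies(SAMPLE_ACL):
        print(f"{earlier} vs {later}: {kind}")
```

Running it on the constructed ACL reports r3 as shadowed by r2 (a likely design fault, since r3 can never match) and several partial overlaps with the trailing default-deny rule r5, which are expected in a whitelist-style ACL. That split is the point the abstract makes: an algorithm can isolate the inconsistent pairs, but only the administrator can say which of them are faults.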


Paper Citation

in Harvard Style

Pozo S., Varela-Vaca A. J., Gasca R. M. and Ceballos R. (2009). EFFICIENT ALGORITHMS AND ABSTRACT DATA TYPES FOR LOCAL INCONSISTENCY ISOLATION IN FIREWALL ACLS. In Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2009) ISBN 978-989-674-005-4, pages 42-53. DOI: 10.5220/0002233100420053


in Bibtex Style

@conference{secrypt09,
author={S. Pozo and A. J. Varela-Vaca and R. M. Gasca and R. Ceballos},
title={EFFICIENT ALGORITHMS AND ABSTRACT DATA TYPES FOR LOCAL INCONSISTENCY ISOLATION IN FIREWALL ACLS},
booktitle={Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2009)},
year={2009},
pages={42-53},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0002233100420053},
isbn={978-989-674-005-4},
}


in EndNote Style

TY - CONF
JO - Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2009)
TI - EFFICIENT ALGORITHMS AND ABSTRACT DATA TYPES FOR LOCAL INCONSISTENCY ISOLATION IN FIREWALL ACLS
SN - 978-989-674-005-4
AU - Pozo S.
AU - Varela-Vaca A. J.
AU - Gasca R. M.
AU - Ceballos R.
PY - 2009
SP - 42
EP - 53
DO - 10.5220/0002233100420053