Firewall Rule Set Inconsistency Characterization by Clustering

Sergio Pozo; Rafael Ceballos; Rafael M. Gasca

doi:10.5220/0001730701380144

Firewall Rule Set Inconsistency Characterization by Clustering

Sergio Pozo, Rafael Ceballos, Rafael M. Gasca

2008

Abstract

Firewall ACLs could have inconsistencies, allowing traffic that should be denied or vice-versa. In this paper, we analyze the inconsistency characterization problem as a separate problem of the diagnosis one, and propose definitions to characterize one-to-many inconsistencies. We identify the combinatorial part of the problem that causes exponential complexity in combined diagnosis and characterization algorithms proposed by other researchers. The problem is divided in several smaller combinatorial ones, which effectively reduces its complexity. Finally, we propose a heuristic to solve the problem in worst case polynomial time as a proof of concept.

References

S. Pozo, R. Ceballos, R. M. Gasca. “Model Based Development of Firewall Rule Sets: Detecting and Diagnosing Errors.” Information and Software Technology Journal, Elsevier, Spring 2008. Accepted, to appear.
S. Luis, M. Condell. "Security policy protocol." IETF Internet Draft IPSPSPP-01, 2002.
H. Hamed, E. Al-Shaer. "Taxonomy of Conflicts in Network Security Policies." IEEE Communications Magazine Vol.44, No.3, 2006.
E. Al-Shaer, Hazem H. Hamed. Modeling and Management of Firewall Policies". IEEE eTransactions on Network and Service Management (eTNSM) Vol.1, No.1, 2004.
J. García-Alfaro, N. Boulahia-Cuppens, F. Cuppens, Complete Analysis of Configuration Rules to Guarantee Reliable Network Security Policies, Springer-Verlag International Journal of Information Security (Online) (2007) 1615-5262.
S. Pozo, R. Ceballos, R. M. Gasca, “Fast Algorithms for Consistency-Based Diagnosis of Firewalls Rule Sets.” International Conference on Availability, Reliability and Security (ARES), Barcelona, Spain. IEEE Computer Society Press, March 2008.
L. Yuan, J. Mai, Z. Su, H. Chen, C. Chuah, P. Mohapatra. FIREMAN: A Toolkit for FIREwall Modelling and ANalysis. IEEE Symposium on Security and Privacy (S&P'06). Oakland, CA, USA. May 2006.

Download

Paper Citation

in Harvard Style

Pozo S., Ceballos R. and M. Gasca R. (2008). Firewall Rule Set Inconsistency Characterization by Clustering . In Proceedings of the 6th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2008) ISBN 978-989-8111-44-9, pages 138-144. DOI: 10.5220/0001730701380144

in Bibtex Style

@conference{wosis08,
author={Sergio Pozo and Rafael Ceballos and Rafael M. Gasca},
title={Firewall Rule Set Inconsistency Characterization by Clustering},
booktitle={Proceedings of the 6th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2008)},
year={2008},
pages={138-144},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0001730701380144},
isbn={978-989-8111-44-9},
}

in EndNote Style

TY - CONF
JO - Proceedings of the 6th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2008)
TI - Firewall Rule Set Inconsistency Characterization by Clustering
SN - 978-989-8111-44-9
AU - Pozo S.
AU - Ceballos R.
AU - M. Gasca R.
PY - 2008
SP - 138
EP - 144
DO - 10.5220/0001730701380144