A Fully Automatic Approach for Fixing Firewall Misconfigurations

Souayeh, Nihel Ben Youssef Ben; Bouhoula, Adel

doi:10.1109/cit.2011.84

Cited by 9 publications

(7 citation statements)

References 6 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Souayeh and Bouhoula [15] and Alsaleh [16] proposed methods for verifying that a firewall configuration respects the security policy it implements. Khorchani et al [17] used a modal logic, called Visibility Logic, to define arbitrary patterns between rules inside a firewall and verify any formula expressed in visibility logic using model checking.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Automatic Verification of Security Policies in Firewalls with Dynamic Rule Sequence

Gawanmeh

2014

2014 11th International Conference on Information Technology: New Generations

View full text Add to dashboard Cite

Security policies play an important role in the security of communication networks. They are normally defined at a high level of abstraction and implemented in firewalls, which are the first defense to secure networks against attacks and unauthorized access. When security policies are implemented in firewalls, anomalities and conflicts that may arise from different policies should be taken into consideration. On the other hand, Firewalls conduct random sequence order shuffling during their operation to prevent certain security attacks. This may result in an incorrect implementation of high level policies that depend on the order of rules inspection in the firewall. This paper presents a formal model of firewall rules sequence and a novel method that verifies the set of security policies when rules sequence changes. The method is tested on synthetic firewall of practical size, where the obtained results demonstrate the ability of firewalls to maintain the functional behavior of security policies during their runtime operation. The detailed analysis shows that the proposed method can be applied on firewalls with dynamic rule sequence in real time.

show abstract

Section: Related Workmentioning

confidence: 99%

“…Finally, Kotenko and Polubelova [19] used model checking for the verification of firewall security policy. The approaches in [15], [18], and [19] only check for conflicts between rules which are obtained by inspecting some fields in the policy at high level of abstraction.…”

Section: Related Workmentioning

confidence: 99%

Automatic Verification of Security Policies in Firewalls with Dynamic Rule Sequence

Gawanmeh

2014

2014 11th International Conference on Information Technology: New Generations

View full text Add to dashboard Cite

show abstract

“…Formal verification has been introduced in this field by some subsequent articles ( [11], [15], [16], [17], [18]), which underlined the importance of formal correctness assurance for the automatically computed configurations. Formal verification of firewall configurations has recently become a vital requirement for critical environments, as underlined in [6].…”

Section: Automatic Firewall Configurationmentioning

confidence: 99%

“…Moreover, a further limitation of [15] is that, differently from our approach, it cannot configure generic firewall implementations, but only firewalls based on IPChains and Cisco's PIX syntax. For what concerns the other three articles ( [17], [18] and [11]), their main limitation is that they cannot configure firewalls from scratch, since they are approaches for fixing firewall misconfigurations. For this reason, they do not achieve full automation, but they require that someone provides an initial rule set.…”

Section: Automatic Firewall Configurationmentioning

confidence: 99%

“…For this reason, they do not achieve full automation, but they require that someone provides an initial rule set. Moreover, they achieve less optimization goals than our approach: [17] and [18] only minimize rule set cardinality, while [11] only minimizes the number of functions to be updated. Additionally, [17] and [18] focus on traditional networks only, while [11] works at a higher level of abstraction, neglecting full low-level configuration information.…”

Section: Automatic Firewall Configurationmentioning

confidence: 99%

See 1 more Smart Citation

Automated Firewall Configuration in Virtual Networks

Bringhenti

Marchetto

Sisto

et al. 2023

IEEE Trans. Dependable and Secure Comput.

View full text Add to dashboard Cite

The configuration of security functions in computer networks is still typically performed manually, which likely leads to security breaches and long re-configuration times. This problem is exacerbated for modern networks based on network virtualization, because their complexity and dynamics make a correct manual configuration practically unfeasible. This article focuses on packet filters, i.e., the most common firewall technology used in computer networks, and it proposes a new methodology to automatically define the allocation scheme and configuration of packet filters in the logical topology of a virtual network. The proposed method is based on solving a carefully designed partial weighted Maximum Satisfiability Modulo Theories problem by means of a state-of-the-art solver. This approach formally guarantees the correctness of the solution, i.e., that all security requirements are satisfied, and it minimizes the number of needed firewalls and firewall rules. This methodology is extensively evaluated using different metrics and tests on both synthetic and real use cases, and compared to the state-of-the-art solutions, showing its superiority.

show abstract

Autonomous Attack Mitigation Through Firewall Reconfiguration

Bringhenti,

Pizzato,

Sisto

et al. 2024

Int J Network Mgmt

View full text Add to dashboard Cite

Packet filtering firewalls represent a main defense line against cyber attacks that target computer networks daily. However, the traditional manual approaches for their configuration are no longer applicable to next‐generation networks, which have become much more complex after the introduction of virtualization paradigms. Some automatic strategies have been investigated in the literature to change that old‐fashioned configuration approach, but they are not fully autonomous and still require several human interventions. In order to overcome these limitations, this paper proposes an autonomous approach for firewall reconfiguration where all steps are automated, from the derivation of the security requirements coming from the logs of IDSs to the deployment of the automatically computed configurations. A core component of this process is React‐VEREFOO, which models the firewall reconfiguration problem as a Maximum Satisfiability Modulo Theories problem, allowing the combination of full automation, formal verification, and optimization in a single technique. An implementation of this proposal has undergone experimental validation to show its effectiveness and performance.

show abstract

A Fully Automatic Approach for Fixing Firewall Misconfigurations

Cited by 9 publications

References 6 publications

Automatic Verification of Security Policies in Firewalls with Dynamic Rule Sequence

Automatic Verification of Security Policies in Firewalls with Dynamic Rule Sequence

Automated Firewall Configuration in Virtual Networks

Autonomous Attack Mitigation Through Firewall Reconfiguration

Contact Info

Product

Resources

About