Management of stateful firewall misconfiguration

“…A limitation of the approach is that their model does not distinguish rules with different state information, that is, for example, there is no differentiation between the establishment and termination phase of a given stateful protocol, and as a consequence, they do not consider more complex anomalies that may occur specifically in the stateful case. Cuppens et al [11] and García-Alfaro et al [23] propose an algorithmic approach to detect and resolve anomalies in a stateful firewall policy. A connection-oriented protocol is modelled using general automata, whereby the permitted protocol states and transitions are encoded.…”

Reasoning about firewall policies through refinement and composition

“…A limitation of the approach is that their model does not distinguish rules with different state information, that is, for example, there is no differentiation between the establishment and termination phase of a given stateful protocol, and as a consequence, they do not consider more complex anomalies that may occur specifically in the stateful case. Cuppens et al [11] and García-Alfaro et al [23] propose an algorithmic approach to detect and resolve anomalies in a stateful firewall policy. A connection-oriented protocol is modelled using general automata, whereby the permitted protocol states and transitions are encoded.…”

Reasoning about firewall policies through refinement and composition

“…There exist in the literature many proposals to resolve these problems [25]. We consider that developing new algorithms is out of the scope of this paper.…”

Attribute-Based Mining Process for the Organization-Based Access Control Model

“…QueryInterval ← Exclusion for all r ∈ Rules do 18: if Decision = ∅ then Output ← Output ∪ {Interval, Rules, Decision} 25: return Output False (lines [8][9][10]), then the corresponding rule is stored added to Rules, meaning that the predicate of such a rule matches the query interval. Similarly, the non-overlapping portion of the query interval with P redicate r is stored in Exclusion (line 7), representing portions in QueryInterval unmatched by rule r. If Exclusion is not False, then some more portions in QueryInterval still require being processed.…”

“…Algorithm 1, lines [8][9][10][11]), it is computed the query space Q B . Using Q B , decision spaces D AB and D BB (associated to Q B ) are obtained by applying, respectively, ACLs A and B.…”

“…Within the outer loop of Algorithm 3 (lines ), each query interval in set QuerySpace is processed. A first nested loop (lines [5][6][7][8][9][10][11][12][13][14][15]) parses the ACL rules, and stores in Inclusion (line 6) the overlapping portion of the query interval with P redicate r . If Inclusion is not for all r ∈ ACL do 6:…”

On the Isofunctionality of Network Access Control Lists