Modeling and Management of Firewall Policies

Al-Shaer, Ehab; Hamed, H.

doi:10.1109/tnsm.2004.4623689

Cited by 156 publications

(144 citation statements)

References 8 publications

Supporting

Mentioning

130

Contrasting

Unclassified

Order By: Relevance

“…Other research woks (Al-Shaer, 2004) (Pozo2, 2008 complemented the diagnosis process with a characterization of the faults. However, minimal diagnosis and characterization is NP.…”

Section: Related Workmentioning

confidence: 99%

“…These operations need an analysis in order to know if they can cause an inconsistency. This analysis has been provided in other works (Al-Shaer, 2004) (Pozo3, 2008). It is assumed in the paper that a collection of these operations over an ACL is always executed in sequence.…”

Section: Introductionmentioning

confidence: 99%

“…In layer 3 firewall domain, the condition set is typically composed of five elements, which correspond to five fields of a packet header (Taylor, 2003). In this paper, we are interested in consistency problems in next generation networks (Al-Shaer, 2004) (Pozo2, 2008. Due to real-time frequent ACL updates, inconsistencies must be detected and automatically managed very fast.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Efficient Data Structures for Local Inconsistency Detection in Firewall Acl Updates

Pozo

Gasca

2009

Proceedings of the 11th International Conference on Enterprise Information

View full text Add to dashboard Cite

Abstract:Filtering is a very important issue in next generation networks. These networks consist of a relatively high number of resource constrained devices and have special features, such as management of frequent topology changes. At each topology change, the access control policy of all nodes of the network must be automatically modified. In order to manage these access control requirements, Firewalls have been proposed by several researchers. However, many of the problems of traditional firewalls are aggravated due to these networks particularities, as is the case of ACL consistency. A firewall ACL with inconsistencies implies in general design errors, and indicates that the firewall is accepting traffic that should be denied or vice versa. This can result in severe problems such as unwanted accesses to services, denial of service, overflows, etc. Detecting inconsistencies is of extreme importance in the context of highly sensitive applications (e.g. health care). We propose a local inconsistency detection algorithm and data structures to prevent automatic rule updates that can cause inconsistencies. The proposal has very low computational complexity as both theoretical and experimental results will show, and thus can be used in real time environments.

show abstract

“…Other research woks (Al-Shaer, 2004) (Pozo2, 2008 complemented the diagnosis process with a characterization of the faults. However, minimal diagnosis and characterization is NP.…”

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Efficient Data Structures for Local Inconsistency Detection in Firewall Acl Updates

Pozo

Gasca

2009

Proceedings of the 11th International Conference on Enterprise Information

View full text Add to dashboard Cite

show abstract

“…Let ACL f be a firewall ACL consisting of f+1 rules, Firewalls have to face many problems in modern networks. Two of the most important ones are the high complexity of ACL design [1] and ACL consistency diagnosis [2,3]. Networks have different access control requirements which must be translated by a network administrator into firewall ACLs.…”

Section: Introductionmentioning

confidence: 99%

“…Changing from one firewall platform to another often means a complete rewrite of the ACL. In this translation process, inconsistencies and redundancies can be introduced [2,3]. Figs.…”

Section: Introductionmentioning

confidence: 99%

MDA-Based Framework for Automatic Generation of Consistent Firewall ACLs with NAT

Pozo

Varela-Vaca

Gasca

2009

Computational Science and Its Applications – ICCSA 2009

View full text Add to dashboard Cite

Abstract. The design and management of firewall ACLs is a very hard and error-prone task. Part of this complexity comes from the fact that each firewall platform has its own low-level language with a different functionality, syntax, and development environment. Although several high-level languages have been proposed to model firewall access control policies, none of them has been widely adopted by the industry due to a combination of factors: high complexity, no support of important features of firewalls, no common development process, etc. In this paper, a development process for Firewall ACLs based on the Model Driven Architecture (MDA) framework is proposed. The framework supports the market leaders firewall platforms and is user-extensible. The most important access control policy languages are reviewed, with special focus on the development of firewall ACLs. Based on this analysis a new DSL language for firewall ACLs, AFPL2, covering most features other languages do not cover, is proposed. The language is then used as the platform independent metamodel, the first part of the MDA-based framework.

show abstract

Inter‐function anomaly analysis for correct SDN/NFV deployment

et al. 2015

View full text Add to dashboard Cite

Implementing the security of a network consists in individually configuring several network functions. Network functions are configured by means of a policy composed of a set of rules, but their actual behaviour is influenced by the other policies implemented by all the other network functions around them. This paper proposes a formal model that can be used to detect inter-function anomalies, which are defined as the interferences between two or more functions deployed in the same network. We have proved with experiments that the proposed model is fast and scalable.However, unless a system is really simple, an administrator cannot actually evaluate the global effect of the enforced security policy, which is obtained by the configuration of all the functions deployed in the network. In other words, this important task is performed without a holistic view of the overall security requirements, and this increases the chance of misconfigurations. In addition, the security administrators must deal with the highly dynamic nature of these deployments, hence worsening the problem even further. Indeed, VNFs can run on a range of industry standard server hardware and can be moved and instantiated at any locations in the network, without the need of new equipment installation [5].The typical approach is trial and error. When one or more misconfigurations are reported, the administrators correct them by creating ad hoc rules and repeat the process until no more errors are present. This methodology, although simple, is only a temporary palliative because it can produce serious maintenance problems in the future. Guaranteeing the absence of misconfigurations is however nearly impossible without an appropriate software tool. It is therefore highly desirable to have a practical solution to evaluate the policy actually enforced, which is based on sound theoretical foundations.In the last few years, several authors have tried to identify potential misconfigurations by detecting and resolving policy conflicts. These works have classified and detected conflicts in the same device (intra-policy) or conflicts between homogeneous devices, for example, two firewalls or two cascading IPsec devices (inter-policy) [6,7]. Nevertheless, the complexity of real systems is not self-contained, as each network function may affect the behaviour of other functions in the same network. For instance, a firewall may block some encrypted communication channels or a NAT may alter the decision of several packet filters. For this reason, it is indispensable to help the administrators by supporting, in a general analysis framework, different types of functions (e.g. firewalls, content filters, channel protection devices, logging, monitoring, and so on) and their interactions.In this paper, we propose a novel approach that is able to analyse an SDN/NFV scenario when heterogeneous networking devices and technologies are used. Our approach also works if different types of policy-enabled VNFs are deployed. Our solution is both easy to extend to other function t...

show abstract

Modeling and Management of Firewall Policies

Cited by 156 publications

References 8 publications

Efficient Data Structures for Local Inconsistency Detection in Firewall Acl Updates

Efficient Data Structures for Local Inconsistency Detection in Firewall Acl Updates

MDA-Based Framework for Automatic Generation of Consistent Firewall ACLs with NAT

Inter‐function anomaly analysis for correct SDN/NFV deployment

Contact Info

Product

Resources

About