Security Policies Tuning Among IP Devices

Journal of Computer Networks and Communications

Maiolini²,

Mingo³

et al. 2015

Packet filtering and processing rules management in firewalls and security gateways has become commonplace in increasingly complex networks. On one side there is a need to maintain the logic of high level policies, which requires administrators to implement and update a large amount of filtering rules while keeping them conflict-free, that is, avoiding security inconsistencies. On the other side, traffic adaptive optimization of large rule lists is useful for general purpose computers used as filtering devices, without specific designed hardware, to face growing link speeds and to harden filtering devices against DoS and DDoS attacks. Our work joins the two issues in an innovative way and defines a traffic adaptive algorithm to find conflict-free optimized rule sets, by relying on information gathered with traffic logs. The proposed approach suits current technology architectures and exploits available features, like traffic log databases, to minimize the impact of ACO development on the packet filtering devices. We demonstrate the benefit entailed by the proposed algorithm through measurements on a test bed made up of real-life, commercial packet filtering devices.

Section: Related Workmentioning

confidence: 99%

Section: Traffic Driven Adaptation Of Acomentioning

confidence: 99%

See 1 more Smart Citation

Adaptive Conflict-Free Optimization of Rule Sets for Network Security Packet Filtering Devices

Journal of Computer Networks and Communications

Maiolini²,

Mingo³

et al. 2015

“…In [1] the Authors only aim at detecting if firewall rules are correlated to each other, while in [2][3][4] a set of techniques and algorithms are defined to discover all of the possible policy conflicts. Along this line, [5] and [6] provide an automatic conflict resolution algorithm in single firewall environment and tuning algorithm in multi-firewall environment respectively. Recently great emphasis has been placed on how to optimize firewall performance.…”

Section: Related Workmentioning

confidence: 99%

“…Our analysis shows how shaping access list based on network traffic can often results in conflicts between policies. As reported by many authors [1][2][3][4][5][6], conflicts in a policy can cause holes in security, and often they can be hard to find when performing only visual or manual inspection. In this paper we propose architecture based on our algorithm to automatically adapt packet filtering devices configuration to traffic behavior achieving the best performance ensuring conflict-free solution.…”

Section: Introductionmentioning

confidence: 99%

Automated Framework for Policy Optimization in Firewalls and Security Gateways

Maiolini

Cignini

Proceedings of the International Workshop on Computational Intelligence in Security for Information Systems CISIS’08

The challenge to address in multi-firewall and security gateway environment is to implement conflict-free policies, necessary to avoid security inconsistency, and to optimize, at the same time, performances in term of average filtering time, in order to make firewalls stronger against DoS and DDoS attacks. Additionally the approach should be real time, based on the characteristics of network traffic. Our work defines an algorithm to find conflict free optimized device rule sets in real time, by relying on information gathered from traffic analysis. We show results obtained from our test environment demonstrating for computational power savings up to 24% with fully conflict free device policies.

Adaptive Optimization of Packet Filtering Devices Performance Ensuring a Conflict-free Network Configuration

Maiolini

Cignini

IEEE INFOCOM Workshops 2008

2008

Security rules management in firewall and security gateway is a hard and error prone task as administrators must correctly implement and update a large amount of policies especially when rapid changing occurs due to new security needs. The challenge to address in multi-firewall and security gateway environment is to implement conflict-free policies, necessary to avoid security inconsistency, and to optimize, at the same time, performances in term of average filtering time, in order to make firewalls stronger against DoS and DDoS attacks. Additionally the approach should be real time, based on the characteristics of network traffic. There is a vast amount of literature on security policy conflict detection and resolution and on device rule set shaping to improve policy implementation performance. Our work defines an algorithm to find conflict free optimized device rule sets in real time, by relying on information gathered from traffic analysis. We show results obtained from our test environment confirming that operational costs of devices could be improved based on traffic analysis via log files of the security device. We demonstrate computational power savings up to 24% with fully conflict free device policies. ©2008 IEEE