Firewall Policy


The Experts below are selected from a list of 2346 Experts worldwide ranked by ideXlab platform

Naohisa Takahashi - One of the best experts on this subject based on the ideXlab platform.

  • A Conflict Detection Method for IPv6 Time-Based Firewall Policy
    IEEE International Conference on Cloud Computing Technology and Science, 2019
    Co-Authors: Xue Zhang, Yi Yin, Yuichiro Tateiwa, Yun Wang, Guoqiang Zhang, Wei Liu, Zhizhen Peng, Naohisa Takahashi
    Abstract:

    Firewalls have been a very important security tool to protect networks against attacks; they filter unauthorized traffic entering the secured network. Packet filtering is based on a predefined collection of ordered rules. As the IPv6 protocol becomes widely used, security issues come with it. A firewall for an IPv6 network, an important element in protecting network security, will not be able to filter packets correctly if there are conflicts caused by the same packet matching two or more rules. In addition, a new kind of firewall with time constraints is used more and more widely by different firewall vendors, such as Cisco ACLs, Linux iptables, and the like. It is hard work to manage the rules in an IPv4 firewall policy, not to mention the rules in an IPv6 time-based firewall policy. Many methods have been proposed to analyze and detect the conflicts of individual or distributed firewall policies. However, very few of them can deal with the time constraints of rules. Therefore, detecting the conflicts of an IPv6 time-based firewall policy is an urgent problem. In order to solve this problem, we describe a method that can analyze an IPv6 time-based firewall policy. We use a formal method to analyze the meaning of an IPv6 time-based firewall policy. Next, we use the formal validation tool (SMT solver Z3) to detect all possible conflicts between every two rules. Lastly, we developed an experimental system to evaluate the performance of our method.

  • An Analysis Method for IPv6 Firewall Policy
    High Performance Computing and Communications, 2019
    Co-Authors: Yi Yin, Yoshiaki Katayama, Naohisa Takahashi, Yuichiro Tateiwa, Yun Wang, Guoqiang Zhang, Chao Zhang
    Abstract:

    Firewalls play a vitally important role in network security. Packet filtering in a firewall either accepts or denies network packets based upon a set of pre-defined rules called the firewall policy. Management of a firewall policy is a boring task and is always prone to error. There have been many analysis methods for anomaly detection in IPv4 firewall policies. But, because of the enormous address space, these methods either cannot be used to deal with IPv6 firewall policies directly or have low effectiveness. In this work, we propose a method, using a formal method, that can analyze the inclusion relations between every two IPv6 firewall rules and detect their anomalies. We have implemented a prototype system to verify our proposed method; experimental results show its effectiveness.

  • Inconsistency Analysis of Time-Based Security Policy and Firewall Policy
    International Conference on Formal Engineering Methods, 2017
    Co-Authors: Yoshiaki Katayama, Yi Yin, Yuichiro Tateiwa, Yun Wang, Naohisa Takahashi
    Abstract:

    Packet filtering in a firewall either accepts or denies packets based upon a set of predefined rules called the firewall policy. In recent years, time-based firewall policies have been widely used in many firewalls such as Cisco ACLs. A firewall policy is always designed under the instruction of a security policy, which is a generic document that outlines the needs for network access permissions. It is difficult to maintain the consistency of a normal firewall policy and security policy, not to mention a time-based firewall policy and security policy. Even though there are many analysis methods for security policy and firewall policy, they cannot deal with time constraints. To resolve this problem, we first represent the time-based security policy and firewall policy as logical formulas, and then use the satisfiability modulo theories (SMT) solver Z3 to verify them and analyze inconsistency. We have implemented a prototype system to verify our proposed method; experimental results showed its effectiveness.

  • An Inconsistency Detection Method for Security Policy and Firewall Policy Based on CSP Solver
    International Conference on Cloud Computing, 2017
    Co-Authors: Yoshiaki Katayama, Yi Yin, Yuichiro Tateiwa, Yun Wang, Naohisa Takahashi
    Abstract:

    Packet filtering in a firewall either accepts or denies network packets based upon a set of pre-defined rules called the firewall policy. A firewall policy is always designed under the instruction of a security policy, which is a generic document that outlines the needs for network access permissions. The design of the firewall policy should be consistent with the security policy.

  • Verifying Consistency between Security Policy and Firewall Policy by Using a Constraint Satisfaction Problem Solver
    2012
    Co-Authors: Yi Yin, Naohisa Takahashi
    Abstract:

    Packet filtering in a firewall either accepts or denies network packets based upon a set of pre-defined filters called the firewall policy. The firewall policy is designed under the instruction of the security policy. A network security policy is a generic document that outlines the needs for network access permissions, and it determines how firewall filters are designed. If inconsistencies exist between the security policy and the firewall policy, the firewall policy cannot filter packets exactly, and the network protected by the firewall will be affected. To resolve this problem, we propose a method that represents the security policy and firewall policy as a Constraint Satisfaction Problem and constructs a consistency verification model, then uses a CSP solver to verify their consistency. We did some experiments to verify our proposed method; experimental results showed its effectiveness.

Yi Yin - One of the best experts on this subject based on the ideXlab platform.

  • Publications: the same five entries listed above under Naohisa Takahashi (co-authored by Yi Yin).

Fei Chen - One of the best experts on this subject based on the ideXlab platform.

  • Privacy Preserving Collaborative Enforcement of Firewall Policies in Virtual Private Networks
    2013
    Co-Authors: Alex X. Liu, Fei Chen
    Abstract:

    The widely deployed Virtual Private Network (VPN) technology allows roaming users to build an encrypted tunnel to a VPN server, which, henceforth, allows roaming users to access some resources as if that computer were residing on their home organization's network. Although VPN technology is very useful, it imposes security threats on the remote network because its firewall does not know what traffic is flowing inside the VPN tunnel. To address this issue, we propose VGuard, a framework that allows a policy owner and a request owner to collaboratively determine whether the request satisfies the policy without the policy owner knowing the request and the request owner knowing the policy. We first present an efficient protocol, called Xhash, for oblivious comparison, which allows two parties, where each party has a number, to compare whether they have the same number, without disclosing their numbers to each other. Then, we present the VGuard framework that uses Xhash as the basic building block. The basic idea of VGuard is to first convert a firewall policy to non-overlapping numerical rules and then use Xhash to check whether a request matches a rule. Compared with the Cross-Domain Cooperative Firewall (CDCF) framework, which represents the state of the art, VGuard is not only more secure but also orders of magnitude more efficient. On real-life firewall policies, for processing packets, our experimental results show that VGuard is three to four orders of magnitude faster than CDCF.
    Index Terms: Virtual private networks, privacy, network security.

  • First Step Towards Automatic Correction of Firewall Policy Faults
    ACM Transactions on Autonomous and Adaptive Systems, 2012
    Co-Authors: Fei Chen, Alex X. Liu, Jeehyun Hwang, Tao Xie
    Abstract:

    Firewalls are critical components of network security and have been widely deployed for protecting private networks. A firewall determines whether to accept or discard a packet that passes through it based on its policy. However, most real-life firewalls have been plagued with policy faults, which either allow malicious traffic or block legitimate traffic. Due to the complexity of firewall policies, manually locating the faults of a firewall policy and further correcting them is difficult. Automatically correcting the faults of a firewall policy is an important and challenging problem. In this article, we first propose a fault model for firewall policies including five types of faults. For each type of fault, we present an automatic correction technique. Second, we propose the first systematic approach that employs these five techniques to automatically correct all or part of the misclassified packets of a faulty firewall policy. Third, we conducted extensive experiments to evaluate the effectiveness of our approach. Experimental results show that our approach is effective in correcting a faulty firewall policy with three of these types of faults.

  • Privacy Preserving Collaborative Enforcement of Firewall Policies in Virtual Private Networks
    IEEE Transactions on Parallel and Distributed Systems, 2011
    Co-Authors: Fei Chen
    Abstract:

    The widely deployed Virtual Private Network (VPN) technology allows roaming users to build an encrypted tunnel to a VPN server, which, henceforth, allows roaming users to access some resources as if that computer were residing on their home organization's network. Although VPN technology is very useful, it imposes security threats on the remote network because its firewall does not know what traffic is flowing inside the VPN tunnel. To address this issue, we propose VGuard, a framework that allows a policy owner and a request owner to collaboratively determine whether the request satisfies the policy without the policy owner knowing the request and the request owner knowing the policy. We first present an efficient protocol, called Xhash, for oblivious comparison, which allows two parties, where each party has a number, to compare whether they have the same number, without disclosing their numbers to each other. Then, we present the VGuard framework that uses Xhash as the basic building block. The basic idea of VGuard is to first convert a firewall policy to non-overlapping numerical rules and then use Xhash to check whether a request matches a rule. Compared with the Cross-Domain Cooperative Firewall (CDCF) framework, which represents the state of the art, VGuard is not only more secure but also orders of magnitude more efficient. On real-life firewall policies, for processing packets, our experimental results show that VGuard is three to four orders of magnitude faster than CDCF.

  • First Step Towards Automatic Correction of Firewall Policy Faults
    USENIX Large Installation Systems Administration Conference, 2010
    Co-Authors: Fei Chen, Alex X. Liu, Jeehyun Hwang, Tao Xie
    Abstract:

    Firewalls are critical components of network security and have been widely deployed for protecting private networks. A firewall determines whether to accept or discard a packet that passes through it based on its policy. However, most real-life firewalls have been plagued with policy faults, which either allow malicious traffic or block legitimate traffic. Due to the complexity of firewall policies, manually locating the faults of a firewall policy and further correcting them is difficult. Automatically correcting the faults of a firewall policy is an important and challenging problem. In this paper, we make three major contributions. First, we propose the first comprehensive fault model for firewall policies including five types of faults. For each type of fault, we present an automatic correction technique. Second, we propose the first systematic approach that employs these five techniques to automatically correct all or part of the misclassified packets of a faulty firewall policy. Third, we conducted extensive experiments to evaluate the effectiveness of our approach. Experimental results show that our approach is effective in correcting a faulty firewall policy with three of these types of faults.

Ehab Alshaer - One of the best experts on this subject based on the ideXlab platform.

  • Firewall Policy Reconnaissance Techniques and Analysis
    IEEE Transactions on Information Forensics and Security, 2014
    Co-Authors: Muhammad Qasim Ali, Ehab Alshaer, Taghrid Samak
    Abstract:

    In the past decade, scanning has been widely used as a reconnaissance technique to gather critical network information in order to launch a follow-up attack. To combat this, numerous intrusion detectors have been proposed. However, scanning methodologies have shifted to a next-generation paradigm in order to be evasive. The next-generation reconnaissance techniques are intelligent and stealthy. These techniques use a low-volume packet sequence and intelligent calculation for victim selection to be more evasive. Previously, we proposed models for firewall policy reconnaissance that are used to set bounds on learning accuracy as well as to put minimum requirements on the number of probes. We presented techniques for reconstructing the firewall policy by intelligently choosing the probing packets based on the responses to previous probes. In this paper, we show the statistical analysis of these techniques and discuss their evasiveness along with improvements. First, we present the two previously proposed techniques, followed by the statistical analysis and their evasiveness to current detectors. Based on the statistical analysis, we show that these techniques still exhibit a pattern and thus can be detected. We then develop a hybrid approach to maximize the benefit by combining the two heuristics.

  • Analysis of Firewall Policy Rules Using Traffic Mining Techniques
    International Journal of Internet Protocol Technology, 2010
    Co-Authors: Muhammad Arshad Ul Abedin, Ehab Alshaer, Latifur Khan, Syeda Nessa, Mamoun Awad
    Abstract:

    The firewall is usually the first line of defence in ensuring network security. However, the management of manually configured firewall rules has proven to be complex, error-prone and costly for large networks. Even with error-free rules, the presence of defects in the firewall implementation or device may make the network insecure. Evaluating the effectiveness of a policy and the correctness of its implementation requires a thorough analysis of network traffic data. We present a set of algorithms that simplify this analysis. By analysing only the firewall log files using aggregation and heuristics, we regenerate the effective firewall rules, i.e., what the firewall is really doing. By comparing these with the original rules, we can easily find whether there is any anomaly in the original rules, and whether there is any defect in the implementation. Our experiments show that the effective firewall rules can be regenerated to a high degree of accuracy from a small amount of data.
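    As an added illustration of the idea in this abstract (example code written for this page, not the paper's algorithms, which are not reproduced here), the following Python regenerates "effective" rules from firewall log lines by aggregating logged verdicts to /24 source prefixes, then audits them against a configured first-match policy: it reports logged verdicts that contradict the policy (a candidate implementation defect), configured rules that no logged packet ever reached (candidate shadowed or dead rules), and aggregate keys under which both verdicts were observed. The iptables-style log format with an FW-ACCEPT/FW-DROP prefix, the sample policy and the log lines are all constructed assumptions.

```python
"""Regenerate effective firewall rules from log lines and audit them against
the configured policy.  Added example: the log format, the policy and the log
lines are constructed for this page, not taken from the paper."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Assumed log shape: iptables LOG output whose --log-prefix names the verdict.
LOG_RE = re.compile(
    r"FW-(?P<verdict>ACCEPT|DROP)\b.*?\bSRC=(?P<src>\S+)\s+DST=(?P<dst>\S+)"
    r".*?\bPROTO=(?P<proto>\w+)(?:.*?\bDPT=(?P<dpt>\d+))?")

# Configured policy, first match wins: (src, dst, proto or None, dport or None, verdict)
POLICY = [
    ("10.0.0.0/8",  "192.0.2.10/32", "TCP", 22,   "DROP"),
    ("10.1.0.0/16", "192.0.2.10/32", "TCP", 22,   "ACCEPT"),   # fully shadowed by rule 0
    ("0.0.0.0/0",   "192.0.2.10/32", "TCP", 443,  "ACCEPT"),
    ("0.0.0.0/0",   "192.0.2.0/24",  "UDP", 53,   "ACCEPT"),
    ("0.0.0.0/0",   "0.0.0.0/0",     None,  None, "DROP"),
]

# Constructed sample log lines (documentation address ranges only).
LOG_LINES = """\
kernel: FW-ACCEPT IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51000 DPT=443
kernel: FW-ACCEPT IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51002 DPT=443
kernel: FW-DROP IN=eth0 SRC=10.1.4.4 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40000 DPT=22
kernel: FW-ACCEPT IN=eth0 SRC=10.1.4.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40001 DPT=22
kernel: FW-ACCEPT IN=eth0 SRC=203.0.113.2 DST=192.0.2.53 LEN=48 PROTO=UDP SPT=33000 DPT=53
kernel: FW-DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=33001 DPT=8080
"""


def parse_log(text: str) -> List[Dict[str, Optional[str]]]:
    """Extract verdict, src, dst, proto and (optional) dport from each log line."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:                      # lines that are not firewall verdicts are skipped
            records.append(m.groupdict())
    return records


def first_match(policy, rec) -> Tuple[int, str]:
    """Index and verdict of the first configured rule matching the record."""
    src, dst = ip_address(rec["src"]), ip_address(rec["dst"])
    dpt = int(rec["dpt"]) if rec["dpt"] else None
    for i, (rs, rd, proto, port, verdict) in enumerate(policy):
        if (src in ip_network(rs) and dst in ip_network(rd)
                and (proto is None or proto == rec["proto"])
                and (port is None or port == dpt)):
            return i, verdict
    raise ValueError("no matching rule; policy has no catch-all")


def effective_rules(records, prefixlen: int = 24) -> Counter:
    """Aggregate logged decisions into (src prefix, dst, proto, dport, verdict) -> count."""
    eff: Counter = Counter()
    for r in records:
        src = ip_network(f"{r['src']}/{prefixlen}", strict=False)
        dpt = int(r["dpt"]) if r["dpt"] else None
        eff[(str(src), r["dst"], r["proto"], dpt, r["verdict"])] += 1
    return eff


def audit(policy, records) -> Dict[str, list]:
    """Compare what the firewall logged with what the configured policy says."""
    hit, contradictions = set(), []
    for r in records:
        idx, expected = first_match(policy, r)
        hit.add(idx)
        if expected != r["verdict"]:
            contradictions.append({**r, "expected": expected, "rule": idx})
    unhit = [i for i in range(len(policy)) if i not in hit]
    # Same aggregate key with both verdicts seen: a finer-grained rule or a defect.
    by_key: Dict[tuple, set] = {}
    for (src, dst, proto, dpt, verdict) in effective_rules(records):
        by_key.setdefault((src, dst, proto, dpt), set()).add(verdict)
    mixed = [k for k, v in by_key.items() if len(v) > 1]
    return {"contradictions": contradictions, "unhit_rules": unhit, "mixed_verdicts": mixed}


if __name__ == "__main__":
    recs = parse_log(LOG_LINES)
    for key, n in effective_rules(recs).items():
        print(n, key)
    print(audit(POLICY, recs))
```

    On the constructed input the audit reports one contradiction (10.1.4.5 to port 22 was accepted although rule 0 says DROP), rule 1 as never reached, and the 10.1.4.0/24 aggregate as carrying both verdicts; in practice the prefix length and the aggregation keys are the heuristics to tune against real log volume.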

  • Specifications of a High-Level Conflict-Free Firewall Policy Language for Multi-Domain Networks
    Symposium on Access Control Models and Technologies, 2007
    Co-Authors: Bin Zhang, Ehab Alshaer, Radha Jagadeesan, James Riely, Corin Pitcher
    Abstract:

    Multiple firewalls typically cooperate to provide security properties for a network, despite the fact that these firewalls are often spatially distributed and configured in isolation. Without a global view of the network configuration, such a system is ripe for misconfiguration, causing conflicts and major security vulnerabilities. We propose FLIP, a high-level firewall configuration policy language for traffic access control, to enforce security and ensure seamless configuration management. In FLIP, firewall security policies are defined as high-level service-oriented goals, which can be translated automatically into access control rules to be distributed to appropriate enforcement devices. FLIP guarantees that the rules generated will be conflict-free, both on an individual firewall and between firewalls. We prove that the translation algorithm is both sound and complete. FLIP supports policy inheritance and customization features that enable defining a global firewall policy for a large-scale enterprise network quickly and accurately. Through a case study, we argue that firewall policy management for large-scale networks is efficient and accurate using FLIP.

  • An Automated Framework for Validating Firewall Policy Enforcement
    IEEE International Workshop on Policies for Distributed Systems and Networks, 2007
    Co-Authors: Adel Elatawy, T Samak, Z Wali, Ehab Alshaer
    Abstract:

    The implementations of network security devices such as firewalls and IDSs are constantly being improved to accommodate higher security and performance standards. Using reliable and yet practical techniques for testing the functionality of firewall devices, particularly after a new filtering implementation or optimization, becomes necessary to assure the required security. Generating random traffic to test the functionality of firewall matching is inefficient and inaccurate, as it requires an exponential number of test cases for reasonable coverage. In addition, in most cases the policies used during testing are limited and manually generated, representing fixed policy profiles. In this paper, we present a framework for automatic testing of the firewall policy enforcement or implementation using efficient random traffic and policy generation techniques. Our framework is a two-stage architecture that provides satisfying coverage of the firewall operational states. A large variety of policies are randomly generated according to custom profiles and also based on the grammar of the access control list. Testing packets are then generated intelligently and proportionally to the critical regions of the generated policies to validate the firewall enforcement for such policies. We describe our implementation of the framework based on Cisco IOS, which includes the policy generation, test case generation, capturing and analyzing firewall output, and creating detailed test reports. Our evaluation results show that automated security testing is not only achievable but also offers a dramatically higher degree of confidence than random or manual testing.

  • Firewall Policy Reconstruction by Active Probing: An Attacker's View
    2006 2nd IEEE Workshop on Secure Network Protocols, 2006
    Co-Authors: T Samak, Adel Elatawy, Ehab Alshaer
    Abstract:

    Having a firewall policy that is correct and complete is crucial to the safety of the computer network. An adversary will benefit a lot from knowing the policy or its semantics. In this paper we show how an attacker can reconstruct a firewall's policy by probing the firewall: sending tailored packets into a network and forming an idea of what the policy looks like. We present two approaches to compiling this information into a policy that can be arbitrarily close to the original one used in the deployed firewall. The first approach is based on region growing from single firewall responses to sample packets. The other approach uses split-and-merge in order to divide the space of the firewall's rules and analyzes each part independently. Both techniques merge the results obtained into a more compact version of the reconstructed policies.

Ehab Al-shaer - One of the best experts on this subject based on the ideXlab platform.

  • Automated Firewall Analytics: Design, Configuration and Optimization
    2014
    Co-Authors: Ehab Al-shaer
    Abstract:

    This book provides a comprehensive and in-depth study of automated firewall policy analysis for designing, configuring and managing distributed firewalls in large-scale enterprise networks. It presents methodologies, techniques and tools for researchers as well as professionals to understand the challenges and improve the state of the art of managing firewalls systematically in both research and application domains. Chapters explore set theory, managing firewall configuration globally and consistently, access control lists with encryption, and authentication such as IPSec policies. The author also reveals a high-level service-oriented firewall configuration language (called FLIP) and a methodology and framework for designing an optimal distributed firewall architecture. The chapters illustrate the concepts, algorithms, implementations and case studies for each technique. Automated Firewall Analytics: Design, Configuration and Optimization is appropriate for researchers and professionals working with firewalls. Advanced-level students in computer science will find this material suitable as a secondary textbook or reference.

  • Specification and Refinement of a Conflict-Free Distributed Firewall Configuration Language
    Automated Firewall Analytics, 2014
    Co-Authors: Ehab Al-shaer
    Abstract:

    Multiple firewalls typically cooperate to provide security properties for a network, despite the fact that these firewalls are often spatially distributed and configured in isolation. Without a global view of the network configuration, such a system is ripe for misconfiguration, causing conflicts and major security vulnerabilities. We propose FLIP, a high-level firewall configuration policy language for traffic access control, to enforce security and ensure seamless configuration management. In FLIP, firewall security policies are defined as high-level service-oriented goals, which can be translated automatically into access control rules to be distributed to appropriate enforcement devices. FLIP guarantees that the rules generated will be conflict-free, both on an individual firewall and between firewalls. We prove that the translation algorithm is both sound and complete. FLIP supports policy inheritance and customization features that enable defining a global firewall policy for a large-scale enterprise network quickly and accurately. Through a case study, we argue that firewall policy management for large-scale networks is efficient and accurate using FLIP.

  • Traffic-aware dynamic Firewall Policy management: Techniques and applications
    IEEE Communications Magazine, 2013
    Co-Authors: Qi Duan, Ehab Al-shaer
    Abstract:

    Firewalls are important network security devices that protect networks by blocking unwanted traffic based on filtering policies. However, the structure of firewall policies has a major impact on firewall security and performance. In this article, we classify, describe, and compare traffic-aware firewall policy management techniques based on their objectives, schemes, complexity, applicability, and limitations. We classify traffic-aware firewall policy techniques into two categories based on their goals: matching optimization and early rejection optimization schemes. Matching optimization techniques try to minimize the matching time of normal network traffic. Early rejection techniques create a minimum set of policy preamble rules (constraints) that can potentially filter out the maximum amount of denied traffic. Both categories are self-adaptive to ensure that the performance gain will always supersede the dynamic management maintenance overhead. We believe that our work provides important insights on the operation and use of traffic-aware filtering.

  • Conflict classification and analysis of distributed Firewall policies
    IEEE Journal on Selected Areas in Communications, 2005
    Co-Authors: Ehab Al-shaer, H Hamed, Raouf Boutaba, Masum Hasan
    Abstract:

    Firewalls are core elements in network security. However, managing firewall rules, particularly in multi-firewall enterprise networks, has become a complex and error-prone task. Firewall filtering rules have to be written, ordered, and distributed carefully in order to avoid firewall policy anomalies that might cause network vulnerability. Therefore, inserting or modifying filtering rules in any firewall requires thorough intra-firewall and inter-firewall analysis to determine the proper rule placement and ordering in the firewalls. In this paper, we identify all anomalies that could exist in a single- or multi-firewall environment. We also present a set of techniques and algorithms to automatically discover policy anomalies in centralized and distributed firewalls. These techniques are implemented in a software tool called the "Firewall Policy Advisor" that simplifies the management of filtering rules and maintains the security of next-generation firewalls.
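    As an added, runnable illustration of two passages on this page, the pairwise analysis of IPv6 time-based rules described in the Takahashi and Yin abstracts near the top and the intra-firewall anomaly classes that the Firewall Policy Advisor abstract above reports, the following Python models each rule as a box over (source prefix, destination prefix, protocol, destination port, time of day), computes the inclusion relation between every two rules per dimension, and derives shadowing, redundancy, generalization and correlation from that relation, the rule order and the actions. This is example code written for this page, not the authors' tools (which use the Z3 SMT solver and their own algorithms); the rule format, the non-wrapping daily time-window model and the sample rules are assumptions constructed here.

```python
"""Pairwise anomaly analysis of an ordered, time-based IPv6 firewall policy.

Added example, not the authors' tools.  Each rule is a box in five dimensions;
the relation between two boxes is computed per dimension and combined, and the
first-match anomaly class for each ordered pair is derived from it.
"""
from dataclasses import dataclass
from ipaddress import IPv6Network, ip_network
from typing import List, Optional, Tuple

Range = Tuple[int, int]            # inclusive integer interval [lo, hi]
ANY_PORT: Range = (0, 65535)
ALWAYS: Range = (0, 1439)          # minutes since midnight, whole day
TCP: Range = (6, 6)


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv6Network
    dst: IPv6Network
    proto: Range
    dport: Range
    window: Range                  # daily time window in inclusive minutes (assumed model)
    action: str                    # "accept" or "deny"


def window(start: str, end: str) -> Range:
    """'08:00', '18:00' -> (480, 1079).  Wrap-around windows (22:00-06:00) are not
    modelled; split such a rule into two rules before analysis."""
    def minutes(t: str) -> int:
        h, m = t.split(":")
        return int(h) * 60 + int(m)
    lo, hi = minutes(start), minutes(end) - 1
    assert lo <= hi, "wrap-around window: split into two rules"
    return (lo, hi)


def net_range(net: IPv6Network) -> Range:
    return (int(net.network_address), int(net.broadcast_address))


def dim_relation(a: Range, b: Range) -> str:
    """Relation of interval a to interval b in one dimension."""
    if a[1] < b[0] or b[1] < a[0]:
        return "disjoint"
    if a == b:
        return "equal"
    if b[0] <= a[0] and a[1] <= b[1]:
        return "subset"
    if a[0] <= b[0] and b[1] <= a[1]:
        return "superset"
    return "partial"


def rule_relation(r1: Rule, r2: Rule, consider_time: bool = True) -> str:
    """Relation of the packet set matched by r1 to the set matched by r2."""
    dims = [(net_range(r1.src), net_range(r2.src)),
            (net_range(r1.dst), net_range(r2.dst)),
            (r1.proto, r2.proto), (r1.dport, r2.dport)]
    if consider_time:
        dims.append((r1.window, r2.window))
    rels = {dim_relation(a, b) for a, b in dims}
    if "disjoint" in rels:         # one disjoint dimension makes the boxes disjoint
        return "disjoint"
    if rels == {"equal"}:
        return "equal"
    if rels <= {"equal", "subset"}:
        return "subset"
    if rels <= {"equal", "superset"}:
        return "superset"
    return "correlated"            # partial overlap, or subset in one dimension and superset in another


def classify(earlier: Rule, later: Rule, consider_time: bool = True) -> Optional[str]:
    """First-match anomaly for the ordered pair (earlier, later); None if no anomaly.
    Redundancy is judged on the pair alone; a full check would also confirm that no
    intervening rule with a different action touches the shared packets."""
    rel = rule_relation(later, earlier, consider_time)
    same = earlier.action == later.action
    if rel == "disjoint":
        return None
    if rel in ("subset", "equal"):           # later never matches, or adds nothing
        return "redundancy" if same else "shadowing"
    if rel == "superset":                    # broader rule placed after a specific one
        return "redundancy" if same else "generalization"
    return None if same else "correlation"   # partial overlap with conflicting actions


def analyze(rules: List[Rule], consider_time: bool = True) -> List[Tuple[str, str, str]]:
    found = []
    for i, ri in enumerate(rules):
        for rj in rules[i + 1:]:
            anomaly = classify(ri, rj, consider_time)
            if anomaly:
                found.append((ri.name, rj.name, anomaly))
    return found


# Constructed sample policy (documentation prefixes); first match wins.
SAMPLE_RULES = [
    Rule("R1", ip_network("2001:db8:1::/64"), ip_network("2001:db8:2::/64"), TCP, (80, 80), window("08:00", "18:00"), "accept"),
    Rule("R2", ip_network("2001:db8:1::/64"), ip_network("2001:db8:2::/64"), TCP, ANY_PORT, ALWAYS, "deny"),
    Rule("R3", ip_network("2001:db8:1:0:1::/80"), ip_network("2001:db8:2::/64"), TCP, (80, 80), window("09:00", "17:00"), "accept"),
    Rule("R4", ip_network("2001:db8:1::/64"), ip_network("2001:db8:2::/64"), TCP, (0, 1023), window("06:00", "12:00"), "deny"),
]

if __name__ == "__main__":
    for row in analyze(SAMPLE_RULES):
        print("with time:    ", row)
    for row in analyze(SAMPLE_RULES, consider_time=False):
        print("ignoring time:", row)
```

    Running it twice, with and without the time dimension, shows why the time constraint matters: R4 is a plain generalization of R1 and of R3 when time is ignored, but with the windows taken into account the pairs only partially overlap and become correlation anomalies, which is the case a tool that ignores time constraints would misreport.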