Conflict classification and analysis of distributed firewall policies

Ehab Al-Shaer; Hazem Hamed; Raouf Boutaba; Masum Hasan

doi:10.1109/JSAC.2005.854119

Conflict classification and analysis of distributed firewall policies

Ehab Al-Shaer^*
, Hazem Hamed
, Raouf Boutaba
, Masum Hasan

^*Corresponding author for this work

Research output: Contribution to journal › Article › peer-review

269 Scopus citations

Abstract

Firewalls are core elements in network security. However, managing firewall rules, particularly, in multifirewall enterprise networks, has become a complex and error-prone task. Firewall filtering rules have to be written, ordered, and distributed carefully in order to avoid firewall policy anomalies that might cause network vulnerability. Therefore, inserting or modifying filtering rules in any firewall requires thorough intrafirewall and interfirewall analysis to determine the proper rule placement and ordering in the firewalls. In this paper, we identify all anomalies that could exist in a single- or multifirewall environment. We also present a set of techniques and algorithms to automatically discover policy anomalies in centralized and distributed firewalls. These techniques are implemented in a software tool called the "Firewall Policy Advisor" that simplifies the management of filtering rules and maintains the security of next-generation firewalls.

Original language	English
Pages (from-to)	2069-2083
Number of pages	15
Journal	IEEE Journal on Selected Areas in Communications
Volume	23
Issue number	10
DOIs	https://doi.org/10.1109/JSAC.2005.854119
State	Published - Oct 2005
Externally published	Yes

Bibliographical note

Funding Information:
Manuscript received May 1, 2004; revised December 4, 2004. This work was supported in part by the National Science Foundation under Grant DAS-0353168 and in part by Cisco Systems. Any opinions, findings, conclusions or recommendations stated in this material are those of the authors and do not necessarily reflect the views of the fundings sources.

Keywords

Firewall
Packet filter
Policy analysis
Policy conflict
Policy management
Security management

ASJC Scopus subject areas

Computer Networks and Communications
Electrical and Electronic Engineering

Access to Document

10.1109/JSAC.2005.854119

Cite this

@article{94172e5113544f65adba36b1bdf733f6,

title = "Conflict classification and analysis of distributed firewall policies",

abstract = "Firewalls are core elements in network security. However, managing firewall rules, particularly, in multifirewall enterprise networks, has become a complex and error-prone task. Firewall filtering rules have to be written, ordered, and distributed carefully in order to avoid firewall policy anomalies that might cause network vulnerability. Therefore, inserting or modifying filtering rules in any firewall requires thorough intrafirewall and interfirewall analysis to determine the proper rule placement and ordering in the firewalls. In this paper, we identify all anomalies that could exist in a single- or multifirewall environment. We also present a set of techniques and algorithms to automatically discover policy anomalies in centralized and distributed firewalls. These techniques are implemented in a software tool called the {"}Firewall Policy Advisor{"} that simplifies the management of filtering rules and maintains the security of next-generation firewalls.",

keywords = "Firewall, Packet filter, Policy analysis, Policy conflict, Policy management, Security management",

author = "Ehab Al-Shaer and Hazem Hamed and Raouf Boutaba and Masum Hasan",

note = "Funding Information: Manuscript received May 1, 2004; revised December 4, 2004. This work was supported in part by the National Science Foundation under Grant DAS-0353168 and in part by Cisco Systems. Any opinions, findings, conclusions or recommendations stated in this material are those of the authors and do not necessarily reflect the views of the fundings sources.",

year = "2005",

month = oct,

doi = "10.1109/JSAC.2005.854119",

language = "English",

volume = "23",

pages = "2069--2083",

journal = "IEEE Journal on Selected Areas in Communications",

issn = "0733-8716",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

number = "10",

}

TY - JOUR

T1 - Conflict classification and analysis of distributed firewall policies

AU - Al-Shaer, Ehab

AU - Hamed, Hazem

AU - Boutaba, Raouf

AU - Hasan, Masum

N1 - Funding Information: Manuscript received May 1, 2004; revised December 4, 2004. This work was supported in part by the National Science Foundation under Grant DAS-0353168 and in part by Cisco Systems. Any opinions, findings, conclusions or recommendations stated in this material are those of the authors and do not necessarily reflect the views of the fundings sources.

PY - 2005/10

Y1 - 2005/10

N2 - Firewalls are core elements in network security. However, managing firewall rules, particularly, in multifirewall enterprise networks, has become a complex and error-prone task. Firewall filtering rules have to be written, ordered, and distributed carefully in order to avoid firewall policy anomalies that might cause network vulnerability. Therefore, inserting or modifying filtering rules in any firewall requires thorough intrafirewall and interfirewall analysis to determine the proper rule placement and ordering in the firewalls. In this paper, we identify all anomalies that could exist in a single- or multifirewall environment. We also present a set of techniques and algorithms to automatically discover policy anomalies in centralized and distributed firewalls. These techniques are implemented in a software tool called the "Firewall Policy Advisor" that simplifies the management of filtering rules and maintains the security of next-generation firewalls.

AB - Firewalls are core elements in network security. However, managing firewall rules, particularly, in multifirewall enterprise networks, has become a complex and error-prone task. Firewall filtering rules have to be written, ordered, and distributed carefully in order to avoid firewall policy anomalies that might cause network vulnerability. Therefore, inserting or modifying filtering rules in any firewall requires thorough intrafirewall and interfirewall analysis to determine the proper rule placement and ordering in the firewalls. In this paper, we identify all anomalies that could exist in a single- or multifirewall environment. We also present a set of techniques and algorithms to automatically discover policy anomalies in centralized and distributed firewalls. These techniques are implemented in a software tool called the "Firewall Policy Advisor" that simplifies the management of filtering rules and maintains the security of next-generation firewalls.

KW - Firewall

KW - Packet filter

KW - Policy analysis

KW - Policy conflict

KW - Policy management

KW - Security management

UR - https://www.scopus.com/pages/publications/27644451689

U2 - 10.1109/JSAC.2005.854119

DO - 10.1109/JSAC.2005.854119

M3 - Article

AN - SCOPUS:27644451689

SN - 0733-8716

VL - 23

SP - 2069

EP - 2083

JO - IEEE Journal on Selected Areas in Communications

JF - IEEE Journal on Selected Areas in Communications

IS - 10

ER -

Conflict classification and analysis of distributed firewall policies

Abstract

Bibliographical note

Keywords

ASJC Scopus subject areas

Access to Document

Fingerprint

Cite this