TY - GEN
T1 - Measuring firewall security
AU - Al-Haj, Saeed
AU - Al-Shaer, Ehab
PY - 2011
Y1 - 2011
N2 - In recent years, more attention has been given to firewalls, as they are considered the cornerstone of cyber defense perimeters. The ability to measure the quality of protection of a firewall policy is a key step in assessing the defense level of any network. To accomplish this task, it is important to define objective metrics that are formally provable and practically useful. In this work, we propose a set of metrics that can objectively evaluate and compare the hardness and similarities of access policies of single firewalls based on rule tightness, the distribution of the allowed traffic, and security requirements. In order to analyze firewall policies based on the policy semantics, we used a canonical representation of firewall rules using Binary Decision Diagrams (BDDs), regardless of the rules' format and representation. The contribution of this work comes in measuring and comparing firewall security deterministically in terms of security compliance and weakness in order to optimize security policy and engineering.
AB - In recent years, more attention has been given to firewalls, as they are considered the cornerstone of cyber defense perimeters. The ability to measure the quality of protection of a firewall policy is a key step in assessing the defense level of any network. To accomplish this task, it is important to define objective metrics that are formally provable and practically useful. In this work, we propose a set of metrics that can objectively evaluate and compare the hardness and similarities of access policies of single firewalls based on rule tightness, the distribution of the allowed traffic, and security requirements. In order to analyze firewall policies based on the policy semantics, we used a canonical representation of firewall rules using Binary Decision Diagrams (BDDs), regardless of the rules' format and representation. The contribution of this work comes in measuring and comparing firewall security deterministically in terms of security compliance and weakness in order to optimize security policy and engineering.
UR - https://www.scopus.com/pages/publications/84855862400
U2 - 10.1109/SafeConfig.2011.6111669
DO - 10.1109/SafeConfig.2011.6111669
M3 - Conference contribution
AN - SCOPUS:84855862400
SN - 9781467304016
T3 - 2011 4th Symposium on Configuration Analytics and Automation, SAFECONFIG 2011
BT - 2011 4th Symposium on Configuration Analytics and Automation, SAFECONFIG 2011
T2 - IEEE 4th Symposium on Configuration Analytics and Automation, SAFECONFIG 2011
Y2 - 31 October 2011 through 1 November 2011
ER -