Novel algorithm for detecting conflicts in firewall rules

Firewalls are widely adopted for protecting private networks by filtering out undesired network traffic flowing into and out of secured networks, and they therefore play an important role in the security of communication systems. Verifying firewalls is a great challenge: their operation is dynamic, their configuration is highly error prone, and they are considered the first line of defense securing networks against attacks and unauthorized access. In this paper, we present a formal model for firewall rulebases and a novel algorithm for detecting and identifying conflicts in a firewall rulebase. Our algorithm is based on calculating the conflict set of firewall configurations using domain restriction. We show that the algorithm terminates, then apply it to a firewall rulebase example.
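As an added illustration of what a rulebase conflict set is (not the paper's model or algorithm), the following code treats each rule as a relation from a packet domain (source, destination, port intervals) to an action, and reports every pair of rules whose domains overlap while their actions differ, together with the overlapping sub-domain; the rule names, field set and sample rulebase are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
Range = Tuple[int, int]  # inclusive integer interval

def cidr_range(cidr: str) -> Range:
    """Map a CIDR block to the inclusive interval of its integer addresses."""
    net = ipaddress.ip_network(cidr)
    return (int(net[0]), int(net[-1]))

@dataclass(frozen=True)
class Rule:
    name: str
    src: Range    # source addresses
    dst: Range    # destination addresses
    dport: Range  # destination ports
    action: str   # "accept" or "deny"

def intersect(a: Range, b: Range) -> Optional[Range]:
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else None

def shared_domain(r1: Rule, r2: Rule) -> Optional[Dict[str, Range]]:
    """Sub-domain of packets matched by both rules, or None when disjoint."""
    fields = ("src", "dst", "dport")
    parts = [intersect(getattr(r1, f), getattr(r2, f)) for f in fields]
    if any(p is None for p in parts):
        return None
    return dict(zip(fields, parts))

def conflict_set(rules: List[Rule]) -> List[Tuple[str, str, Dict[str, Range]]]:
    """Illustrative conflict set (not the paper's algorithm): rule pairs whose
    match domains overlap while their actions differ, with that overlap."""
    conflicts = []
    for i, r1 in enumerate(rules):
        for r2 in rules[i + 1:]:
            if r1.action == r2.action:
                continue  # same decision on the overlap: no conflict
            shared = shared_domain(r1, r2)
            if shared is not None:
                conflicts.append((r1.name, r2.name, shared))
    return conflicts

# Constructed sample rulebase (not from the paper): r2 and r4 decide part of r1's domain differently.
RULEBASE = [
    Rule("r1", cidr_range("10.0.0.0/24"), cidr_range("192.168.1.10/32"), (80, 80), "accept"),
    Rule("r2", cidr_range("10.0.0.0/16"), cidr_range("192.168.1.0/24"), (80, 443), "deny"),
    Rule("r3", cidr_range("172.16.0.0/12"), cidr_range("192.168.1.0/24"), (22, 22), "accept"),
    Rule("r4", cidr_range("10.0.0.0/24"), cidr_range("192.168.1.10/32"), (80, 80), "deny"),
]
```

Whether an overlap with differing actions is a genuine error depends on rule order and intent in a first-match firewall; the conflict set only identifies the packet sub-domains that an administrator must review.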
