Fault Localization for Firewall Policies

Firewalls are the mainstay of enterprise security and the most widely adopted technology for protecting private networks, so ensuring the correctness of firewall policies through testing is important. In firewall policy testing, test inputs are packets and test outputs are decisions. A packet whose evaluated decision is unexpected is classified as a failed test, and one whose decision is as expected as a passed test. Given failed tests together with passed tests, policy testers need to debug the policy to detect fault locations (such as faulty rules), a process that is often time-consuming. To help reduce the effort of detecting fault locations, we propose an approach that reduces the number of rules requiring inspection, based on information collected while evaluating the failed tests. Our approach then ranks the reduced set of rules to decide which rules should be inspected first. We performed experiments applying our approach; the empirical results show that it can reduce by 56% the number of rules that must be inspected during fault localization.
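The reduce-then-rank idea in the abstract, as an added example that is not the paper's code: a constructed first-match policy with a planted faulty rule, test packets with expected decisions, and a localizer that records which rule fired for each test, keeps only rules that fired for a failed test, and ranks those. The toy rule format and the Tarantula-style suspiciousness score are assumptions; the page does not give the paper's own ranking formula.

```python
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "rid src port decision")

# Constructed first-match policy. r2 is the planted fault: telnet (port 23) should be denied.
POLICY = [
    Rule("r1", "10.0.0.0/8", 22, "accept"),
    Rule("r2", "10.0.0.0/8", 23, "accept"),  # faulty rule
    Rule("r3", "any", 80, "accept"),
    Rule("r4", "any", None, "deny"),         # default rule, matches every packet
]

# Constructed tests: (packet, expected decision). Two failures expose r2, one lands on r3.
TESTS = [
    ({"src": "10.1.1.1", "port": 22}, "accept"),
    ({"src": "10.1.1.2", "port": 23}, "deny"),
    ({"src": "10.1.1.3", "port": 23}, "deny"),
    ({"src": "192.168.1.1", "port": 80}, "accept"),
    ({"src": "192.168.1.2", "port": 443}, "deny"),
    ({"src": "172.16.0.1", "port": 80}, "deny"),
]

def matches(rule, pkt):
    src_ok = rule.src == "any" or ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(rule.src)
    return src_ok and (rule.port is None or rule.port == pkt["port"])

def evaluate(policy, pkt):
    """First-match evaluation: returns (decision, id of the rule that fired)."""
    for rule in policy:
        if matches(rule, pkt):
            return rule.decision, rule.rid
    return "deny", None  # implicit deny when nothing matches

def localize(policy, tests):
    """Reduce the policy to rules that fired for a failed test, then rank them.
    Ranking uses the Tarantula suspiciousness formula (an assumption, not the paper's)."""
    failed, passed = {}, {}
    for pkt, expected in tests:
        decision, rid = evaluate(policy, pkt)
        counts = passed if decision == expected else failed   # passed vs failed test
        counts[rid] = counts.get(rid, 0) + 1
    n_failed, n_passed = sum(failed.values()), sum(passed.values())
    ranked = []
    for rid in failed:   # rules never touched by a failed test are dropped from inspection
        f = failed[rid] / n_failed
        p = passed.get(rid, 0) / n_passed if n_passed else 0.0
        ranked.append((rid, f / (f + p)))
    return sorted(ranked, key=lambda x: x[1], reverse=True)
```

On this input only two of the four rules remain for inspection, with the planted fault r2 ranked first.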
