Firewall Policy Modeling, Analysis and Simulation: A Survey

Computer firewalls are widely used for security policy enforcement and access control. Current firewalls use various processing models and are configured using their own policy description languages. In this paper we survey research efforts in the formalization of firewall operational semantics and policy description languages, and the application of such formal models and languages to firewall simulation, policy optimization, detection of configuration errors, and enterprise security policy compliance testing.
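The configuration-error detection the survey refers to is usually built on a formal first-match model of the rule base: a rule whose entire match set is already covered by an earlier rule can never fire, and is a shadowing anomaly if the actions differ or a redundancy if they agree. The following is an added illustration (not code from the survey or any of the tools it covers) of that check on a constructed five-rule policy; the `Rule` type, the `covers` predicate and the sample addresses are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network

# Constructed first-match policy model for this example (not the survey's own code).
@dataclass(frozen=True)
class Rule:
    name: str
    proto: str              # "tcp", "udp" or "any"
    src: IPv4Network
    dst: IPv4Network
    dports: tuple           # inclusive destination-port range (low, high)
    action: str             # "allow" or "deny"

def covers(a: Rule, b: Rule) -> bool:
    """True when every packet matched by b is also matched by a (b's match set is a subset of a's)."""
    return ((a.proto == "any" or a.proto == b.proto)
            and b.src.subnet_of(a.src)
            and b.dst.subnet_of(a.dst)
            and a.dports[0] <= b.dports[0] <= b.dports[1] <= a.dports[1])

def find_anomalies(rules):
    """Under first-match evaluation a rule fully covered by an earlier rule can never fire:
    it is 'shadowed' if the actions differ (a real policy error) and 'redundant' if they agree."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                found.append((later.name, kind, earlier.name))
                break   # report only the highest-priority covering rule
    return found

def sample_policy():
    """Constructed rule set: R2 is shadowed by R1, R5 is redundant with R4, R3 is clean."""
    n = ip_network
    return [
        Rule("R1", "tcp", n("10.0.0.0/8"),   n("192.168.1.10/32"), (80, 80),   "allow"),
        Rule("R2", "tcp", n("10.0.1.0/24"),  n("192.168.1.10/32"), (80, 80),   "deny"),
        Rule("R3", "tcp", n("10.0.0.0/8"),   n("192.168.1.0/24"),  (443, 443), "allow"),
        Rule("R4", "udp", n("0.0.0.0/0"),    n("0.0.0.0/0"),       (53, 53),   "allow"),
        Rule("R5", "udp", n("10.0.0.0/8"),   n("8.8.8.8/32"),      (53, 53),   "allow"),
    ]

if __name__ == "__main__":
    for rule, kind, by in find_anomalies(sample_policy()):
        print(f"{rule} is {kind} by {by}")
```

The check covers only full containment by a single earlier rule; partial overlaps (generalization and correlation anomalies) and redundancy of an earlier rule with respect to a later one need the additional cases the surveyed work describes.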
