Reducing the Size of Rule Set in a Firewall

A firewall's complexity is known to increase with the size of its rule set, and complex firewalls are more likely to contain configuration errors that open security loopholes. Until now, two rules could be merged into one only when they are identical in every dimension except one, and their values in that one dimension are adjacent to each other. In this paper, we propose a new and more aggressive reduction algorithm that finds a group of rules and replaces it with a smaller new group, so that the total size of the rule set is reduced. No previous work can achieve this, because all of them eliminate rules only when those rules are made redundant by other rules in the same rule set. The proposed algorithm is also orthogonal to the previous works, so it can be used to supplement them.
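The following is an added example, not code from the paper and not the paper's proposed algorithm. It implements the classical one-dimension merge the abstract describes as the prior state of the art, an exhaustive equivalence check that verifies any rewrite preserves the firewall's decisions, and a redundancy test of the kind earlier work relies on. It then shows, on a hand-constructed rule set, the phenomenon the abstract points at: four accept rules, none of which is redundant and none of which the one-dimension merge can combine, are equivalent to a smaller two-rule group once first-match ordering is exploited. The rule format, first-match semantics with a default deny, and the small two-dimensional integer address space used for brute-force checking are all assumptions made for this example.

```python
from dataclasses import dataclass
from itertools import product
from typing import List, Optional, Tuple

Range = Tuple[int, int]  # inclusive [lo, hi] on one header field


@dataclass(frozen=True)
class Rule:
    fields: Tuple[Range, ...]  # one range per dimension, e.g. (src, dst)
    action: str                # "accept" or "deny"

    def matches(self, packet: Tuple[int, ...]) -> bool:
        return all(lo <= v <= hi for (lo, hi), v in zip(self.fields, packet))


def first_match(rules: List[Rule], packet: Tuple[int, ...], default: str = "deny") -> str:
    """Assumed semantics: the first matching rule decides; otherwise the default applies."""
    for r in rules:
        if r.matches(packet):
            return r.action
    return default


def try_merge(a: Rule, b: Rule) -> Optional[Rule]:
    """Classical merge: same action, identical in all dimensions but one,
    and the two ranges in that dimension overlap or are adjacent."""
    if a.action != b.action or len(a.fields) != len(b.fields):
        return None
    differing = [i for i, (x, y) in enumerate(zip(a.fields, b.fields)) if x != y]
    if len(differing) != 1:
        return None
    i = differing[0]
    (alo, ahi), (blo, bhi) = a.fields[i], b.fields[i]
    if alo > bhi + 1 or blo > ahi + 1:  # a gap between the ranges: not mergeable
        return None
    merged = list(a.fields)
    merged[i] = (min(alo, blo), max(ahi, bhi))
    return Rule(tuple(merged), a.action)


def merge_consecutive(rules: List[Rule]) -> List[Rule]:
    """Merge neighbouring mergeable rules. Only list-adjacent rules are merged,
    so no other rule can slip between them and first-match semantics are kept."""
    out: List[Rule] = []
    for r in rules:
        if out:
            m = try_merge(out[-1], r)
            if m is not None:
                out[-1] = m
                continue
        out.append(r)
    return out


def equivalent(rules_a: List[Rule], rules_b: List[Rule],
               domain: Tuple[Range, ...], default: str = "deny") -> bool:
    """Exhaustive check over a small address space: identical decision for every packet.
    This is the safety check any rule-set rewrite should pass before deployment."""
    axes = [range(lo, hi + 1) for lo, hi in domain]
    return all(first_match(rules_a, p, default) == first_match(rules_b, p, default)
               for p in product(*axes))


def redundant_rules(rules: List[Rule], domain: Tuple[Range, ...], default: str = "deny") -> List[int]:
    """Indices of rules whose removal changes no decision: what redundancy removal eliminates."""
    return [i for i in range(len(rules))
            if equivalent(rules, rules[:i] + rules[i + 1:], domain, default)]


# Constructed sample data: a 10x10 (src, dst) address space.
DOMAIN: Tuple[Range, ...] = ((0, 9), (0, 9))

# Two accept rules that differ only in src and are adjacent there: the classical merge applies.
PAIR = [Rule(((0, 4), (0, 9)), "accept"), Rule(((5, 9), (0, 9)), "accept")]

# Accept everything except the centre block [3,6]x[3,6], written as four accept
# boxes. No two are mergeable along one dimension and none is redundant.
RING_FOUR = [
    Rule(((0, 9), (0, 2)), "accept"),  # bottom strip
    Rule(((0, 9), (7, 9)), "accept"),  # top strip
    Rule(((0, 2), (3, 6)), "accept"),  # left of the hole
    Rule(((7, 9), (3, 6)), "accept"),  # right of the hole
]

# The same policy as a smaller group: deny the hole first, then accept the rest.
RING_TWO = [
    Rule(((3, 6), (3, 6)), "deny"),
    Rule(((0, 9), (0, 9)), "accept"),
]


def demo() -> dict:
    """Run the three checks and return their results."""
    return {
        "pair_merged_to": len(merge_consecutive(PAIR)),
        "ring_after_merge": len(merge_consecutive(RING_FOUR)),
        "ring_redundant": redundant_rules(RING_FOUR, DOMAIN),
        "ring_two_equivalent": equivalent(RING_FOUR, RING_TWO, DOMAIN),
    }


if __name__ == "__main__":
    print(demo())
```

The equivalence check is what makes the aggressive rewrite safe to apply: a group replacement that is not verified packet-for-packet (or by a symbolic equivalent on real address spaces) is exactly the kind of change that introduces the configuration errors the paper is trying to reduce.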
