DocumentCode :
1181669
Title :
Conflict classification and analysis of distributed firewall policies
Author :
Al-Shaer, Ehab ; Hamed, Hazem ; Boutaba, Raouf ; Hasan, Masum
Author_Institution :
Telecommun. & Inf. Syst., DePaul Univ., Chicago, IL, USA
Volume :
23
Issue :
10
fYear :
2005
Firstpage :
2069
Lastpage :
2084
Abstract :
Firewalls are core elements in network security. However, managing firewall rules, particularly in multifirewall enterprise networks, has become a complex and error-prone task. Firewall filtering rules have to be written, ordered, and distributed carefully in order to avoid firewall policy anomalies that might cause network vulnerability. Therefore, inserting or modifying filtering rules in any firewall requires thorough intrafirewall and interfirewall analysis to determine the proper rule placement and ordering in the firewalls. In this paper, we identify all anomalies that could exist in a single- or multifirewall environment. We also present a set of techniques and algorithms to automatically discover policy anomalies in centralized and distributed firewalls. These techniques are implemented in a software tool called the "Firewall Policy Advisor" that simplifies the management of filtering rules and maintains the security of next-generation firewalls.
Keywords :
authorisation; business communication; computer network management; information filters; software tools; telecommunication security; centralized firewall; conflict classification; distributed firewall policy anomaly; firewall filtering rule; firewall policy advisor; multifirewall enterprise network; network security management; packet filter; policy anomaly; Computer science; Defense industry; Home automation; IP networks; Information filtering; Information filters; Matched filters; Software tools; Technology management; Telecommunication traffic; Firewall; packet filter; policy analysis; policy conflict; policy management; security management;
fLanguage :
English
Journal_Title :
Selected Areas in Communications, IEEE Journal on
Publisher :
ieee
ISSN :
0733-8716
Type :
jour
DOI :
10.1109/JSAC.2005.854119
Filename :
1514536