DocumentCode :
2207279
Title :
Simultaneous Analysis of Time and Space for Conflict Detection in Time-Based Firewall Policies
Author :
Thanasegaran, Subana ; Tateiwa, Yuichiro ; Katayama, Yoshiaki ; Takahashi, Naohisa
Author_Institution :
Dept. of Comput. Sci. & Eng., Nagoya Inst. of Technol., Nagoya, Japan
fYear :
2010
fDate :
June 29 2010-July 1 2010
Firstpage :
1015
Lastpage :
1021
Abstract :
Firewalls are one of the most widely deployed mechanisms for protecting a network from unauthorized access and security threats. However, maintaining a firewall policy is an error-prone and complicated task in a dynamic network environment. A conflict is a misconfiguration that occurs when a packet matches two or more filters, resulting in shadowing or redundancy among those filters. Because the filters then no longer behave as intended, network administrators reconfigure them to minimize the effect of conflicts. Nowadays, time-based filters are used in CISCO firewalls and LINUX Iptables to control network traffic by time. A conflict occurs when a packet matches two or more time-based filters that are active at the same time. Detecting conflicts in time-based filters is necessary because the existing conflict detection techniques become ineffective: they do not consider the time dimension of the filters. Despite its significance, this problem has not been addressed in research. To resolve it, in this paper we propose an n+1 dimensional approach (where n is the number of key fields in a packet header) that detects conflicts by analyzing time and space simultaneously. We compute characterization vectors to detect the conflicting filters; this discards the non-conflicting filters in the initial stage of computation and removes unnecessary steps. Further, we implemented a prototype system and conducted experiments on time-based filters both with and without considering time. We found that approximately 50% of the conflicting filters become non-conflicting when time is considered. Hence, our conflict detection system for time-based filters reduces the administrator's workload, as the number of filters requiring reconfiguration is considerably reduced.
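As an added illustration of the n+1 dimensional idea in the abstract (this is example code, not the paper's prototype), the snippet below models each filter as n header-field ranges plus one active time interval and reports a conflict only when the pair overlaps in every dimension. The filter set, the field choice (src, dst, protocol, destination port) and the time encoding (minutes since Monday 00:00, one interval per filter) are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Tuple

Interval = Tuple[int, int]  # inclusive [lo, hi]


@dataclass(frozen=True)
class TimedFilter:
    """One time-based filter: n header-field ranges plus an active time window."""
    name: str
    src: str          # CIDR
    dst: str          # CIDR
    proto: Interval   # IP protocol number range (6 = TCP)
    dport: Interval   # destination port range
    active: Interval  # minutes since Monday 00:00 (constructed encoding)
    action: str


def _net_interval(cidr: str) -> Interval:
    net = ip_network(cidr)
    return int(net[0]), int(net[-1])


def _overlap(a: Interval, b: Interval) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]


def space_conflict(f: TimedFilter, g: TimedFilter) -> bool:
    """n-dimensional check: some packet header can match both filters."""
    dims = [(_net_interval(f.src), _net_interval(g.src)),
            (_net_interval(f.dst), _net_interval(g.dst)),
            (f.proto, g.proto), (f.dport, g.dport)]
    return all(_overlap(x, y) for x, y in dims)


def time_space_conflict(f: TimedFilter, g: TimedFilter) -> bool:
    """(n+1)-dimensional check: header overlap AND both filters active together."""
    return space_conflict(f, g) and _overlap(f.active, g.active)


def conflicting_pairs(filters: List[TimedFilter], consider_time: bool = True):
    check = time_space_conflict if consider_time else space_conflict
    return [(f.name, g.name) for i, f in enumerate(filters)
            for g in filters[i + 1:] if check(f, g)]


# Constructed sample policy: office-hours web allow, evening catch-all deny, etc.
FILTERS = [
    TimedFilter("r1", "10.0.0.0/24", "192.168.1.10/32", (6, 6), (80, 80), (540, 1020), "accept"),
    TimedFilter("r2", "10.0.0.0/16", "192.168.1.0/24", (6, 6), (0, 65535), (1080, 1439), "deny"),
    TimedFilter("r3", "10.0.0.0/24", "192.168.1.10/32", (6, 6), (443, 443), (540, 1020), "deny"),
    TimedFilter("r4", "10.0.0.0/24", "192.168.1.10/32", (6, 6), (80, 80), (600, 700), "deny"),
]
```

Running `conflicting_pairs(FILTERS, consider_time=False)` flags four pairs, while the time-aware check keeps only r1/r4, the one pair whose active windows actually intersect.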
Keywords :
Linux; authorisation; computer network security; CISCO firewalls; conflict detection; dynamic network environment; network administrators; packet matches; simultaneous analysis; time based firewall policies; Active filters; Fires; IP networks; Information filters; Matched filters; Topology; Packet filtering; firewall mis-configuration; time-based rules;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Computer and Information Technology (CIT), 2010 IEEE 10th International Conference on
Conference_Location :
Bradford
Print_ISBN :
978-1-4244-7547-6
Type :
conf
DOI :
10.1109/CIT.2010.186
Filename :
5578622