DocumentCode
2235482
Title
Inconsistency Detection System for Security Policy and Firewall Policy
Author
Yin, Yi ; Xu, Xiaodong ; Katayama, Yoshiaki ; Takahashi, Naohisa
Author_Institution
Sch. of Comput. Sci. & Technol., Nanjing Normal Univ., Nanjing, China
fYear
2010
fDate
17-19 Nov. 2010
Firstpage
294
Lastpage
297
Abstract
Packet filtering in a firewall either accepts or denies network packets based upon a set of pre-defined filters called the firewall policy. The firewall policy is designed under the guidance of the security policy. A network security policy is a generic document that outlines the requirements for computer network access permissions, and it determines how firewall filters are designed. If inconsistencies, such as redundant filters, insufficient filters or contradictory filters, exist between the security policy and the firewall policy, the firewall policy cannot filter packets exactly, and the network protected by the firewall will be affected. To resolve this problem, we propose an inconsistency detection system that detects inconsistencies between the security policy and the firewall policy. When the administrator cannot obtain host IP addresses, port numbers and other specific values, our proposed system transforms, according to the network configuration, the network security policy and the firewall policy into the same range values, then represents and analyzes their spatial relationships to detect inconsistencies. The proposed system has been successfully implemented in a prototype system, and we have confirmed its effectiveness.
Keywords
IP networks; authorisation; computer network security; IP address; computer network access permission; firewall policy; generic document; inconsistency detection system; network configuration; network packet; network security policy; packet filtering; port number; predefined filter; firewall; inconsistency detection; security policy;
fLanguage
English
Publisher
ieee
Conference_Titel
Networking and Computing (ICNC), 2010 First International Conference on
Conference_Location
Higashi-Hiroshima
Print_ISBN
978-1-4244-8918-3
Electronic_ISBN
978-0-7695-4277-5
Type
conf
DOI
10.1109/IC-NC.2010.45
Filename
5695255