DocumentCode
3570847
Title
Detecting and resolving inconsistencies in firewalls
Author
Du Zhang ; Jujjavarapu, Lavanya ; Meiliu Lu
Author_Institution
Dept. of Comput. Sci., California State Univ., Sacramento, CA, USA
fYear
2014
Firstpage
1
Lastpage
7
Abstract
Firewalls are a defense mechanism for network security. Today, firewalls have played a pivotal role in a wide spectrum of circumstances, from enterprise networks to home networks. Firewall rules have their execution semantics. Firewalls are often networked to establish perimeters for different parts of an enterprise with differing security policy requirements. Hence, rules in intra-firewall and inter-firewall settings interact, sometimes creating unintended side-effects. The complexity in utilizing firewalls to implement consistent and coherent security policies to safeguard enterprise networks poses great challenges to the network security as a whole. A major challenge is firewall inconsistencies that compromise the effectiveness of firewall protection. In this paper, we propose an approach to detecting and resolving major types of firewall inconsistencies. We describe our detection algorithms and resolution strategies to firewall inconsistencies, and report some initial results of a tool implementing the proposed approach. The main contribution of our work lies in the fact that our approach takes advantage of two necessary conditions in firewall inconsistencies, resulting in a more effective detection method.
Keywords
firewalls; detection algorithms; enterprise networks; execution semantics; firewall inconsistencies; firewall protection; home networks; network security; resolution strategies; security policy requirements; Communication networks; Computer crime; Detection algorithms; Electronics packaging; Firewalls (computing); Protocols; access control lists; detection and resolution of firewall inconsistencies; firewall inconsistencies; firewall path; firewalls;
fLanguage
English
Publisher
IEEE
Conference_Titel
Information Reuse and Integration (IRI), 2014 IEEE 15th International Conference on
Type
conf
DOI
10.1109/IRI.2014.7051864
Filename
7051864