Title:
Analysis of Application-Layer Filtering Policies With Application to HTTP
Author:
Basile, Cataldo; Lioy, Antonio
Author_Institution:
Dip. Autom. e Inf., Politec. di Torino, Turin, Italy
Abstract:
Application firewalls are increasingly used to inspect upper-layer protocols (such as HTTP) that are the target or vehicle of several attacks and are not properly addressed by network firewalls. Like other security controls, application firewalls need to be carefully configured, as configuration errors have a significant impact on service security and availability. However, no technique is currently available to analyze their configuration for correctness and consistency. This paper extends a previous model for the analysis of packet filters to policy anomaly analysis in application firewalls. Both rule-pair and multirule anomalies are detected, hence reducing the likelihood of conflicting and suboptimal configurations. The expressiveness of this model has been successfully tested against the features of Squid, a popular Web caching proxy offering various access control capabilities. The tool implementing this model has been tested on various scenarios and exhibits good performance.
Keywords:
Internet; authorisation; firewalls; transport protocols; HTTP; Squid Web caching proxy; access control capabilities; application firewalls; application-layer filtering policies; multirule anomalies; packet filters; policy anomaly analysis; rule-pair anomalies; service security; upper-layer protocols; Access control; Analytical models; IEEE transactions; IP networks; Logic gates; Protocols; Application gateway; firewall; policy anomalies; policy conflicts; proxy; regular expressions
Journal_Title:
IEEE/ACM Transactions on Networking
DOI:
10.1109/TNET.2013.2293625