Abstract
A security policy consists of a set of rules designed to protect an information system. To provide that protection, the rules must be deployed on the security components in a consistent and non-redundant manner. Unfortunately, network administrators often adopt an empirical approach to deployment, to the detriment of theoretical validation. While the literature on the analysis of first-generation (stateless) firewall configurations is now rich, this is not the case for second- and third-generation firewalls, also known as stateful firewalls. In this paper, we address this limitation and provide solutions to analyze and handle stateful firewall anomalies and misconfigurations.
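The two classes of problem the abstract names, rule-to-rule anomalies in a first-match rule set (shadowing, redundancy) and stateful misconfigurations that a stateless analysis cannot see, can be illustrated on a small constructed policy. The checker below is an added example written for this page; it is not the paper's method or tool, and its rule syntax, sample policy and reply-witness heuristic (one ESTABLISHED packet on an assumed ephemeral port, `REPLY_PORT`) are assumptions made here. The stateful check it implements is deliberately simple: a rule that admits NEW connections whose reply traffic the rule set then drops.

```python
"""Rule-set anomaly checker for a first-match stateful firewall.

Added example for this page: it is not the paper's algorithm or tool. The rule
syntax, the sample policy and the witness-packet heuristic are constructed here.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import List, Optional, Tuple

Port = Tuple[int, int]                     # inclusive destination-port range
Packet = Tuple[str, str, str, int, str]    # (proto, src, dst, dport, state)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str               # "ACCEPT" or "DROP"
    proto: str                # "tcp", "udp" or "any"
    src: IPv4Network
    dst: IPv4Network
    dport: Port               # (0, 65535) means any port
    state: Optional[str]      # "NEW", "ESTABLISHED" or None (= either state)


def parse_ports(spec: str) -> Port:
    if spec == "any":
        return (0, 65535)
    lo, _, hi = spec.partition("-")
    return (int(lo), int(hi or lo))


def load(text: str) -> List[Rule]:
    """Constructed line format: name action proto src dst dport state."""
    rules = []
    for line in text.strip().splitlines():
        name, action, proto, src, dst, dport, state = line.split()
        rules.append(Rule(name, action, proto, ip_network(src), ip_network(dst),
                          parse_ports(dport), None if state == "any" else state))
    return rules


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet matched by `inner` is also matched by `outer`."""
    return ((outer.proto == "any" or outer.proto == inner.proto)
            and (outer.state is None or outer.state == inner.state)
            and inner.src.subnet_of(outer.src) and inner.dst.subnet_of(outer.dst)
            and outer.dport[0] <= inner.dport[0] and inner.dport[1] <= outer.dport[1])


def matches(rule: Rule, pkt: Packet) -> bool:
    proto, src, dst, dport, state = pkt
    return ((rule.proto == "any" or rule.proto == proto)
            and (rule.state is None or rule.state == state)
            and ip_address(src) in rule.src and ip_address(dst) in rule.dst
            and rule.dport[0] <= dport <= rule.dport[1])


def decide(rules: List[Rule], pkt: Packet, default: str = "DROP") -> Tuple[str, str]:
    """First-match evaluation; returns (verdict, name of the deciding rule)."""
    for r in rules:
        if matches(r, pkt):
            return r.action, r.name
    return default, "default"


def stateless_anomalies(rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """Shadowing (covered by an earlier rule with another action) and
    redundancy (covered by an earlier rule with the same action)."""
    findings = []
    for j, r in enumerate(rules):
        for p in rules[:j]:
            if covers(p, r):
                kind = "redundant" if p.action == r.action else "shadowed"
                findings.append((kind, r.name, p.name))
                break            # the first covering rule already makes r unreachable
    return findings


REPLY_PORT = 40000   # assumption: the reply lands on an ephemeral client port


def reply_witness(rule: Rule) -> Packet:
    """One reply packet of a connection admitted by `rule`
    (addresses are the first of each range, state is ESTABLISHED)."""
    proto = "tcp" if rule.proto == "any" else rule.proto
    return (proto, str(rule.dst.network_address), str(rule.src.network_address),
            REPLY_PORT, "ESTABLISHED")


def stateful_anomalies(rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """A rule that admits new connections whose reply traffic the rule set drops."""
    findings = []
    for r in rules:
        if r.action == "ACCEPT" and r.state != "ESTABLISHED":
            verdict, by = decide(rules, reply_witness(r))
            if verdict != "ACCEPT":
                findings.append(("reply-dropped", r.name, by))
    return findings


# Constructed sample policy (not from the paper): r1 only tracks replies towards 10/8.
POLICY = """
r1 ACCEPT any 192.168.1.0/24 10.0.0.0/8      any  ESTABLISHED
r2 ACCEPT tcp 10.0.0.0/8     192.168.1.10/32 80   NEW
r3 ACCEPT tcp 10.0.1.0/24    192.168.1.10/32 80   NEW
r4 DROP   tcp 10.0.0.0/8     192.168.1.10/32 443  any
r5 ACCEPT tcp 10.0.2.0/24    192.168.1.10/32 443  NEW
r6 ACCEPT tcp 172.16.0.0/12  192.168.1.20/32 22   NEW
r7 DROP   any 0.0.0.0/0      0.0.0.0/0       any  any
"""

if __name__ == "__main__":
    rs = load(POLICY)
    for kind, rule, other in stateless_anomalies(rs) + stateful_anomalies(rs):
        print(f"{kind}: {rule} (because of {other})")
```

On the sample policy the stateless pass reports r3 as redundant with r2 and r5 as shadowed by r4, which a stateless analyzer would also find. The stateful pass reports r6: its SSH connections are admitted, but their replies from 192.168.1.20 to 172.16.0.0/12 match neither the ESTABLISHED rule r1 (whose destination is limited to 10.0.0.0/8) nor any explicit rule, so r7 drops them and the connection never completes. The witness packet is a counterexample, not a proof of correctness for the other rules; a complete analysis would reason over the whole reply flow space rather than one representative packet.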
Copyright information
© 2012 IFIP International Federation for Information Processing
About this paper
Cite this paper
Cuppens, F., Cuppens-Boulahia, N., Garcia-Alfaro, J., Moataz, T., Rimasson, X. (2012). Handling Stateful Firewall Anomalies. In: Gritzalis, D., Furnell, S., Theoharidou, M. (eds) Information Security and Privacy Research. SEC 2012. IFIP Advances in Information and Communication Technology, vol 376. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-30436-1_15
DOI: https://doi.org/10.1007/978-3-642-30436-1_15
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-30435-4
Online ISBN: 978-3-642-30436-1
eBook Packages: Computer Science (R0)