
Safe and Efficient Strategies for Updating Firewall Policies

  • Conference paper
Trust, Privacy and Security in Digital Business (TrustBus 2010)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 6264)

Abstract

Due to the large size and complex structure of modern networks, firewall policies can contain several thousand rules. Policies of this size and complexity require automated tools that provide a user-friendly environment to specify, configure and safely deploy a target policy. Deploying a policy on a firewall that is online is a difficult and error-prone task: the rules are applied one at a time, and the intermediate policies the firewall passes through may cause self-denial of service (self-DoS) and/or temporary security breaches. In this paper, we provide correct, efficient and safe algorithms for two important classes of policy editing. Our experimental results show that these algorithms are fast and can be used safely even for deploying large policies.

This work has been supported by the INRIA ARC 2010 ACCESS and FP7-ICT-2007-1 Project No. 216471 AVANTSSAR.
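The two failure modes named in the abstract, self-DoS and temporary breach, arise because an online deployment applies an edit script to the running policy one operation at a time. The following is an added illustration, not the paper's model, algorithms or code: a toy first-match firewall, two constructed policy updates, and a checker that flags unsafe intermediate states under an assumed safety criterion (an intermediate policy must not accept a packet that both the initial and the target policy deny, nor deny a packet that both accept). The rule format, host labels, ports, policies and edit scripts are all constructed for the example.

```python
"""Rule-by-rule (online) firewall policy deployment and a safety check for its
intermediate states. Added illustration: the rule format, packet space, policies,
edit scripts and safety criterion are assumptions made for this example, not the
paper's model or algorithms."""
from dataclasses import dataclass
from itertools import product
from typing import List, Optional, Tuple

Packet = Tuple[str, int]  # (source host label, destination port)


@dataclass(frozen=True)
class Rule:
    src: str              # "any" or a host label
    dport: Optional[int]  # None matches every port
    action: str           # "allow" or "deny"

    def matches(self, pkt: Packet) -> bool:
        src, dport = pkt
        src_ok = self.src == "any" or self.src == src
        port_ok = self.dport is None or self.dport == dport
        return src_ok and port_ok


def decide(policy: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First-match semantics: the first rule matching the packet decides."""
    for rule in policy:
        if rule.matches(pkt):
            return rule.action
    return default


# Constructed packet space: small enough to enumerate exhaustively.
HOSTS = ["admin", "lan", "internet"]
PORTS = [22, 80, 445]
PACKETS: List[Packet] = list(product(HOSTS, PORTS))


def unsafe_packets(initial, target, intermediate):
    """Safety criterion assumed here: an intermediate policy must not accept a
    packet that both the initial and the target policy deny (temporary breach),
    nor deny a packet that both accept (self-DoS). Returns both lists."""
    breaches, self_dos = [], []
    for pkt in PACKETS:
        before, after, now = (decide(initial, pkt), decide(target, pkt),
                              decide(intermediate, pkt))
        if before == after == "deny" and now == "allow":
            breaches.append(pkt)
        elif before == after == "allow" and now == "deny":
            self_dos.append(pkt)
    return breaches, self_dos


def apply_edits(policy, edits):
    """Apply an edit script one operation at a time (as an online deployment
    would) and return every intermediate policy. Operations:
    ("insert", index, rule) and ("delete", index)."""
    states, current = [], list(policy)
    for op, index, *rule in edits:
        if op == "insert":
            current.insert(index, rule[0])
        elif op == "delete":
            del current[index]
        else:
            raise ValueError(f"unknown edit {op!r}")
        states.append(list(current))
    return states


def check_deployment(initial, target, edits):
    """Return (step, breaches, self_dos) for every unsafe intermediate state.
    An empty list means the edit script can be deployed rule by rule safely."""
    states = apply_edits(initial, edits)
    if states[-1] != target:
        raise ValueError("edit script does not reach the target policy")
    problems = []
    for step, state in enumerate(states, 1):
        breaches, self_dos = unsafe_packets(initial, target, state)
        if breaches or self_dos:
            problems.append((step, breaches, self_dos))
    return problems


# Scenario A (constructed): narrow the admin host from "any port" to SSH only
# and add an explicit SMB block. Deleting the broad allow first cuts admin
# SSH while the new allow is not yet in place: self-DoS.
ALLOW_ADMIN_ANY = Rule("admin", None, "allow")
ALLOW_ADMIN_22 = Rule("admin", 22, "allow")
ALLOW_ANY_80 = Rule("any", 80, "allow")
DENY_ANY_445 = Rule("any", 445, "deny")
INITIAL_A = [ALLOW_ADMIN_ANY, ALLOW_ANY_80]
TARGET_A = [DENY_ANY_445, ALLOW_ADMIN_22, ALLOW_ANY_80]
NAIVE_A = [("delete", 0), ("insert", 0, ALLOW_ADMIN_22), ("insert", 0, DENY_ANY_445)]
SAFE_A = [("insert", 0, ALLOW_ADMIN_22), ("delete", 1), ("insert", 0, DENY_ANY_445)]

# Scenario B (constructed): open SSH to everyone except the internet. Adding
# the allow before its guarding deny exposes internet:22 for one step:
# temporary breach.
DENY_INTERNET_22 = Rule("internet", 22, "deny")
ALLOW_ANY_22 = Rule("any", 22, "allow")
INITIAL_B = [ALLOW_ANY_80]
TARGET_B = [DENY_INTERNET_22, ALLOW_ANY_22, ALLOW_ANY_80]
NAIVE_B = [("insert", 0, ALLOW_ANY_22), ("insert", 0, DENY_INTERNET_22)]
SAFE_B = [("insert", 0, DENY_INTERNET_22), ("insert", 1, ALLOW_ANY_22)]

if __name__ == "__main__":
    for name, args in [("A naive", (INITIAL_A, TARGET_A, NAIVE_A)),
                       ("A safe", (INITIAL_A, TARGET_A, SAFE_A)),
                       ("B naive", (INITIAL_B, TARGET_B, NAIVE_B)),
                       ("B safe", (INITIAL_B, TARGET_B, SAFE_B))]:
        print(name, check_deployment(*args) or "safe")
```

Both naive scripts reach the same target as the safe ones; only the order of operations differs, and that order is what decides whether step 1 is safe. The safe scripts follow the pattern of adding a narrower allow before removing the broader one, and adding a guarding deny before the allow it guards. Exhaustive enumeration over a handful of packets is only viable for a toy; on real header spaces the same criterion has to be evaluated with a packet-classification or policy-equivalence technique rather than by brute force.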




Copyright information

© 2010 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Ahmed, Z., Imine, A., Rusinowitch, M. (2010). Safe and Efficient Strategies for Updating Firewall Policies. In: Katsikas, S., Lopez, J., Soriano, M. (eds) Trust, Privacy and Security in Digital Business. TrustBus 2010. Lecture Notes in Computer Science, vol 6264. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-15152-1_5


  • DOI: https://doi.org/10.1007/978-3-642-15152-1_5

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-15151-4

  • Online ISBN: 978-3-642-15152-1
