Handling Stateful Firewall Anomalies

  • Frédéric Cuppens
  • Nora Cuppens-Boulahia
  • Joaquin Garcia-Alfaro
  • Tarik Moataz
  • Xavier Rimasson
Conference paper
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 376)


A security policy consists of a set of rules designed to protect an information system. To ensure this protection, the rules must be deployed on security components in a consistent and non-redundant manner. Unfortunately, network administrators often adopt an empirical approach, to the detriment of theoretical validation. While the literature on the analysis of configurations of first-generation (stateless) firewalls is now rich, this is not the case for second- and third-generation firewalls, also known as stateful firewalls. In this paper, we address this limitation and provide solutions to analyze and handle stateful firewall anomalies and misconfiguration.


Keywords (machine-generated, not supplied by the authors): Boolean Function, Stateful Rule, Layer Protocol, Passive Mode, Tuple Space



Copyright information

© IFIP International Federation for Information Processing 2012

Authors and Affiliations

  • Frédéric Cuppens (1)
  • Nora Cuppens-Boulahia (1, 2)
  • Joaquin Garcia-Alfaro (1)
  • Tarik Moataz (1)
  • Xavier Rimasson (1)

  1. Institut Télécom, Télécom Bretagne, Cesson-Sévigné, France
  2. Swid Web Performance Service, Rennes, France
