Abstract
The use of different network security components, such as firewalls and network intrusion detection systems (NIDSs), is the dominant method to monitor and enforce the security policy in current corporate networks. On the one hand, firewalls are traditional security components which provide means to filter traffic within corporate networks, as well as to police the incoming and outgoing interaction with the Internet. On the other hand, NIDSs are complementary security components used to enhance the visibility level of the network, pointing to malicious or anomalous traffic. To properly configure both firewalls and NIDSs, it is necessary to use several sets of filtering and alerting rules. Nevertheless, the existence of anomalies between those rules, particularly in distributed multi-component scenarios, is very likely to degrade the network security policy. Discovering and removing these anomalies is a serious and complex problem to solve. In this paper, we present a set of algorithms for such management.
© 2006 Springer-Verlag Berlin Heidelberg
Alfaro, J.G., Cuppens, F., Cuppens-Boulahia, N. (2006). Analysis of Policy Anomalies on Distributed Network Security Setups. In: Gollmann, D., Meier, J., Sabelfeld, A. (eds) Computer Security – ESORICS 2006. ESORICS 2006. Lecture Notes in Computer Science, vol 4189. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11863908_30
DOI: https://doi.org/10.1007/11863908_30
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-44601-9
Online ISBN: 978-3-540-44605-7