
A Novel and Feasible System for Rule Anomaly and Behavior Mismatching Diagnosis Among Firewalls

  • Conference paper
Intelligent Technologies and Engineering Systems

Part of the book series: Lecture Notes in Electrical Engineering (LNEE, volume 234)

Abstract

When firewalls are configured, rule ordering and the distribution of rules across cooperating firewalls must be handled carefully, especially in a large-scale network. Operators are nevertheless prone to misconfiguration: a single firewall may hold hundreds of thousands of filtering rules (the entries of its access control list, or ACL), and rules on different firewalls can interact with one another. To speed up the crucial but laborious inspection of firewall rule configuration, this chapter describes our diagnosis system, which not only detects anomalies among the rules of a firewall but also infers, from the anomalies it finds, the main reasons for filtering-behavior mismatches between firewalls. The chapter closes with a demonstration of the system prototype.
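As an added illustration (not part of the chapter, and not the authors' system), the following Python script shows the two kinds of check the abstract describes on a constructed pair of cooperating ACLs: pairwise ordering anomalies within one first-match rule list, classified with the shadowing/redundancy/generalization/correlation taxonomy of Al-Shaer and Hamed, and filtering-behaviour mismatches between an upstream and a downstream firewall, each mismatch correlated with the index of the rule that produced the verdict on either side. The ACL syntax, the two rule sets, the probe packets and all function names are assumptions made for this example.

```python
"""Toy first-match ACL anomaly and inter-firewall mismatch checker.
Added example, not the chapter's system; rule syntax, ACLs and probes are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

Packet = Tuple[str, str, str, int]  # (proto, src_ip, dst_ip, dst_port)

@dataclass(frozen=True)
class Rule:
    proto: str              # "tcp", "udp" or "any"
    src: IPv4Network
    dst: IPv4Network
    dport: Tuple[int, int]  # inclusive destination-port range
    action: str             # "accept" or "deny"

def parse_rule(line: str) -> Rule:
    """Constructed syntax: '<proto> <src-cidr> <dst-cidr> <port|lo-hi|any> <accept|deny>'."""
    proto, src, dst, dport, action = line.split()
    if action not in ("accept", "deny"):
        raise ValueError(f"unknown action {action!r}")
    if dport == "any":
        ports = (0, 65535)
    else:
        lo, _, hi = dport.partition("-")
        ports = (int(lo), int(hi or lo))
    return Rule(proto, ip_network(src), ip_network(dst), ports, action)

def load_acl(lines: List[str]) -> List[Rule]:
    return [parse_rule(line) for line in lines]

def is_subset(a: Rule, b: Rule) -> bool:
    """Every packet matching rule a also matches rule b (actions ignored)."""
    return ((b.proto == "any" or a.proto == b.proto) and a.src.subnet_of(b.src)
            and a.dst.subnet_of(b.dst) and b.dport[0] <= a.dport[0] and a.dport[1] <= b.dport[1])

def overlaps(a: Rule, b: Rule) -> bool:
    """Some packet matches both rules."""
    return (("any" in (a.proto, b.proto) or a.proto == b.proto) and a.src.overlaps(b.src)
            and a.dst.overlaps(b.dst) and a.dport[0] <= b.dport[1] and b.dport[0] <= a.dport[1])

def classify(rules: List[Rule], i: int, j: int) -> Optional[str]:
    """Ordering anomaly between earlier rule i and later rule j (Al-Shaer/Hamed taxonomy)."""
    earlier, later = rules[i], rules[j]
    if not overlaps(earlier, later):
        return None
    if is_subset(later, earlier):  # later rule is never reached
        return "redundancy" if later.action == earlier.action else "shadowing"
    if is_subset(earlier, later):
        if later.action != earlier.action:
            return "generalization"  # earlier rule is a deliberate exception
        # earlier rule is removable only if no rule between them would then catch
        # its packets with the opposite action
        blocked = any(overlaps(earlier, rules[k]) and rules[k].action != earlier.action
                      for k in range(i + 1, j))
        return None if blocked else "redundancy"
    return "correlation" if later.action != earlier.action else None

def intra_firewall_anomalies(rules: List[Rule]) -> List[Tuple[str, int, int]]:
    """All (kind, earlier_index, later_index) anomalies within one ACL."""
    return [(kind, i, j) for j in range(len(rules)) for i in range(j)
            if (kind := classify(rules, i, j)) is not None]

def decide(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First-match evaluation with an implicit final deny; returns (action, rule index)."""
    proto, src, dst, dport = pkt
    for idx, r in enumerate(rules):
        if ((r.proto == "any" or r.proto == proto) and ip_address(src) in r.src
                and ip_address(dst) in r.dst and r.dport[0] <= dport <= r.dport[1]):
            return r.action, idx
    return "deny", None

def behaviour_mismatches(upstream: List[Rule], downstream: List[Rule], probes: List[Packet]):
    """Probes on which two cooperating firewalls disagree, each tied to the rule
    index that produced the verdict on either side (None = implicit deny)."""
    out = []
    for pkt in probes:
        up_act, up_idx = decide(upstream, pkt)
        down_act, down_idx = decide(downstream, pkt)
        if up_act != down_act:
            kind = ("upstream passes, downstream drops" if up_act == "accept"
                    else "upstream drops, downstream passes")
            out.append((pkt, kind, up_idx, down_idx))
    return out

# Constructed sample: edge firewall and internal firewall guarding 10.0.1.0/24.
UPSTREAM_ACL = [
    "tcp 0.0.0.0/0   10.0.1.0/24  80  accept",  # 0 public web
    "tcp 10.0.0.0/8  10.0.1.0/24  any accept",  # 1 internal hosts may do anything
    "tcp 10.0.2.0/24 10.0.1.0/24  22  deny",    # 2 meant to block ssh; shadowed by 1
    "tcp 0.0.0.0/0   10.0.1.10/32 80  accept",  # 3 redundant to 0
]
DOWNSTREAM_ACL = [
    "tcp 0.0.0.0/0   10.0.1.0/24  80  accept",  # 0
    "tcp 10.0.2.0/24 10.0.1.0/24  22  deny",    # 1
    "tcp 0.0.0.0/0   10.0.1.0/24  443 accept",  # 2 never sees traffic: upstream drops 443
]
PROBES: List[Packet] = [
    ("tcp", "198.51.100.7", "10.0.1.10", 80),   # both accept
    ("tcp", "10.0.2.5", "10.0.1.10", 22),       # upstream 1 passes, downstream 1 drops
    ("tcp", "10.0.5.9", "10.0.1.10", 3389),     # upstream 1 passes, downstream implicit deny
    ("tcp", "203.0.113.4", "10.0.1.20", 443),   # upstream implicit deny, downstream 2 passes
]

if __name__ == "__main__":
    up, down = load_acl(UPSTREAM_ACL), load_acl(DOWNSTREAM_ACL)
    print(intra_firewall_anomalies(up), behaviour_mismatches(up, down, PROBES), sep="\n")
```

The intra-firewall pass reports upstream rule 2 as shadowed by rule 1 and rule 3 as redundant to rule 0; the inter-firewall pass then ties the ssh probe that the upstream firewall passes and the downstream one drops back to upstream rule 1, which is exactly the rule responsible for the shadowing. That is the kind of correlation between a diagnosed anomaly and a behaviour mismatch the abstract refers to; the two-firewall comparison also surfaces downstream rule 2, which can never match because the upstream firewall already drops that traffic.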



Correspondence to Chi-Shih Chao.


Copyright information

© 2013 Springer Science+Business Media New York

About this paper

Cite this paper

Chao, CS. (2013). A Novel and Feasible System for Rule Anomaly and Behavior Mismatching Diagnosis Among Firewalls. In: Juang, J., Huang, YC. (eds) Intelligent Technologies and Engineering Systems. Lecture Notes in Electrical Engineering, vol 234. Springer, New York, NY. https://doi.org/10.1007/978-1-4614-6747-2_7

  • DOI: https://doi.org/10.1007/978-1-4614-6747-2_7

  • Publisher Name: Springer, New York, NY

  • Print ISBN: 978-1-4614-6746-5

  • Online ISBN: 978-1-4614-6747-2

  • eBook Packages: Engineering (R0)
