DocumentCode :
1050571
Title :
Firewall Policy Queries
Author :
Liu, Alex X. ; Gouda, Mohamed G.
Author_Institution :
Dept. of Comput. Sci. & Eng., Michigan State Univ., East Lansing, MI
Volume :
20
Issue :
6
fYear :
2009
fDate :
6/1/2009 12:00:00 AM
Firstpage :
766
Lastpage :
777
Abstract :
Firewalls are crucial elements in network security, and have been widely deployed in most businesses and institutions for securing private networks. The function of a firewall is to examine each incoming and outgoing packet and decide whether to accept or to discard the packet based on its policy. Due to the lack of tools for analyzing firewall policies, most firewalls on the Internet have been plagued with policy errors. A firewall policy error either creates security holes that will allow malicious traffic to sneak into a private network or blocks legitimate traffic and disrupts normal business processes, which in turn could lead to irreparable, if not tragic, consequences. Because a firewall may have a large number of rules and the rules often conflict, understanding and analyzing the function of a firewall has been known to be notoriously difficult. An effective way to assist firewall administrators to understand and analyze the function of their firewalls is by issuing queries. An example of a firewall query is "Which computers in the private network can receive packets from a known malicious host in the outside Internet?" Two problems need to be solved in order to make firewall queries practically useful: how to describe a firewall query and how to process a firewall query. In this paper, we first introduce a simple and effective SQL-like query language, called the Structured Firewall Query Language (SFQL), for describing firewall queries. Second, we give a theorem, called the Firewall Query Theorem, as the foundation for developing firewall query processing algorithms. Third, we present an efficient firewall query processing algorithm, which uses decision diagrams as its core data structure. Fourth, we propose methods for optimizing firewall query results. Finally, we present methods for performing the union, intersect, and minus operations on firewall query results. Our experimental results show that our firewall query processing algorithm is very efficient: it takes less than 10 milliseconds to process a query over a firewall that has up to 10,000 rules.
Keywords :
Internet; SQL; authorisation; computer networks; data structures; decision diagrams; query processing; Firewall Query Theorem; SQL-like query language; Structured Firewall Query Language; data structure; firewall policy error; firewall policy queries; firewall query processing algorithms; malicious traffic; network security; private networks; security holes; firewall correctness; firewall queries; firewall testing
fLanguage :
English
Journal_Title :
IEEE Transactions on Parallel and Distributed Systems
Publisher :
ieee
ISSN :
1045-9219
Type :
jour
DOI :
10.1109/TPDS.2008.263
Filename :
4731249