• DocumentCode
    1431353
  • Title
    Systematic Structural Testing of Firewall Policies
  • Author
    Hwang, JeeHyun ; Xie, Tao ; Chen, Fei ; Liu, Alex X.
  • Author_Institution
    Dept. of Comput. Sci., North Carolina State Univ., Raleigh, NC, USA
  • Volume
    9
  • Issue
    1
  • fYear
    2012
  • fDate
    3/1/2012 12:00:00 AM
  • Firstpage
    1
  • Lastpage
    11
  • Abstract
Firewalls are the mainstay of enterprise security and the most widely adopted technology for protecting private networks. As the quality of protection provided by a firewall directly depends on the quality of its policy (i.e., configuration), ensuring the correctness of firewall policies is important and yet difficult. To help ensure this correctness, we propose a systematic structural testing approach for firewall policies. We define structural coverage (based on coverage criteria of rules, predicates, and clauses) on the firewall policy under test. To achieve high structural coverage effectively, we have developed four automated packet generation techniques: random packet generation, generation based on local constraint solving (considering individual rules locally in a policy), generation based on global constraint solving (considering multiple rules globally in a policy), and generation based on boundary values. We have conducted an experiment on a set of real policies and a set of faulty policies to detect faults with generated packet sets. Generally, our experimental results show that a packet set with higher structural coverage has higher fault-detection capability (i.e., detects more injected faults). Our experimental results also show that a reduced packet set (maintaining the same level of structural coverage as the corresponding original packet set) retains fault-detection capability similar to that of the original set.
  • Keywords
    authorisation; computer network security; automated packet generation; enterprise security; firewall policies; private network protection; structural coverage; systematic structural testing; Fault detection; Fires; Generators; IP networks; Protocols; Systematics; Testing; Firewall policy; fault detection; structural coverage; test packet generation; validation;
  • fLanguage
    English
  • Journal_Title
    Network and Service Management, IEEE Transactions on
  • Publisher
    ieee
  • ISSN
    1932-4537
• Type
    jour
  • DOI
    10.1109/TNSM.2012.012012.100092
  • Filename
    6138839
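As an added illustration of the structural coverage criteria and packet generation techniques named in the abstract (this is editor-written example code, not the paper's implementation), the block below measures rule, predicate and clause coverage of a small constructed first-match policy and compares random packet generation against a boundary-value generator seeded by solving each rule's constraints locally. The rule model (conjunctions of range clauses) and the exact coverage definitions are simplifying assumptions of this example, not the paper's definitions.

```python
import random
# Constructed fields and policy: a rule is a conjunction of (field, lo, hi)
# clauses over packet fields; the first matching rule wins, otherwise deny.
FIELDS = {"src": (0, 255), "dst": (0, 255), "port": (0, 65535), "proto": (0, 255)}
POLICY = [
    ([("proto", 6, 6), ("dst", 10, 10), ("port", 80, 80)], "accept"),
    ([("proto", 6, 6), ("dst", 10, 10), ("port", 443, 443)], "accept"),
    ([("proto", 17, 17), ("port", 53, 53)], "accept"),
    ([("src", 192, 192)], "accept"),
]

def evaluate(policy, pkt, stats):
    """First-match lookup that records each rule/predicate/clause outcome seen."""
    for i, (clauses, action) in enumerate(policy):
        results = [lo <= pkt[f] <= hi for f, lo, hi in clauses]  # no short-circuit
        for j, r in enumerate(results):
            stats["clause"].add((i, j, r))
        stats["pred"].add((i, all(results)))
        if all(results):
            stats["rule"].add(i)
            return action
    return "deny"

def coverage(policy, packets):
    """Assumed definitions: rule = rules that are some packet's first match;
    predicate/clause = (item, outcome) pairs seen, i.e. both true and false."""
    stats = {"rule": set(), "pred": set(), "clause": set()}
    for pkt in packets:
        evaluate(policy, pkt, stats)
    n_clauses = sum(len(c) for c, _ in policy)
    return {"rule": len(stats["rule"]) / len(policy),
            "predicate": len(stats["pred"]) / (2 * len(policy)),
            "clause": len(stats["clause"]) / (2 * n_clauses)}

def random_packets(n, seed=1):
    rng = random.Random(seed)
    return [{f: rng.randint(lo, hi) for f, (lo, hi) in FIELDS.items()} for _ in range(n)]

def boundary_packets(policy):
    """Local constraint solving plus boundary values: a packet satisfying all
    clauses of a rule, then each clause pushed just outside its range in turn."""
    pkts = []
    for clauses, _ in policy:
        base = {**{f: lo for f, (lo, _) in FIELDS.items()}, **{f: lo for f, lo, _ in clauses}}
        pkts.append(base)
        for f, lo, hi in clauses:
            for v in (lo - 1, hi + 1):
                if FIELDS[f][0] <= v <= FIELDS[f][1]:
                    pkts.append({**base, f: v})
    return pkts
```

On this policy the boundary set reaches full rule, predicate and clause coverage with a few dozen packets, while hundreds of uniformly random packets rarely trigger the narrow rules at all, which is the gap between the random and constraint-based generators that the abstract describes.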