Fault Localization for Firewall Policies

Author

Hwang, JeeHyun ; Xie, Tao ; Chen, Fei ; Liu, Alex X.

Author_Institution

Dept. of Comput. Sci., North Carolina State Univ., Raleigh, NC, USA

fYear

2009

fDate

27-30 Sept. 2009

Firstpage

100

Lastpage

106

Abstract

Firewalls are the mainstay of enterprise security and the most widely adopted technology for protecting private networks. Ensuring the correctness of firewall policies through testing is important. In firewall policy testing, test inputs are packets and test outputs are decisions. Packets with unexpected (expected) evaluated decisions are classified as failed (passed) tests. Given failed tests together with passed tests, policy testers need to debug the policy to detect fault locations (such as faulty rules). Such a process is often time-consuming.To help reduce effort on detecting fault locations, we propose an approach to reduce the number of rules for inspection based on information collected during evaluating failed tests. Our approach ranks the reduced rules to decide which rules should be inspected first. We performed experiments on applying our approach. The empirical results show that our approach can reduce 56% of rules that are required for inspection in fault localization.

Keywords

authorisation; enterprise security; fault localization detection; firewall policy testing; private network protection; Computer science; Computer security; Failure analysis; Fault detection; Fault location; Inspection; Protection; Reliability engineering; Telecommunication traffic; Testing; Fault Localization; Firewall Policy; Firewalls; Network Security; Policy Testing;

fLanguage

English

Publisher

ieee

Conference_Titel

Reliable Distributed Systems, 2009. SRDS '09. 28th IEEE International Symposium on

Conference_Location

Niagara Falls, NY

ISSN

1060-9857

Print_ISBN

978-0-7695-3826-6

Type

conf

DOI

10.1109/SRDS.2009.38

Filename

5283420