Title :
A topological approach to detect conflicts in firewall policies
Author :
Thanasegaran, Subana ; Yin, Yi ; Tateiwa, Yuichiro ; Katayama, Yoshiaki ; Takahashi, Naohisa
Author_Institution :
Dept. of Comput. Sci. Eng., Nagoya Inst. of Technol., Nagoya, Japan
Abstract :
Packet filtering provides initial layer of security based upon set of ordered filters called firewall policies. It examines the network packets and decides whether to accept or deny them. But when a packet matches two or more filters conflicts arise. Due to the conflicts, some filters are never executed and some filters are occasionally executed. It may results into unintended traffic and it is a tedious job for administrator to detect conflicts. Detection of conflicts through geometrical approach provides a systematic and powerful error classification, but as the filters and key fields of header increase, it demands high memory and computation time. To solve this problem, we propose a topological approach called BISCAL (Bit-vector based spatial calculus) to detect the conflicts in the firewall policies. As because of our approach preserves only the topology of the filters, it can reduce memory usage and computation time to a great extend.
Keywords :
authorisation; computer network management; process algebra; bit-vector based spatial calculus; computation time; conflict detection; error classification; firewall policies; memory usage; ordered filter; packet filtering; security layer; topological approach; Calculus; Computer networks; Computer science; Computer security; Information filtering; Information filters; Matched filters; Network topology; Protection; Telecommunication traffic; Packet filtering; conflict detection; firewall policy;
Conference_Titel :
Parallel & Distributed Processing, 2009. IPDPS 2009. IEEE International Symposium on
Conference_Location :
Rome
Print_ISBN :
978-1-4244-3751-1
Electronic_ISBN :
1530-2075
DOI :
10.1109/IPDPS.2009.5161245
