A topological approach to detect conflicts in firewall policies

Packet filtering provides initial layer of security based upon set of ordered filters called firewall policies. It examines the network packets and decides whether to accept or deny them. But when a packet matches two or more filters conflicts arise. Due to the conflicts, some filters are never executed and some filters are occasionally executed. It may results into unintended traffic and it is a tedious job for administrator to detect conflicts. Detection of conflicts through geometrical approach provides a systematic and powerful error classification, but as the filters and key fields of header increase, it demands high memory and computation time. To solve this problem, we propose a topological approach called BISCAL (Bit-vector based spatial calculus) to detect the conflicts in the firewall policies. As because of our approach preserves only the topology of the filters, it can reduce memory usage and computation time to a great extend.