DocumentCode
3537560
Title
A Fully Automatic Approach for Fixing Firewall Misconfigurations
Author
Souayeh, N.B.Y.B. ; Bouhoula, Adel
Author_Institution
Higher Sch. of Commun. of Tunis (Sup'Com), Univ. of Carthage, Tunis, Tunisia
fYear
2011
fDate
Aug. 31 2011-Sept. 2 2011
Firstpage
461
Lastpage
466
Abstract
Firewalls are among the most important mechanisms used to enforce network security policies. However, it has been observed that most firewall policies on the Internet are poorly designed. A firewall error may allow the spread of malicious traffic or block legitimate traffic, causing serious damage. A major source of firewall misconfigurations stems from the logically entangled nature of firewall filtering rules. Moreover, updating filtering rules could induce faults and in turn could lead to irreparable consequences. Despite the importance of automatic correction of firewall configurations, this problem has not been explored in previous work. In this paper, we propose a formal and fully automatic approach for correcting a firewall during execution. We prove that our method is both correct and safe. For better efficiency, we also propose a rule-based optimization approach. Finally, our methods have been implemented in a prototype. The first results are very promising.
Keywords
Internet; authorisation; computer networks; optimisation; Internet; firewall filtering rules; firewall misconfigurations; malicious traffic; network security policies; rule-based optimization approach; Fires; Optimization; Protocols; Security; Semantics; Servers; Firewall; SMT solver; formal verification; security policy;
fLanguage
English
Publisher
ieee
Conference_Titel
Computer and Information Technology (CIT), 2011 IEEE 11th International Conference on
Conference_Location
Pafos
Print_ISBN
978-1-4577-0383-6
Electronic_ISBN
978-0-7695-4388-8
Type
conf
DOI
10.1109/CIT.2011.84
Filename
6036810