Title :
Inferring the Impact of Firewall Policy Changes by Analyzing Spatial Relations between Packet Filters
Author :
Yin, Yi ; Bhuvaneswaran, R.S. ; Katayama, Yoshiaki ; Takahashi, Naohisa
Author_Institution :
Nagoya Inst. of Technol., Nagoya
Abstract :
Network security can be increased filtering packets at a firewall. Packet filtering examines network packets and decides whether to accept or deny them, and these decisions are made according to policies that are established by the network administrator and implemented by specific filters. An administrator who finds it hard to understand and maintain a policy, will not easily find problems that occur when the filters are changed (added, deleted, or replaced) and will therefore not be certain that the intended policies are implemented correctly and completely. In this paper, we consider the relations between filters as spatial relations, and show how the impact of firewall policy changes can be determined by analyzing spatial relations between filters. Using these relations reduces the amount of computation required for impact analysis because it eliminates the need to compare all the predicates involved in the filters. Experimental results show that the proposed impact analysis method is suitable for small networks and can be used for policies with large numbers of filters.
Keywords :
computer networks; pattern classification; telecommunication security; tree data structures; SIERRA tree; firewall policy change impact analysis; network administration; network security; packet classification; packet filtering; spatial relation analysis; Electronic mail; Filtering; Filters; Software engineering; Spatial resolution;
Conference_Titel :
Communication Technology, 2006. ICCT '06. International Conference on
Conference_Location :
Guilin
Print_ISBN :
1-4244-0800-8
Electronic_ISBN :
1-4244-0801-6
DOI :
10.1109/ICCT.2006.341930
