DocumentCode
2265032
Title
Inferring the Impact of Firewall Policy Changes by Analyzing Spatial Relations between Packet Filters
Author
Yin, Yi ; Bhuvaneswaran, R.S. ; Katayama, Yoshiaki ; Takahashi, Naohisa
Author_Institution
Nagoya Inst. of Technol., Nagoya
fYear
2006
fDate
27-30 Nov. 2006
Firstpage
1
Lastpage
6
Abstract
Network security can be increased by filtering packets at a firewall. Packet filtering examines network packets and decides whether to accept or deny them, and these decisions are made according to policies that are established by the network administrator and implemented by specific filters. An administrator who finds it hard to understand and maintain a policy will not easily find problems that occur when the filters are changed (added, deleted, or replaced) and will therefore not be certain that the intended policies are implemented correctly and completely. In this paper, we consider the relations between filters as spatial relations, and show how the impact of firewall policy changes can be determined by analyzing spatial relations between filters. Using these relations reduces the amount of computation required for impact analysis because it eliminates the need to compare all the predicates involved in the filters. Experimental results show that the proposed impact analysis method is suitable for small networks and can be used for policies with large numbers of filters.
Keywords
computer networks; pattern classification; telecommunication security; tree data structures; SIERRA tree; firewall policy change impact analysis; network administration; network security; packet classification; packet filtering; spatial relation analysis; Electronic mail; Filtering; Filters; Software engineering; Spatial resolution;
fLanguage
English
Publisher
ieee
Conference_Titel
Communication Technology, 2006. ICCT '06. International Conference on
Conference_Location
Guilin
Print_ISBN
1-4244-0800-8
Electronic_ISBN
1-4244-0801-6
Type
conf
DOI
10.1109/ICCT.2006.341930
Filename
4146531