DocumentCode
35918
Title
Analysis of Application-Layer Filtering Policies With Application to HTTP
Author
Basile, Cataldo ; Lioy, Antonio
Author_Institution
Dip. Autom. e Inf., Politec. di Torino, Turin, Italy
Volume
23
Issue
1
fYear
2015
fDate
Feb. 2015
Firstpage
28
Lastpage
41
Abstract
Application firewalls are increasingly used to inspect upper-layer protocols (such as HTTP) that are the target or vehicle of several attacks and are not properly addressed by network firewalls. Like other security controls, application firewalls need to be carefully configured, as errors have a significant impact on service security and availability. However, currently no technique is available to analyze their configuration for correctness and consistency. This paper extends a previous model for the analysis of packet filters to policy anomaly analysis in application firewalls. Both rule-pair and multirule anomalies are detected, hence reducing the likelihood of conflicting and suboptimal configurations. The expressiveness of this model has been successfully tested against the features of Squid, a popular Web caching proxy offering various access control capabilities. The tool implementing this model has been tested on various scenarios and exhibits good performance.
Keywords
Internet; authorisation; firewalls; transport protocols; HTTP; Squid Web caching proxy; access control capabilities; application firewalls; application-layer filtering policies; multirule anomalies; packet filters; policy anomaly analysis; rule-pair anomalies; service security; upper-layer protocols; Access control; Analytical models; IEEE transactions; IP networks; Logic gates; Protocols; Application gateway; firewall; policy anomalies; policy conflicts; proxy; regular expressions
fLanguage
English
Journal_Title
Networking, IEEE/ACM Transactions on
Publisher
ieee
ISSN
1063-6692
Type
jour
DOI
10.1109/TNET.2013.2293625
Filename
6690252
Link To Document