Detecting and resolving firewall policy anomalies

IEEE Transactions on Dependable and Secure Computing

Volumn 9, Issue 3, 2012, Pages 318-331

  Hu, Hongxin ^a   Ahn, Gail Joon ^a   Kulkarni, Ketan ^a  

^a Arizona State University   (United States)

Author keywords

access control; Firewall; policy anomaly management; visualization tool

Indexed keywords

ACCESS CONTROL; COMPUTER SYSTEM FIREWALLS; INFORMATION SERVICES; VISUALIZATION;

EMERGING COMPUTING TECHNOLOGIES; FIREWALL; MANAGEMENT ENVIRONMENTS; POLICY ANOMALY MANAGEMENTS; REPRESENTATION TECHNIQUES; SEGMENTATION TECHNIQUES; SYSTEMATIC ANALYSIS; VISUALIZATION TOOLS;

SERVICE ORIENTED ARCHITECTURE (SOA);

EID: 84858632756     PISSN: 15455971     EISSN: None     Source Type: Journal    
DOI: 10.1109/TDSC.2012.20     Document Type: Article

References (37)

1. E. Al-Shaer and H. Hamed, "Discovery of Policy Anomalies in Distributed Firewalls," IEEE INFOCOM '04, vol. 4, pp. 2605-2616, 2004.
2. A. Wool, "Trends in Firewall Configuration Errors: Measuring the Holes in Swiss Cheese," IEEE Internet Computing, vol. 14, no. 4, pp. 58-65, July/Aug. 2010.
3. J. Alfaro, N. Boulahia-Cuppens, and F. Cuppens, "Complete Analysis of Configuration Rules to Guarantee Reliable Network Security Policies," Int'l J. Information Security, vol. 7, no. 2, pp. 103-122, 2008. (Pubitemid 351493917)
4. F. Baboescu and G. Varghese, "Fast and Scalable Conflict Detection for Packet Classifiers," Computer Networks, vol. 42, no. 6, pp. 717-735, 2003.
5. L. Yuan, H. Chen, J. Mai, C. Chuah, Z. Su, P. Mohapatra, and C. Davis, "Fireman: A Toolkit for Firewall Modeling and Analysis," Proc. IEEE Symp. Security and Privacy, p. 15, 2006.
6. E. Lupu and M. Sloman, "Conflicts in Policy-Based Distributed Systems Management," IEEE Trans. Software Eng., vol. 25, no. 6, pp. 852-869, Nov./Dec. 1999. (Pubitemid 30583219)
7. I. Herman, G. Melançon, and M. Marshall, "Graph Visualization and Navigation in Information Visualization: A Survey," IEEE Trans. Visualization and Computer Graphics, vol. 6, no. 1, pp. 24-43, Jan.-Mar. 2000. (Pubitemid 30594718)
8. H. Hu, G. Ahn, and K. Kulkarni, "Anomaly Discovery and Resolution in Web Access Control Policies," Proc. 16th ACM Symp. Access Control Models and Technologies, pp. 165-174, 2011.
9. L. Yuan, C. Chuah, and P. Mohapatra, "ProgME: Towards Programmable Network Measurement," ACM SIGCOMM Computer Comm. Rev., vol. 37, no. 4, p. 108, 2007.
10. A. El-Atawy, K. Ibrahim, H. Hamed, and E. Al-Shaer, "Policy Segmentation for Intelligent Firewall Testing," Proc. First Workshop Secure Network Protocols (NPSec '05), 2005.
11. G. Misherghi, L. Yuan, Z. Su, C.-N. Chuah, and H. Chen, "A General Framework for Benchmarking Firewall Optimization Techniques," IEEE Trans. Network and Service Management, vol. 5, no. 4, pp. 227-238, Dec. 2008.
12. M. Frigault, L. Wang, A. Singhal, and S. Jajodia, "Measuring Network Security Using Dynamic Bayesian Network," Proc. Fourth ACM Workshop Quality of Protection, 2008.
13. M. Sahinoglu, "Security Meter: A Practical Decision-Tree Model to Quantify Risk," IEEE Security and Privacy, vol. 3, no. 3, pp. 18-24, May 2005. (Pubitemid 40860469)
14. R. Sawilla and X. Ou, "Identifying Critical Attack Assets in Dependency Attack Graphs," Proc. 13th European Symp. Research in Computer Security (ESORICS), 2008.
15. P. Mell, K. Scarfone, and S. Romanosky, "A Complete Guide to the Common Vulnerability Scoring System Version 2.0," Published by FIRST-Forum of Incident Response and Security Teams, June 2007.
16. I. Fundulaki and M. Marx, "Specifying Access Control Policies for XML Documents with Xpath," Proc. Ninth ACM Symp. Access Control Models and Technologies, pp. 61-69, 2004.
17. S. Jajodia, P. Samarati, and V.S. Subrahmanian, "A Logical Language for Expressing Authorizations," Proc. IEEE Symp. Security and Privacy, pp. 31-42, May 1997.
18. T. Moses, "Extensible Access Control Markup Language (XACML), Version 2.0, Oasis Standard," Internet, http://docs.oasis-open.org/xacml/2. 0/accesscontrol-xacml-2.0-corespec-os.pdf, 2005.
19. N. Li, Q. Wang, W. Qardaji, E. Bertino, P. Rao, J. Lobo, and D. Lin, "Access Control Policy Combining: Theory Meets Practice," Proc. 14th ACM Symp. Access Control Models and Technologies, pp. 135-144, 2009.
20. J. Jin, G. Ahn, H. Hu, M. Covington, and X. Zhang, "Patient-Centric Authorization Framework for Sharing Electronic Health Records," Proc. 14th ACM Symp. Access Control Models and Technologies, pp. 125-134, 2009.
21. J. Jin, G. Ahn, H. Hu, M. Covington, and X. Zhang, "Patient-Centric Authorization Framework for Electronic Healthcare Services," Computers and Security, vol. 30, no. 2, pp. 116-127, 2011.
22. J. Bentley and T. Ottmann, "Algorithms for Reporting and Counting Geometric Intersections," IEEE Trans. Computers, vol. 28, no. 9, 1979.
23. E. Al-Shaer, W. Marrero, A. El-Atawy, and K. ElBadawi, "Network Configuration in a Box: Towards End-to-End Verification of Network Reachability and Security," Proc. Int'l Conf. Network Protocols (ICNP '09), pp. 123-132, 2009.
24. "Java BDD," http://javabdd.sourceforge.net, 2012.
25. "Buddy Version 2.4," http://sourceforge.net/projects/buddy, 2012.
26. "TENABLE Network Security," http://www.nessus.org/nessus, 2012.
27. Tissynbe.py,http://www.tssci-security.com/projects/tissynbe-py, 2012.
28. K. Ingols, R. Lippmann, and K. Piwowarski, "Practical Attack Graph Generation for Network Defense," Proc. 22nd Ann. Computer Security Applications Conf. (ACSAC), 2006.
29. X. Ou, W. Boyer, and M. McQueen, "A Scalable Approach to Attack Graph Generation," Proc. 13th ACM Conf. Computer and Comm. Security, pp. 336-345, 2006. (Pubitemid 47131381)
30. A. Wool, "Architecting the Lumeta Firewall Analyzer," Proc. 10th Conf. USENIX Security Symp., vol. 10, p. 7, 2001.
31. A. Mayer, A. Wool, and E. Ziskind, "Fang: A Firewall Analysis Engine," Proc. IEEE Symp. Security and Privacy, pp. 177-189, 2000.
32. M. Gouda and X. Liu, "Firewall Design: Consistency, Completeness, and Compactness," Proc. 24th Int'l Conf. Distributed Computing Systems (ICDCS '04), p. 327, 2004.
33. S. Ioannidis, A. Keromytis, S. Bellovin, and J. Smith, "Implementing a Distributed Firewall," Proc. Seventh ACM Conf. Computer and Comm. Security, p. 199, 2000.
34. A. Hari, S. Suri, and G. Parulkar, "Detecting and Resolving Packet Filter Conflicts," Proc. IEEE INFOCOM, pp. 1203-1212, 2000. (Pubitemid 30584611)
35. Z. Fu, S. Wu, H. Huang, K. Loh, F. Gong, I. Baldine, and C. Xu, "IPSec/VPN Security Policy: Correctness, Conflict Detection and Resolution," Proc. Int'l Workshop Policies for Distributed Systems and Networks (POLICY '01), pp. 39-56, 2001. (Pubitemid 33225339)
36. R. Reeder, L. Bauer, L. Cranor, M. Reiter, K. Bacon, K. How, and H. Strong, "Expandable Grids for Visualizing and Authoring Computer Security Policies," Proc. 26th Ann. SIGCHI Conf. Human Factors in Computing Systems, pp. 1473-1482, 2008.
37. C. Brodie, C. Karat, and J. Karat, "An Empirical Study of Natural Language Parsing of Privacy Policy Rules Using the SPARCLE Policy Workbench," Proc. Second Symp. Usable Privacy and Security, pp. 8-19, 2006. (Pubitemid 46966965)