Firewall modules and modular firewalls

Chowdhury

Proceedings of the 2015 Symposium and Bootcamp on the Science of Security

et al. 2015

Developing metrics for quantifying the security and usability aspects of a system has been of constant interest to the cybersecurity research community. Such metrics have the potential to provide valuable insight on security and usability of a system and to aid in the design, development, testing, and maintenance of the system. Working towards the overarching goal of such metric development, in this work we lay down the groundwork for developing metrics for quantifying the complexity of firewall policies. We are particularly interested in capturing the human perceived complexity of firewall policies. To this end, we propose a potential workflow that researchers can follow to develop empirically-validated, objective metrics for measuring the complexity of firewall policies. We also propose three hypotheses that capture salient properties of a firewall policy which constitute the complexity of a policy for a human user. We identify two categories of human-perceived policy complexity (i.e., syntactic complexity and semantic complexity), and for each of them propose potential complexity metrics for firewall policies that exploit two of the hypotheses we suggest. The current work can be viewed as a stepping stone for future research on development of such policy complexity metrics.

Section: Hotsosmentioning

confidence: 99%

Towards quantification of firewall policy complexity

Chowdhury

Proceedings of the 2015 Symposium and Bootcamp on the Science of Security

et al. 2015

2011 Proceedings IEEE INFOCOM

“…Such algorithms, that can generate a firewall from its specification, are provided in [2] and [17]. We develop a new approach to the problem of firewall design and demonstrate how to design a firewall as a set of modules, in [18]. Our current paper demonstrates that one of the most studied problems of firewall analysis, namely redundancy checking, is equivalent to firewall verification.…”

Section: ) Firewall Analysismentioning

confidence: 99%

Firewall verification and redundancy checking are equivalent

Acharya

Gouda

2011

Self Cite

Abstract-A firewall is a packet filter that is placed at the entrance of a private network. It checks the header fields of each incoming packet into the private network and decides, based on the specified rules in the firewall, whether to accept the packet and allow it to proceed or to discard the packet. To validate the correctness and effectiveness of the rules in a firewall, the firewall rules are usually subjected to two types of analysis: verification and redundancy checking. Verification is used to verify that the rules in a firewall accept all packets that should be accepted and discard all packets that should be discarded. Redundancy checking is used to check that no rule in a firewall is redundant (i.e. can be removed from the firewall without changing the sets of packets accepted and discarded by the firewall). In this paper we show that, contrary to the conventional wisdom, these two types of analysis are in fact equivalent. In particular, we show that (1) every verification algorithm can be also used to check whether a rule in a firewall is redundant, and (2) every redundancy checking algorithm can be also used to verify whether the rules in a firewall accept or discard an intended set of packets.

“…A firewall F executes two steps when an incoming packet p reaches it. In the first step, it identifies the first rule r in the sequential ruleset whose <predicate> allots the value true to packet p due to the matches in the fields while in the second step, if the <decision> of rule r is to accept or to discard packet p, then, the firewall accepts or discards the packet as the case may be [11], [10].…”

Section: A Experiments 1: Unauthorized Access Prevention By the Firewallmentioning

confidence: 99%

“…A firewall system operation is based on first-match criterion to determine which rule should be applied to which packet. The filtering ruleset is sequential and divided into two parts, namely predicate and decision and is of the form [11], [10].…”

Section: A Experiments 1: Unauthorized Access Prevention By the Firewallmentioning

confidence: 99%

“…The work reports that the processing time of the firewall is reduced by predictive approach instead of standard firewall linear method of packet filtering. Likewise, [10] proposes a method for designing modular firewalls with small inversion metrics for design understanding. Furthermore, a firewall rule management policy without conflict and an algorithm to fast-check the firewall rules is demonstrated in [11].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Effective Multi-Layer Security for Campus Network

Alimi

2015

JCTECS

Abstract-The development in different communication systems as well as multimedia applications and services leads to high rate of Internet usage. However, transmission of information over such networks can be compromised and security breaches such as virus, denial of service, unauthorized access, and theft of proprietary information which may have devastating impact on the system may occur if adequate security measures are not employed. Consequently, building viable, effective, and safe network is one of the main technical challenges of information transmission in campus networks. Furthermore, it has been observed that, network threats and attacks exist from the lower layers of network traffic to the application layer; therefore, this paper proposes an effective multi-layer firewall system for augmenting the functionalities of other network security technologies due to the fact that, irrespective of the type of access control being employed, attacks are still bound to occur. The effectiveness of the proposed network architecture is demonstrated using Cisco Packet Tracer. The simulation results show that, implementation of the proposed topology is viable and offers reasonable degree of security at different network layers.