Policy segmentation for intelligent firewall testing

El-Atawy, Adel; Ibrahim, Khalil; Hamed, H.; Al-Shaer, Ehab

doi:10.1109/npsec.2005.1532056

Cited by 29 publications

(22 citation statements)

References 6 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…For instance, the test packets can be hand-generated by domain experts to target specific vulnerabilities in the given firewall F , or generated from the formal specifications of the security policy of the given firewall F , as in [6]. A scheme for targeting test packets for better fault coverage is given in [7]. Al-Shaer et al provide a complete framework to generate targeted packets and obtain good coverage in testing in [8].…”

Section: ) Firewall Testingmentioning

confidence: 99%

Firewall verification and redundancy checking are equivalent

Acharya

Gouda

2011

2011 Proceedings IEEE INFOCOM

View full text Add to dashboard Cite

Abstract-A firewall is a packet filter that is placed at the entrance of a private network. It checks the header fields of each incoming packet into the private network and decides, based on the specified rules in the firewall, whether to accept the packet and allow it to proceed or to discard the packet. To validate the correctness and effectiveness of the rules in a firewall, the firewall rules are usually subjected to two types of analysis: verification and redundancy checking. Verification is used to verify that the rules in a firewall accept all packets that should be accepted and discard all packets that should be discarded. Redundancy checking is used to check that no rule in a firewall is redundant (i.e. can be removed from the firewall without changing the sets of packets accepted and discarded by the firewall). In this paper we show that, contrary to the conventional wisdom, these two types of analysis are in fact equivalent. In particular, we show that (1) every verification algorithm can be also used to check whether a rule in a firewall is redundant, and (2) every redundancy checking algorithm can be also used to verify whether the rules in a firewall accept or discard an intended set of packets.

show abstract

Section: ) Firewall Testingmentioning

confidence: 99%

Firewall verification and redundancy checking are equivalent

Acharya

Gouda

2011

2011 Proceedings IEEE INFOCOM

View full text Add to dashboard Cite

show abstract

“…For instance, the test packets can be hand-generated by domain experts to target specific vulnerabilities in the given firewall F , or generated from the formal specifications of the security policy of the given firewall F , as in [3]. A scheme for targeting test packets for better fault coverage is given in [4] and [5]. Blowtorch [6] is a framework to generate packets for testing.…”

Section: Related Workmentioning

confidence: 99%

Firewall modules and modular firewalls

Acharya

Joshi

Gouda

2010

The 18th IEEE International Conference on Network Protocols

View full text Add to dashboard Cite

Abstract-A firewall is a packet filter placed at an entry point of a network in the Internet. Each packet that goes through this entry point is checked by the firewall to determine whether to accept or discard the packet. The firewall makes this determination based on a specified sequence of overlapping rules. The firewall uses the first-match criterion to determine which rule in the sequence should be applied to which packet. Thus, to compute the set of packets to which a rule is applied, the firewall designer needs to consider all the rules that precede this rule in the sequence. This "rule dependency" complicates the task of designing firewalls (especially those with thousands of rules), and makes firewalls hard to understand. In this paper, we present a metric, called the dependency metric, for measuring the complexity of firewalls. This metric, though accurate, does not seem to suggest ways to design firewalls whose dependency metrics are small. Thus, we present another metric, called the inversion metric, and develop methods for designing firewalls with small inversion metrics. We show that the dependency metric and the inversion metric are correlated for some classes of firewalls. So by aiming to design firewalls with small inversion metrics, the designer may end up with firewalls whose dependency metrics are small as well. We present a method for designing modular firewalls whose inversion metrics are very small. Each modular firewall consists of several components, called firewall modules. The inversion metric of each firewall module is very small -in fact, 1 or 2. Thus, we conclude that modular firewalls are easy to design and easy to understand.

show abstract

“…Sets of test input values may be constructed using equivalence class partitioning, intelligent segmentation [11] or expert knowledge. The equivalence class partitioning divides the input domain of policy field into a finite number of partitions or equivalence classes [12].…”

Section: B Test Case Generation For Firewallsmentioning

confidence: 99%

“…The equivalence class partitioning divides the input domain of policy field into a finite number of partitions or equivalence classes [12]. El-Atawy et al [11] proposed intelligent segmentation, where potential erroneous regions in the the firewall input space are adapted using the firewall policy. When determining test input data, values that a hacker might choose may be considered in addition to using the blacklists from network/security administrator or third parties as well as using statistical significant/insignificant past traffic.…”

Section: B Test Case Generation For Firewallsmentioning

confidence: 99%

Feedback Control Based Test Case Instantiation for Firewall Testing

Tuğlular

Gercek

2010

2010 IEEE 34th Annual Computer Software and Applications Conference Workshops

View full text Add to dashboard Cite

Abstract-A firewall's proper functioning is critical to the network it protects. Thus, a firewall should be tested with respect to its intended security policy. We propose a feedback control based approach for test case generation to detect mismatches between firewall's expected and executed behavior. In the proposed approach, abstract test cases are generated from firewall decision diagrams and instantiated with the test input values chosen using the proposed feedback control based selection algorithm. A case study is presented to validate the presented approach.

show abstract

Policy segmentation for intelligent firewall testing

Cited by 29 publications

References 6 publications

Firewall verification and redundancy checking are equivalent

Firewall verification and redundancy checking are equivalent

Firewall modules and modular firewalls

Feedback Control Based Test Case Instantiation for Firewall Testing

Contact Info

Product

Resources

About