WANG Wei-Ping,CHEN Wen-Hui,ZHU Wei-Wei,CHEN Hua-Ping,YANG Jie

DOI: https://doi.org/10.3969/j.issn.1002-1175.2007.02.019

2007-01-01

Abstract:As a traditional information security technology(IST),distributed firewall is playing an important role but it has some problems.Conflicts always appear in distributed firewall policy,bringing the security menace.After discussions of some relations between the rules of firewall,this paper demonstrates the probable mistakes which might exist in policy configuration,and also introduces an algorithm of mistake-detecting about policy configuration.Finally,the direction of further research is also presented.

Fei Chen,Alex X. Liu,Jeehyun Hwang,Tao Xie

DOI: https://doi.org/10.1145/2240166.2240177

2010-01-01

Abstract:Firewalls are critical components of network security and have been widely deployed for protecting private networks. A firewall determines whether to accept or discard a packet that passes through it based on its policy. However, most real-life firewalls have been plagued with policy faults, which either allow malicious traffic or block legitimate traffic. Due to the complexity of firewall policies, manually locating the faults of a firewall policy and further correcting them are difficult. Automatically correcting the faults of a firewall policy is an important and challenging problem. In this article, we first propose a fault model for firewall policies including five types of faults. For each type of fault, we present an automatic correction technique. Second, we propose the first systematic approach that employs these five techniques to automatically correct all or part of the misclassified packets of a faulty firewall policy. Third, we conducted extensive experiments to evaluate the effectiveness of our approach. Experimental results show that our approach is effective to correct a faulty firewall policy with three of these types of faults.

L Cai,Xh Yang

DOI: https://doi.org/10.1109/ICSMC.2005.1571196

2005-01-01

Abstract:More and more network attacks are focusing on application level vulnerabilities. Recently, several examples of this trend have been highly publicized such as the SQL Slammer and SQL Snake attacks. Traditional firewalls, used for protecting the database, only prevent attacks searching for vulnerabilities. Database firewalls take defense deep into the organization by providing full syntax control and audit of the SQL AN stream before it reaches the database, and enforcing content-driven access to database. This paper proposes a layered reference model for database firewalls by enhancing the capability of COAST Laboratory's model. It separates a database firewall into three layers (network layer, schematic layer and semantic layer) according to the knowledge, computation target, and the control granularity of each layer. Based on this model, a database firewall product had been prototyped It can greatly improve the database security by introducing self-controlled authentication principal mapping, object mapping, and mandatory access control modules.

Zhang Yi,Zhang Yong,Wang Weinong

DOI: https://doi.org/10.3321/j.issn:1002-8331.2006.06.044

2006-01-01

Abstract:The management of firewalls in today’s enterprise network environment is a complex and error-prone task.Effective techniques and tools for administrating the firewall configurations must be available to network administrators so that they can fulfill their responsibilities under the guide of a systematic methodology,not just based on their experiences.In this paper,we present such a technique by using the geometry technology to model the firewall configurations.Each filtering rule is mapped onto a hyperspace object in a 3-dimensional hyperspace.The semantics of a firewall’s configuration could then be visually comprehensible.Our approach enables a complete rewritten of a firewall’s legacy rules.Moreover,the concept of rule anomaly/conflict that is usually defined between two rules is extended to rule anomaly/conflict among two or more rules and can be identified easily in our model.

Qiumei Cheng,Chunming Wu,Haifeng Zhou,Yuhang Zhang,Rui Wang,Wei Ruan

DOI: https://doi.org/10.1109/hpcc/smartcity/dss.2018.00149

2018-01-01

Abstract:Guarding the perimeter of cloud-based enterprise networks is a challenge due to massive traffic with dynamic nature. Current firewalls of enterprise networks in cloud are largely based on static security rule configuration or simple rule matching, which makes them inflexible, error-prone and poorly effective, bringing about severe security risks. In this paper, we propose an artificial intelligence-based software-defined networks firewall (AI-SDNF) for solving the above problems. Compared with existing SDN firewalls, AI-SDNF is able to extract and analyze the payload of data packets based on machine learning technologies rather than simply match with flow tables according to several header fields (e.g., source and destination IP/MAC addresses). Considering deciding whether a packet is benign or malicious is able to be formulated as a typical binary classification problem, we employ logistic regression for training an intelligent SDN firewall under supervised machine learning. We implement a prototype of AI-SDNF on the OpenDaylight controller and the OpenStack platform. Based on the prototype, we evaluate its performance and overheads with real dataset. The experimental results indicate that AI-SDNF achieves a relatively high detection accuracy of 96.79% with an average of 0.2ms latency.

WANG Wei-Ping,CHEN Wen-Hui,LI Zhe-Peng,CHEN Hua-Ping

DOI: https://doi.org/10.3969/j.issn.1002-1175.2007.03.017

2007-01-01

Abstract:As a traditional technique of information security,firewall has played a very important role.Security administrators frequently have to compare firewall policies looking for inconsistence,while it is not a smooth process to choose a platform for the comparison.To realize the comparison between firewalls' policies,this paper provides FPT(firewall policy tree) model,and the construction algorithm which can turn a firewall policy into a policy tree,as well as the comparison algorithm,and finally presents the procedures of comparing firewalls' policies.Combination of the two algorithms can be used to perform a comparison between firewalls' policies.By doing this,the paper can obtain the set of data packages on which different firewalls have made inconsistent filter decisions,so as to find out the inconsistency in firewalls' policies.

DUAN Haixin,WU Jianping,LI Xing

DOI: https://doi.org/10.3321/j.issn:1000-0054.2001.01.025

2001-01-01

Abstract:Throughput and management issues arise when firewalls are applied in large transit networks. The manual configuration of large numbers of firewalls distributed in many access points can not provide open and dynamic environment and the large number of filtering rules decreases each firewall's throughput. Management can be improved using algorithms to automatically allocate global filtering rules to individual firewalls and to dynamically configure all of the firewalls according to the results of intrusion detection systems and search engines. The throughput of individual firewalls can be improved using a hash table based rule matching algorithm, which reduces the time complexity from O(N) to O(1) for transit networks, and therefore, increases the firewall throughput.

孙立琴,潘理

DOI: https://doi.org/10.3969/j.issn.1009-8054.2012.05.048

2012-01-01

Abstract:In order to detect all conflicts existing in firewall policy and visualize the relationships between rules and the reasons that generate conflicts, the rule segmentation is adopted to detect conflicts, and grids visualization method to visualize the relationships between rules and the reasons that generates conflicts. Conflict detection contains three functional parts, including segmentation of firewall policy, analysis on the segmentation result and extraction of the conflict domain. Thus the administrator could clearly know the anomaly cause, enhance the understanding, inspect the firewall policies, and avoid the introduction of new conflicts while modifying existing conflicts. And the experiment indicates the feasibility and effectiveness of this method.

Avishai Wool

DOI: https://doi.org/10.48550/arXiv.0911.1240

2009-11-06

Cryptography and Security

Abstract:The first quantitative evaluation of the quality of corporate firewall configurations appeared in 2004, based on Check Point FireWall-1 rule-sets. In general that survey indicated that corporate firewalls were often enforcing poorly written rule-sets, containing many mistakes. The goal of this work is to revisit the first survey. The current study is much larger. Moreover, for the first time, the study includes configurations from two major vendors. The study also introduce a novel "Firewall Complexity" (FC) measure, that applies to both types of firewalls. The findings of the current study indeed validate the 2004 study's main observations: firewalls are (still) poorly configured, and a rule-set's complexity is (still) positively correlated with the number of detected risk items. Thus we can conclude that, for well-configured firewalls, ``small is (still) beautiful''. However, unlike the 2004 study, we see no significant indication that later software versions have fewer errors (for both vendors).

JeeHyun Hwang,Tao Xie,Fei Chen,Alex X. Liu

DOI: https://doi.org/10.1109/srds.2009.38

2009-01-01

Abstract:Firewalls are the mainstay of enterprise security and the most widely adopted technology for protecting private networks. Ensuring the correctness of firewall policies through testing is important. In firewall policy testing, test inputs are packets and test outputs are decisions. Packets with unexpected (expected) evaluated decisions are classified as failed (passed) tests. Given failed tests together with passed tests, policy testers need to debug the policy to detect fault locations (such as faulty rules). Such a process is often time-consuming.To help reduce effort on detecting fault locations, we propose an approach to reduce the number of rules for inspection based on information collected during evaluating failed tests. Our approach ranks the reduced rules to decide which rules should be inspected first. We performed experiments on applying our approach. The empirical results show that our approach can reduce 56% of rules that are required for inspection in fault localization.

Hui Yuan,Lei Zheng,Shuang Qiu,Xiangli Peng,Yuan Liang,Yaodong Hu,Guoru Deng

DOI: https://doi.org/10.1007/978-3-030-15235-2_142

2019-04-25

Abstract:With the rapid development of the network, in recent years, the Internet has greatly improved people’s lives, and the real-time, sharing and distance-removing characteristics of network information transmission have made the operation and management of enterprises more efficient and coordinated. The basis of refinement. At the same time, various network security incidents have followed, such as hacker attacks on computer network systems, and various types of viruses, Trojans and other active attacks emerge one after another. In this regard, this paper analyzes the enterprise network security system of firewall from the perspective of enterprise network security, briefly summarizes the background, advantages and disadvantages of firewall technology, and designs and implements a client software according to the actual needs of users. The network performs real-time intelligent security monitoring. After the system design is completed, the security is tested by building a simulation platform, including qualitative testing and quantitative testing, which are divided into security and performance to verify whether the system can achieve and guarantee performance.

LI Xin,JI Zhen-zhou,LIU Wei-chen,HU Ming-zeng

DOI: https://doi.org/10.3969/j.issn.1007-5321.2006.04.022

2006-01-01

Abstract:To improve the efficiency and scalability of conflict detection for multi-dimensional classifiers,a new algorithm,based on grid of trie(GoT) algorithm,was proposed.The new algorithm uses Patricia trie,constricts the length of Internet protocol(IP) prefix in order to use Hash technology,and improves the performance of the algorithm by adding ingress and egress of firewall for each filter.

Dinesha Ranathunga,Matthew Roughan,Paul Tune,Phil Kernick,Nick Falkner

DOI: https://doi.org/10.48550/arXiv.1902.05689

2019-02-15

Abstract:Firewall configuration is critical, yet often conducted manually with inevitable errors, leaving networks vulnerable to cyber attack [40]. The impact of misconfigured firewalls can be catastrophic in Supervisory Control and Data Acquisition (SCADA) networks. These networks control the distributed assets of industrial systems such as power generation and water distribution systems. Automation can make designing firewall configurations less tedious and their deployment more reliable. In this paper, we propose ForestFirewalls, a high-level approach to configuring SCADA firewalls. Our goals are three-fold. We aim to: first, decouple implementation details from security policy design by abstracting the former; second, simplify policy design; and third, provide automated checks, pre and post-deployment, to guarantee configuration accuracy. We achieve these goals by automating the implementation of a policy to a network and by auto-validating each stage of the configuration process. We test our approach on a real SCADA network to demonstrate its effectiveness.

Cryptography and Security

Ren Anxi,Yang Shoubao,Li Hongwei

DOI: https://doi.org/10.3321/j.issn:1002-8331.2006.04.050

2006-01-01

Abstract:In order to decrease the rule-matching time and enhance the performance of firewall,this paper presents a statistic-analysis method,which adjust the order of firewall rules dynamically according to the analytic results obtained through analyzing the network flow.The simulation proves that it can improve the performance of firewall in some extent.

JeeHyun Hwang,Tao Xie,Fei Chen,Alex X. Liu

DOI: https://doi.org/10.1109/srds.2008.34

2012-01-01

IEEE Transactions on Network and Service Management

Abstract:Firewalls are the mainstay of enterprise security and the most widely adopted technology for protecting private networks. As the quality of protection provided by a firewall directly depends on the quality of its policy (i.e., configuration), ensuring the correctness of firewall policies is important and yet difficult. To help ensure the correctness, we propose a systematic structural testing approach for firewall policies. We define structural coverage (based on coverage criteria of rules, predicates, and clauses) on the firewall policy under test. To achieve high structural coverage effectively, we have developed four automated packet generation techniques: the random packet generation, the one based on local constraint solving (considering individual rules locally in a policy), the one based on global constraint solving (considering multiple rules globally in a policy), and the one based on boundary values.We have conducted an experiment on a set of real policies and a set of faulty policies to detect faults with generated packet sets. Generally, our experimental results show that a packet set with higher structural coverage has higher fault-detection capability (i.e., detecting more injected faults). Our experimental results show that a reduced packet set (maintaining the same level of structural coverage with the corresponding original packet set) maintains similar fault-detection capability with the original set.

Xin Lu

2008-01-01

Abstract:To solve the problem that current algorithms for detecting firewall filters conflicts had poor performance,this paper proposed a fast algorithm called FRCD for detecting conflicts.FRCD constructed two binary trees for every dimension.Experiments verify its good performance.

Zhen Dong,Ghanavati, M.,Andrzejak, A.

DOI: https://doi.org/10.1109/ISSREW.2013.6688897

2013-01-01

Abstract:Software configuration settings are an effective way to customize applications. However, inconsistencies or mistakes in option values can result in a system crash and need huge time and effort to diagnose. We present a technique to identify the root causes of configuration errors. It uses static program analysis to link the misconfiguration of an application to a specific configuration option. Our technique has two prominent characteristics compared to existing approaches: it relies only on static analysis, and it does not need profiles of the application with correct configuration. Based on the proposed techniques, we developed a tool called ConfDebugger. We evaluated its effectiveness on 8 configuration errors in the Java program JChord. ConfDebugger successfully diagnosed 7 out of 8 errors. For 5 of them, root cause was exactly pinpointed without a false positive, and in total, the average number of false positives was only 0.5. This is better than two state-of-the-art methods, with average numbers of false positives of 1.7 and 5.7, respectively.

杨琛,杨寿保

DOI: https://doi.org/10.3969/j.issn.1002-137X.2002.12.020

2002-01-01

Computer Science

Abstract:In this paper, we will firstly analyze the design and implementation of Windows Based Firewall. To im-prove the rule matching performance, we introduce a new, high efficient rule matching algorithm and present theWindows 2000 based firewall prototype.

YE Zhen-xin,YANG Shu-tang,MA Jin

DOI: https://doi.org/10.3969/j.issn.1009-8054.2009.06.019

2009-01-01

Abstract:This paper studies the factors that influence the performance of the firewall, and proposes a method that use the Rule-Set Anomaly Detection to downsize the Rule-Set. With the reordering of the rules according to their matching probability and by keeping the original semantic of the firewall policy unchanged, the firewall performance optimization is realized.

S. Pesic,A. Baiocchi,Livia Trazza,Simone Ferraresi

DOI: https://doi.org/10.1109/ICC.2007.220

2007-06-24

Abstract:Firewalls and Security Gateways are core elements in network security infrastructure. As networks and services become more complex, managing access-list rules becomes an error-prone task. Conflicts in a policy can cause holes in security, and can often be hard to find while performing only visual or manual inspection. First, we have defined a methodology to systematically classify the severity of rule conflicts; secondly, we have proposed two different solutions to automatically resolve conflicts in a firewall. For one of them we found an algebraic proof of the existence of the solution and the convergence of the algorithm, and then we have made a software implementation to test it.

Computer Science