Weiping Wang,Wenhui Chen,Zhepeng Li,Huaping Chen

DOI: https://doi.org/10.1007/978-3-540-37275-2_67

2006-01-01

Abstract:As a traditional technique of information security, distributed firewall has taken very important position, while problems remain. Correct configuration of distributed firewall policies and keeping individual firewall filter decisions compatible to each other are quite inconvenient for administrators. To realize the comparison between firewalls’ policies, this paper provide FPT(firewall policy tree) model, and the construction algorithm which can turn a firewall policy into a policy tree, as well as the comparison algorithm. Combination of the two algorithms can be used to perform a comparison between distributed firewalls’ policies. By doing this, the paper can obtain the set of data packages on which different firewalls have made inconsistent filter decision, and find out the inconsistency in distributed firewall policies. Besides, this model could be extended to package classification systems for policies comparison.

WUChunming

DOI: https://doi.org/10.3969/j.issn.1009-6868.2016.01.009

2016-01-01

Abstract:Dynamic network proactive security defence is an effective method for solving the unknown vulnerabilities and back door attacks in the information system. In this paper, the evolution defense mechanism (EDM) is proposed. According to the security status, network system security needs, EDM can select the best network configuration change elements to deal with potential attacks and ensure the safety requirements of a specific level. Dynamic reconfiguration and changes of the network need to be considered in accordance with the security situation of the system and the possible network attacks. The key is how to detect and the security situation and network attacks. It proposes that study on dynamic network proactive security defense in China is in the initial stage, and there is stil much work to do.

WANG Wei-Ping,CHEN Wen-Hui,LI Zhe-Peng,CHEN Hua-Ping

DOI: https://doi.org/10.3969/j.issn.1002-1175.2007.03.017

2007-01-01

Abstract:As a traditional technique of information security,firewall has played a very important role.Security administrators frequently have to compare firewall policies looking for inconsistence,while it is not a smooth process to choose a platform for the comparison.To realize the comparison between firewalls' policies,this paper provides FPT(firewall policy tree) model,and the construction algorithm which can turn a firewall policy into a policy tree,as well as the comparison algorithm,and finally presents the procedures of comparing firewalls' policies.Combination of the two algorithms can be used to perform a comparison between firewalls' policies.By doing this,the paper can obtain the set of data packages on which different firewalls have made inconsistent filter decisions,so as to find out the inconsistency in firewalls' policies.

JeeHyun Hwang,Tao Xie,Fei Chen,Alex X. Liu

DOI: https://doi.org/10.1109/srds.2008.34

2012-01-01

IEEE Transactions on Network and Service Management

Abstract:Firewalls are the mainstay of enterprise security and the most widely adopted technology for protecting private networks. As the quality of protection provided by a firewall directly depends on the quality of its policy (i.e., configuration), ensuring the correctness of firewall policies is important and yet difficult. To help ensure the correctness, we propose a systematic structural testing approach for firewall policies. We define structural coverage (based on coverage criteria of rules, predicates, and clauses) on the firewall policy under test. To achieve high structural coverage effectively, we have developed four automated packet generation techniques: the random packet generation, the one based on local constraint solving (considering individual rules locally in a policy), the one based on global constraint solving (considering multiple rules globally in a policy), and the one based on boundary values.We have conducted an experiment on a set of real policies and a set of faulty policies to detect faults with generated packet sets. Generally, our experimental results show that a packet set with higher structural coverage has higher fault-detection capability (i.e., detecting more injected faults). Our experimental results show that a reduced packet set (maintaining the same level of structural coverage with the corresponding original packet set) maintains similar fault-detection capability with the original set.

Fei Chen,Alex X. Liu,Jeehyun Hwang,Tao Xie

DOI: https://doi.org/10.1145/2240166.2240177

2010-01-01

Abstract:Firewalls are critical components of network security and have been widely deployed for protecting private networks. A firewall determines whether to accept or discard a packet that passes through it based on its policy. However, most real-life firewalls have been plagued with policy faults, which either allow malicious traffic or block legitimate traffic. Due to the complexity of firewall policies, manually locating the faults of a firewall policy and further correcting them are difficult. Automatically correcting the faults of a firewall policy is an important and challenging problem. In this article, we first propose a fault model for firewall policies including five types of faults. For each type of fault, we present an automatic correction technique. Second, we propose the first systematic approach that employs these five techniques to automatically correct all or part of the misclassified packets of a faulty firewall policy. Third, we conducted extensive experiments to evaluate the effectiveness of our approach. Experimental results show that our approach is effective to correct a faulty firewall policy with three of these types of faults.

JeeHyun Hwang,Tao Xie,Fei Chen,Alex X. Liu

DOI: https://doi.org/10.1109/srds.2009.38

2009-01-01

Abstract:Firewalls are the mainstay of enterprise security and the most widely adopted technology for protecting private networks. Ensuring the correctness of firewall policies through testing is important. In firewall policy testing, test inputs are packets and test outputs are decisions. Packets with unexpected (expected) evaluated decisions are classified as failed (passed) tests. Given failed tests together with passed tests, policy testers need to debug the policy to detect fault locations (such as faulty rules). Such a process is often time-consuming.To help reduce effort on detecting fault locations, we propose an approach to reduce the number of rules for inspection based on information collected during evaluating failed tests. Our approach ranks the reduced rules to decide which rules should be inspected first. We performed experiments on applying our approach. The empirical results show that our approach can reduce 56% of rules that are required for inspection in fault localization.

DUAN Haixin,WU Jianping,LI Xing

DOI: https://doi.org/10.3321/j.issn:1000-0054.2001.01.025

2001-01-01

Abstract:Throughput and management issues arise when firewalls are applied in large transit networks. The manual configuration of large numbers of firewalls distributed in many access points can not provide open and dynamic environment and the large number of filtering rules decreases each firewall's throughput. Management can be improved using algorithms to automatically allocate global filtering rules to individual firewalls and to dynamically configure all of the firewalls according to the results of intrusion detection systems and search engines. The throughput of individual firewalls can be improved using a hash table based rule matching algorithm, which reduces the time complexity from O(N) to O(1) for transit networks, and therefore, increases the firewall throughput.

Ren Anxi,Yang Shoubao,Li Hongwei

DOI: https://doi.org/10.3321/j.issn:1002-8331.2006.04.050

2006-01-01

Abstract:In order to decrease the rule-matching time and enhance the performance of firewall,this paper presents a statistic-analysis method,which adjust the order of firewall rules dynamically according to the analytic results obtained through analyzing the network flow.The simulation proves that it can improve the performance of firewall in some extent.

Zhang Yi,Zhang Yong,Wang Weinong

DOI: https://doi.org/10.3321/j.issn:1002-8331.2006.06.044

2006-01-01

Abstract:The management of firewalls in today’s enterprise network environment is a complex and error-prone task.Effective techniques and tools for administrating the firewall configurations must be available to network administrators so that they can fulfill their responsibilities under the guide of a systematic methodology,not just based on their experiences.In this paper,we present such a technique by using the geometry technology to model the firewall configurations.Each filtering rule is mapped onto a hyperspace object in a 3-dimensional hyperspace.The semantics of a firewall’s configuration could then be visually comprehensible.Our approach enables a complete rewritten of a firewall’s legacy rules.Moreover,the concept of rule anomaly/conflict that is usually defined between two rules is extended to rule anomaly/conflict among two or more rules and can be identified easily in our model.

孙立琴,潘理

DOI: https://doi.org/10.3969/j.issn.1009-8054.2012.05.048

2012-01-01

Abstract:In order to detect all conflicts existing in firewall policy and visualize the relationships between rules and the reasons that generate conflicts, the rule segmentation is adopted to detect conflicts, and grids visualization method to visualize the relationships between rules and the reasons that generates conflicts. Conflict detection contains three functional parts, including segmentation of firewall policy, analysis on the segmentation result and extraction of the conflict domain. Thus the administrator could clearly know the anomaly cause, enhance the understanding, inspect the firewall policies, and avoid the introduction of new conflicts while modifying existing conflicts. And the experiment indicates the feasibility and effectiveness of this method.

Cheng Zang,Zhongdong Huang,Ke Chen,Jinxiang Dong

DOI: https://doi.org/10.1007/978-3-540-72863-4_64

2007-01-01

Abstract:Dynamic policy enables the system to adjust the policies according to the changing circumstance, and makes the system more flexible and adaptive. We have proposed a dynamic model and the idea is to dynamically change the policy according to a pair of states rather than one state, which provides more information for the policy decision making, thus makes policy more accurate. The dynamic policy architecture based on this model is built in this paper, and we describe the components and steps of detecting a change, deciding the pair of current and previous states and picking up the policy according to the change.

Li Duofeng,Yang Shutang,Ma Jin,Li Jianhua

DOI: https://doi.org/10.3969/j.issn.1000-386X.2007.09.004

2007-01-01

Abstract:A firewall system using virtual firewall techniques based on independent group policy is proposed and designed,which supports large-scale multi-user concurrent control. The system allows that lots of users configure any firewall rules without confliction.It is especially suitable for class-scale information security teaching and training. As proved, the system is able to support over 1,000 students' online practice at the same time.

WANG Wei-Ping,CHEN Wen-Hui,ZHU Wei-Wei,CHEN Hua-Ping,YANG Jie

DOI: https://doi.org/10.3969/j.issn.1002-1175.2007.02.019

2007-01-01

Abstract:As a traditional information security technology(IST),distributed firewall is playing an important role but it has some problems.Conflicts always appear in distributed firewall policy,bringing the security menace.After discussions of some relations between the rules of firewall,this paper demonstrates the probable mistakes which might exist in policy configuration,and also introduces an algorithm of mistake-detecting about policy configuration.Finally,the direction of further research is also presented.

S. Pesic,A. Baiocchi,Livia Trazza,Simone Ferraresi

DOI: https://doi.org/10.1109/ICC.2007.220

2007-06-24

Abstract:Firewalls and Security Gateways are core elements in network security infrastructure. As networks and services become more complex, managing access-list rules becomes an error-prone task. Conflicts in a policy can cause holes in security, and can often be hard to find while performing only visual or manual inspection. First, we have defined a methodology to systematically classify the severity of rule conflicts; secondly, we have proposed two different solutions to automatically resolve conflicts in a firewall. For one of them we found an algebraic proof of the existence of the solution and the convergence of the algorithm, and then we have made a software implementation to test it.

Computer Science

Sen Huang,Kexin Wang,Weifeng Chen,Jianghong You,Xi Chen,Zhijiang Shao,Lorenz T. Biegler

DOI: https://doi.org/10.1016/B978-0-444-59506-5.50091-2

2012-01-01

Abstract:Appropriate discretization is a key point of simultaneous strategies for dynamic optimization. Inappropriate discretization mesh may cause slow convergence, or even failure in the solution of the resulting NLP problem. Based on the observation that the level of power change of HTR-PM and mesh configuration is related to each another, the current paper proposes a simplified MFE strategy to discretize and solve efficiently the dynamic optimization problems arising from frequent HTR-PM load transition. The strategy develops offline and online phases to generate at low cost the appropriate discretization meshes for problems corresponding to any level of power change. The example of online optimal operation of HTR-PM demonstrates that the performance for real-time applications is significantly improved.

Chengyuan Zhu,Tianyuan Zhang

DOI: https://doi.org/10.1002/qre.3139

2022-01-01

Quality and Reliability Engineering International

Abstract:Dynamic fault tree (DFT) is an extended technology of Fault tree analysis (FTA). It has been widely used in many fields and plays an important role in improving the security performance of the system. Although DFT has developed for many years, new research in recent years is still worthy of attention. In this study, the research status of different realization methods/analysis techniques of DFT is comprehensively reviewed. First, the development and research trend of DFT are described. Second, the research on dynamic gates and components in the analysis techniques is introduced in detail. Third, the mainstream realization methods of DFT, such as Markov chain, Bayesian network (BN) and so on, are summarized. At the same time, the application of other auxiliary analysis techniques is also introduced. Then, based on the research progress of different realization methods, the future development direction and challenges of DFT are prospected. The realization methods of DFT not only need the rigorous theoretical foundation. Moreover, it is also necessary to consider the combination of real-time data and system modeling technology to realize dynamic assessment and smart system in the future.

WANG Weiping,CHEN Wenhui,ZHU Weiwei,CHEN Huaping

DOI: https://doi.org/10.3969/j.issn.1000-3428.2007.11.049

2007-01-01

Abstract:As enterprises’ network security barrier,firewalls play a very important role.Since enterprises configurate firewalls according to its need;the rule table will be included.However,problems may occur during configuration.On one hand,the administrator himself may make some mistakes during initial configuration.On the other hand,possibility of conflicts among different rules increases with rule numbers in the table growing.This paper analyzes possible mistakes in the configuration process.It introduces several familiar types of mistakes in configuration,puts forward the algorithm which can find mistakes.The paper improves the algorithm according to the characteristics of the firewall rule table,which increases efficiency of detecting configuration mistakes.

Harleen Kaur,Omid MahdiEbadati E.,M. Afshar Alm

DOI: https://doi.org/10.48550/arXiv.1201.4555

2012-01-22

Abstract:The stimulate of this research seeks collaboration of firewalls which, could reach to the capability of distributed points of security policy; the front-end entity may much interact by the invaders so the separation between this entity and back-end entity to make the secure domain protection is necessary; collaborative security entity has the various task in the organization and there is a certain security policy to apply in; the entities like DPFF have to be protected from outsiders. Firewalls are utilized typically to be the main layer of security in the network framework. The research is presented the particular segment of the proposed framework that DPFF based on the developed iptable firewall to be the layers of defense, which is protected front and backend of the framework with a dynamic security and policy update to control the framework's safeguard through proposed portion approach algorithm that utilize to reduce the traffic and efficiency in detection and policy update mechanism. The policy update mechanism for DPFF is given the way of its employment. The complete framework signifies a distributed firewall, where the administrator configures the policy rules set, which could be separately or else from administration nodes' side.

Networking and Internet Architecture,Cryptography and Security

Daniele Bringhenti,Francesco Pizzato,Riccardo Sisto,Fulvio Valenza

DOI: https://doi.org/10.1002/nem.2307

2024-10-22

International Journal of Network Management

Abstract:This graphical abstract shows the workflow of the proposed approach for autonomous attack mitigation through firewall reconfiguration. Packet filtering firewalls represent a main defense line against cyber attacks that target computer networks daily. However, the traditional manual approaches for their configuration are no longer applicable to next‐generation networks, which have become much more complex after the introduction of virtualization paradigms. Some automatic strategies have been investigated in the literature to change that old‐fashioned configuration approach, but they are not fully autonomous and still require several human interventions. In order to overcome these limitations, this paper proposes an autonomous approach for firewall reconfiguration where all steps are automated, from the derivation of the security requirements coming from the logs of IDSs to the deployment of the automatically computed configurations. A core component of this process is React‐VEREFOO, which models the firewall reconfiguration problem as a Maximum Satisfiability Modulo Theories problem, allowing the combination of full automation, formal verification, and optimization in a single technique. An implementation of this proposal has undergone experimental validation to show its effectiveness and performance.

computer science, information systems,telecommunications

YE Zhen-xin,YANG Shu-tang,MA Jin

DOI: https://doi.org/10.3969/j.issn.1009-8054.2009.06.019

2009-01-01

Abstract:This paper studies the factors that influence the performance of the firewall, and proposes a method that use the Rule-Set Anomaly Detection to downsize the Rule-Set. With the reordering of the rules according to their matching probability and by keeping the original semantic of the firewall policy unchanged, the firewall performance optimization is realized.