The Policy Mapping Algorithm for High-speed Firewall Policy Verifying
نویسندگان
چکیده
In this paper, we have proposed a novel algorithm and data structures to improve the speed of firewall policy verification. it is called the policy mapping (PMAP). Time complexity of the proposed technique is O(1) to verify incoming-outgoing packets against the firewall policy. Besides, the algorithm is not limited to handle IP network classes as IPSET which is the top of high-speed firewall open source today. PMAP can also optimize the firewall rule decision by employing the firewall decision state diagram (FDSD) to clarify ordering of policy verifying. The consumed memory of PMAP is reasonable. It consumes the memory usage around 3.27 GB for maintaining rule data structures processing the firewall rule at 5,000 rules.
منابع مشابه
Firewall policy verification and troubleshooting
Firewalls are important elements of enterprise security and have been the most widely adopted technology for protecting private networks. The quality of protection provided by a firewall mainly depends on the quality of its policy (i.e., configuration). However, due to the lack of tools for verifying and troubleshooting firewall policies, most firewalls on the Internet have policy errors. A fir...
متن کاملFirewall Analysis with Policy-based Host Classification
For administrators of large systems, testing and debugging a firewall policy is a difficult process. The size and complexity of many firewall policies make manual inspection of the rule set tedious and error-prone. The complex interaction of conflicting rules can conceal serious errors that compromise the security of the network or interrupt the delivery of important services. Most existing too...
متن کاملNetwork Security Policy Verification
We present a unified theory for verifying network security policies. A security policy is represented as directed graph. To check high-level security goals, security invariants over the policy are expressed. We cover monotonic security invariants, i.e. prohibiting more does not harm security. We provide the following contributions for the security invariant theory. (i) Secure auto-completion of...
متن کاملInferring Higher Level Policies from Firewall Rules
Packet filtering firewall is one of the most important mechanisms used by corporations to enforce their security policy. Recent years have seen a lot of research in the area of firewall management. Typically, firewalls use a large number of low-level filtering rules which are configured using vendor-specific tools. System administrators start off by writing rules which implement the security po...
متن کاملOn autonomic optimization of firewall policy organization
Security policies play a critical role in many of the current network security technologies such as firewalls, IPSec and IDS devices. The configuration of these policies not only determines the functionality of such devices, but also substantially affects their performance. The optimization of filtering policy configuration is critically important to provide high performance packet filtering pa...
متن کاملذخیره در منابع من
با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید
برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید
ثبت ناماگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید
ورودعنوان ژورنال:
- I. J. Network Security
دوره 18 شماره
صفحات -
تاریخ انتشار 2016