Safe and Efficient Strategies for Updating Firewall Policies

Authors

  • Zeeshan Ahmed
  • Abdessamad Imine
  • Michaël Rusinowitch
Abstract

Due to the large size and complex structure of modern networks, firewall policies can contain several thousand rules. The size and complexity of these policies require automated tools providing a user-friendly environment to specify, configure and safely deploy a target policy. Much research has already addressed policy specification, conflict detection, and optimization, but very little research is devoted to firewall policy deployment. Only recently, some researchers have proposed deployment strategies for two important classes of policy editing languages. In this report, we show that these strategies have serious flaws leading to security breaches. Then we provide correct, efficient and safe algorithms for both classes of languages. Our experimental results show that these algorithms are very fast and can be used safely even for deploying very large policies.

Key-words: Firewall Policy Management, Firewalls, Network Security.

∗ INRIA Nancy Grand Est, UMR 7503.
† INRIA Nancy Grand Est & Univ. Nancy 2, UMR 7503.
‡ INRIA Nancy Grand Est, UMR 7503.

inria-00381778, version 2, 18 May 2009

French title: Stratégies Sûres et Efficaces pour la Mise-à-jour des Politiques de Pare-Feu

Summary (translated from the French résumé): Today, firewall policies can contain thousands of rules because of the enormous size and complex structure of modern networks. As a result, these policies require automated tools that provide a user-friendly environment to specify, configure and safely deploy a target policy. Much research has addressed policy specification, conflict detection and the optimization problem, but very little work has looked at policy deployment. Only recently have some researchers proposed deployment strategies for the two important categories of policy editing. In this report, we show that these strategies are flawed and could lead to security breaches. We then provide two correct, efficient and safe algorithms for the classes of policy editing. Our experimental results show that these algorithms are very fast and can be used safely, even for deploying very large policies.

Keywords (French version): Firewall Policy Management, Firewalls, Network Security.

Similar resources

Enforcing RBAC Policies over Data Stored on Untrusted Server (Extended Version)

One of the security issues in data outsourcing is the enforcement of the data owner’s access control policies. This includes some challenges. The first challenge is preserving confidentiality of data and policies. One of the existing solutions is encrypting data before outsourcing which brings new challenges; namely, the number of keys required to access authorized resources, efficient policy u...

A New Method for Creating Efficient Security Policies in Virtual Private Network

One of the most important protocols for implementing tunnels to build a secure virtual private network is the IPsec protocol. IPsec policies are widely used to limit access to information in security gateways or firewalls. The security treatment, namely (Deny, Allow or Encrypt), is applied to outbound as well as inbound traffic by security policies. It is so important that the...

Distributed Firewall with Intrusion Detection System

With the growth of the Internet, network security has received significant attention over the past ten years due to the increasing threat of hacker attacks. To achieve security goals, most corporate environments have deployed firewalls to block intrusions. However, traditional firewalls only provide static filtering analysis, so they cannot analyze the content of data packets for providing dyna...

Assisted Firewall Policy Repair Using Examples and History

Firewall policies can be extremely complex and difficult to maintain, especially on networks with more than a few hundred machines. The difficulty of configuring a firewall properly often leads to serious errors in the firewall configuration or discourages system administrators from implementing restrictive policies. In previous research, we developed a technique for modeling firewall policies u...

On the Safety and Efficiency of Virtual Firewall Elasticity Control

Traditional hardware-based firewall appliances are placed at fixed locations with fixed capacity. Such nature makes them difficult to protect today’s prevailing virtualized environments. Two emerging networking paradigms, Network Function Virtualization (NFV) and Software-Defined Networking (SDN), offer the potential to address these limitations. NFV envisions to implement firewall function as ...

Publication date: 2010