Management and translation of filtering security policies

Firewalls are essential elements for security policy enforcement in modern networks. However, managing a filtering security policy, especially for enterprise networks, has become complex and error-prone. Filtering rules have to be carefully written and organized in order to correctly implement the security policy and avoid policy anomalies. In this paper, we present a set of techniques and algorithms that provide (1) automatic anomaly discovery for rule conflicts and potential problems in legacy firewalls, (2) anomaly-free policy editing for rule insertion, modification and removal, and (3) concise translation of filtering rules to high-level textual description for user visualization and verification. These techniques significantly simplify the management of any generic firewall policy written as filtering rules, while minimizing network vulnerability due to filtering policy misconfiguration.