Firewall Rule Set Inconsistency Characterization by Clustering
Firewall ACLs can contain inconsistencies, allowing traffic that should be denied, or vice versa. In this paper, we analyze the inconsistency characterization problem as a problem separate from diagnosis, and propose definitions to characterize one-to-many inconsistencies. We identify the combinatorial part of the problem that causes the exponential complexity of the combined diagnosis and characterization algorithms proposed by other researchers. The problem is divided into several smaller combinatorial problems, which effectively reduces its complexity. Finally, as a proof of concept, we propose a heuristic that solves the problem in worst-case polynomial time.
Evaluation of Anonymized ONS Queries
The Electronic Product Code (EPC) is the basis of a pervasive infrastructure for the automatic identification of objects in supply chain applications (e.g., pharmaceutical or military applications). This infrastructure relies on (1) Radio Frequency Identification (RFID) technology to tag objects in motion and (2) distributed services that provide information about those objects via the Internet. A lookup service, called the Object Name Service (ONS) and based on the Domain Name System (DNS), can be publicly accessed by EPC applications looking for information associated with tagged objects. Privacy issues may affect corporate infrastructures based on EPC technologies if their lookup service is not properly protected. A possible solution to mitigate these issues is the use of online anonymity. We present an evaluation experiment that compares the use of Tor (The second generation Onion Router) on a global ONS/DNS setup, with respect to benefits, limitations, and latency.
Comment: 14 page
Fast algorithms for consistency-based diagnosis of firewall rule sets
Firewalls provide the first line of defence of nearly all networked institutions today. However, firewall ACL management suffers from some problems that need to be addressed for it to be effective. The most studied one is rule set consistency. There is an inconsistency if different actions can be taken on the same traffic, depending on the ordering of the rules. In this paper a new algorithm to diagnose inconsistencies in firewall rule sets is presented. Although many algorithms have been proposed to address this problem, the presented one is a big improvement over them, due to its low algorithmic and memory complexity, even in the worst case. In addition, there is no need to pre-process the rule set in any way before applying the algorithm. We also present experimental results with real rule sets that validate our proposal.
Ministerio de Educación y Ciencia DPI2006-15476-C02-0
Polynomial Heuristic Algorithms for Inconsistency Characterization in Firewall Rule Sets
Firewalls provide the first line of defence of nearly all networked institutions today. However, firewall ACLs can contain inconsistencies, allowing traffic that should be denied, or vice versa. In this paper, we analyze the inconsistency characterization problem as a problem separate from diagnosis, and propose formal definitions in order to characterize one-to-many inconsistencies. We identify the combinatorial part of the problem that generates exponential complexities in the combined diagnosis and characterization algorithms proposed by other authors. Then we propose a decomposition of the combinatorial problem into several smaller combinatorial ones, which can effectively reduce the complexity of the problem. Finally, we propose an approximate heuristic and algorithms to solve the problem in worst-case polynomial time. Although many algorithms have been proposed to address this problem, all of them are combinatorial. The presented algorithms are a heuristic way to solve the problem with polynomial complexity. There are no constraints on how rule field ranges are expressed.
Ministerio de Educación y Ciencia DPI2006-15476-C02-0
Fast Algorithms for Local Inconsistency Detection in Firewall ACL Updates
Filtering is a very important issue in next generation networks. These networks consist of a relatively high number of resource-constrained devices with very special features, such as managing frequent topology changes. At each topology change, the access control policy of all nodes of the network must be automatically modified. In order to manage these access control requirements, firewalls have been proposed by several researchers. However, many of the problems of traditional firewalls are aggravated by the particularities of these networks.
In this paper we deeply analyze the local consistency problem in firewall rule sets, with special focus on automatic, frequent rule set updates, which is the case given the dynamic nature of next generation networks. We propose a rule-order-independent local inconsistency detection algorithm to prevent automatic rule updates that would cause inconsistencies. The proposed algorithms have very low computational complexity, as the experimental results show, and can be used in real-time environments.
Ministerio de Educación y Ciencia DPI2006-15476-C02-0
A heuristic polynomial algorithm for local inconsistency diagnosis in firewall rule sets
Firewall ACLs can contain inconsistencies. There is an inconsistency if different actions can be taken on the same flow of traffic, depending on the ordering of the rules. Inconsistent rules should be reported to the system administrator so that they can be removed. Minimal diagnosis and characterization of inconsistencies is a combinatorial problem. Although many algorithms have been proposed to solve this problem, all reviewed ones work with the full ACL with no approximate heuristics, giving minimal and complete results but making the problem intractable for large, real-life ACLs. In this paper we take a different approach. First, we deeply analyze the inconsistency diagnosis problem in firewall ACLs, and propose to split the process into several parts that can be solved sequentially: inconsistency detection, inconsistent rule identification, and inconsistency characterization. We present polynomial heuristic algorithms for the first two parts of the problem: detection and identification (diagnosis) of inconsistent rules. The algorithms return several independent clusters of inconsistent rules that can be characterized against a fault taxonomy. These clusters contain all inconsistent rules of the ACL (the algorithms are complete), but the algorithms do not necessarily give the minimum number of clusters. The main advantage of the proposed heuristic diagnosis process is that optimal characterization can now be applied to several smaller problems (the result of the diagnosis process) rather than to the whole ACL, resulting in an effective reduction of computational complexity at the cost of not having the minimal diagnosis. Experimental results with real ACLs are given.
Ministerio de Educación y Ciencia DPI2006-15476-C02-0
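The abstracts above share one definition: two rules are inconsistent if some packet matches both and they take different actions, so the rule order decides the outcome. The last abstract also describes splitting diagnosis into detection, identification of the inconsistent rules and grouping them into independent clusters, and the ACL-update abstract asks for an order-independent local check before a rule is inserted. The Python below is an added illustration written for this page, not the authors' algorithms or code: it does the naive pairwise check (quadratic in the number of rules, nothing like the authors' fast or heuristic algorithms), labels each inconsistent pair with the commonly used shadowing/generalization/correlation relation (a taxonomy assumed here; the page does not name the one it uses), groups inconsistent rules into independent clusters with union-find, and performs a local check for a single rule update. The `Rule` type, the sample ACL and the proposed update rule `R7` are all constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network

ANY_PORT = (0, 65535)          # inclusive port interval meaning "any port"


@dataclass(frozen=True)
class Rule:
    """One ACL entry (constructed type for this example); every field is a range."""
    rid: str
    proto: str                 # "tcp", "udp" or "any"
    src: IPv4Network
    sport: tuple               # inclusive (low, high)
    dst: IPv4Network
    dport: tuple               # inclusive (low, high)
    action: str                # "allow" or "deny"


def _ranges_overlap(a, b):
    return a[0] <= b[1] and b[0] <= a[1]


def _range_subset(a, b):       # interval a is contained in interval b
    return b[0] <= a[0] and a[1] <= b[1]


def rules_overlap(r, s):
    """True if at least one packet matches both r and s (non-empty intersection)."""
    return ((r.proto == "any" or s.proto == "any" or r.proto == s.proto)
            and r.src.overlaps(s.src) and r.dst.overlaps(s.dst)
            and _ranges_overlap(r.sport, s.sport)
            and _ranges_overlap(r.dport, s.dport))


def rule_subset(r, s):
    """True if every packet matching r also matches s."""
    return ((s.proto == "any" or r.proto == s.proto)
            and r.src.subnet_of(s.src) and r.dst.subnet_of(s.dst)
            and _range_subset(r.sport, s.sport)
            and _range_subset(r.dport, s.dport))


def classify(earlier, later):
    """Relation between two overlapping rules with different actions, `earlier` first in
    the ACL. The names are the usual shadowing/generalization/correlation taxonomy, an
    assumption of this example rather than the taxonomy of the papers above."""
    if rule_subset(later, earlier):
        return "shadowing"        # later can never fire: earlier always matches first
    if rule_subset(earlier, later):
        return "generalization"   # earlier is an exception carved out of later
    return "correlation"          # partial overlap: order decides the intersection


def find_inconsistent_pairs(rules):
    """Detection + identification: every pair that overlaps and disagrees on the action."""
    found = []
    for i, r in enumerate(rules):
        for s in rules[i + 1:]:
            if r.action != s.action and rules_overlap(r, s):
                found.append((r.rid, s.rid, classify(r, s)))
    return found


def cluster(rules, pairs):
    """Group inconsistent rules into independent clusters (connected components of the
    pair graph, via union-find) so each cluster can be characterized on its own."""
    parent = {r.rid: r.rid for r in rules}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    for a, b, _ in pairs:
        parent[find(a)] = find(b)
    groups = {}
    for a, b, _ in pairs:
        for x in (a, b):
            groups.setdefault(find(x), set()).add(x)
    return sorted(sorted(g) for g in groups.values())


def check_update(rules, new_rule):
    """Local check for one insertion: the existing rules the new rule conflicts with.
    Overlap and action mismatch do not depend on where the rule is inserted, so the
    conflict set is order independent; the label assumes the new rule is appended last."""
    return [(r.rid, classify(r, new_rule))
            for r in rules if r.action != new_rule.action and rules_overlap(r, new_rule)]


# Constructed sample ACL (not from the page); first matching rule wins.
ACL = [
    Rule("R1", "tcp", IPv4Network("10.0.0.0/24"), ANY_PORT, IPv4Network("192.168.1.10/32"), (80, 80), "allow"),
    Rule("R2", "tcp", IPv4Network("10.0.0.0/16"), ANY_PORT, IPv4Network("192.168.1.0/24"), (80, 80), "deny"),
    Rule("R3", "tcp", IPv4Network("10.0.0.5/32"), ANY_PORT, IPv4Network("192.168.1.10/32"), (80, 80), "deny"),
    Rule("R4", "udp", IPv4Network("0.0.0.0/0"), ANY_PORT, IPv4Network("10.10.10.0/24"), (53, 53), "allow"),
    Rule("R5", "udp", IPv4Network("172.16.0.0/12"), ANY_PORT, IPv4Network("10.10.0.0/16"), (1, 1024), "deny"),
    Rule("R6", "tcp", IPv4Network("0.0.0.0/0"), ANY_PORT, IPv4Network("0.0.0.0/0"), ANY_PORT, "deny"),
]
# Constructed proposed update: identical match set to R1 with the opposite action.
NEW_RULE = Rule("R7", "tcp", IPv4Network("10.0.0.0/24"), ANY_PORT, IPv4Network("192.168.1.10/32"), (80, 80), "deny")

if __name__ == "__main__":
    pairs = find_inconsistent_pairs(ACL)
    for a, b, kind in pairs:
        print(f"{a} vs {b}: {kind}")
    print("clusters:", cluster(ACL, pairs))
    print("R7 conflicts:", check_update(ACL, NEW_RULE))
```

On the sample ACL the pairwise pass reports R1/R2 and R1/R6 as generalizations, R1/R3 as shadowing and R4/R5 as a correlation, and the clustering step separates them into two independent clusters, {R1, R2, R3, R6} and {R4, R5}: characterization then has to consider four and two rules rather than six, which is the complexity reduction the abstracts are after. The local check rejects R7 before insertion because R1 already matches exactly the same traffic with the opposite action, whichever position R7 would be given. Note that the pairwise check only finds two-rule conflicts; a one-to-many inconsistency (several rules together covering an earlier rule) needs the characterization step the papers describe.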