122 research outputs found
Fast Algorithms for Local Inconsistency Detection in Firewall ACL Updates
Filtering is a very important issue in next
generation networks. These networks consist of a
relatively high number of resource constrained devices
with very special features, such as managing frequent
topology changes. At each topology change, the access
control policy of all nodes of the network must be
automatically modified. In order to manage these
access control requirements, Firewalls have been
proposed by several researchers. However, many of
the problems of traditional firewalls are aggravated
due to these networks particularities.
In this paper we deeply analyze the local
consistency problem in firewall rule sets, with special
focus on automatic frequent rule set updates, which is
the case of the dynamic nature of next generation
networks. We propose a rule order independent local
inconsistency detection algorithm to prevent automatic
rule updates that can cause inconsistencies. The
proposed algorithms have very low computational
complexity as experimental results will show, and can
be used in real time environments.Ministerio de Educación y Ciencia DPI2006-15476-C02-0
Efficient data structures for local inconsistency detection in firewall ACL updates
Filtering is a very important issue in next generation networks. These networks consist of a relatively high
number of resource constrained devices and have special features, such as management of frequent topology
changes. At each topology change, the access control policy of all nodes of the network must be
automatically modified. In order to manage these access control requirements, Firewalls have been proposed
by several researchers. However, many of the problems of traditional firewalls are aggravated due to these
networks particularities, as is the case of ACL consistency. A firewall ACL with inconsistencies implies in
general design errors, and indicates that the firewall is accepting traffic that should be denied or vice versa.
This can result in severe problems such as unwanted accesses to services, denial of service, overflows, etc.
Detecting inconsistencies is of extreme importance in the context of highly sensitive applications (e.g.
health care). We propose a local inconsistency detection algorithm and data structures to prevent automatic
rule updates that can cause inconsistencies. The proposal has very low computational complexity as both
theoretical and experimental results will show, and thus can be used in real time environments.Ministerio de Educación y Ciencia DPI2006-15476-C02-0
A Quadratic, Complete, and Minimal Consistency Diagnosis Process for Firewall ACLs
Developing and managing firewall Access Control
Lists (ACLs) are hard, time-consuming, and error-prone tasks
for a variety of reasons. Complexity of networks is constantly
increasing, as it is the size of firewall ACLs. Networks have
different access control requirements which must be translated
by a network administrator into firewall ACLs. During this task,
inconsistent rules can be introduced in the ACL. Furthermore,
each time a rule is modified (e.g. updated, corrected when a fault
is found, etc.) a new inconsistency with other rules can be
introduced. An inconsistent firewall ACL implies, in general, a
design or development fault, and indicates that the firewall is
accepting traffic that should be denied or vice versa. In this paper
we propose a complete and minimal consistency diagnosis process
which has worst-case quadratic time complexity with the number
of rules in a set of inconsistent rules. There are other proposals of
consistency diagnosis algorithms. However they have different
problems which can prevent their use with big, real-life, ACLs:
on the one hand, the minimal ones have exponential worst-case
time complexity; on the other hand, the polynomial ones are not
minimal.Ministerio de Eduación y Ciencia TIN2009-1371
Efficient algorithms and abstract data types for local inconsistency isolation in firewall ACLS
Writing and managing firewall ACLs are hard, tedious, time-consuming and error-prone tasks for a wide
range of reasons. During these tasks, inconsistent rules can be introduced. An inconsistent firewall ACL
implies in general a design fault, and indicates that the firewall is accepting traffic that should be denied or
vice versa. This can result in severe problems such as unwanted accesses to services, denial of service,
overflows, etc. However, the administrator is who ultimately decides if an inconsistent rule is a fault or not.
Although many algorithms to detect and manage inconsistencies in firewall ACLs have been proposed, they
have different drawbacks regarding different aspects of the consistency diagnosis problem, which can
prevent their use in a wide range of real-life situations. In this paper, we review these algorithms along with
their drawbacks, and propose a new divide and conquer based algorithm, which uses specialized abstract
data types. The proposed algorithm returns consistency results over the original ACL. Its computational
complexity is better than the current best algorithm for inconsistency isolation, as experimental results will
also show.Ministerio de Educación y Ciencia DIP2006-15476-C02-0
A heuristic polynomial algorithm for local inconsistency diagnosis in firewall rule sets
Firewall ACLs can contain inconsistencies. There is an inconsistency if different actions can be taken on the
same flow of traffic, depending on the ordering of the rules. Inconsistent rules should be notified to the
system administrator in order to remove them. Minimal diagnosis and characterization of inconsistencies is
a combinatorial problem. Although many algorithms have been proposed to solve this problem, all reviewed
ones work with the full ACL with no approximate heuristics, giving minimal and complete results, but
making the problem intractable for large, real-life ACLs. In this paper we take a different approach. First,
we deeply analyze the inconsistency diagnosis in firewall ACLs problem, and propose to split the process in
several parts that can be solved sequentially: inconsistency detection, inconsistent rules identification, and
inconsistency characterization. We present polynomial heuristic algorithms for the first two parts of the
problem: detection and identification (diagnosis) of inconsistent rules. The algorithms return several
independent clusters of inconsistent rules that can be characterized against a fault taxonomy. These clusters
contains all inconsistent rules of the ACL (algorithms are complete), but the algorithms not necessarily give
the minimum number of clusters. The main advantage of the proposed heuristic diagnosis process is that
optimal characterization can be now applied to several smaller problems (the result of the diagnosis process)
rather than to the whole ACL, resulting in an effective computational complexity reduction at the cost of not
having the minimal diagnosis. Experimental results with real ACLs are given.Ministerio de Educación y Ciencia DPI2006-15476-C02-0
Recommended from our members
Enhancing Automated Network Management
Network management benefits from automated tools. With the recent advent of software-defined principles, automated tools have been proposed from both industry and academia to fulfill function components in the network management control loop. While automation aims to accommodate the ever increasing network diversity and dynamics with improved reliability and management efficiency, it also brings new concerns as it’s becoming more difficult to understand the control of the network and operators cannot rely on traditional troubleshooting tools. Meanwhile, how to effectively integrate new automation tools with existing legacy networks remains a question. This dissertationpresents efficient methods to address key functionalities within the control loop in the adaption of automated network management.Identifying the network-wide forwarding behaviors of a packet is essential for many network management tasks, including policy enforcement, rule verification, and fault localization. We start by presenting AP Classifier. AP Classifier was developed based on the concept of atomic predicates which can be used to characterize the forwarding behaviors of packets. There is an increasing trend that enterprises outsource their Network Function (NF) processing to a cloud to lower cost and ease management. To avoid threats to the enterprise’s private information, we propose SICS based on AP Classifier, a secure and dynamic NF outsourcing framework. Stateful NFs have become essential parts of modern networks, increasing the complexity in network management. A major step in network automation is to automatically translate high level network intents into low level configurations. To ensure those configurations and the states generated by automation match intents, we present Epinoia, a network intent checker for stateful networks. While the concept of auto-translation sounds promising, operators may not know what intents should be. To close the control loop, we present AutoInfer to automatically infer intents of running networks, which helps operators understand the network runtime states
Design and Evaluation of Packet Classification Systems, Doctoral Dissertation, December 2006
Although many algorithms and architectures have been proposed, the design of efficient packet classification systems remains a challenging problem. The diversity of filter specifications, the scale of filter sets, and the throughput requirements of high speed networks all contribute to the difficulty. We need to review the algorithms from a high-level point-of-view in order to advance the study. This level of understanding can lead to significant performance improvements. In this dissertation, we evaluate several existing algorithms and present several new algorithms as well. The previous evaluation results for existing algorithms are not convincing because they have not been done in a consistent way. To resolve this issue, an objective evaluation platform needs to be developed. We implement and evaluate several representative algorithms with uniform criteria. The source code and the evaluation results are both published on a web-site to provide the research community a benchmark for impartial and thorough algorithm evaluations. We propose several new algorithms to deal with the different variations of the packet classification problem. They are: (1) the Shape Shifting Trie algorithm for longest prefix matching, used in IP lookups or as a building block for general packet classification algorithms; (2) the Fast Hash Table lookup algorithm used for exact flow match; (3) the longest prefix matching algorithm using hash tables and tries, used in IP lookups or packet classification algorithms;(4) the 2D coarse-grained tuple-space search algorithm with controlled filter expansion, used for two-dimensional packet classification or as a building block for general packet classification algorithms; (5) the Adaptive Binary Cutting algorithm used for general multi-dimensional packet classification. In addition to the algorithmic solutions, we also consider the TCAM hardware solution. In particular, we address the TCAM filter update problem for general packet classification and provide an efficient algorithm. Building upon the previous work, these algorithms significantly improve the performance of packet classification systems and set a solid foundation for further study
Measuring inconsistency in a network intrusion detection rule set based on Snort
In this preliminary study, we investigate how inconsistency in a network intrusion detection rule set can be measured. To achieve this, we first examine the structure of these rules which are based on Snort and incorporate regular expression (Regex) pattern matching. We then identify primitive elements in these rules in order to translate the rules into their (equivalent) logical forms and to establish connections between them. Additional rules from background knowledge are also introduced to make the correlations among rules more explicit. We measure the degree of inconsistency in formulae of such a rule set (using the Scoring function, Shapley inconsistency values and Blame measure for prioritized knowledge) and compare the *This is a revised and significantly extended version of [1]
- …