Polynomial Heuristic Algorithms for Inconsistency Characterization in Firewall Rule Sets

Firewalls provide the first line of defence of nearly all networked institutions today. However, firewall ACLs can contain inconsistencies, allowing traffic that should be denied or vice versa. In this paper, we analyze the inconsistency characterization problem as a problem separate from the diagnosis one, and propose formal definitions in order to characterize one-to-many inconsistencies. We identify the combinatorial part of the problem that generates exponential complexity in the combined diagnosis and characterization algorithms proposed by other authors. Then we propose a decomposition of the combinatorial problem into several smaller combinatorial ones, which can effectively reduce the complexity of the problem. Finally, we propose an approximate heuristic and algorithms to solve the problem in worst-case polynomial time. Although many algorithms have been proposed to address this problem, all of them are combinatorial. The presented algorithms are a heuristic way to solve the problem with polynomial complexity. There are no constraints on how rule field ranges are expressed.

Funding: Ministerio de Educación y Ciencia DPI2006-15476-C02-0
A heuristic polynomial algorithm for local inconsistency diagnosis in firewall rule sets

Firewall ACLs can contain inconsistencies. There is an inconsistency if different actions can be taken on the same flow of traffic, depending on the ordering of the rules. Inconsistent rules should be reported to the system administrator so that they can be removed. Minimal diagnosis and characterization of inconsistencies is a combinatorial problem. Although many algorithms have been proposed to solve this problem, all reviewed ones work with the full ACL and no approximate heuristics, giving minimal and complete results but making the problem intractable for large, real-life ACLs. In this paper we take a different approach. First, we analyze the inconsistency diagnosis problem in firewall ACLs in depth, and propose to split the process into several parts that can be solved sequentially: inconsistency detection, inconsistent rule identification, and inconsistency characterization. We present polynomial heuristic algorithms for the first two parts of the problem: detection and identification (diagnosis) of inconsistent rules. The algorithms return several independent clusters of inconsistent rules that can be characterized against a fault taxonomy. These clusters contain all inconsistent rules of the ACL (the algorithms are complete), but the algorithms do not necessarily give the minimum number of clusters. The main advantage of the proposed heuristic diagnosis process is that optimal characterization can now be applied to several smaller problems (the result of the diagnosis process) rather than to the whole ACL, resulting in an effective reduction of computational complexity at the cost of not obtaining the minimal diagnosis. Experimental results with real ACLs are given.

Funding: Ministerio de Educación y Ciencia DPI2006-15476-C02-0
Firewall Rule Set Inconsistency Characterization by Clustering

Firewall ACLs can contain inconsistencies, allowing traffic that should be denied or vice versa. In this paper, we analyze the inconsistency characterization problem as a problem separate from the diagnosis one, and propose definitions to characterize one-to-many inconsistencies. We identify the combinatorial part of the problem that causes exponential complexity in the combined diagnosis and characterization algorithms proposed by other researchers. The problem is divided into several smaller combinatorial ones, which effectively reduces its complexity. Finally, we propose a heuristic to solve the problem in worst-case polynomial time as a proof of concept.
Fast Algorithms for Local Inconsistency Detection in Firewall ACL Updates

Filtering is a very important issue in next-generation networks. These networks consist of a relatively high number of resource-constrained devices with very special features, such as managing frequent topology changes. At each topology change, the access control policy of all nodes of the network must be automatically modified. In order to manage these access control requirements, firewalls have been proposed by several researchers. However, many of the problems of traditional firewalls are aggravated by the particularities of these networks.

In this paper we analyze in depth the local consistency problem in firewall rule sets, with special focus on automatic, frequent rule set updates, which is the case given the dynamic nature of next-generation networks. We propose a rule-order-independent local inconsistency detection algorithm to prevent automatic rule updates that would cause inconsistencies. The proposed algorithms have very low computational complexity, as the experimental results show, and can be used in real-time environments.

Funding: Ministerio de Educación y Ciencia DPI2006-15476-C02-0
A Quadratic, Complete, and Minimal Consistency Diagnosis Process for Firewall ACLs

Developing and managing firewall Access Control Lists (ACLs) are hard, time-consuming, and error-prone tasks for a variety of reasons. The complexity of networks is constantly increasing, as is the size of firewall ACLs. Networks have different access control requirements which must be translated by a network administrator into firewall ACLs. During this task, inconsistent rules can be introduced into the ACL. Furthermore, each time a rule is modified (e.g. updated, or corrected when a fault is found) a new inconsistency with other rules can be introduced. An inconsistent firewall ACL implies, in general, a design or development fault, and indicates that the firewall is accepting traffic that should be denied or vice versa. In this paper we propose a complete and minimal consistency diagnosis process which has worst-case quadratic time complexity in the number of rules in a set of inconsistent rules. There are other proposals of consistency diagnosis algorithms. However, they have different problems which can prevent their use with big, real-life ACLs: on the one hand, the minimal ones have exponential worst-case time complexity; on the other hand, the polynomial ones are not minimal.

Funding: Ministerio de Educación y Ciencia TIN2009-1371
Efficient algorithms and abstract data types for local inconsistency isolation in firewall ACLs

Writing and managing firewall ACLs are hard, tedious, time-consuming and error-prone tasks for a wide range of reasons. During these tasks, inconsistent rules can be introduced. An inconsistent firewall ACL implies in general a design fault, and indicates that the firewall is accepting traffic that should be denied or vice versa. This can result in severe problems such as unwanted access to services, denial of service, overflows, etc. However, it is the administrator who ultimately decides whether an inconsistent rule is a fault or not. Although many algorithms to detect and manage inconsistencies in firewall ACLs have been proposed, they have different drawbacks regarding different aspects of the consistency diagnosis problem, which can prevent their use in a wide range of real-life situations. In this paper, we review these algorithms along with their drawbacks, and propose a new divide-and-conquer based algorithm, which uses specialized abstract data types. The proposed algorithm returns consistency results over the original ACL. Its computational complexity is better than that of the current best algorithm for inconsistency isolation, as the experimental results also show.

Funding: Ministerio de Educación y Ciencia DIP2006-15476-C02-0
A Hybrid SDN-based Architecture for Wireless Networks

With the new possibilities brought by the Internet of Things (IoT) and edge computing, the traffic demand of wireless networks increases dramatically. A more sophisticated network management framework is required to handle flow routing and resource allocation for different users and services. By separating the network control and data planes, Software-Defined Networking (SDN) brings flexible and programmable network control, which is considered an appropriate solution in this scenario. Although SDN has been applied in traditional networks such as data centers with great success, several unique challenges exist in the wireless environment. Compared with wired networks, wireless links have limited capacity. The high mobility of IoT and edge devices also leads to network topology changes and unstable link qualities. Such factors restrain the scalability and robustness of an SDN control plane. In addition, the coexistence of heterogeneous wireless and IoT protocols with distinct representations of network resources makes it difficult to process traffic with state-of-the-art SDN standards such as OpenFlow. In this dissertation, we design a novel architecture for wireless network management. We propose multiple techniques to better adapt SDN to the relevant scenarios. First, while maintaining a logically centralized control plane, we deploy multiple SDN controller instances to ensure scalability and robustness. We propose algorithms to determine the controllers' locations and synchronization rates that minimize the communication costs. Then, we consider handling heterogeneous protocols in Radio Access Networks (RANs). We design a network slicing orchestrator that enables allocating resources across different RANs controlled by SDN, including LTE and Wi-Fi. Finally, we combine the centralized controller with local intelligence, including deploying another SDN control plane locally in edge devices, and offloading network functions to a programmable data plane.

In all these approaches, we evaluate our solutions with both large-scale emulations and prototypes implemented on real devices, demonstrating improvements in multiple performance metrics compared with state-of-the-art methods.