Developing and managing firewall Access Control
Lists (ACLs) are hard, time-consuming, and error-prone tasks
for a variety of reasons. Complexity of networks is constantly
increasing, as it is the size of firewall ACLs. Networks have
different access control requirements which must be translated
by a network administrator into firewall ACLs. During this task,
inconsistent rules can be introduced in the ACL. Furthermore,
each time a rule is modified (e.g. updated, corrected when a fault
is found, etc.) a new inconsistency with other rules can be
introduced. An inconsistent firewall ACL implies, in general, a
design or development fault, and indicates that the firewall is
accepting traffic that should be denied or vice versa. In this paper
we propose a complete and minimal consistency diagnosis process
which has worst-case quadratic time complexity with the number
of rules in a set of inconsistent rules. There are other proposals of
consistency diagnosis algorithms. However they have different
problems which can prevent their use with big, real-life, ACLs:
on the one hand, the minimal ones have exponential worst-case
time complexity; on the other hand, the polynomial ones are not
minimal.Ministerio de Eduación y Ciencia TIN2009-1371
