On Assisted Packet Filter Conflicts Resolution: An Iterative Relaxed Approach

A. Yazidi, A. Bouhoula
DOI: 10.1109/LCN.2016.15
Venue: 2016 IEEE 41st Conference on Local Computer Networks (LCN), pages 35-42
Published: 2016-11-01
Citations: 3

Abstract

With the dramatic growth of network attacks, a new set of challenges has arisen in the field of electronic security. Firewalls are undoubtedly core elements of the network security architecture. However, firewall policies may contain anomalies that result in critical network vulnerabilities, so resolving packet filter conflicts is a substantial step towards ensuring network security. Numerous studies have investigated the discovery and analysis of filtering rule anomalies, but far less emphasis has been given to resolving them. Legacy work on correcting anomalies operates on the premise of rewriting the policy into totally disjoint (non-overlapping) rules. Unfortunately, such solutions are impractical from an implementation point of view, as they lead to an explosion in the number of firewall rules. In this paper, we present a new approach for performing assisted corrective actions which, in contrast to the state-of-the-art family of radically disjunctive approaches, does not lead to a prohibitive increase in firewall size. We allow relaxation in the correction process by clearly distinguishing between constructive anomalies, which can be tolerated, and destructive anomalies, which must be systematically fixed. This distinction is assisted by the network administrator, reflecting the major role the administrator plays at the heart of the corrective process. To the best of our knowledge, such an assisted approach to the relaxed resolution of packet filter conflicts has not been investigated before. We provide a theoretical analysis demonstrating that our scheme is sound and indeed results in a conflict-free policy. In addition, we have implemented our solution in a user-friendly tool.
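As an added illustration of the two points the abstract turns on (pairwise rule conflicts, and the rule explosion caused by a fully disjoint rewrite), the following Python script is not the paper's tool or the authors' code. It detects pairwise relations between rules over a small constructed ruleset, applies an assumed triage of which relations are destructive, and then rewrites the same policy into disjoint rules to count how many fragments that produces. The relation names follow the common Al-Shaer/Hamed taxonomy (shadowing, redundancy, generalization, correlation); the rule names, addresses, and the triage table are constructed assumptions, not the paper's administrator-assisted criterion.

```python
"""Pairwise packet-filter anomaly detection and disjoint-rewrite blow-up.
Added example; ruleset, names and triage policy are constructed assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

Interval = Tuple[int, int]          # inclusive integer range
Box = Tuple[Interval, ...]          # (src IP, dst IP, IP protocol, dst port)

ANY_IP, ANY_PROTO, ANY_PORT, TCP = (0, 2**32 - 1), (0, 255), (0, 65535), (6, 6)


def net(cidr: str) -> Interval:
    n = ip_network(cidr)
    return int(n[0]), int(n[-1])


@dataclass(frozen=True)
class Rule:
    name: str
    box: Box
    action: str                     # "accept" or "deny"


def intersect(a: Box, b: Box) -> Optional[Box]:
    out = []
    for (alo, ahi), (blo, bhi) in zip(a, b):
        lo, hi = max(alo, blo), min(ahi, bhi)
        if lo > hi:
            return None             # empty in some dimension: no common packet
        out.append((lo, hi))
    return tuple(out)


def subset(a: Box, b: Box) -> bool:
    return all(blo <= alo and ahi <= bhi for (alo, ahi), (blo, bhi) in zip(a, b))


def classify(earlier: Rule, later: Rule) -> Optional[str]:
    """Relation of a later rule to an earlier one under first-match semantics."""
    if intersect(earlier.box, later.box) is None:
        return None
    differ = earlier.action != later.action
    if subset(later.box, earlier.box):           # later rule can never fire
        return "shadowing" if differ else "redundancy"
    if subset(earlier.box, later.box):           # earlier rule is an exception
        return "generalization" if differ else "redundancy"
    return "correlation" if differ else "overlap"   # partial overlap, order matters


def find_anomalies(rules: List[Rule]):
    return [(x.name, y.name, rel) for i, x in enumerate(rules) for y in rules[i + 1:]
            if (rel := classify(x, y)) and rel != "overlap"]


# Assumed triage (not the paper's): only a shadowed rule with a different action
# is treated as destructive; correlation is handed to the administrator.
TRIAGE = {"shadowing": "destructive", "correlation": "review",
          "generalization": "constructive", "redundancy": "constructive"}


def triage(anomalies):
    return [(x, y, rel, TRIAGE[rel]) for x, y, rel in anomalies]


def subtract(a: Box, b: Box) -> List[Box]:
    """a \\ b as at most 2*dims disjoint boxes (box-difference by dimension)."""
    inter = intersect(a, b)
    if inter is None:
        return [a]
    pieces, cur = [], list(a)
    for k, ((lo, hi), (ilo, ihi)) in enumerate(zip(a, inter)):
        if lo < ilo:
            p = list(cur); p[k] = (lo, ilo - 1); pieces.append(tuple(p))
        if ihi < hi:
            p = list(cur); p[k] = (ihi + 1, hi); pieces.append(tuple(p))
        cur[k] = (ilo, ihi)         # remaining pieces lie inside inter in dim k
    return pieces


def make_disjoint(rules: List[Rule]) -> List[Rule]:
    """Fully disjunctive rewrite: rule k keeps only packets no earlier rule matches."""
    out = []
    for i, r in enumerate(rules):
        frags = [r.box]
        for earlier in rules[:i]:
            frags = [p for f in frags for p in subtract(f, earlier.box)]
        out.extend(Rule(f"{r.name}.{j}", f, r.action) for j, f in enumerate(frags))
    return out


def pairwise_disjoint(rules: List[Rule]) -> bool:
    return all(intersect(x.box, y.box) is None
               for i, x in enumerate(rules) for y in rules[i + 1:])


def packet(src: str, dst: str, proto: int, port: int):
    return (int(ip_address(src)), int(ip_address(dst)), proto, port)


def decide(rules: List[Rule], pkt, default: str = "deny") -> str:
    for r in rules:                 # first-match evaluation
        if all(lo <= v <= hi for v, (lo, hi) in zip(pkt, r.box)):
            return r.action
    return default


# Constructed ruleset: an SSH exception, a broad SSH deny, a host deny,
# a deny that R1 shadows, and a default deny.
RULES = [
    Rule("R1", (net("10.0.0.0/24"), net("192.168.1.0/24"), TCP, (22, 22)), "accept"),
    Rule("R2", (net("10.0.0.0/16"), net("192.168.1.0/24"), TCP, (22, 22)), "deny"),
    Rule("R3", (net("10.0.0.5/32"), net("192.168.1.0/24"), TCP, ANY_PORT), "deny"),
    Rule("R4", (net("10.0.0.0/24"), net("192.168.1.10/32"), TCP, (22, 22)), "deny"),
    Rule("R5", (ANY_IP, ANY_IP, ANY_PROTO, ANY_PORT), "deny"),
]

if __name__ == "__main__":
    for row in triage(find_anomalies(RULES)):
        print(row)
    flat = make_disjoint(RULES)
    print(f"{len(RULES)} rules -> {len(flat)} disjoint rules; disjoint={pairwise_disjoint(flat)}")
```

Running the script lists eight pairwise anomalies for five rules, of which only the shadowing of R4 by R1 is marked destructive under the assumed triage, and shows the disjoint rewrite growing the same five-rule policy to twenty rules while dropping R4 entirely, since no packet ever reaches it. The `decide` helper lets you confirm that the flattened policy still makes the same first-match decision as the original for any packet.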