Policy Anomaly Detection for Distributed IPv6 Firewalls

Claas Lorenz, Bettina Schnor

2015

Abstract

Concerning the design of a security architecture, Firewalls play a central role to secure computer networks. Facing the migration of IPv4 to IPv6, the setup of capable firewalls and network infrastructures will be necessary. The semantic differences between IPv4 and IPv6 make misconfigurations possible that may cause a lower performance or even security problems. For example, a cycle in a firewall configuration allows an attacker to craft network packets that may result in a Denial of Service. This paper investigates model checking techniques for automated policy anomaly detection. It shows that with a few adoptions existing approaches can be extended to support the IPv6 protocol with its specialities like the tremendously larger address space or extension headers. The performance is evaluated empirically by measurements with our prototype implementation ad6.

Paper Citation

in Harvard Style

Lorenz C. and Schnor B. (2015). Policy Anomaly Detection for Distributed IPv6 Firewalls . In Proceedings of the 12th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2015) ISBN 978-989-758-117-5, pages 210-219. DOI: 10.5220/0005517402100219

in Bibtex Style

@conference{secrypt15,
author={Claas Lorenz and Bettina Schnor},
title={Policy Anomaly Detection for Distributed IPv6 Firewalls},
booktitle={Proceedings of the 12th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2015)},
year={2015},
pages={210-219},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0005517402100219},
isbn={978-989-758-117-5},
}

in EndNote Style

TY - CONF
JO - Proceedings of the 12th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2015)
TI - Policy Anomaly Detection for Distributed IPv6 Firewalls
SN - 978-989-758-117-5
AU - Lorenz C.
AU - Schnor B.
PY - 2015
SP - 210
EP - 219
DO - 10.5220/0005517402100219