EFFICIENT ALGORITHMS AND ABSTRACT DATA TYPES FOR LOCAL INCONSISTENCY ISOLATION IN FIREWALL ACLS

S. Pozo, A. J. Varela-Vaca, R. M. Gasca, R. Ceballos

2009

Abstract

Writing and managing firewall ACLs are hard, tedious, time-consuming and error-prone tasks for a wide range of reasons. During these tasks, inconsistent rules can be introduced. An inconsistent firewall ACL in general implies a design fault, and indicates that the firewall is accepting traffic that should be denied or vice versa. This can result in severe problems such as unwanted accesses to services, denial of service, overflows, etc. However, it is the administrator who ultimately decides whether an inconsistent rule is a fault or not. Although many algorithms to detect and manage inconsistencies in firewall ACLs have been proposed, they have different drawbacks regarding different aspects of the consistency diagnosis problem, which can prevent their use in a wide range of real-life situations. In this paper, we review these algorithms along with their drawbacks, and propose a new divide and conquer based algorithm, which uses specialized abstract data types. The proposed algorithm returns consistency results over the original ACL. Its computational complexity is better than that of the current best algorithm for inconsistency isolation, as experimental results will also show.
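As an added illustration (not code from the paper), the kind of local inconsistency the abstract refers to: two rules whose match sets overlap but whose actions differ, so the verdict for the shared packets depends on rule order. Rules are simplified to inclusive integer ranges over five header fields, and the sample ACL is constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from itertools import combinations

def net(cidr):
    """CIDR string -> inclusive (first, last) integer address range."""
    n = ip_network(cidr)
    return (int(n.network_address), int(n.broadcast_address))

ANY_PROTO, TCP, UDP = (0, 255), (6, 6), (17, 17)
ANY_PORT, ANY_ADDR = (0, 65535), net("0.0.0.0/0")

@dataclass(frozen=True)
class Rule:
    # every field is an inclusive (lo, hi) integer range; a packet matches
    # the rule when all five fields contain the packet's values
    name: str
    proto: tuple
    src: tuple
    sport: tuple
    dst: tuple
    dport: tuple
    action: str  # "allow" or "deny"

def ranges_overlap(a, b):
    return a[0] <= b[1] and b[0] <= a[1]

def rules_overlap(r1, r2):
    # the match sets intersect iff they intersect on every field
    fields = ("proto", "src", "sport", "dst", "dport")
    return all(ranges_overlap(getattr(r1, f), getattr(r2, f)) for f in fields)

def inconsistent_pairs(acl):
    """(earlier, later) pairs that match common packets but disagree on the
    action: their relative order decides the verdict, which is the local
    inconsistency being isolated; the administrator judges each one."""
    return [(r1, r2) for r1, r2 in combinations(acl, 2)
            if r1.action != r2.action and rules_overlap(r1, r2)]

# constructed sample ACL (not from the paper), first-match semantics
SAMPLE_ACL = [
    Rule("r1", TCP, net("10.0.0.0/24"), ANY_PORT, net("192.168.1.5/32"), (80, 80), "allow"),
    Rule("r2", TCP, net("10.0.0.0/16"), ANY_PORT, net("192.168.1.0/24"), (80, 80), "deny"),
    Rule("r3", UDP, ANY_ADDR, ANY_PORT, net("192.168.1.5/32"), (53, 53), "allow"),
]

if __name__ == "__main__":
    for earlier, later in inconsistent_pairs(SAMPLE_ACL):
        print(f"{earlier.name} ({earlier.action}) overlaps {later.name} ({later.action})")
```

Here r1 carves an allowed host out of r2's wider deny; whether that is an intended exception or a fault is exactly the decision left to the administrator.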

Paper Citation


in Harvard Style

Pozo S., Varela-Vaca A. J., Gasca R. M. and Ceballos R. (2009). EFFICIENT ALGORITHMS AND ABSTRACT DATA TYPES FOR LOCAL INCONSISTENCY ISOLATION IN FIREWALL ACLS. In Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2009) ISBN 978-989-674-005-4, pages 42-53. DOI: 10.5220/0002233100420053

in Bibtex Style

@conference{secrypt09,
author={S. Pozo and A. J. Varela-Vaca and R. M. Gasca and R. Ceballos},
title={EFFICIENT ALGORITHMS AND ABSTRACT DATA TYPES FOR LOCAL INCONSISTENCY ISOLATION IN FIREWALL ACLS},
booktitle={Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2009)},
year={2009},
pages={42-53},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0002233100420053},
isbn={978-989-674-005-4},
}


in EndNote Style

TY - CONF
JO - Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2009)
TI - EFFICIENT ALGORITHMS AND ABSTRACT DATA TYPES FOR LOCAL INCONSISTENCY ISOLATION IN FIREWALL ACLS
SN - 978-989-674-005-4
AU - Pozo S.
AU - Varela-Vaca A. J.
AU - Gasca R. M.
AU - Ceballos R.
PY - 2009
SP - 42
EP - 53
DO - 10.5220/0002233100420053