Abstract
Firewalls, the front-line defense for corporate intranet security, filter traffic by comparing arriving packets against stored security policies in a sequential manner. In a large organization, traffic typically passes through several firewalls before it reaches its destination. Setting policies device by device in an organization with a large number of firewalls can easily create conflicts between policies. The dependency of one firewall on another in the network hierarchy requires the policies applied to resolve the conflicts to be in a specific order. A certain traffic type may be allowed by a lower-order firewall but blocked by a higher-order device. Also, a conflict analyzer that can detect conflicts in a single device is not capable of analyzing enterprise-wide policy anomalies. Moreover, most existing tools are very much device-specific, whereas today’s organizations operate in a multivendor environment. In this chapter, we first discuss various issues related to policy conflicts in firewalls. We then propose an architecture for an enterprise-wide firewall policy management system that can detect conflicts in real time when a new policy is added to any firewall.
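The two conflict classes the abstract describes, a rule shadowed by an earlier rule inside one device and a permit on a lower-order firewall whose traffic a higher-order firewall blocks, can be checked mechanically once rules are held in a vendor-neutral form. The following Python is an added example and is not the chapter's architecture or any product's code; the rule line format, the rule names (a1…a5, b1…b5), the device names FW-A and FW-B and the sample policies are all constructed for illustration. Policies are evaluated first-match with an implicit deny, and the chain is walked from the upstream (higher-order) firewall down.

```python
"""Detect policy conflicts within one firewall and across an ordered chain of firewalls.
Added example with constructed data; not from the chapter."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str                      # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dports: tuple                   # inclusive (low, high) destination-port range
    action: str                     # "permit" or "deny"


def parse_rule(line):
    """Hypothetical vendor-neutral line: name proto src-prefix dst-prefix low-high action"""
    name, proto, src, dst, ports, action = line.split()
    lo, hi = (int(p) for p in ports.split("-"))
    return Rule(name, proto, ipaddress.ip_network(src), ipaddress.ip_network(dst), (lo, hi), action)


def load(text):
    return [parse_rule(l) for l in text.splitlines() if l.strip()]


def intersects(a, b):
    """Some packet matches both rules."""
    proto_ok = a.proto == "any" or b.proto == "any" or a.proto == b.proto
    return (proto_ok and a.src.overlaps(b.src) and a.dst.overlaps(b.dst)
            and a.dports[0] <= b.dports[1] and b.dports[0] <= a.dports[1])


def subsumes(outer, inner):
    """Every packet matching `inner` also matches `outer`."""
    return ((outer.proto == "any" or outer.proto == inner.proto)
            and inner.src.subnet_of(outer.src) and inner.dst.subnet_of(outer.dst)
            and outer.dports[0] <= inner.dports[0] and inner.dports[1] <= outer.dports[1])


def matches(rule, pkt):
    proto, src, dst, dport = pkt
    return ((rule.proto == "any" or rule.proto == proto)
            and ipaddress.ip_address(src) in rule.src and ipaddress.ip_address(dst) in rule.dst
            and rule.dports[0] <= dport <= rule.dports[1])


def first_match(rules, pkt):
    """Sequential first-match evaluation with an implicit deny at the end, as a firewall does."""
    for r in rules:
        if matches(r, pkt):
            return r.action, r.name
    return "deny", "implicit-deny"


def end_to_end(path, pkt):
    """Decision for one packet traversing every firewall in `path` (upstream device first)."""
    for dev, rules in path:
        action, name = first_match(rules, pkt)
        if action == "deny":
            return "deny", f"{dev}:{name}"
    return "permit", "all"


def intra_device_shadowing(rules):
    """Rules that can never fire because an earlier rule with the opposite action subsumes them."""
    out = []
    for i, r in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.action != r.action and subsumes(earlier, r):
                out.append((r.name, earlier.name))
                break
    return out


def inter_device_analysis(path):
    """For each permit rule on a downstream device, classify what each upstream device does to
    that traffic class: 'blocked' (all of it denied upstream), 'allowed' (all of it permitted)
    or 'partial' (the first overlapping upstream rule covers only part of the class, so the
    class must be split before a definite answer can be given)."""
    findings = []
    for i, (dev, rules) in enumerate(path):
        for r in rules:
            if r.action != "permit":
                continue
            for up_dev, up_rules in path[:i]:
                hit = next((u for u in up_rules if intersects(u, r)), None)
                if hit is None:                       # nothing upstream matches: implicit deny
                    findings.append((dev, r.name, "blocked", f"{up_dev}:implicit-deny"))
                elif subsumes(hit, r):
                    state = "blocked" if hit.action == "deny" else "allowed"
                    findings.append((dev, r.name, state, f"{up_dev}:{hit.name}"))
                else:
                    findings.append((dev, r.name, "partial", f"{up_dev}:{hit.name}"))
    return findings


# Constructed sample policies: FW-A is the higher-order border firewall, FW-B the lower-order
# firewall in front of the 10.1.5.0/24 server segment.
FW_A = load("""
a1 tcp 0.0.0.0/0 10.1.0.0/16 443-443 permit
a2 tcp 0.0.0.0/0 10.1.0.0/16 22-22 deny
a3 tcp 0.0.0.0/0 10.1.5.0/25 8080-8080 deny
a4 tcp 0.0.0.0/0 10.1.0.0/16 8080-8080 permit
a5 any 0.0.0.0/0 10.1.0.0/16 1-65535 deny
""")
FW_B = load("""
b1 tcp 0.0.0.0/0 10.1.5.0/24 443-443 permit
b2 tcp 0.0.0.0/0 10.1.5.0/24 22-22 permit
b3 udp 0.0.0.0/0 10.1.5.0/24 53-53 permit
b4 tcp 0.0.0.0/0 10.1.5.0/24 8080-8080 permit
b5 tcp 0.0.0.0/0 10.1.5.0/24 22-22 deny
""")
PATH = [("FW-A", FW_A), ("FW-B", FW_B)]

if __name__ == "__main__":
    for dev, rules in PATH:
        print(dev, "shadowed within device:", intra_device_shadowing(rules))
    for f in inter_device_analysis(PATH):
        print("downstream permit", f)
    print(end_to_end(PATH, ("tcp", "203.0.113.7", "10.1.5.10", 22)))
```

Run as a script it reports b5 as shadowed by b2 on FW-B, b2 and b3 as permits on FW-B that FW-A blocks (by a2 and by the catch-all a5), and b4 as only partially reachable because a3 denies the lower half of the segment. The "partial" state is the honest limit of this first-overlap check: a complete enterprise-wide analysis has to split the traffic class into the regions each upstream rule covers, which is exactly the ordering problem the chapter takes up.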
© 2010 Springer-Verlag Berlin Heidelberg
Cite this chapter
Pabla, I., Khalil, I., Hu, J. (2010). Intranet Security via Firewalls. In: Stavroulakis, P., Stamp, M. (eds) Handbook of Information and Communication Security. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-04117-4_11
DOI: https://doi.org/10.1007/978-3-642-04117-4_11
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-04116-7
Online ISBN: 978-3-642-04117-4
eBook Packages: Engineering (R0)