Management of stateful firewall misconfiguration

Bibliographic details

Published in: Computers & security 2013-11, Vol.39 (11), p.64-85
Main authors: Garcia-Alfaro, Joaquin; Cuppens, Frédéric; Cuppens-Boulahia, Nora; Martinez, Salvador; Cabot, Jordi
Format: Article
Language: English
Online access: Full text

Description
Abstract: Firewall configurations are evolving into dynamic policies that depend on protocol states. As a result, stateful configurations tend to be much more error prone. Some errors occur in configurations that contain only stateful rules. Others may affect configurations holding both stateful and stateless rules. Such situations lead to configurations in which actions on certain packets are conducted by the firewall, while other related actions are not. We address automatic solutions to handle these problems. Permitted states and transitions of connection-oriented protocols (in essence, on any layer) are encoded as automata. Flawed rules are identified and potential modifications are provided in order to obtain consistent configurations. We validate the feasibility of our proposal based on a proof-of-concept prototype that automatically parses existing firewall configuration files and handles the discovery of flawed rules according to our approach.
ISSN: 0167-4048, 1872-6208
DOI: 10.1016/j.cose.2013.01.004