winnerloha.blogg.se

Netcitadel firewall builder







The security provided by a firewall for a computer network almost completely depends on the rules it enforces. For over a decade, it has been a well-known and unsolved problem that the quality of many firewall rule sets is insufficient. Therefore, there are many tools to analyze them. However, we found that none of the available tools could handle typical, real-world iptables rulesets. This is due to the complex chain model used by iptables, but also to the vast amount of possible match conditions that occur in real-world firewalls, many of which are not understood by academic and open source tools. In this paper, we provide algorithms to transform firewall rulesets. We reduce the execution model to a simple list model and use ternary logic to abstract over all unknown match conditions. These transformations enable existing tools to understand real-world firewall rules, which we demonstrate on four decently-sized rulesets. Using the Isabelle theorem prover, we formally show that all our algorithms preserve the firewall’s filtering behavior.







