Conference proceeding
Tri-Modularization of Firewall Policies
Proceedings of the 21st ACM on symposium on access control models and technologies, Vol.6-08-, pp.37-48
SACMAT '16
06/06/2016
DOI: 10.1145/2914642.2914646
Abstract
Firewall policies are notorious for having misconfiguration errors which can defeat its intended purpose of protecting hosts in the network from malicious users. We believe this is because today's firewall policies are mostly monolithic. Inspired by ideas from modular programming and code refactoring , in this work we introduce three kinds of modules: primary, auxiliary , and template , which facilitate the refactoring of a firewall policy into smaller, reusable, comprehensible, and more manageable components. We present algorithms for generating each of the three modules for a given legacy firewall policy. We also develop ModFP, an automated tool for converting legacy firewall policies represented in access control list to their modularized format. With the help of ModFP, when examining several real-world policies with sizes ranging from dozens to hundreds of rules, we were able to identify subtle errors.
Details
- Title: Subtitle
- Tri-Modularization of Firewall Policies
- Creators
- Haining ChenOmar ChowdhuryNinghui LiWarut Khern-am-nuaiSuresh ChariIan MolloyYoungja Park
- Resource Type
- Conference proceeding
- Publication Details
- Proceedings of the 21st ACM on symposium on access control models and technologies, Vol.6-08-, pp.37-48
- Series
- SACMAT '16
- DOI
- 10.1145/2914642.2914646
- Publisher
- ACM
- Grant note
- DOI: 10.13039/100009226, name: National Security Agency, award: H98230-14-C-0139
- Language
- English
- Date published
- 06/06/2016
- Academic Unit
- Computer Science
- Record Identifier
- 9984002301302771
Metrics
25 Record Views