Management of stateful firewall misconfiguration

García-Alfaro Joaquin (1), Cuppens Frédéric (2, 3), Cuppens-Boulahia Nora (2, 3), Salvador Martínez Pérez (4, 5), Jordi Cabot (4)
3 Lab-STICC_TB_CID_SFIIS
Lab-STICC - Laboratoire des sciences et techniques de l'information, de la communication et de la connaissance
4 ATLANMOD - Modeling Technologies for Software Production, Operation, and Evolution
LINA - Laboratoire d'Informatique de Nantes Atlantique, Département informatique - EMN, Inria Rennes – Bretagne Atlantique
Abstract: Firewall configurations are evolving into dynamic policies that depend on protocol states. As a result, stateful configurations tend to be much more error-prone. Some errors occur on configurations that only contain stateful rules. Others may affect those holding both stateful and stateless rules. Such situations lead to configurations in which actions on certain packets are conducted by the firewall, while other related actions are not. We address automatic solutions to handle these problems. Permitted states and transitions of connection-oriented protocols (in essence, on any layer) are encoded as automata. Flawed rules are identified and potential modifications are provided in order to get consistent configurations. We validate the feasibility of our proposal based on a proof-of-concept prototype that automatically parses existing firewall configuration files and handles the discovery of flawed rules according to our approach.
Document type: Journal article
Computers and Security, Elsevier, 2013, 39 (11), pp.64-85. 〈http://www.sciencedirect.com/science/article/pii/S0167404813000217〉

https://hal.inria.fr/hal-00869328
Contributor: Salvador Martínez Pérez
Submitted on: Thursday, 3 October 2013 - 00:03:51
Last modified on: Tuesday, 16 January 2018 - 15:54:26

Identifiers

  • HAL Id: hal-00869328, version 1

Citation

García-Alfaro Joaquin, Cuppens Frédéric, Cuppens-Boulahia Nora, Salvador Martínez Pérez, Jordi Cabot. Management of stateful firewall misconfiguration. Computers and Security, Elsevier, 2013, 39 (11), pp.64-85. 〈http://www.sciencedirect.com/science/article/pii/S0167404813000217〉. 〈hal-00869328〉
