On Assisted Packet Filter Conflicts Resolution: An Iterative Relaxed Approach
Authors: A. Yazidi, A. Bouhoula
Published in: 2016 IEEE 41st Conference on Local Computer Networks (LCN), pp. 35-42, 2016-11-01
DOI: 10.1109/LCN.2016.15 (https://doi.org/10.1109/LCN.2016.15)
With the dramatic growth of network attacks, a new set of challenges has arisen in the field of electronic security. Undoubtedly, firewalls are core elements of the network security architecture. However, firewalls may include policy anomalies that result in critical network vulnerabilities. A substantial step towards ensuring network security is resolving packet filter conflicts. Numerous studies have investigated the discovery and analysis of filtering rule anomalies. However, no such emphasis has been given to the resolution of these anomalies. Legacy work on correcting anomalies operates on the premise of creating totally disjoint rules. Unfortunately, such solutions are impractical from an implementation point of view, as they lead to an explosion in the number of firewall rules. In this paper, we present a new approach for performing assisted corrective actions which, in contrast to the state-of-the-art family of radically disjunctive approaches, does not lead to a prohibitive increase in firewall size. In this sense, we allow relaxation in the correction process by clearly distinguishing between constructive anomalies, which can be tolerated, and destructive anomalies, which should be systematically fixed. This distinction between constructive and destructive anomalies is assisted by the network administrator, which reflects the fact that the administrator has a major role at the heart of the corrective process. To the best of our knowledge, such an assisted approach for relaxed resolution of packet filter conflicts has not been investigated before. We provide a theoretical analysis demonstrating that our scheme is sound and indeed results in a conflict-free policy. In addition, we have implemented our solution in a user-friendly tool.