A Fully Automatic Approach for Fixing Firewall Misconfigurations

Firewalls are among the most important mechanisms used to enforce network security policies. However, It has been observed that most firewall policies on the Internet are poorly designed. A firewall error may allow the spread of malicious traffic or block legitimate one causing serious damages. A major source of firewall misconfigurations stem from the logically entangled nature of firewall filtering rules. Moreover, updating filtering rules could induce to faults and in turn could lead to irreparable consequences. Despite of the importance of automatic correction of firewall configurations, this problem has not been explored in previous work. In this paper, we propose a formal and fully automatic approach for correcting a firewall during execution. We prove that our method is both correct and safe. To a better efficiency, we also propose a rule-based optimization approach. Finally, our methods have been implemented in a prototype. The first results are very promising.

Перевод пока недоступен