Conference paper
Polynomial Heuristic Algorithms for Inconsistency Characterization in Firewall Rule Sets
Author(s) | Pozo Hidalgo, Sergio; Ceballos Guerrero, Rafael; Martínez Gasca, Rafael; Varela Vaca, Ángel Jesús |
Department | Universidad de Sevilla. Departamento de Lenguajes y Sistemas Informáticos |
Publication date | 2008 |
Deposit date | 2022-02-16 |
Published in |
|
ISBN/ISSN | 2162-2108 |
Abstract | Firewalls provide the first line of defence of nearly all networked institutions today. However, Firewall ACLs could have inconsistencies, allowing traffic that should be denied or vice versa. In this paper, we analyze the inconsistency characterization problem as a problem separate from the diagnosis one, and propose formal definitions in order to characterize one-to-many inconsistencies. We identify the combinatorial part of the problem that generates exponential complexities in combined diagnosis and characterization algorithms proposed by other authors. Then we propose a decomposition of the combinatorial problem into several smaller combinatorial ones, which can effectively reduce the complexity of the problem. Finally, we propose an approximate heuristic and algorithms to solve the problem in worst-case polynomial time. Although many algorithms have been proposed to address this problem, all of them are combinatorial. The presented algorithms are a heuristic way to solve the problem with polynomial complexity. There are no constraints on how rule field ranges are expressed. |
Funding agencies | Ministerio de Educación y Ciencia (MEC). Spain |
Project identifier | DPI2006-15476-C02-01 |
Citation | Pozo Hidalgo, S., Ceballos Guerrero, R., Martínez Gasca, R. and Varela Vaca, Á.J. (2008). Polynomial Heuristic Algorithms for Inconsistency Characterization in Firewall Rule Sets. In SECURWARE 2008: Second International Conference on Emerging Security Information, Systems and Technologies (53-61), Cap Esterel, France: IEEE Computer Society. |
Files | Size | Format | View | Description |
---|---|---|---|---|
SECURWARE08.pdf | 112.7Kb | [PDF] | View/ | |