TY - GEN
T1 - Tri-modularization of firewall policies
AU - Chen, Haining
AU - Chowdhury, Omar
AU - Li, Ninghui
AU - Khern-Am-Nuai, Warut
AU - Chari, Suresh
AU - Molloy, Ian
AU - Park, Youngja
N1 - Publisher Copyright:
© 2016 ACM.
PY - 2016/6/6
Y1 - 2016/6/6
N2 - Firewall policies are notorious for having misconfiguration errors which can defeat its intended purpose of protecting hosts in the network from malicious users. We believe this is because today's firewall policies are mostly monolithic. Inspired by ideas from modular programming and code refactoring, in this work we introduce three kinds of modules: primary, auxiliary, and template, which facilitate the refactoring of a firewall policy into smaller, reusable, comprehensible, and more manageable components. We present algorithms for generating each of the three modules for a given legacy firewall policy. We also develop ModFP, an automated tool for converting legacy firewall policies represented in access control list to their modularized format. With the help of ModFP, when examining several real-world policies with sizes ranging from dozens to hundreds of rules, we were able to identify subtle errors.
AB - Firewall policies are notorious for having misconfiguration errors which can defeat its intended purpose of protecting hosts in the network from malicious users. We believe this is because today's firewall policies are mostly monolithic. Inspired by ideas from modular programming and code refactoring, in this work we introduce three kinds of modules: primary, auxiliary, and template, which facilitate the refactoring of a firewall policy into smaller, reusable, comprehensible, and more manageable components. We present algorithms for generating each of the three modules for a given legacy firewall policy. We also develop ModFP, an automated tool for converting legacy firewall policies represented in access control list to their modularized format. With the help of ModFP, when examining several real-world policies with sizes ranging from dozens to hundreds of rules, we were able to identify subtle errors.
KW - Firewall policies
KW - Firewall tool
KW - Modularization
UR - https://www.scopus.com/pages/publications/84977136877
U2 - 10.1145/2914642.2914646
DO - 10.1145/2914642.2914646
M3 - Conference contribution
AN - SCOPUS:84977136877
T3 - Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT
SP - 37
EP - 48
BT - SACMAT 2016 - Proceedings of the 21st ACM Symposium on Access Control Models and Technologies
PB - Association for Computing Machinery
T2 - 21st ACM Symposium on Access Control Models and Technologies, SACMAT 2016
Y2 - 6 June 2016 through 8 June 2016
ER -