Model Checking Firewall Policy Configurations

	This Article
	Subscribers, please Login Purchase article: $19 PDF IEEE Xplore Subscribers RSS feed
	Share
	Email this Article to a friend
	Bibliographic References
	ASCII Text BibTex RefWorks Procite/RefMan
	Add to:
	Digg Furl Spurl Blink Simpy Google Del.icio.us Y!MyWeb
	Search
	Similar Articles Articles by Alan Jeffrey Articles by Taghrid Samak

2009 IEEE International Symposium on Policies for Distributed Systems and Networks

London, UK

July 20-July 22

ISBN: 978-0-7695-3742-9

	ASCII Text	x
	Alan Jeffrey, Taghrid Samak, "Model Checking Firewall Policy Configurations," Policies for Distributed Systems and Networks, IEEE International Workshop on, pp. 60-67, 2009 IEEE International Symposium on Policies for Distributed Systems and Networks, 2009.

	BibTex	x
	@article{ 10.1109/POLICY.2009.32, author = {Alan Jeffrey and Taghrid Samak}, title = {Model Checking Firewall Policy Configurations}, journal ={Policies for Distributed Systems and Networks, IEEE International Workshop on}, volume = {0}, year = {2009}, isbn = {978-0-7695-3742-9}, pages = {60-67}, doi = {http://doi.ieeecomputersociety.org/10.1109/POLICY.2009.32}, publisher = {IEEE Computer Society}, address = {Los Alamitos, CA, USA}, }

	RefWorks Procite/RefMan/Endnote	x
	TY - CONF JO - Policies for Distributed Systems and Networks, IEEE International Workshop on TI - Model Checking Firewall Policy Configurations SN - 978-0-7695-3742-9 SP60 EP67 A1 - Alan Jeffrey, A1 - Taghrid Samak, PY - 2009 KW - Model checking KW - firewalls KW - SAT KW - BDD VL - 0 JA - Policies for Distributed Systems and Networks, IEEE International Workshop on ER -

Alan Jeffrey

Taghrid Samak

DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/POLICY.2009.32

The use of firewalls to enforce access control policies can result in extremely complex networks. Each individual firewall may have hundreds or thousands of rules, and when combined in a network, they may result in unexpected combined behavior. To mitigate this problem, there has been recent interest in the use of model checking techniques for analyzing the behavior of firewall policy configurations, and reporting anomalies. Existing techniques for firewall policy analysis are based on decision diagrams, most normally reduced ordered Binary Decision Diagrams (BDDs). BDDs are a rich data structure, supporting more logical operations than just solving boolean formulae. Typically, search algorithms for boolean satisfiability (so-called SAT-solvers) outperform BDDs. In this paper, we show that the extra structure provided by BDDs is not necessary for firewall policy analysis, and that SAT solvers are sufficient. This argument is supported both by theoretical analysis and by experimental data.

Index Terms:

Model checking, firewalls, SAT, BDD

Citation:

Alan Jeffrey, Taghrid Samak, "Model Checking Firewall Policy Configurations," policy, pp.60-67, 2009 IEEE International Symposium on Policies for Distributed Systems and Networks, 2009

Peer Review Notice | Give Us Feedback

Usage of this product signifies your acceptance of the Terms of Use.