Tri-modularization of firewall policies

Haining Chen; Omar Chowdhury; Ninghui Li; Warut Khern-Am-Nuai; Suresh Chari; Ian Molloy; Youngja Park

doi:10.1145/2914642.2914646

Tri-modularization of firewall policies

Haining Chen
, Omar Chowdhury
, Ninghui Li
, Warut Khern-Am-Nuai
, Suresh Chari
, Ian Molloy
, Youngja Park

Computer Science

Stony Brook University

Purdue University
IBM

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

1 Scopus citations

Abstract

Firewall policies are notorious for having misconfiguration errors which can defeat its intended purpose of protecting hosts in the network from malicious users. We believe this is because today's firewall policies are mostly monolithic. Inspired by ideas from modular programming and code refactoring, in this work we introduce three kinds of modules: primary, auxiliary, and template, which facilitate the refactoring of a firewall policy into smaller, reusable, comprehensible, and more manageable components. We present algorithms for generating each of the three modules for a given legacy firewall policy. We also develop ModFP, an automated tool for converting legacy firewall policies represented in access control list to their modularized format. With the help of ModFP, when examining several real-world policies with sizes ranging from dozens to hundreds of rules, we were able to identify subtle errors.

Original language	English
Title of host publication	SACMAT 2016 - Proceedings of the 21st ACM Symposium on Access Control Models and Technologies
Publisher	Association for Computing Machinery
Pages	37-48
Number of pages	12
ISBN (Electronic)	9781450338028
DOIs	https://doi.org/10.1145/2914642.2914646
State	Published - Jun 6 2016
Event	21st ACM Symposium on Access Control Models and Technologies, SACMAT 2016 - Shanghai, China Duration: Jun 6 2016 → Jun 8 2016

Publication series

Name	Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT
Volume	06-08-June-2016

Conference

Conference	21st ACM Symposium on Access Control Models and Technologies, SACMAT 2016
Country/Territory	China
City	Shanghai
Period	06/6/16 → 06/8/16

Keywords

Firewall policies
Firewall tool
Modularization

Access to Document

10.1145/2914642.2914646

Cite this

Chen, H., Chowdhury, O., Li, N., Khern-Am-Nuai, W., Chari, S., Molloy, I., & Park, Y. (2016). Tri-modularization of firewall policies. In SACMAT 2016 - Proceedings of the 21st ACM Symposium on Access Control Models and Technologies (pp. 37-48). (Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT; Vol. 06-08-June-2016). Association for Computing Machinery. https://doi.org/10.1145/2914642.2914646

@inproceedings{df652e13e7f64245be4dc058f749333f,

title = "Tri-modularization of firewall policies",

abstract = "Firewall policies are notorious for having misconfiguration errors which can defeat its intended purpose of protecting hosts in the network from malicious users. We believe this is because today's firewall policies are mostly monolithic. Inspired by ideas from modular programming and code refactoring, in this work we introduce three kinds of modules: primary, auxiliary, and template, which facilitate the refactoring of a firewall policy into smaller, reusable, comprehensible, and more manageable components. We present algorithms for generating each of the three modules for a given legacy firewall policy. We also develop ModFP, an automated tool for converting legacy firewall policies represented in access control list to their modularized format. With the help of ModFP, when examining several real-world policies with sizes ranging from dozens to hundreds of rules, we were able to identify subtle errors.",

keywords = "Firewall policies, Firewall tool, Modularization",

author = "Haining Chen and Omar Chowdhury and Ninghui Li and Warut Khern-Am-Nuai and Suresh Chari and Ian Molloy and Youngja Park",

note = "Publisher Copyright: {\textcopyright} 2016 ACM.; 21st ACM Symposium on Access Control Models and Technologies, SACMAT 2016 ; Conference date: 06-06-2016 Through 08-06-2016",

year = "2016",

month = jun,

day = "6",

doi = "10.1145/2914642.2914646",

language = "English",

series = "Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT",

publisher = "Association for Computing Machinery",

pages = "37--48",

booktitle = "SACMAT 2016 - Proceedings of the 21st ACM Symposium on Access Control Models and Technologies",

}

Chen, H, Chowdhury, O, Li, N, Khern-Am-Nuai, W, Chari, S, Molloy, I & Park, Y 2016, Tri-modularization of firewall policies. in SACMAT 2016 - Proceedings of the 21st ACM Symposium on Access Control Models and Technologies. Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT, vol. 06-08-June-2016, Association for Computing Machinery, pp. 37-48, 21st ACM Symposium on Access Control Models and Technologies, SACMAT 2016, Shanghai, China, 06/6/16. https://doi.org/10.1145/2914642.2914646

Tri-modularization of firewall policies. / Chen, Haining; Chowdhury, Omar; Li, Ninghui et al.
SACMAT 2016 - Proceedings of the 21st ACM Symposium on Access Control Models and Technologies. Association for Computing Machinery, 2016. p. 37-48 (Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT; Vol. 06-08-June-2016).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Tri-modularization of firewall policies

AU - Chen, Haining

AU - Chowdhury, Omar

AU - Li, Ninghui

AU - Khern-Am-Nuai, Warut

AU - Chari, Suresh

AU - Molloy, Ian

AU - Park, Youngja

PY - 2016/6/6

Y1 - 2016/6/6

N2 - Firewall policies are notorious for having misconfiguration errors which can defeat its intended purpose of protecting hosts in the network from malicious users. We believe this is because today's firewall policies are mostly monolithic. Inspired by ideas from modular programming and code refactoring, in this work we introduce three kinds of modules: primary, auxiliary, and template, which facilitate the refactoring of a firewall policy into smaller, reusable, comprehensible, and more manageable components. We present algorithms for generating each of the three modules for a given legacy firewall policy. We also develop ModFP, an automated tool for converting legacy firewall policies represented in access control list to their modularized format. With the help of ModFP, when examining several real-world policies with sizes ranging from dozens to hundreds of rules, we were able to identify subtle errors.

AB - Firewall policies are notorious for having misconfiguration errors which can defeat its intended purpose of protecting hosts in the network from malicious users. We believe this is because today's firewall policies are mostly monolithic. Inspired by ideas from modular programming and code refactoring, in this work we introduce three kinds of modules: primary, auxiliary, and template, which facilitate the refactoring of a firewall policy into smaller, reusable, comprehensible, and more manageable components. We present algorithms for generating each of the three modules for a given legacy firewall policy. We also develop ModFP, an automated tool for converting legacy firewall policies represented in access control list to their modularized format. With the help of ModFP, when examining several real-world policies with sizes ranging from dozens to hundreds of rules, we were able to identify subtle errors.

KW - Firewall policies

KW - Firewall tool

KW - Modularization

UR - https://www.scopus.com/pages/publications/84977136877

U2 - 10.1145/2914642.2914646

DO - 10.1145/2914642.2914646

M3 - Conference contribution

T3 - Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT

SP - 37

EP - 48

BT - SACMAT 2016 - Proceedings of the 21st ACM Symposium on Access Control Models and Technologies

PB - Association for Computing Machinery

T2 - 21st ACM Symposium on Access Control Models and Technologies, SACMAT 2016

Y2 - 6 June 2016 through 8 June 2016

ER -

Chen H, Chowdhury O, Li N, Khern-Am-Nuai W, Chari S, Molloy I et al. Tri-modularization of firewall policies. In SACMAT 2016 - Proceedings of the 21st ACM Symposium on Access Control Models and Technologies. Association for Computing Machinery. 2016. p. 37-48. (Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT). doi: 10.1145/2914642.2914646

Tri-modularization of firewall policies

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this