Investigation And Optimization Of The Firewall-based Access Control List

Posted on: 2018-06-01
Degree: Master
Type: Thesis
Country: China
Candidate: M M Xin
GTID: 2348330518487204
Subject: Computer system architecture

Abstract/Summary:
A firewall is a security guard between the entry point of a private network and the outside Internet, so that all incoming and outgoing packets have to pass through it. Firewalls are safety-critical systems that secure most networks. An error in a firewall either leaks secret information from its network or disrupts legitimate communication between its network and the rest of the Internet. How to design a correct firewall is therefore an essential issue. Much of the security policy enforcement at the network level involves configuring packet classification strategies as Access Control Lists (ACLs). A gateway device performing traffic filtering can deploy ACLs with thousands of rules. Because of the difficulty of the ACL configuration language, large ACLs easily become redundant, inconsistent, and hard to optimize or even to understand.

Firewalls are core elements of network security. Managing firewall rules, however, has become complex and error-prone. Filtering rules have to be carefully written and ordered in order to implement the security policy correctly. In addition, inserting or modifying a filtering rule requires a thorough analysis of the relationship between that rule and the other rules in order to determine its proper position and commit the update. In this thesis, we present a set of techniques and algorithms that provide (1) automatic anomaly detection for discovering rule conflicts and potential problems in legacy firewalls, (2) anomaly-free policy editing for rule insertion, modification and removal, and (3) concise translation of filtering rules into high-level textual descriptions for user visualization and verification. These are implemented in a user-friendly tool called "Firewall Policy Advisor."

The Firewall Policy Advisor significantly simplifies the management of any generic firewall policy written as filtering rules, while minimizing the network vulnerability caused by firewall rule configuration errors. This thesis also implements an optimization method for conflicting and redundant ACLs. The conflict and redundancy problems in ACL rules are ignored in the existing Firewall Decision Diagram (FDD). Based on the FDD, we studied an algorithm for detecting conflicts and redundancy among ACL rules. On this basis, we optimized the construction algorithm of the original FDD and proposed a new FDD construction algorithm that removes redundant rules and avoids conflicts so as to reduce the number of isomorphic nodes; as a result, the number of access control list rules is greatly reduced and query performance is greatly improved. We ran experiments to verify the feasibility and higher efficiency of our improved Firewall Decision Diagram.
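The abstract describes two of the thesis's contributions at a high level: detecting rule conflicts and redundancy in a first-match ACL, and removing the rules that can never fire so the list shrinks without changing its decisions. The script below is an added illustration of that idea, not the thesis's Firewall Policy Advisor or FDD code. It models every match field (protocol, source prefix, destination prefix, destination port) as a closed integer interval, so the relation between two rules reduces to comparing intervals field by field. The anomaly names it reports (shadowed, redundant, generalizes, correlated) are assumed from the usual firewall-policy anomaly classification and are not defined on this page; the rule names, addresses and ports in SAMPLE_ACL are constructed sample data.

```python
"""
Added example (not the thesis's own code): pairwise anomaly detection for a
first-match ACL, plus removal of rules that can never fire, with a check that
removal leaves per-packet decisions unchanged. All rule data is constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Protocol field as an interval over IP protocol numbers; "any" spans them all.
PROTO = {"any": (0, 255), "icmp": (1, 1), "tcp": (6, 6), "udp": (17, 17)}


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str
    src: str                 # CIDR prefix
    dst: str                 # CIDR prefix
    dport: Tuple[int, int]   # inclusive destination port range
    action: str              # "accept" or "deny"

    def intervals(self):
        """Each match field as (low, high) so set relations become interval checks."""
        s = ipaddress.ip_network(self.src, strict=False)
        d = ipaddress.ip_network(self.dst, strict=False)
        return (PROTO[self.proto],
                (int(s.network_address), int(s.broadcast_address)),
                (int(d.network_address), int(d.broadcast_address)),
                self.dport)


def relation(a: Rule, b: Rule) -> str:
    """'disjoint', 'equal', 'subset' (a within b), 'superset' (a contains b) or 'overlap'."""
    a_in_b = b_in_a = True
    for (alo, ahi), (blo, bhi) in zip(a.intervals(), b.intervals()):
        if ahi < blo or bhi < alo:
            return "disjoint"          # one field can never match the same packet
        a_in_b &= blo <= alo and ahi <= bhi
        b_in_a &= alo <= blo and bhi <= ahi
    if a_in_b and b_in_a:
        return "equal"
    if a_in_b:
        return "subset"
    if b_in_a:
        return "superset"
    return "overlap"


def analyze(rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """Compare each rule with every rule ordered before it (first-match semantics)."""
    findings = []
    for j, rj in enumerate(rules):
        for ri in rules[:j]:
            rel = relation(rj, ri)
            if rel in ("subset", "equal"):
                # every packet rj could match is already decided by the earlier ri
                kind = "redundant" if rj.action == ri.action else "shadowed"
                findings.append((rj.name, kind, ri.name))
                break
            if rel == "superset" and rj.action != ri.action:
                findings.append((rj.name, "generalizes", ri.name))
            elif rel == "overlap" and rj.action != ri.action:
                findings.append((rj.name, "correlated", ri.name))
    return findings


def prune_dead_rules(rules: List[Rule]) -> List[Rule]:
    """Drop shadowed and redundant rules; first-match decisions are unchanged."""
    dead = {name for name, kind, _ in analyze(rules) if kind in ("shadowed", "redundant")}
    return [r for r in rules if r.name not in dead]


def first_match(rules: List[Rule], proto: int, src: str, dst: str, dport: int) -> str:
    """Evaluate the ACL for one packet; implicit deny when nothing matches."""
    pkt = (proto, int(ipaddress.ip_address(src)), int(ipaddress.ip_address(dst)), dport)
    for r in rules:
        if all(lo <= v <= hi for v, (lo, hi) in zip(pkt, r.intervals())):
            return r.action
    return "deny"


# Constructed sample ACL exercising each anomaly type (comments state the expected finding).
SAMPLE_ACL = [
    Rule("R1", "tcp", "10.0.0.0/8",  "192.168.1.0/24",  (80, 80),    "accept"),
    Rule("R2", "tcp", "10.1.0.0/16", "192.168.1.0/24",  (80, 80),    "deny"),    # shadowed by R1
    Rule("R3", "any", "10.0.0.0/8",  "192.168.1.0/24",  (0, 65535),  "deny"),    # generalizes R1
    Rule("R4", "tcp", "10.2.0.0/16", "192.168.1.10/32", (80, 80),    "accept"),  # redundant with R1
    Rule("R5", "udp", "10.0.0.0/8",  "172.16.0.0/12",   (53, 53),    "accept"),  # no anomaly
    Rule("R6", "tcp", "0.0.0.0/0",   "192.168.1.0/24",  (80, 443),   "accept"),  # correlated with R3
]

if __name__ == "__main__":
    for rule, kind, other in analyze(SAMPLE_ACL):
        print(f"{rule} is {kind} {other}")
    print("kept:", [r.name for r in prune_dead_rules(SAMPLE_ACL)])
```

The pairwise pass is quadratic in the number of rules, which is acceptable for checking a list of a few thousand entries but is exactly what a decision-diagram representation such as the FDD avoids for repeated queries; the script only shows the rule relations themselves. Note that "generalizes" and "correlated" are reported as warnings rather than removed, since whether they are errors depends on the intended policy, whereas shadowed and redundant rules are provably unreachable under first-match evaluation.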
Keywords/Search Tags: Firewall, Access Control List, Firewall Policy Advisor, FDD