Fault localization for firewall policies

Jee Hyun Hwang; Tao Xie; Fei Chen; Alex X. Liu

doi:10.1109/SRDS.2009.38

Fault localization for firewall policies

Jee Hyun Hwang, Tao Xie, Fei Chen, Alex X. Liu

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Firewalls are the mainstay of enterprise security and the most widely adopted technology for protecting private networks. Ensuring the correctness of firewall policies through testing is important. In firewall policy testing, test inputs are packets and test outputs are decisions. Packets with unexpected (expected) evaluated decisions are classified as failed (passed) tests. Given failed tests together with passed tests, policy testers need to debug the policy to detect fault locations (such as faulty rules). Such a process is often time-consuming. To help reduce effort on detecting fault locations, we propose an approach to reduce the number of rules for inspection based on information collected during evaluating failed tests. Our approach ranks the reduced rules to decide which rules should be inspected first. We performed experiments on applying our approach. The empirical results show that our approach can reduce 56% of rules that are required for inspection in fault localization.

Original language	English (US)
Title of host publication	Proceedings - 28th IEEE International Symposium on Reliable Distributed Systems, SRDS 2009
Pages	100-106
Number of pages	7
DOIs	https://doi.org/10.1109/SRDS.2009.38
State	Published - 2009
Externally published	Yes
Event	28th IEEE International Symposium on Reliable Distributed Systems, SRDS 2009 - Niagara Falls, NY, United States Duration: Sep 27 2009 → Sep 30 2009

Publication series

Name	Proceedings of the IEEE Symposium on Reliable Distributed Systems
ISSN (Print)	1060-9857

Other

Other	28th IEEE International Symposium on Reliable Distributed Systems, SRDS 2009
Country/Territory	United States
City	Niagara Falls, NY
Period	9/27/09 → 9/30/09

ASJC Scopus subject areas

Software
Theoretical Computer Science
Hardware and Architecture
Computer Networks and Communications

Online availability

10.1109/SRDS.2009.38

Library availability

Discover UIUC Full Text

Cite this

Hwang, JH, Xie, T, Chen, F & Liu, AX 2009, Fault localization for firewall policies. in Proceedings - 28th IEEE International Symposium on Reliable Distributed Systems, SRDS 2009., 5283420, Proceedings of the IEEE Symposium on Reliable Distributed Systems, pp. 100-106, 28th IEEE International Symposium on Reliable Distributed Systems, SRDS 2009, Niagara Falls, NY, United States, 9/27/09. https://doi.org/10.1109/SRDS.2009.38

@inproceedings{bc88fb8dd8cf482594e6fe2e7a292b6b,

title = "Fault localization for firewall policies",

abstract = "Firewalls are the mainstay of enterprise security and the most widely adopted technology for protecting private networks. Ensuring the correctness of firewall policies through testing is important. In firewall policy testing, test inputs are packets and test outputs are decisions. Packets with unexpected (expected) evaluated decisions are classified as failed (passed) tests. Given failed tests together with passed tests, policy testers need to debug the policy to detect fault locations (such as faulty rules). Such a process is often time-consuming. To help reduce effort on detecting fault locations, we propose an approach to reduce the number of rules for inspection based on information collected during evaluating failed tests. Our approach ranks the reduced rules to decide which rules should be inspected first. We performed experiments on applying our approach. The empirical results show that our approach can reduce 56% of rules that are required for inspection in fault localization.",

author = "Hwang, {Jee Hyun} and Tao Xie and Fei Chen and Liu, {Alex X.}",

year = "2009",

doi = "10.1109/SRDS.2009.38",

language = "English (US)",

isbn = "9780769538266",

series = "Proceedings of the IEEE Symposium on Reliable Distributed Systems",

pages = "100--106",

booktitle = "Proceedings - 28th IEEE International Symposium on Reliable Distributed Systems, SRDS 2009",

note = "28th IEEE International Symposium on Reliable Distributed Systems, SRDS 2009 ; Conference date: 27-09-2009 Through 30-09-2009",

}

TY - GEN

T1 - Fault localization for firewall policies

AU - Hwang, Jee Hyun

AU - Xie, Tao

AU - Chen, Fei

AU - Liu, Alex X.

PY - 2009

Y1 - 2009

N2 - Firewalls are the mainstay of enterprise security and the most widely adopted technology for protecting private networks. Ensuring the correctness of firewall policies through testing is important. In firewall policy testing, test inputs are packets and test outputs are decisions. Packets with unexpected (expected) evaluated decisions are classified as failed (passed) tests. Given failed tests together with passed tests, policy testers need to debug the policy to detect fault locations (such as faulty rules). Such a process is often time-consuming. To help reduce effort on detecting fault locations, we propose an approach to reduce the number of rules for inspection based on information collected during evaluating failed tests. Our approach ranks the reduced rules to decide which rules should be inspected first. We performed experiments on applying our approach. The empirical results show that our approach can reduce 56% of rules that are required for inspection in fault localization.

AB - Firewalls are the mainstay of enterprise security and the most widely adopted technology for protecting private networks. Ensuring the correctness of firewall policies through testing is important. In firewall policy testing, test inputs are packets and test outputs are decisions. Packets with unexpected (expected) evaluated decisions are classified as failed (passed) tests. Given failed tests together with passed tests, policy testers need to debug the policy to detect fault locations (such as faulty rules). Such a process is often time-consuming. To help reduce effort on detecting fault locations, we propose an approach to reduce the number of rules for inspection based on information collected during evaluating failed tests. Our approach ranks the reduced rules to decide which rules should be inspected first. We performed experiments on applying our approach. The empirical results show that our approach can reduce 56% of rules that are required for inspection in fault localization.

UR - http://www.scopus.com/inward/record.url?scp=74949116983&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=74949116983&partnerID=8YFLogxK

U2 - 10.1109/SRDS.2009.38

DO - 10.1109/SRDS.2009.38

M3 - Conference contribution

AN - SCOPUS:74949116983

SN - 9780769538266

T3 - Proceedings of the IEEE Symposium on Reliable Distributed Systems

SP - 100

EP - 106

BT - Proceedings - 28th IEEE International Symposium on Reliable Distributed Systems, SRDS 2009

T2 - 28th IEEE International Symposium on Reliable Distributed Systems, SRDS 2009

Y2 - 27 September 2009 through 30 September 2009

ER -

Fault localization for firewall policies

Abstract

Publication series

Other

ASJC Scopus subject areas

Online availability

Library availability

Related links

Fingerprint

Cite this