On the safety and efficiency of firewall policy deployment

Charles C. Zhang; Marianne Winslett; Carl A. Gunter

doi:10.1109/SP.2007.32

On the safety and efficiency of firewall policy deployment

Charles C. Zhang, Marianne Winslett, Carl A. Gunter

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Firewall policy management is challenging and error-prone. While ample research has led to tools for policy specification, correctness analysis, and optimization, few researchers have paid attention to firewall policy deployment: the process where a management tool edits a firewall's configuration to make it run the policies specified in the tool. In this paper, we provide the first formal definition and theoretical analysis of safety in firewall policy deployment. We show that naive deployment approaches can easily create a temporary security hole by permitting illegal traffic, or interrupt service by rejecting legal traffic during the deployment. We define safe and most-efficient deployments, and introduce the shuffling theorem as a formal basis for constructing deployment algorithms and proving their safety. We present efficient algorithms for constructing most-efficient deployments in popular policy editing languages. We show that in certain widelyinstalled policy editing languages, a safe deployment is not always possible. We also show how to leverage existing diff algorithms to guarantee a safe, mostefficient, and monotonic deployment in other editing languages.

Original language	English (US)
Title of host publication	Proceedings - S and P 2007
Subtitle of host publication	2007 IEEE Symposium on Security and Privacy, SP'07
Pages	33-47
Number of pages	15
DOIs	https://doi.org/10.1109/SP.2007.32
State	Published - 2007
Event	S and P 2007: 2007 IEEE Symposium on Security and Privacy, SP'07 - Berkeley, CA, United States Duration: May 20 2007 → May 23 2007

Publication series

Name	Proceedings - IEEE Symposium on Security and Privacy
ISSN (Print)	1081-6011

Other

Other	S and P 2007: 2007 IEEE Symposium on Security and Privacy, SP'07
Country/Territory	United States
City	Berkeley, CA
Period	5/20/07 → 5/23/07

ASJC Scopus subject areas

Engineering(all)

Online availability

10.1109/SP.2007.32

Library availability

Discover UIUC Full Text

Cite this

Zhang, CC, Winslett, M & Gunter, CA 2007, On the safety and efficiency of firewall policy deployment. in Proceedings - S and P 2007: 2007 IEEE Symposium on Security and Privacy, SP'07., 4223212, Proceedings - IEEE Symposium on Security and Privacy, pp. 33-47, S and P 2007: 2007 IEEE Symposium on Security and Privacy, SP'07, Berkeley, CA, United States, 5/20/07. https://doi.org/10.1109/SP.2007.32

@inproceedings{a97348d4a9e04057bbfb6ba54e9c5acc,

title = "On the safety and efficiency of firewall policy deployment",

abstract = "Firewall policy management is challenging and error-prone. While ample research has led to tools for policy specification, correctness analysis, and optimization, few researchers have paid attention to firewall policy deployment: the process where a management tool edits a firewall's configuration to make it run the policies specified in the tool. In this paper, we provide the first formal definition and theoretical analysis of safety in firewall policy deployment. We show that naive deployment approaches can easily create a temporary security hole by permitting illegal traffic, or interrupt service by rejecting legal traffic during the deployment. We define safe and most-efficient deployments, and introduce the shuffling theorem as a formal basis for constructing deployment algorithms and proving their safety. We present efficient algorithms for constructing most-efficient deployments in popular policy editing languages. We show that in certain widelyinstalled policy editing languages, a safe deployment is not always possible. We also show how to leverage existing diff algorithms to guarantee a safe, mostefficient, and monotonic deployment in other editing languages.",

author = "Zhang, {Charles C.} and Marianne Winslett and Gunter, {Carl A.}",

year = "2007",

doi = "10.1109/SP.2007.32",

language = "English (US)",

isbn = "0769528481",

series = "Proceedings - IEEE Symposium on Security and Privacy",

pages = "33--47",

booktitle = "Proceedings - S and P 2007",

note = "S and P 2007: 2007 IEEE Symposium on Security and Privacy, SP'07 ; Conference date: 20-05-2007 Through 23-05-2007",

}

TY - GEN

T1 - On the safety and efficiency of firewall policy deployment

AU - Zhang, Charles C.

AU - Winslett, Marianne

AU - Gunter, Carl A.

PY - 2007

Y1 - 2007

N2 - Firewall policy management is challenging and error-prone. While ample research has led to tools for policy specification, correctness analysis, and optimization, few researchers have paid attention to firewall policy deployment: the process where a management tool edits a firewall's configuration to make it run the policies specified in the tool. In this paper, we provide the first formal definition and theoretical analysis of safety in firewall policy deployment. We show that naive deployment approaches can easily create a temporary security hole by permitting illegal traffic, or interrupt service by rejecting legal traffic during the deployment. We define safe and most-efficient deployments, and introduce the shuffling theorem as a formal basis for constructing deployment algorithms and proving their safety. We present efficient algorithms for constructing most-efficient deployments in popular policy editing languages. We show that in certain widelyinstalled policy editing languages, a safe deployment is not always possible. We also show how to leverage existing diff algorithms to guarantee a safe, mostefficient, and monotonic deployment in other editing languages.

AB - Firewall policy management is challenging and error-prone. While ample research has led to tools for policy specification, correctness analysis, and optimization, few researchers have paid attention to firewall policy deployment: the process where a management tool edits a firewall's configuration to make it run the policies specified in the tool. In this paper, we provide the first formal definition and theoretical analysis of safety in firewall policy deployment. We show that naive deployment approaches can easily create a temporary security hole by permitting illegal traffic, or interrupt service by rejecting legal traffic during the deployment. We define safe and most-efficient deployments, and introduce the shuffling theorem as a formal basis for constructing deployment algorithms and proving their safety. We present efficient algorithms for constructing most-efficient deployments in popular policy editing languages. We show that in certain widelyinstalled policy editing languages, a safe deployment is not always possible. We also show how to leverage existing diff algorithms to guarantee a safe, mostefficient, and monotonic deployment in other editing languages.

UR - http://www.scopus.com/inward/record.url?scp=34548792398&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=34548792398&partnerID=8YFLogxK

U2 - 10.1109/SP.2007.32

DO - 10.1109/SP.2007.32

M3 - Conference contribution

AN - SCOPUS:34548792398

SN - 0769528481

SN - 9780769528489

T3 - Proceedings - IEEE Symposium on Security and Privacy

SP - 33

EP - 47

BT - Proceedings - S and P 2007

T2 - S and P 2007: 2007 IEEE Symposium on Security and Privacy, SP'07

Y2 - 20 May 2007 through 23 May 2007

ER -

On the safety and efficiency of firewall policy deployment

Abstract

Publication series

Other

ASJC Scopus subject areas

Online availability

Library availability

Related links

Fingerprint

Cite this