TY - GEN
T1 - Systematic structural testing of firewall policies
AU - Hwang, Jeehyun
AU - Xie, Tao
AU - Chen, Fei
AU - Liu, Alex X.
PY - 2008
Y1 - 2008
N2 - Firewalls are the mainstay of enterprise security and the most widely adopted technology for protecting private networks. As the quality of protection provided by a firewall directly depends on the quality of its policy (i.e., configuration), ensuring the correctness of firewall policies is important and yet difficult. To help ensure the correctness of a firewall policy, we propose a systematic structural testing approach for firewall policies. We define structural coverage (based on coverage criteria of rules, predicates, and clauses) on the policy under test. To achieve high structural coverage effectively, we have developed three automated packet generation techniques: the random packet generation, the one based on local constraint solving (considering individual rules locally in a policy), and the most sophisticated one based on global constraint solving (considering multiple rules globally in a policy). We have conducted an experiment on a set of real policies and a set of faulty policies to detect faults with generated packet sets. Generally, our experimental results show that a packet set with higher structural coverage has higher fault-detection capability (i.e., detecting more injected faults). Our experimental results show that a reduced packet set (maintaining the same level of structural coverage with the corresponding original packet set) maintains similar fault-detection capability with the original set.
AB - Firewalls are the mainstay of enterprise security and the most widely adopted technology for protecting private networks. As the quality of protection provided by a firewall directly depends on the quality of its policy (i.e., configuration), ensuring the correctness of firewall policies is important and yet difficult. To help ensure the correctness of a firewall policy, we propose a systematic structural testing approach for firewall policies. We define structural coverage (based on coverage criteria of rules, predicates, and clauses) on the policy under test. To achieve high structural coverage effectively, we have developed three automated packet generation techniques: the random packet generation, the one based on local constraint solving (considering individual rules locally in a policy), and the most sophisticated one based on global constraint solving (considering multiple rules globally in a policy). We have conducted an experiment on a set of real policies and a set of faulty policies to detect faults with generated packet sets. Generally, our experimental results show that a packet set with higher structural coverage has higher fault-detection capability (i.e., detecting more injected faults). Our experimental results show that a reduced packet set (maintaining the same level of structural coverage with the corresponding original packet set) maintains similar fault-detection capability with the original set.
UR - http://www.scopus.com/inward/record.url?scp=58149092995&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=58149092995&partnerID=8YFLogxK
U2 - 10.1109/SRDS.2008.34
DO - 10.1109/SRDS.2008.34
M3 - Conference contribution
AN - SCOPUS:58149092995
SN - 9780769534107
T3 - Proceedings of the IEEE Symposium on Reliable Distributed Systems
SP - 105
EP - 114
BT - Proceedings of the 27th IEEE International Symposium on Reliable Distributed Systems, SRDS 2008
T2 - 27th IEEE International Symposium on Reliable Distributed Systems, SRDS 2008
Y2 - 6 October 2008 through 8 October 2008
ER -
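The abstract above only names the ingredients of the approach (rule, predicate and clause coverage; random, local and global packet generation; fault injection; packet-set reduction). The following Python model is an added illustration written for this record, not the authors' tool or code, and it simplifies their method: the coverage definitions used here (a rule is covered when it is the first match for some packet; a predicate or clause is covered when it has evaluated to both true and false) are my assumptions, the "global" generator uses rejection sampling in place of a real constraint solver, each rule is assumed to carry at most one clause per field, and the six-rule policy, the field domains and the fault model (flip an action, drop a clause) are constructed for the example.

```python
import random
from dataclasses import dataclass

# Constructed toy packet model: four header fields, each an integer range.
FIELDS = ("src", "dst", "port", "proto")
DOMAIN = {"src": (0, 255), "dst": (0, 255), "port": (0, 65535), "proto": (0, 255)}


@dataclass(frozen=True)
class Clause:          # one clause: lo <= pkt[field] <= hi
    field: str
    lo: int
    hi: int

    def holds(self, pkt):
        return self.lo <= pkt[self.field] <= self.hi


@dataclass(frozen=True)
class Rule:            # predicate = conjunction of clauses (assumed: one clause per field)
    clauses: tuple
    action: str

    def matches(self, pkt):
        return all(c.holds(pkt) for c in self.clauses)


def R(action, **bounds):
    return Rule(tuple(Clause(f, lo, hi) for f, (lo, hi) in bounds.items()), action)


# Constructed sample policy: first match wins, implicit default deny.
# Rule 4 is completely shadowed by rule 0, a classic misconfiguration.
POLICY = [
    R("accept", src=(10, 10), dst=(20, 20), port=(22, 22), proto=(6, 6)),   # SSH from admin host
    R("deny",   dst=(20, 20), port=(22, 22), proto=(6, 6)),                 # SSH from anyone else
    R("accept", dst=(20, 20), port=(80, 80), proto=(6, 6)),                 # HTTP
    R("accept", dst=(20, 20), port=(443, 443), proto=(6, 6)),               # HTTPS
    R("accept", src=(10, 10), dst=(20, 20), port=(22, 22), proto=(6, 6)),   # shadowed duplicate
    R("accept", dst=(20, 20), port=(53, 53), proto=(17, 17)),               # DNS
]


def evaluate(policy, pkt):
    for rule in policy:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def coverage(policy, packets):
    """Rule / predicate / clause coverage as fractions (assumed definitions, see lead-in)."""
    rule_hit, pred, clause = set(), {}, {}
    for pkt in packets:
        for i, rule in enumerate(policy):          # evaluation stops at the first match
            outcome = rule.matches(pkt)
            pred.setdefault(i, set()).add(outcome)
            for j, c in enumerate(rule.clauses):
                clause.setdefault((i, j), set()).add(c.holds(pkt))
            if outcome:
                rule_hit.add(i)
                break
    n_rules, n_clauses, both = len(policy), sum(len(r.clauses) for r in policy), {True, False}
    return {"rule": len(rule_hit) / n_rules,
            "predicate": sum(pred.get(i) == both for i in range(n_rules)) / n_rules,
            "clause": sum(v == both for v in clause.values()) / n_clauses}


def random_packets(n, rng):
    return [{f: rng.randint(*DOMAIN[f]) for f in FIELDS} for _ in range(n)]


def solve_local(rule, rng):
    """Local constraint solving: satisfy one rule's clauses, ignoring the rules above it."""
    pkt = {f: rng.randint(*DOMAIN[f]) for f in FIELDS}
    for c in rule.clauses:
        pkt[c.field] = rng.randint(c.lo, c.hi)
    return pkt


def local_packets(policy, rng):
    return [solve_local(r, rng) for r in policy]


def global_packets(policy, rng, tries=200):
    """Global: rule i must match AND no earlier rule may (rejection sampling stands in
    for a solver). A rule that never succeeds is reported as shadowed."""
    packets, shadowed = [], []
    for i, rule in enumerate(policy):
        for _ in range(tries):
            pkt = solve_local(rule, rng)
            if not any(r.matches(pkt) for r in policy[:i]):
                packets.append(pkt)
                break
        else:
            shadowed.append(i)
    return packets, shadowed


def mutants(policy):
    """Injected faults: flip one rule's action, or drop one clause from a rule."""
    out = []
    for i, r in enumerate(policy):
        flip = Rule(r.clauses, "deny" if r.action == "accept" else "accept")
        out.append((f"rule {i}: flipped action", policy[:i] + [flip] + policy[i + 1:]))
        for j in range(len(r.clauses)):
            dropped = Rule(r.clauses[:j] + r.clauses[j + 1:], r.action)
            out.append((f"rule {i}: dropped clause {j}", policy[:i] + [dropped] + policy[i + 1:]))
    return out


def detected(policy, mutant, packets):   # original policy acts as the oracle
    return any(evaluate(policy, p) != evaluate(mutant, p) for p in packets)


def fault_detection_rate(policy, packets):
    ms = mutants(policy)
    return sum(detected(policy, m, packets) for _, m in ms) / len(ms)


def reduce_packets(policy, packets):
    """Greedy reduction: keep a packet only if it raises some coverage measure."""
    kept, current = [], coverage(policy, [])
    for pkt in packets:
        trial = coverage(policy, kept + [pkt])
        if any(trial[k] > current[k] for k in trial):
            kept, current = kept + [pkt], trial
    return kept


def run_experiment(seed=1, n_random=200):
    rng = random.Random(seed)
    sets = {"random": random_packets(n_random, rng), "local": local_packets(POLICY, rng)}
    sets["global"], shadowed = global_packets(POLICY, rng)
    results = {name: (coverage(POLICY, p), fault_detection_rate(POLICY, p),
                      fault_detection_rate(POLICY, reduce_packets(POLICY, p)))
               for name, p in sets.items()}
    return sets, shadowed, results


if __name__ == "__main__":
    sets, shadowed, results = run_experiment()
    print("shadowed rules:", shadowed)
    for name, (cov, fdr, fdr_reduced) in results.items():
        print(f"{name:7s} n={len(sets[name]):3d} coverage={cov} faults={fdr:.2f} reduced={fdr_reduced:.2f}")
```

Running it shows the pattern the abstract reports: random packets almost never hit the narrow port clauses, so they cover few rules and detect few injected faults; local solving reaches every rule in isolation but can be fooled by earlier rules; the global generator is the only one that reports rule 4 as unreachable, and its packets detect the most mutants. The "flipped action" mutant of a shadowed rule is an equivalent mutant that no packet set can detect, which is the same finding as the shadowing itself.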