Algorithms for Analysing Firewall and Router Access Lists

Network firewalls and routers use a rule database to decide which packets will be allowed from one network onto another. By filtering packets the firewalls and routers can improve security and performance. However, as the size of the rule list increases, it becomes difficult to maintain and validate the rules, and lookup latency may increase significantly. Ordered binary decision diagrams (BDDs) - a compact method of representing and manipulating boolean expressions - are a potential method of representing the rules. This paper presents a new algorithm for representing such lists as a BDD and then shows how the resulting boolean expression can be used to analyse rule sets.

• Publication year

  2000

• Venue

  arXiv.org

• Publication date

  2000-08-09

• Fields of study

  Computer Science

• Identifiers
  arXiv cs/0008006
• External record

  Open on Semantic Scholar

• Source metadata

  Semantic Scholar

• No claims are published for this paper.

• No concepts are published for this paper.

• BINARY DECISION DIAGRAM REPRESENTATIONS OF FIREWALL AND ROUTER ACCESS LISTS

  1998influential reference
• Improving the Variable Ordering of OBDDs Is NP-Complete

  1996cited by this paper
• VOSS - A Formal Hardware Verification System User''s Guide

  1993influential reference
• Symbolic Boolean manipulation with ordered binary-decision diagrams

  1992influential reference
• On the Complexity of VLSI Implementations and Graph Representations of Boolean Functions with Application to Integer Multiplication

  1991cited by this paper

• Boolean Expressions in Firewall Analysis

  2022cites this paper
• TEE-based Privacy-Preserve in Collaborative Traffic Policy Compilation for Programmable Devices

  2021cites this paper
• Hybrid Tree-Rule Firewall for High Speed Data Transmission

  2020cites this paper
• Investigating the Creation of an Evolvable Firewall Rule Base and Guidance for Network Firewall Architecture, using the Normalized Systems Theory

  2020cites this paper
• PATTERNS 2019 Proceedings

  2020cites this paper
• Using Normalized Systems to Explore the Possibility of Creating an Evolvable Firewall Rule Base

  2019cites this paper
• High Speed Data Transmission Using Efficient Multi-Dimensional Range Matching

  2017cites this paper
• A Study on Home Office Firewall

  2016cites this paper
• An Improvement of Tree-Rule Firewall for a Large Network: Supporting Large Rule Size and Low Delay

  2016cites this paper
• Firewall configuration: An application of multiagent metalevel argumentation

  2016cites this paper
• Tree rule firewall

  2016cites this paper
• A security Policy Query Engine for fully automated resolution of anomalies in firewall configurations

  2016cites this paper
• Packet filter performance monitor (anti-DDOS algorithm for hybrid topologies)

  2016cites this paper
• Reducing Packet Delay through Filter Merging

  2016cites this paper
• Improving cloud network security using the Tree-Rule firewall

  2014cites this paper
• A Protective Model of Distributed Denial-of-Service in Internet For Lack of Variations

  2014cites this paper
• Firewall Rule Set Analysis and Visualization

  2014cites this paper
• A Mining Based Inference Handling Approach for Message Blocking Filterset Policies of OSN User Wall

  2014cites this paper
• Modelling of integrated trust, governance and access safi.re: Information Sharing Architecture.

  2013cites this paper
• Evaluation of binary decision diagrams for redundancy, shadowing, generalisation and correlation in an Information sharing model.

  2013cites this paper
• Modelling of Integrated Trust, Governance and Access

  2013cites this paper
• Detecting Policy Anomalies in Firewalls by Relational Algebra and Raining 2D-Box Model

  2013cites this paper
• A rule relation calculus for verification and validation of firewalls

  2013cites this paper
• Artificial Intelligence and Law A Trust and Governance Architecture for Information Sharing across Domains

  2013cites this paper
• Limitation of Listed-Rule Firewall and the Design of Tree-Rule Firewall

  2012cites this paper
• Formal Checking of Multiple Firewalls

  2012cites this paper
• An approach to improve performance of a packet-filtering firewall

  2012cites this paper
• Formal security policy implementations in network firewalls

  2012cites this paper
• Distributed Denial of Service Prevention Techniques

  2012cites this paper
• Review of Security Policy Implementations

  2011cites this paper
• A Fully Automatic Approach for Fixing Firewall Misconfigurations

  2011cites this paper
• Symbolic analysis of network security policies using rewrite systems

  2011cites this paper
• Performance analysis of range algorithm

  2011cites this paper
• Rule Anomalies Detection in Firewalls

  2011cites this paper
• Tree Automata Based Semantics of Firewalls

  2011cites this paper
• Efficient Algorithms for Dynamic Detection and Resolution of IPSec/VPN Security Policy Conflicts

  2010cites this paper
• Intranet Security via Firewalls

  2010cites this paper
• Automatic Conformance Verification of Distributed Firewalls to Security Requirements

  2010cites this paper
• Management of heterogeneous security access control configuration using an ontology engineering approach

  2010cites this paper
• Network attacks and securing streaming content

  2010cites this paper
• Automated method for constructing of network traffic filtering rules

  2010cites this paper
• Analysis of firewall policy rules using traffic mining techniques

  2010cites this paper
• Modeling and Analysis of Firewalls by (Tissue-like) P Systems

  2010cites this paper
• Defending against Distributed Denial of Service Attacks : Issues and Challenges

  2009cites this paper
• The International Journal on Advances in Security is published by IARIA

  2009cites this paper
• Specification, Analysis and Resolution of Anomalies in Firewall Security Policies

  2009cites this paper
• Defending against Distributed Denial of Service Attacks: Issues and Challenges

  2009cites this paper
• Automatic verification of conformance of firewall configurations to security policies

  2009cites this paper
• Techniques and algorithms for access control list optimization

  2009cites this paper
• An Interval Decision Diagram Based Firewall

  2009influential citation
• An integrated firewall policy validation tool.

  2009cites this paper
• Firewall filtering rules analysis for anomalies detection

  2008cites this paper
• Automatic Verification of Firewall Configuration with Respect to Security Policy Requirements

  2008influential citation
• A formal logic approach to firewall packet filtering analysis and generation

  2008cites this paper
• Comparing and debugging firewall rule tables

  2007cites this paper
• Structured firewall design

  2007cites this paper
• Tuple Based Approach for Anomalies Detection within Firewall Filtering Rules

  2007cites this paper
• XML based open tool for anomalies detection in firewall filtering rules

  2007cites this paper
• Analysis And Classification of IPSec Security Policy Conflicts

  2006cites this paper
• A Calculus for Distributed Firewall Specification and Verification

  2006cites this paper
• Firewall Rules Analysis

  2006cites this paper
• Analysis of Firewall Policy Rules Using Data Mining Techniques

  2006cites this paper
• Taxonomy of conflicts in network security policies

  2006cites this paper
• FireCrocodile: A Checker for Static Firewall Configurations

  2006influential citation
• Modeling and Performance Evaluation of List Structures

  2006cites this paper
• Detection and Resolution of Anomalies in Firewall Policy Rules

  2006cites this paper
• Handling Anomalies in Distributed Firewalls

  2006cites this paper
• Conflict classification and analysis of distributed firewall policies

  2005cites this paper
• Automatic Detection of Anomalies for Efficient Firewall Policies

  2005cites this paper
• Using Decision Diagrams for Packet Filtering

  2004cites this paper
• Discovery of policy anomalies in distributed firewalls

  2004cites this paper
• Management and Verification of Firewall and Router Access Lists

  2004cites this paper
• An MTIDD Based Firewall

  2004cites this paper
• High Cost Elimination Method for Best Class Permutation in Acces Lists

  2004cites this paper
• Design and Implementation of Firewall Policy Advisor Tools

  2004cites this paper
• An MTIDD Based Firewall Using Decision Diagrams for Packet Filtering

  2004cites this paper
• Modeling and Management of Firewall Policies

  2004cites this paper
• Effects of Ordered Access Lists in Firewalls

  2003cites this paper
• A multi-view tool for checking the security semantics of router configurations

  2003cites this paper
• Approaches for Analysing and Comparing Packet Filtering in Firewalls

  2003cites this paper
• CROCODILE - Ein Werkzeug zur sichtenbasierten Sicherheitsprüfung von Router-Konfigurationen

  2003cites this paper
• Heiß Approaches for Analysing and Comparing Packet Filtering in Firewalls Diploma

  2003cites this paper
• Firewall Policy Advisor for anomaly discovery and rule editing

  2003cites this paper
• Management and translation of filtering security policies

  2003cites this paper
• An expert system for analyzing firewall rules

  2001cites this paper