Misconfiguration Management of Network Security Components
This addresses network security management for organizations using firewalls, but it appears incremental as it builds on existing rule analysis methods.
The paper tackles the problem of misconfigurations in firewall rule sets, which degrade network security, by presenting algorithms that analyze rule relationships and rewrite configurations to eliminate errors and detect useless rules.
Many companies and organizations use firewalls to control the access to their network infrastructure. Firewalls are network security components which provide means to filter traffic within corporate networks, as well as to police incoming and outcoming interaction with the Internet. For this purpose, it is necessary to configure firewalls with a set of filtering rules. Nevertheless, the existence of errors in a set of filtering rules is very likely to degrade the network security policy. The discovering and removal of these configuration errors is a serious and complex problem to solve. In this paper, we present a set of algorithms for such a management. Our approach is based on the analysis of relationships between the set of filtering rules. Then, a subsequent rewriting of rules will derive from an initial firewall setup -- potentially misconfigured -- to an equivalent one completely free of errors. At the same time, the algorithms will detect useless rules in the initial firewall configuration.