Detection and Removal of Firewall Misconfiguration

F. Cuppens, N. Cuppens-Boulahia (France), and J. García-Alfaro (Spain)


Network Security, Firewalls, Filtering Rules, Redundancy, Shadowing of Rules


To police network traffic, firewalls must be configured with a set of filtering rules. The existence of errors in this set is very likely to degrade the network security policy. The management of these configuration errors is a serious and complex problem to solve. In this paper, we present a set of algorithms to manage rules that never apply or are redundant in a firewall configuration. Our approach is based on the analysis of relationships between the set of filtering rules. A subsequent rewriting of rules then transforms the initial firewall setup into an equivalent one that is completely free of such errors. At the same time, the algorithms detect both shadowed and redundant rules in the initial firewall configuration.
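As an added illustration of the rule-relationship analysis the abstract describes (example code, not the authors' algorithms), the following Python audits a small constructed first-match rule list for shadowed rules (never reached) and redundant rules (removable without changing any decision) by subtracting rule regions from one another. The three integer fields, the default-deny policy and the sample rules are assumptions.

```python
# Added example (not the paper's code): audit of a first-match rule list for
# shadowed rules (never reached) and redundant rules (removal changes nothing).
# A rule is (action, box); a box is ((src_lo, src_hi), (dst_lo, dst_hi), (port_lo, port_hi)).

def intersect(a, b):
    """Box common to a and b, or None when they are disjoint."""
    out = tuple((max(x[0], y[0]), min(x[1], y[1])) for x, y in zip(a, b))
    return None if any(lo > hi for lo, hi in out) else out

def subtract(a, b):
    """Boxes that together cover a minus b, sliced off one field at a time."""
    common = intersect(a, b)
    if common is None:
        return [a]
    pieces, rest = [], list(a)
    for f, ((lo, hi), (clo, chi)) in enumerate(zip(a, common)):
        if lo < clo:
            pieces.append(tuple(rest[:f] + [(lo, clo - 1)] + rest[f + 1:]))
        if chi < hi:
            pieces.append(tuple(rest[:f] + [(chi + 1, hi)] + rest[f + 1:]))
        rest[f] = (clo, chi)
    return pieces

def residual(rules, i):
    """Packets that actually reach rule i: its box minus every earlier box."""
    region = [rules[i][1]]
    for _, earlier in rules[:i]:
        region = [p for box in region for p in subtract(box, earlier)]
    return region

def classify(rules, i, default="deny"):
    """'shadowed' if nothing reaches rule i; 'redundant' if every packet that
    does gets the same action from a later rule or the default; else 'ok'."""
    action, region = rules[i][0], residual(rules, i)
    if not region:
        return "shadowed"
    for later_action, later in rules[i + 1:]:
        if later_action != action and any(intersect(b, later) for b in region):
            return "ok"
        region = [p for box in region for p in subtract(box, later)]
    return "redundant" if not region or default == action else "ok"

def audit(rules, default="deny"):
    return {i: classify(rules, i, default) for i in range(len(rules))}

SAMPLE = [  # constructed rule list: first match wins, default deny
    ("deny",  ((10, 19), (0, 255), (80, 80))),    # one subnet blocked on :80
    ("allow", ((0, 255), (0, 255), (80, 80))),    # everyone else allowed on :80
    ("allow", ((20, 29), (0, 255), (80, 80))),    # shadowed by the rule above
    ("deny",  ((30, 39), (0, 255), (443, 443))),  # redundant with default deny
    ("allow", ((40, 49), (0, 255), (22, 22))),    # needed
]
```

Removing the rules flagged shadowed or redundant from SAMPLE yields an equivalent list; dropping any rule marked ok changes at least one decision.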

