
Journal of Computational Science 23 (2017) 181–191


FARE: FDD-based firewall anomalies resolution tool


Amina Saâdaoui ∗ , Nihel Ben Youssef Ben Souayeh, Adel Bouhoula
Digital Security Research Unit, Higher School of Communication of Tunis (Sup’Com), University of Carthage, Tunisia

Article history: received 1 December 2015; received in revised form 5 June 2017; accepted 3 September 2017; available online 14 September 2017.

Keywords: Firewall misconfigurations; Security policy; Firewall decision diagram; Automatic resolution; Inference system

Abstract

Problems arising from firewall misconfigurations are common and have dramatic consequences for network operations. The discovery and removal of these misconfigurations is therefore a serious and complex problem. In this paper we address it using a data structure, the firewall decision diagram (FDD). We propose a new approach to rule-set optimization and clean-up that removes superfluous rules from a simple firewall, together with a fully automatic method to detect and fix misconfigurations. We also present a new classification of anomalies in a multi-firewall environment that brings out real configuration errors. We prove the correctness and completeness of our method and demonstrate its scalability and applicability on configurations provided by the Computer Centre of the Tunisian Ministry of Finance (CIMF), with promising results.

© 2017 Elsevier B.V. All rights reserved.

1. Introduction

Firewall configurations are inherently difficult to manage. Studies [1–3] regularly report the insufficient quality of firewall rule sets and highlight the critical problem of firewall misconfigurations. Since companies rely on the availability of their networks, such misconfigurations are costly. Given the magnitude of this problem, our goal is to develop a method that automatically identifies and corrects configuration errors in a set of firewall rules with respect to the security policy. As an example, consider the enterprise network shown in Fig. 1. Three firewalls delimit three subdomains. The global security policy that should be implemented is the following:

• Allow access from Zone C to the other zones, except traffic from machine 172.16.0.25.
• Deny all traffic from Zone B to Zone C.
• Allow access from Zone A to the other zones, except http access from machine 192.168.4.3 to subzone 172.13.14.0/24.
• Accept all traffic from Zone B to Zone A, except traffic from sub-zone B1.

Many solutions have been proposed for the firewall rule analysis problem, but they essentially have the following drawbacks:

• In a multi-firewall environment, they consider anomalies between only two firewalls of a given network path, which cannot give a precise picture of the real conflicts that can arise between rules of different firewalls and obviously does not help to fix them.
• The authors of [4] deal only with pairwise filtering rules. In this way, other classes of configuration anomalies can remain uncharted. For example, rule r5 of Firewall2 is partially shadowed (masked) by rule r1 and partially redundant with rule r7. Removing this rule would therefore not affect the firewall's behavior, so the rule can be considered unused.
• Some studies do not distinguish between intentional syntactic anomalies and real configuration errors. For instance, on the network path composed of Firewall3 and Firewall2, in that order, packets from machine 172.27.0.25 are rejected because they match rule r8 of Firewall2, which conforms to the global security policy SP. Although no misconfiguration is present, most related studies [5–7] report the conflict between r8 of Firewall2 and r3 of Firewall3 as a purely syntactic anomaly, since the two rules handle common packets with different actions.
• Note also that rule r10 of the configuration of Firewall1, shown in Table 1, is configured to accept all traffic from sub-zone A2 to Zone C, which conforms to the global security policy. But even though this rule is correct by itself, the firewall rejects the flow from sub-zone A2 to 172.13.14.0/24, because an earlier rule (r5) matches some of the same packets. In this case the anomaly is an effective misconfiguration, since the security policy is not correctly implemented.

In this paper, we propose a new approach to correcting discovered misconfigurations in real-world firewall configurations already deployed to protect a given network, by modifying some fields of rules, changing their order, removing rules, and so on, without increasing the complexity of the configuration. We also demonstrate its applicability and scalability by using a satisfiability solver. The major differences of the present work compared to our earlier work [8] are the following: we formally prove the correctness and completeness of the proposed inference systems using a formal specification; we propose a method for rule-set optimization in a simple firewall by removing unused rules; we extract anomalies in a distributed environment and decide, using the FDD (firewall decision diagram), whether each one is a real misconfiguration or an intended anomaly; and we present a tool that provides initial results on the speed and accuracy of the proposed method in real-world conditions. Our tool uses the Limboole SAT (satisfiability) solver [9] as a verification back end, which can handle large sets of non-quantified Boolean clauses in reasonably good time.

This paper is organized as follows. Section 2 summarizes related work. Section 3 overviews the formal representation of firewall configurations and security policies and details the FDD structure. Section 4 presents our method to discover and remove superfluous rules. Section 5 presents our approach to discovering simple and distributed firewall misconfigurations. Section 6 articulates our approach to resolving simple firewall misconfigurations. Section 7 first studies the complexity of our inference systems and then addresses the implementation and evaluation of our tool. Finally, we present our conclusions and discuss our plans for future work.

∗ Corresponding author at: 93 Avenue Hedi Chaker, 1002 Tunis, Tunisia.
E-mail address: saadaoui.amina@gmail.com (A. Saâdaoui).
http://dx.doi.org/10.1016/j.jocs.2017.09.003

Fig. 1. Network topology.

Table 1
Firewall configuration – Firewall1.

Order  Srce @          Dest @          Protocol  Dest Port  Action
r1     10.0.0.3        172.13.14.1     *         80         Accept
r2     10.0.0.0/16     172.13.14.0/24  TCP       80         Accept
r3     192.168.0.3     172.13.14.0/24  TCP       22         Accept
r4     192.168.2.0/24  172.13.14.0/24  TCP       80         Deny
r5     192.168.1.0/24  172.13.14.0/24  TCP       80         Deny
r6     10.0.0.3        172.13.0.0/16   TCP       80         Deny
r7     10.0.0.3        172.13.14.0/24  TCP       *          Deny
r8     192.168.2.0/24  172.13.0.0/16   TCP       80         Accept
r9     192.168.1.0/24  172.13.14.0/24  *         80         Deny
r10    192.168.1.0/24  172.13.0.0/16   TCP       80         Accept
r11    192.168.4.0/24  172.13.14.0/24  TCP       80         Accept
r12    192.168.4.0/24  172.13.0.0/16   TCP       80         Deny

2. Related work

2.1. Intra- and inter-firewall anomaly detection

Al Shaer et al. [5] introduced a framework for discovering anomalies in simple and distributed firewalls. They also presented a tool called PolicyVis [10], which allows firewall policies to be inspected by discovering anomalies in simple or distributed firewalls. In their approach, the relations between rules are analyzed using a state diagram that identifies anomalies and the pair of rules involved in each of them (or the pair of firewalls, in the case of inter-firewall anomaly detection). This differs from our method, which considers all rules and not only pairs.

Hu et al. [11,12] proposed an anomaly management framework (FAME) that facilitates the systematic detection and resolution of firewall policy anomalies by analyzing the relations between all the rules of the firewall configuration. To resolve anomalies they assign an action constraint, defining a desired action (either Allow or Deny), to each conflicting segment between rules. To generate these action constraints they use a "risk level" determined from a vulnerability assessment of the network. The process is automated, but in some cases the desired action is selected manually, so the administrator decides by hand whether an anomaly is a misconfiguration. In contrast, our method incorporates the security policy, which makes it possible to decide automatically whether an anomaly is intentional or a real configuration error.

The authors of [13] introduced a modal logic, called visibility logic (VL), that can express arbitrary patterns between the rules of a firewall. They then propose a model checker that verifies any formula expressed in visibility logic. In this study, anomalies are detected between two rules only, except for generalization, which is detected between three rules and called "second-degree generalization". This approach also does not address the need for ways to correct the anomalies discovered.

The authors of [6,14] introduced a method for analyzing packets from the filtering rule list using relational algebra and a 2D box model, which simulates packets as rectangular boxes and identifies anomalies and relations between rules. In our work we also represent relations between rules in a data structure, but additionally we identify anomalies by considering all relations between all rules.

The authors of [11] proposed methods to manage the rules of a single firewall. This differs from our method, which takes into account all the firewalls on a given network path, because even if each firewall in the network is well configured, anomalies can arise between rules of different firewalls.

Cuppens et al. presented in [15,16] an audit process to manage intra-firewall policy anomalies. Using the relationships between the attributes of filtering rules (such as coincidence, disjunction and inclusion), they detect and remove configuration anomalies. The data structure used in their work is a linked list of initial size n, where n is the number of filtering rules; each element is an associative array with the strings condition, decision, shadowing and redundancy as keys to access each necessary value. The authors of [17,18] addressed the discovery of intra- and inter-component anomalies; their approach detects anomalies in network security policies deployed over firewalls and network intrusion detection systems, and has the advantage of analyzing the whole set of rules and not only the relationship between two rules. For the intra-component case they detect three anomalies, shadowing, redundancy and irrelevance, and propose an algorithm that removes them automatically. This differs from our method, which also considers other types of anomalies, such as correlation and generalization, caused by overlapping conflicting rules.

Prior work on inter-firewall rule analysis [19,20] focused on the relations between pairs of rules of two firewalls on a given network path. In reality, however, a network path commonly contains more than two firewalls, and anomalies can occur between more than two rules of these firewalls. A precise indication of all the firewalls and all the rules involved in a misconfiguration makes it easier to fix without creating new misconfigurations.

In [21] the authors present a firewall analysis engine named Fang, a query-based tool for firewall policy analysis that lets the user submit queries for the purpose of analyzing and managing firewall policies. Even though this tool can be extended to run queries that analyze network security policies, it cannot provide a comprehensive examination of policy misconfigurations, and it provides no method to fix the problems discovered. FIREMAN [22] is a static analysis toolkit that checks for anomalies in firewalls. It can handle large sets of firewall rules since it uses an efficient BDD. However, it can only show that there are anomalies between one filtering rule and the preceding rules; it cannot identify all the rules involved in an anomaly.

2.2. Firewall configuration verification

Liu [23] proposed a firewall verification method that takes as input a firewall configuration and a given property and outputs whether the configuration satisfies the property. Matsumoto and Bouhoula [24] propose a SAT-based approach for verifying firewall configurations with respect to the security policy requirements; this method checks the correctness of the firewall configuration whether or not it contains anomalies. FINSAT [25,26] incorporates an ACL (access control list) conflict analysis procedure that detects various types of ACL rule conflicts in the model using Boolean satisfiability (SAT) analysis. Conflicts are reported as "error(s)" when the SAT result has satisfiable instances, after which the network administrator has to reconfigure the ACL rules by hand according to the results. The objectives of our work are different. We aim first to optimize the firewall configuration by removing unused rules, and then to discover all misconfigurations by taking into account the requirements of the security policy. Our work therefore involves two aspects: rule analysis and firewall verification.

Proving the correctness and completeness of the proposed techniques is an unavoidable step. Nevertheless, most existing studies and algorithms omit proofs of these two properties. In our work, using a formal representation and inference systems, we prove their completeness and correctness.

3. Preliminaries

In what follows, we formally define some key notions.

3.1. Firewall configuration

A simple firewall configuration is a finite sequence of filtering rules of the form $FR = (r_i \Rightarrow A_i)_{0 < i < N+1}$. These rules are tried in order, up to the first matching one. A filtering rule consists of a precondition $r_i$, which is a region of the packet space $P$, usually defined by source address, destination address, protocol and destination port. Each right-hand member $A_i$ of a rule of $FR$ is an action defining the behavior of the firewall on the filtered packets: $A_i \in \{accept, deny\}$.

3.2. Security policy

A security policy $SP$ is presented as a finite unordered set of directives, as in the example of the Introduction, defining whether packets are accepted or denied. We also consider two sets, $SP_{accept}$ and $SP_{deny}$, where $SP_{accept}$ consists of the packets accepted by the set of directives $SP$ and $SP_{deny}$ is the subset of denied packets. In this work we suppose that $SP$ is consistent, i.e. $SP_{accept} \cap SP_{deny} = \emptyset$.

3.3. Firewall decision diagram (FDD) of a simple firewall

Fig. 2. Firewall decision diagram – Firewall2.

The firewall decision diagram ($fdd$), as defined in [27,28], is a directed acyclic graph with the following properties. Exactly one node of $fdd$ has no incoming edges; this node is called the root of $fdd$. The nodes of $fdd$ that have no outgoing edges are called terminal nodes. $fdd$ is the union of its direct paths $dp_i$; the algorithm used to construct an $fdd$ is detailed in [27,28]. So we have:

$$fdd = \bigcup_{i=1}^{m} dp_i,$$

$$dp_i = dp_i.srce \wedge dp_i.protocol \wedge dp_i.dest \wedge dp_i.port \wedge dp_i.rules \wedge dp_i.action,$$

where:

• $dp_i.srce$ is the range of source addresses represented by the direct path $dp_i$;
• $dp_i.dest$ is the range of destination addresses represented by $dp_i$;
• $dp_i.port$ is the range of port numbers represented by $dp_i$;
• $dp_i.protocol$ is the range of protocols represented by $dp_i$;
• $dp_i.rules$ is the set of rules of the firewall configuration that match the domain of packets represented by this direct path, $dp_i.rules = \{r_k^i\}_{k = 1..l}$, where $r_1^i$ is the first rule of the firewall configuration applied to the domain of $dp_i$; the action of the direct path is the action applied by $r_1^i$;
• $dp_i.action$ is the action of the direct path $dp_i$.

Figs. 2 and 3 show the firewall decision diagrams of the simple firewall configurations of Tables 2 and 1 respectively.

3.4. FDD of a path in a distributed environment

A network path $path_i[src, dst]$ is composed of an ordered set of firewalls through which the traffic flows from the source $src$ to the destination $dst$: $path_i = \{fc_j,\ n \le j \le m\}$. Let $Paths$ be the set of all possible paths in our network, $Paths = \{path_i,\ 1 \le i \le k\}$. The firewall decision diagram of a path $path_i$ is constructed from the collection of rules of the different firewalls $fc_j$ belonging to this path. Therefore, the firewall decision diagram of the set $Paths$ of our network can be represented as follows:

$$FDD(Paths) = FDD = \bigcup_{0 < i < N+1} fdd_i,$$

where each $fdd_i$ is the firewall decision diagram of the path $path_i$, so $FDD$ is the union of the $fdd_i$ of every path in the network. We construct $fdd_i$ with the same algorithm as in Section 3.3, applied to the collection of rules of each $path_i$. The properties already defined for a direct path of a simple firewall remain the same, except for the sets $dp_i.rules$ and $dp_i.action$: for each rule we must now record the firewall it belongs to. We therefore define a direct path $dp_j \in fdd_i$ as follows:

$$dp_j = dp_j.srce \wedge dp_j.dest \wedge dp_j.port \wedge dp_j.protocol \wedge dp_j.rules \wedge dp_j.action,$$

where $dp_j.rules = \{r_h^{k_j}\}$ and $k$ is the index of each firewall through which the traffic flows on the path $path_i$. The action of each direct path depends on the action of the first rule that the path selects in each firewall of the path, so we have:

• $dp_j.action = accept$ if $\forall r_1^{k_j} \in dp_j.rules,\ action(r_1^{k_j}) = accept$;
• $dp_j.action = deny$ if $\exists r_1^{k_j} \in dp_j.rules,\ action(r_1^{k_j}) = deny$.

Fig. 4 shows the firewall decision diagram of $Path[zone_B, zone_C] = \{Firewall3, Firewall2\}$ (configurations shown in Tables 3 and 2 respectively) for the network of Fig. 1.

Fig. 3. FDD – Firewall1.

Fig. 4. Firewall decision diagram – distributed firewall – path (Firewall3, Firewall2).

Table 2
Firewall configuration – Firewall2.

Order  Srce @          Dest @          Protocol  Dest Port  Action
r1     10.0.0.0/16     192.168.0.0/23  *         *          Accept
r2     192.168.0.0/23  *               *         *          Deny
r3     192.168.1.0/24  *               *         *          Deny
r4     192.168.0.0/24  *               *         *          Deny
r5     10.0.0.0/15     192.168.0.0/23  *         *          Deny
r6     192.168.0.0/23  *               TCP       *          Accept
r7     10.1.0.0/16     192.168.0.0/23  *         *          Deny
r8     172.13.0.0/16   *               *         *          Deny
r9     *               *               *         *          Accept

Table 3
Firewall configuration – Firewall3.

Order  Srce @          Dest @  Protocol  Dest Port  Action
r1     192.168.1.0/24  *       *         *          Accept
r2     192.168.0.0/23  *       *         *          Deny
r3     172.13.0.25     *       *         *          Accept
r4     172.13.0.0/16   *       *         *          Deny
r5     *               *       *         *          Accept

We consider the following functions:

- $act(r_j^{k_i})$: returns the action of the rule $r_j^{k_i}$ belonging to the firewall configuration $fc_k$.
- $remove(r, fdd)$: removes the rule $r$ from each direct path $dp_i$ that contains it.
- $dom(dp_i)$: maps each $dp_i$ to the subset of packets $p \in P$ handled by $dp_i$: $dom(dp_i) = Packets\{dp_i.srce \wedge dp_i.protocol \wedge dp_i.dest \wedge dp_i.port\}$.
- $dom(r)$: maps each rule $r$ to the subset of packets $p \in P$ handled by this rule.
- $lst\_ruleact(dp_i)$: returns, for each firewall, the first rule that applies the action deny to the packets handled by the direct path $dp_i$.
- $action(p, FC)$: returns the action applied to the packet $p \in P$ by the firewall configuration $FC$.
- $modifyaction(r, FDD)$: changes the action of the rule $r$ in $FDD$.
- $swapFDD(r_i, r_j)$: modifies $FDD$ by swapping the rules $r_i$ and $r_j$.
- $index(r)$: returns the index of the rule $r$ in the firewall configuration.
- $update(i, DP')$: updates the firewall decision diagram by replacing the direct path $DP_i$ with the new direct path $DP'$.

4. Superfluous rules identification

To verify whether a rule is superfluous, we need to ensure that removing it from each direct path does not affect the action of that path. We therefore define a superfluous rule in a simple firewall as follows:

Definition. A rule is superfluous in a simple firewall if, in every direct path whose rule set contains it, the rule is either shadowed (i.e. it is not the first rule applied in this direct path) or redundant with the second rule of the path. Formally, a rule $r_i$ is superfluous iff $\forall dp_j \in fdd$, if $r_i \in dp_j.rules$ then $r_i$ satisfies one of the two conditions:

1. $r_i \neq r_1^j$;
2. $r_i = r_1^j$ and $action(r_i) = action(r_2^j)$.

To address this, we use the inference system shown in Fig. 5. Its rules are applied to a triple $(fc, fc_f, fdd)$: the first component $fc$ is the initial firewall configuration, the second component $fc_f$ is the updated version of $fc$ obtained by removing all superfluous rules, and the third component $fdd$ is the set of direct paths that represents the relations between the rules of $fc$. Remove is the main inference rule of this system: it deals with each rule $r_i$ of the firewall configuration $fc$, and applying it updates the set of rules $fc_f$ by removing the superfluous rules. The inference rule Stop is applied once all the filtering rules of $fc$ have been parsed. This process thus provides configuration optimization, which reduces the size of the firewall rule set and consequently improves its performance.

Fig. 5. Discovering and removing superfluous rules in a simple firewall.

In the configuration shown in Table 2 we can identify three superfluous rules: $r_2$, which is redundant with rules $r_3$ and $r_4$; $r_6$, which is shadowed by the union of rules $r_3$ and $r_4$; and $r_5$, which is partially shadowed by rule $r_1$ and partially redundant with rule $r_7$. With the $fdd$ shown in Fig. 2 we can easily identify them: rules $r_2$, $r_5$ and $r_6$ satisfy the conditions of the definition above in one of these direct paths, $r_2$ in $dp_5$ and $dp_6$, $r_5$ in $dp_1$ and $dp_3$, and $r_6$ in $dp_5$ and $dp_6$.

We write $C \vdash_{fc} C'$ when $C'$ is obtained from $C$ by applying one of the inference rules of Fig. 5, and we denote by $\vdash^*_{fc}$ the reflexive and transitive closure of $\vdash_{fc}$. To prove the correctness of our approach, we start with the following definition:

Definition. Two firewall configurations $fc_1$ and $fc_2$ are semantically equivalent ($fc_1 \equiv fc_2$) iff for every packet $p$, if $p$ is matched by $fc_1$ then $p$ is matched by $fc_2$ and $action(p, fc_1) = action(p, fc_2)$.

Theorem (Correctness). If $(fc, fc_f, fdd) \vdash^*_{fc} fc_f$ then $fc$ and $fc_f$ are semantically equivalent.

Proof. If $(fc, fc_f, fdd) \vdash^*_{fc} fc_f$ then $fc = fc_f \cup \left(\bigcup_i \{r_i\}\right)$, where $\bigcup_i \{r_i\}$ is the set of removed rules. Suppose that there exists a packet $p$ with $action(p, fc) \neq action(p, fc_f)$. $p$ is matched by $fc$, i.e. there is at least one rule $r$ whose domain contains $p$ ($p \in dom(r)$); suppose that $r$ is the first rule applied to the packet $p$, so $action(p, fc) = action(r)$. We have two cases. (1) The rule $r$ was removed, $r \notin fc_f$: in this case the rule is superfluous and satisfies the precondition of the inference rule Remove, so in each $dp_j$ in which $r$ is the first rule applied we have $action(r) = action(r_2^j)$, which implies $action(p, fc) = action(p, fc_f)$, a contradiction. (2) The rule $r \in fc_f$: then $action(p, fc) = action(p, fc_f)$, again a contradiction. Therefore, for all $p$, $action(p, fc) = action(p, fc_f)$, and $fc$ and $fc_f$ are semantically equivalent.

5. Misconfigurations detection

Once all firewall configurations have been updated by removing all superfluous rules, we can start detecting misconfigurations in both simple and distributed firewalls.

5.1. Discovering simple firewall misconfigurations

In a simple firewall configuration, an anomaly can occur between filtering rules if they apply different actions to the same traffic. Using the FDD data structure we can determine whether a direct path contains an anomaly, and using the security policy we can determine whether this anomaly is a real misconfiguration. There are two types of misconfigurations in a simple firewall: partial and total.

Definition (TMC). A direct path $DP_i \in FDD$ is totally misconfigured iff $\exists r_m^i \in DP_i.R$ with $action(r_m^i) \neq DP_i.action$, and all the packets mapped by this path receive a different action from the one applied by $SP$ to these packets.

Definition (PMC). A direct path $DP_i \in FDD$ is partially misconfigured iff $\exists r_m^i \in DP_i.R$ with $action(r_m^i) \neq DP_i.action$, and some of the packets mapped by this path receive a different action from the one applied by $SP$ to these packets.

Fig. 6. Discovering simple firewall misconfigurations.

In Fig. 6 we propose an inference system that gives the necessary and sufficient steps to discover total and partial misconfigurations. Its rules apply to a triple $(FDD, TMC, PMC)$. The first component $FDD$ represents the direct paths extracted from the firewall configuration as explained in the previous section, $FDD = \{DP_i\}_{i = 1..n}$; the second component $TMC$ is the set of total misconfigurations extracted; and the third component $PMC$ is the set of partial misconfigurations. Extract_TMC and Extract_PMC are the main inference rules of the system. The first detects total misconfigurations: it deals with each $DP_i$ of $FDD$ and verifies whether $DP_i$ applies, on its whole domain, the same action in the firewall configuration as in $SP$. To do so we test whether $DP_i$ is included in $SP_{\neg action(r_1^i)}$, the set of packets to which $SP$ applies the opposite action; if it is, $DP_i$ is a total misconfiguration, because the action of $DP_i$, which is $action(r_1^i)$, differs from the action applied by $SP$ on this direct path, and we add $DP_i$ to $TMC$. The second, Extract_PMC, extracts partial misconfigurations in the same way: for each $DP_i$ we test whether part of the domain of this direct path receives a different action from the one applied by $SP$ to these packets; if so, we add $DP_i$ to the set of partial misconfigurations $PMC$. The inference rule Pass is applied when $DP_i$ contains no anomaly between its rules, or when it contains an anomaly but the action applied on this direct path in $FDD$ is the action required by the security policy; in the latter case the anomaly is considered intentional and not a misconfiguration. Hence, repeated application of these inference rules extracts all misconfigurations (partial or total) from the firewall configuration. The rule Stop is applied once all the direct paths of $FDD$ have been parsed.

In the FDD shown in Fig. 3 we have five misconfigurations: total misconfigurations in $DP_1$, $DP_3$, $DP_8$ and $DP_{10}$, and a partial misconfiguration in $DP_{13}$. Once all misconfigurations are discovered, the resolution process of Section 6 is performed; there we discuss our approach for each correction technique in turn.

5.2. Discovering distributed firewall misconfigurations

In multi-firewall enterprise networks, the potential for misconfigurations between rules of different firewalls increases significantly. Even if every configuration is anomaly-free and fixed, there can still be misconfigurations between rules of different firewalls. Generally, an anomaly can occur between different firewalls of a network path if they apply different actions to the same traffic. Using the FDD already defined for each path, we can therefore determine whether a direct path of a given $fdd_n$ contains an anomaly and whether this anomaly is a real misconfiguration. We define an anomaly in a distributed environment as follows:

Definition. A direct path $dp_i \in FDD$ presents an anomaly iff $\exists r_m^{k_i} \in dp_i.rules$ with $act(r_m^{k_i}) \neq act(r_m^{h_i})$, where $h \neq k$.

Definition. $FDD$ is called misconfiguration-free iff for every $dp_i$ in $fdd_n$, with $fdd_n \in FDD$, if $dp_i$ presents an anomaly then $dom(dp_i) \subseteq SP_{dp_i.act}$.
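Before the distributed case is classified, the following added example (written for this edit; it is not the authors' FARE tool and does not use the Limboole solver) puts the single-firewall machinery of Sections 3.3, 4 and 5.1 in executable form on Tables 1 and 2: it cuts the packet space into the atomic cells that underlie the direct paths of an FDD, runs the Remove rule of Fig. 5 in configuration order, and applies the TMC/PMC test of Fig. 6 against a security policy. Four things in it are assumptions not stated on the page: the zone address ranges used to write the policy (Zone A = 192.168.0.0/16, Zone B = 10.0.0.0/15, Zone C = 172.13.0.0/16, since Fig. 1 is not reproduced here), the reading of "http" as TCP port 80, the encoding of the policy's "except" clauses as directives tested first, and the identification of a direct path by its ordered list of matching rules rather than by its position in the diagram.

```python
# Added example (not the authors' FARE code).  Packet space = src x dst x proto x port;
# a direct path is an atomic cell of that space with its ordered list of matching rules.
import ipaddress

FIELDS = ("src", "dst", "proto", "port")
ANY = {"src": (0, 2**32 - 1), "dst": (0, 2**32 - 1), "proto": (0, 255), "port": (0, 65535)}

def interval(field, text):
    """One table cell ('10.0.0.0/16', 'TCP', '80' or '*') -> inclusive (lo, hi)."""
    if text == "*":
        return ANY[field]
    if field in ("src", "dst"):
        net = ipaddress.ip_network(text, strict=False)
        return int(net.network_address), int(net.broadcast_address)
    value = {"TCP": 6, "UDP": 17}[text] if field == "proto" else int(text)
    return value, value

def parse(text):
    """Rows as in the tables: Order, Srce @, Dest @, Protocol, Dest Port, Action."""
    return [{"name": name, "action": action, "box": {f: interval(f, v) for f, v in zip(FIELDS, fields)}}
            for name, *fields, action in (line.split() for line in text.strip().splitlines())]

def covers(box, cell):
    return all(box[f][0] <= cell[f][0] and cell[f][1] <= box[f][1] for f in FIELDS)

def cells(boxes):
    """Cut the packet space at every box boundary, field by field (the leaf partition
    of an FDD): each cell lies entirely inside or entirely outside every box."""
    out = [dict(ANY)]
    for f in FIELDS:
        pts = sorted({ANY[f][0], ANY[f][1] + 1} | {x for b in boxes for x in (b[f][0], b[f][1] + 1)})
        out = [dict(c, **{f: (lo, hi - 1)}) for c in out for lo, hi in zip(pts, pts[1:])]
    return out

def direct_paths(rules, policy=()):
    """[(cell, rules matching it in configuration order)] for every matched cell.
    Policy boxes are added to the cuts so that each cell has a single SP decision."""
    boxes = [r["box"] for r in rules] + [d["box"] for d in policy]
    paths = [(c, [r for r in rules if covers(r["box"], c)]) for c in cells(boxes)]
    return [(c, rs) for c, rs in paths if rs]

def remove_superfluous(rules):
    """Section 4, inference rule Remove, in configuration order: r is superfluous iff
    in every direct path holding it, r is not first, or r is first and the second
    rule has the same action.  A removed rule leaves the paths (remove(r, fdd))
    before the next rule is examined, which is why r3 survives once r2 is gone."""
    paths = direct_paths(rules)
    kept, removed = [], []
    for r in rules:
        needed = any(rs[0] is r and not (len(rs) > 1 and rs[1]["action"] == r["action"])
                     for _, rs in paths if r in rs)
        if needed:
            kept.append(r)
        else:
            removed.append(r["name"])
            for _, rs in paths:
                if r in rs:
                    rs.remove(r)
    return kept, removed

def misconfigurations(rules, policy):
    """Section 5.1, with a direct path identified by its ordered rule list.  SP is
    first-match over the directives (exceptions listed first) and silent on packets
    no directive covers.  A path with an anomaly (a rule disagreeing with the first)
    is TMC if every SP-covered cell disagrees with dp.action, PMC if only some do."""
    groups = {}
    for c, rs in direct_paths(rules, policy):
        key = tuple(r["name"] for r in rs)
        g = groups.setdefault(key, {"anomaly": len({r["action"] for r in rs}) > 1, "bad": 0, "ok": 0})
        sp = next((d["action"] for d in policy if covers(d["box"], c)), None)
        if sp is not None:
            g["bad" if sp != rs[0]["action"] else "ok"] += 1
    tmc = sorted(k for k, g in groups.items() if g["anomaly"] and g["bad"] and not g["ok"])
    pmc = sorted(k for k, g in groups.items() if g["anomaly"] and g["bad"] and g["ok"])
    return tmc, pmc

# Table 1 (Firewall1) and Table 2 (Firewall2) of the paper.
FIREWALL1 = parse("""r1 10.0.0.3 172.13.14.1 * 80 Accept
r2 10.0.0.0/16 172.13.14.0/24 TCP 80 Accept
r3 192.168.0.3 172.13.14.0/24 TCP 22 Accept
r4 192.168.2.0/24 172.13.14.0/24 TCP 80 Deny
r5 192.168.1.0/24 172.13.14.0/24 TCP 80 Deny
r6 10.0.0.3 172.13.0.0/16 TCP 80 Deny
r7 10.0.0.3 172.13.14.0/24 TCP * Deny
r8 192.168.2.0/24 172.13.0.0/16 TCP 80 Accept
r9 192.168.1.0/24 172.13.14.0/24 * 80 Deny
r10 192.168.1.0/24 172.13.0.0/16 TCP 80 Accept
r11 192.168.4.0/24 172.13.14.0/24 TCP 80 Accept
r12 192.168.4.0/24 172.13.0.0/16 TCP 80 Deny""")
FIREWALL2 = parse("""r1 10.0.0.0/16 192.168.0.0/23 * * Accept
r2 192.168.0.0/23 * * * Deny
r3 192.168.1.0/24 * * * Deny
r4 192.168.0.0/24 * * * Deny
r5 10.0.0.0/15 192.168.0.0/23 * * Deny
r6 192.168.0.0/23 * TCP * Accept
r7 10.1.0.0/16 192.168.0.0/23 * * Deny
r8 172.13.0.0/16 * * * Deny
r9 * * * * Accept""")
# Policy for Firewall1's traffic, ASSUMING Zone A = 192.168.0.0/16, Zone B = 10.0.0.0/15,
# Zone C = 172.13.0.0/16 and http = TCP/80; the "except 192.168.4.3" clause is listed first.
POLICY = parse("""d1 192.168.4.3 172.13.14.0/24 TCP 80 Deny
d2 192.168.0.0/16 172.13.0.0/16 * * Accept
d3 10.0.0.0/15 172.13.0.0/16 * * Deny""")
```

On Table 2, `remove_superfluous(FIREWALL2)` removes r2, r5 and r6 and keeps the other six rules, as stated in Section 4. The order matters: r3, r4 and r7 are not first in any direct path of the original fdd, so the definition applied to each rule in isolation would also flag them; they are kept only because Remove updates the fdd after each removal, and once r2 is gone r3 and r4 become first in their paths with a second rule (r6 or r9) of a different action. On Table 1 with the assumed policy, `misconfigurations(FIREWALL1, POLICY)` reports four total misconfigurations, the paths (r1, r2, r6, r7), (r2, r6, r7), (r4, r8) and (r5, r9, r10), and one partial one, (r11, r12), where r11 accepts all of 192.168.4.0/24 although the policy excepts 192.168.4.3. That is the same count as the five given for Fig. 3, though the path numbering here differs from the figure's. Paths without an anomaly, such as the one matched only by r2, are not reported even when they disagree with the policy, because the definitions of Section 5.1 require an anomaly.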

So we have two types of misconfigurations, total and partial:

• TMC: a direct path $dp_i \in fdd_n$ is totally misconfigured iff it presents an anomaly and all the packets mapped by this path receive a different action from the one applied by the security policy $SP$ to these packets.
• PMC: a direct path $dp_i \in fdd_n$ is partially misconfigured iff it presents an anomaly and some of the packets mapped by this path receive a different action from the one applied by $SP$ to these packets.

In Fig. 7 we propose an inference system to discover total and partial misconfigurations. Its inference rules are applied to a quadruple $(FDD, fdd_n, TMC, PMC)$, where $FDD$ is the set of the firewall decision diagrams of all paths in our network, $fdd_n$ is a temporary variable used to parse the direct paths of each $fdd_n \in FDD$, and $TMC$ and $PMC$ are the sets of total and partial misconfigurations respectively. The main inference rule of this system is Detect_misc. It deals with each direct path: it first verifies whether the path presents an anomaly by inspecting its field $dp_i.rules$, then compares the domain of the path with the set of packets to which the security policy applies the same action as the path. If the domain is totally included in that set, the anomaly is not a misconfiguration; if it is only partially included, or not included at all, we have a partial or a total misconfiguration respectively. The Success rule is applied when all direct paths of all $fdd$s in our network have been parsed without identifying a misconfiguration (total or partial); Failure is applied when at least one configuration error is identified.

Once we have ensured that all superfluous rules are removed from the firewall configurations, we proceed to the discovery of misconfigurations using the inference system just described. We parse all paths of all FDDs and, for each path, verify whether it has an anomaly and whether that anomaly is an effective misconfiguration. For example, on the path $Path[zone_B, zone_C] = \{Firewall3, Firewall2\}$ we have three total misconfigurations (colored red in Fig. 4), in direct paths $dp_1$, $dp_3$ and $dp_6$. We also have a partial misconfiguration in direct path $dp_8$: the traffic from machine 172.16.0.25 is rejected by $dp_8$ even though the security policy states precisely that this traffic should be accepted. This misconfiguration is partial because the other traffic from Zone C is rejected in conformance with the security policy; the policy is therefore only partially violated. Direct paths colored green present anomalies between rules but are not misconfigurations, because they apply the action required by the security policy.

Theorem (Completeness-success). If $FDD$ is misconfiguration-free then $(FDD, \emptyset, \emptyset, \emptyset) \vdash^*_{FDD} Success$.

Proof. If $FDD$ is misconfiguration-free, then for every $dp_i \in fdd_n$ with $fdd_n \in FDD$: if there exists a rule $r_j^{p_i}$ of the firewall configuration $fc_p$, matched by the direct path $dp_i$, that overlaps with a different action another rule $r_m^{q_i}$ of another firewall configuration $fc_q$ belonging to the same direct path, then $dp_i$ applies the same action as defined in $SP$ ($dom(dp_i) \subseteq SP_{dp_i.act}$), because we supposed that $FDD$ is misconfiguration-free. It follows that the precondition of the inference rule Detect_misc is not satisfied for $dp_i$, so at every step the Pass inference rule is applied. Therefore $TMC = \emptyset$ and $PMC = \emptyset$, and hence $(FDD, \emptyset, \emptyset, \emptyset) \vdash^*_{FDD} Success$.

6. Simple firewall misconfigurations resolution techniques

Our objective is to correct each misconfiguration with a minimum number of modifications and a minimum number of generated rules. At each step of our approach we try to correct one misconfiguration (total or partial). To determine which correction method to use in each case, we test whether the condition of each correction technique holds. In fact, we parse the set of total and partial misconfigurations and try to correct them using one of the inference systems detailed in the following subsections. For total misconfigurations we first use the delete-rule inference system; if it cannot be applied we use the modify-action inference system; and if the condition of that method does not hold either, we use the swap-rules inference system. If none of them can be applied, we apply the field-modification inference system, which is also used to correct partial misconfigurations. After fixing all misconfigurations we generate the new set of rules using the following key property:

• Each rule $r_k$ of the firewall configuration can be represented as $r_k = \bigcup_i DP_i$, where $r_k \in DP_i.R$.

6.1. Inference system for removing rules

The rules of the system shown in Fig. 8 apply to a triple $(TMC, FDD, TMC_r)$, whose first component $TMC$ is the set of total misconfigurations discovered, whose second component $FDD$ represents the union of the direct paths $DP_i$, and whose third component $TMC_r$ is an updated version of $TMC$ from which all the total misconfigurations $DP_j$ fixed by the inference rule Delete have been removed. Delete is the main inference rule of this system: it deals with each total misconfiguration $DP_i \in TMC$ and verifies whether removing the first rule of $DP_i$ corrects it, i.e. whether the precondition of the rule Delete is satisfied. This is the case of rule $r_4$ in the FDD shown in Fig. 3, which exists only in $DP_8$, and the second rule in this path, $r_8$, has a different action
A. Saâdaoui et al. / Journal of Computational Science 23 (2017) 181–191 187

from r4, so by removing r4 we will correct this misconfiguration. The Success rule is applied when we have parsed and fixed all the direct paths from the set TMC, and Failure is applied when at least one element of TMC could not be fixed using this method.

Fig. 7. Discovering distributed firewalls misconfigurations.

Fig. 8. IS for removing rules.

In order to prove the correctness of our approach, we start with the following definition:

Definition. DPi is well configured with respect to SP iff dom(DPi) ⊆ SP_action(r1i).

Theorem. (Correctness) If (TMC, FDD, TMC) ⊢* Success, then for all DPi in TMC, DPi is well configured with respect to the security policy after applying our inference system.

Proof. If (TMC, FDD, TMC) ⊢* Success then we have (TMC, FDD, TMC) ⊢ (TMC1, FDD1, TMCr1) ⊢ (TMC2, FDD2, TMCr2) ⊢ ··· ⊢ (TMCn, FDDn, TMCrn) ⊢ Success, where TMCrn = ∅ and all the steps but the last one are Delete. We can easily show by induction on i that for all 1 ≤ i ≤ n, if DPi is in TMC then r1i is removed from DPi. Therefore action(DPi) = action(r2i) ≠ action(r1i), which conforms to the action applied by SP on the packets matched by DPi. Then, if (TMC, FDD, TMC) ⊢* Success, for all DPi in TMC, DPi is well configured with respect to the security policy.

6.2. Inference system for modifying rules actions

The rules of the system shown in Fig. 9 apply to three components: (TMC, FDD, TMCm). The third component TMCm is an updated version of TMC obtained by removing all fixed DPj. Modify is the main inference rule of this inference system. It deals with each DPi from the set TMC and verifies whether we can modify the action of the first rule in this direct path. If the first rule of DPi exists as a first rule in another DPj and this direct path is in TMC, then we can modify the action of this rule, and by this modification we ensure that we correct all DPk ∈ TMC that have the first rule r1i. For instance, r5 exists only in the direct path DP10, so by changing the action of this rule (i.e., r5) we will correct this misconfiguration without generating new misconfigurations. The rule Stop is applied when we have parsed all the direct paths of TMC.

Fig. 9. IS for modifying rules actions.

Definition. A rule r is called totally well-configured iff for all DPi in FDD where r1i = r, dom(DPi) ⊆ SP_action(r).

Theorem. If (TMC, FDD, TMC) ⊢* STOP and TMCm = ∅, then for all DPi in TMC, r1i is totally well-configured.

Proof. If (TMC, FDD, TMC) ⊢* STOP then for all DPi in TMC, dom(DPi) ⊆ SP_!action(r1i), and if we suppose that TMCm = ∅ then for all DPh in FDD where r1h = r1i we have DPh ∉ TMCm, so DPh is not totally misconfigured and dom(DPh) ⊂ SP_action(r1h). Therefore r1i (= r1h) is totally well-configured.

6.3. Inference system for swapping rules

In Fig. 10 we propose an inference system that presents the steps to correct TMC by swapping two rules. The rules of this inference system apply to the quadruple (TMC, FDD, CLi, TMCs), where CLi is the candidate-rules list used to correct TMC. In fact, for each DPi, CLi is composed of the rules belonging to the same direct paths as r1i and having a different action from this rule. This set is sorted from lower to higher order priority as applied in the firewall configuration. The fourth component TMCs is an updated version of TMC obtained by removing all DPj (total misconfigurations) fixed using the inference rule Swap, which is the main inference rule and is applied iff the precondition shown in Fig. 11 is verified. For example, for the misconfiguration in DP1 the set of candidate rules is CL = {r7, r6}. So we first verify whether we can use r7 to correct this misconfiguration; according to the FDD, swapping r1 and r7 will correct not only this misconfiguration but also the second misconfiguration between r2 and r6 in DP2.

Fig. 10. IS for swapping rules.

Theorem. If (TMC, FDD, ∅, TMC) ⊢* SUCCESS then ∀DPi ∈ TMC, DPi is well configured with respect to SP.
Proof. If (TMC, FDD, ∅, TMC) ⊢* SUCCESS then we have (TMC, FDD, ∅, TMC) ⊢ (TMC1, FDD1, CL1, TMCs1) ⊢ (TMC2, FDD2, CL2, TMCs2) ⊢ ··· ⊢ (TMCn, FDDn, CLn, TMCsn) ⊢ SUCCESS where TMCsn = ∅. We can show by induction on i, 1 ≤ i ≤ n, that at each step the precondition of the inference rule Swap is verified; then we have two cases. The first case is when a candidate rule rc ∈ CLi is the new first rule in DPi.R instead of r1i, and we have action(rc) ≠ action(r1i); according to the definition of TMC, DPi ∈ TMC, so dom(DPi) ⊆ SP_!action(r1i) and it follows that DPi ⊆ SP_action(rc), where rc is the new first rule to be applied in DPi, so this direct path applies the same action as applied in SP. Thus DPi is well configured with respect to SP. The second case is when r2i is the new first rule in DPi.R; according to the precondition of the inference rule Swap, action(r2i) ≠ action(r1i), and it follows that DPi applies the same action as applied in SP. Therefore ∀DPi ∈ TMC, DPi is well configured with respect to SP.

Fig. 11. Condition for swapping rules.

6.4. Inference system for rules fields modification

In Fig. 12 we propose an inference system that presents the steps to correct TMC and PMC. The rules of this inference system apply to the quadruple (TMC, PMC, FDD, DP′i). The first component TMC is the set of misconfigurations not fixed using the previous inference systems. The second component PMC is the set of partial misconfigurations. The fourth component DP′i is a variable used to separate DPj ∈ PMC into a set configured with respect to the security policy and another set that represents the partial problem. The inference rule Correct TMC is used to correct TMC: it deals with each DPi from the set TMC and removes from DPi.rules all rules that have the same action as r1i, so this inference rule changes the action of DPi. The inference rule Correct PMC1 is used to divide DPi into two sets: the first is the set that has the correct action as defined in the security policy, and the second, DP′i, represents the subset of DPi that should be fixed. The inference rule Correct PMC2 is used to correct the action of this path DP′i. The function update(i, DP′) used in this inference system updates the FDD by replacing DPi by the new direct path DP′. For example, for the PMC discovered in DP13, the intersection between DP13 and SPdeny can be represented as follows: BSP = DP13 ∩ SPdeny = the branch represented by the values [@srce, port, @dest, protocol] = [192.168.4.3, 80, 172.13.14.0/24, TCP]. Therefore, DP13 can be represented as follows: DP13 = (DP13 \ BSP) ∪ (DP13 ∩ BSP). Then, using our inference system, we first use the inference rule Correct PMC1 to divide this direct path into two sub-FDDs, where the first, DP13 \ BSP, represents the paths which conform to SP and the second, DP13 ∩ BSP, is the totally misconfigured path. Then, to correct DP13 ∩ BSP, we use Correct PMC2.

Fig. 12. IS for rules fields modification.

Definition. (Completeness) FDD is complete with respect to SP in terms of misconfigurations iff ∀DPi ∈ FDD, if ∃rmi ∈ DPi where action(rmi) ≠ DPi.action then dom(DPi) ⊆ SP_action(r1i), i.e., DPi applies the same action as defined by SP.

Theorem. (Completeness) If (TMC, PMC, FDD, ∅) ⊢* STOP then FDD is complete with respect to SP in terms of misconfigurations.

Proof. Suppose (TMC, PMC, FDD, ∅) ⊢* STOP and that there exist DPi in FDDn and a rule rmi in DPi where action(rmi) ≠ action(DPi). Then we have three cases: (1) DPi ⊆ SP_action(r1i); (2) DPi ⊆ SP_!action(r1i), then DPi ∈ TMC, which is a contradiction because TMC = ∅; (3) DPi ∩ SP_!action(r1i) ≠ ∅ and DPi ⊄ SP_action(r1i), then DPi ∈ PMC, which is a contradiction because PMC = ∅. It follows that only one case remains: DPi ⊆ SP_action(r1i). Thus for all DPi in FDD, if there exists rmi in DPi where action(rmi) ≠ action(DPi) then DPi ⊆ SP_action(r1i). Therefore FDDf is complete with respect to SP in terms of misconfigurations.

After fixing all misconfigurations, we obtain the new FDD shown in Fig. 13. Then we generate the sequence of rules; these rules are misconfiguration-free. As we explained in Section 6, each rule is the union of the direct paths that match this rule. The configuration obtained after the modification of the FDD is shown in Fig. 13. We note that what we get after resolving misconfigurations is a simple firewall configuration. For each rule we could have, in some cases, an interval of disjoint values that represents DPi.srce, DPi.protocol, DPi.dest and DPi.port. Some existing firewall products, such as iptables [29], require that those values be non-disjoint, so we can use our approach to fix misconfigurations and then generate a new configuration with non-disjoint interval values (Table 4).
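The Detect misc decision of Section 5 (no, partial or total misconfiguration, from whether dom(DPi) is included in the packets SP assigns the same action) and the Correct PMC1 split of DP13 above, as an added example that is not the FARE tool's code; representing a direct-path domain as a product of integer intervals over [@srce, port, @dest, protocol], and taking SP to accept every packet outside BSP, are assumptions of the example.

```python
"""Added example (not FARE's own code): direct-path domains as products of
integer intervals over [@srce, port, @dest, protocol], the total/partial/none
decision of the Detect misc rule, and the Correct PMC1 split of DP13.
The interval representation itself is an assumption of this example."""
from ipaddress import ip_address, ip_network

PROTO_NUM = {"TCP": 6, "UDP": 17, "ICMP": 1}
# universe of all packets: one (lo, hi) interval per field, inclusive
UNIVERSE = ((0, 2**32 - 1), (0, 65535), (0, 2**32 - 1), (0, 255))


def ip_range(text):
    """'192.168.4.0/24' or '192.168.4.3' -> (first, last) as integers."""
    if text == "*":
        return UNIVERSE[0]
    net = ip_network(text, strict=False)
    return int(net.network_address), int(net.broadcast_address)


def port_range(text):
    if text == "*":
        return UNIVERSE[1]
    lo, _, hi = text.partition("-")
    return int(lo), int(hi or lo)


def proto_range(text):
    return UNIVERSE[3] if text == "*" else (PROTO_NUM[text], PROTO_NUM[text])


def box(src, port, dst, proto):
    """Domain of a direct path / policy branch as a 4-tuple of intervals."""
    return ip_range(src), port_range(port), ip_range(dst), proto_range(proto)


def intersect(a, b):
    """a ∩ b, or None when the two boxes share no packet."""
    out = tuple((max(x[0], y[0]), min(x[1], y[1])) for x, y in zip(a, b))
    return None if any(lo > hi for lo, hi in out) else out


def subtract(a, b):
    """a \\ b as a list of pairwise disjoint boxes (hyper-rectangle difference)."""
    inter = intersect(a, b)
    if inter is None:
        return [a]
    pieces, cur = [], list(a)
    for d in range(4):              # carve the slab below and above b on field d
        (lo, hi), (ilo, ihi) = cur[d], inter[d]
        if lo < ilo:
            pieces.append(tuple(cur[:d] + [(lo, ilo - 1)] + cur[d + 1:]))
        if ihi < hi:
            pieces.append(tuple(cur[:d] + [(ihi + 1, hi)] + cur[d + 1:]))
        cur[d] = (ilo, ihi)         # the rest of a is narrowed to b on this field
    return pieces


def subtract_all(a, boxes):
    """a \\ (b1 ∪ b2 ∪ ...)."""
    remaining = [a]
    for b in boxes:
        remaining = [p for r in remaining for p in subtract(r, b)]
    return remaining


def classify(dp, sp_same):
    """Detect misc: compare dom(DPi) with the SP packets carrying DPi's action.
    Included -> no misconfiguration; disjoint -> total; otherwise partial."""
    if all(intersect(dp, s) is None for s in sp_same):
        return "total"
    return "none" if not subtract_all(dp, sp_same) else "partial"


def src_ranges(boxes):
    """Source intervals of boxes in dotted form, as Table 4 prints them."""
    return [(str(ip_address(b[0][0])), str(ip_address(b[0][1]))) for b in boxes]


# Constructed from the paper's DP13 example: DP13 accepts HTTP from
# 192.168.4.0/24 to 172.13.14.0/24, while SP denies it for host 192.168.4.3.
DP13 = box("192.168.4.0/24", "80", "172.13.14.0/24", "TCP")
BSP = box("192.168.4.3", "80", "172.13.14.0/24", "TCP")      # DP13 ∩ SPdeny
SP_ACCEPT = subtract(UNIVERSE, BSP)   # assumed: SP accepts everything else


def split_dp13():
    """Correct PMC1: DP13 = (DP13 \\ BSP) ∪ (DP13 ∩ BSP)."""
    conforming = subtract(DP13, BSP)          # keeps its accept action
    misconfigured = intersect(DP13, BSP)      # must become deny (Correct PMC2)
    return conforming, misconfigured


if __name__ == "__main__":
    print(classify(DP13, SP_ACCEPT))   # partial
    ok, bad = split_dp13()
    print(src_ranges(ok))              # the two disjoint source intervals of R10
    print(src_ranges([bad]))           # the single host 192.168.4.3
```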
For other products like Cisco [30], the use of object groups resolves the problem.

Fig. 13. Modified firewall decision diagram-Firewall1.

Table 4
New firewall configuration-Firewall1.

Order  Action  Srce @                          Dest Port  Dest @          Protocol
R1     Deny    10.0.0.3                        *          172.13.14.0/24  TCP
R2     Accept  10.0.0.0/16                     80         172.13.14.0/24  TCP
R3     Accept  192.168.0.3                     22         172.13.14.0/24  TCP
R4     Accept  192.168.1.0/24                  80         172.13.14.0/24  TCP
R5     Accept  10.0.0.3                        80         172.13.14.1     *
R6     Deny    10.0.0.3                        80         172.13.0.0/16   TCP
R7     Accept  10.0.0.3                        80         172.13.14.1     *
R8     Deny    192.168.1.0/24                  80         172.13.14.0/24  *
R9     Accept  192.168.1.0/24                  80         172.13.0.0/16   TCP
R10    Accept  192.168.4.0-2, 192.168.4.4-255  80         172.13.14.0/24  TCP
R11    Deny    192.168.4.0/24                  80         172.13.0.0/16   TCP

7. Firewall anomalies resolution (FARE) tool

7.1. Complexity

For n rules in FC, there can be a maximum of 2n − 1 outgoing edges for a node. Therefore, the maximum number of paths in a constructed FDD is (2n − 1)^d, where d is the number of fields in each rule. After the construction of the FDD and the discovery of misconfigurations, all resolution operations, explained in Section 6, are done on the direct path elements DPi.R. Therefore, for the inference system for removing rules, the complexity (without counting the elementary functions) is equivalent to the complexity of operations in an ordered list, and equal in this case to the complexity of the remove-element operation, which is O(m) (where m is the size of the set). Thus, in our case, the complexity of this inference system is O(n^d). The same holds for the inference system for modifying rules actions: the operation of modifying a field in an ordered list has a time and space complexity of O(n^d). For the Swap-rules inference system, the swap operation and all comparisons are done on the rules of the field DPi.R. Therefore, the complexity of this inference system is O(n^d). The fourth inference system, shown in Fig. 12, modifies the FDD by inserting some direct paths and by modifying the field DPi.R. Now, for two computed complexities, O(g1(n)) + O(g2(n)) is equal to O(max(g1(n), g2(n))). Therefore, the complexity of this inference system is equal to the complexity of the tree-set insertion operation (which is O(log(n))) plus O(n^d). Thus, the complexity of this inference system is O(n^d). Given that d is typically small (generally we have 4 or 5 fields), our inference systems have a reasonable response time in practice. The next section confirms the above remarks.

7.2. FARE-implementation

In order to better assess the effectiveness of our approach, we implemented the techniques and inference systems described earlier in a software tool, using a Boolean satisfiability (SAT) based approach. This approach reduces the verification problem to a Boolean formula and checks its satisfiability. In our case, in order to verify whether an anomaly is a partial or a total misconfiguration, we test whether the domain of the direct path, reduced to a Boolean formula, is included or not in the domain of the security policy, reduced to the two sub-domains SPdeny and SPaccept as explained in Section 3. So, our formalism for specifying the firewall configuration and the security policy is a Boolean-based specification language. For example, the functional mapping of the precondition components of ri into Boolean variables is shown below:

• We model the source and destination IP addresses with 32 Boolean variables each, namely (s0, s1, ..., s31) and (d0, d1, ..., d31);
• Addressing ranges with masks can be reduced by bit-wise ANDing the masks with the base addresses;
• We have 32 different protocols, so the protocol type can be reduced using 5 variables (p0, p1, ..., p4);
• We have 65356 different port numbers, so in our formalism port numbers are mapped into 16 Boolean variables, namely (n0, ..., n15).

The example shown in Fig. 14 explains how we reduce an IP address using our formalism:

Fig. 14. IP address reduction.

We have also chosen Java as the development language. The verification of the satisfiability of Boolean expressions is performed using Limboole [9]. This tool allows checking satisfiability (respectively tautology) of arbitrary structural formulas, and not just satisfiability of formulas in conjunctive normal form (CNF), and can handle large sets of non-quantified Boolean clauses in reasonably good time.

Table 5
Number of discovered misconfigurations.

Number of rules  Number of superfluous rules  Number of misconfig urations
100              18                           21
778              47                           35
1418             85                           62
2057             67                           113

7.3. FARE-experimental results

To evaluate the practical value of our inference systems, we implemented them based on the FDD approach using the rule collections of the open-source rules available in the Emerging Threats (ETOpen) rule sets [31] and a set of rules provided by the Tunisian Ministry of Finance Computer Centre (CIMF) [32]. By default, all generated and distributed rules in [31] are deny (or DROP) rules, because this is considered the safest way for distribution, and it is up to each user to adjust them as needed for their network's needs. Table 5 presents the details of the discovered misconfigurations and superfluous rules in a simple firewall.
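The Boolean encoding of Section 7.2 (s0..s31 and d0..d31 for the addresses, p0..p4 for the protocol, n0..n15 for the port) rendered in Limboole's input syntax, together with the inclusion query the tool must find unsatisfiable for dom(DP) to be included in a policy branch, as an added example that is not the FARE tool's code; the bit order (index 0 = most significant bit), the query shape DP ∧ ¬(branches), and the witness-packet check are assumptions of the example.

```python
"""Added example (not FARE's own code): the Section 7.2 encoding of
[@srce, port, @dest, protocol] into Boolean variables s0..s31, n0..n15,
d0..d31, p0..p4, rendered in Limboole syntax, plus the inclusion query
whose unsatisfiability means dom(DP) ⊆ (union of SP branches).  Bit order
(index 0 = most significant bit) is an assumption of this example."""
from ipaddress import ip_address, ip_network

PROTO_NUM = {"TCP": 6, "UDP": 17, "ICMP": 1}


def bits(value, width):
    """value as a list of width bits, most significant first."""
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]


def cube(prefix, value, width, mask=None):
    """Literals (variable, polarity) fixing the bits of value selected by
    mask; masked-out bits stay free, which is the bit-wise AND of the
    address with its netmask from the paper's second bullet."""
    mask = (1 << width) - 1 if mask is None else mask
    return [(f"{prefix}{i}", b == 1)
            for i, (b, m) in enumerate(zip(bits(value, width), bits(mask, width)))
            if m]


def encode(src, port, dst, proto):
    """One direct path (or SP branch) as a cube; '*' adds no literal."""
    lits = []
    if src != "*":
        net = ip_network(src, strict=False)
        lits += cube("s", int(net.network_address), 32, int(net.netmask))
    if port != "*":
        lits += cube("n", int(port), 16)
    if dst != "*":
        net = ip_network(dst, strict=False)
        lits += cube("d", int(net.network_address), 32, int(net.netmask))
    if proto != "*":
        lits += cube("p", PROTO_NUM[proto], 5)
    return lits


def limboole(lits):
    """Render a cube in Limboole syntax ('&' for and, '!' for not)."""
    if not lits:                       # the 'any packet' cube: a tautology
        return "(s0 | !s0)"
    return " & ".join(("" if pos else "!") + var for var, pos in lits)


def inclusion_query(dp, branches):
    """dom(DP) ⊆ ⋃ branches  iff  Limboole reports this formula UNSATISFIABLE."""
    union = " | ".join(f"({limboole(b)})" for b in branches)
    return f"({limboole(dp)}) & !({union})"


def assignment(src, port, dst, proto):
    """Truth assignment of all 85 variables for one concrete packet."""
    fields = {"s": (int(ip_address(src)), 32), "n": (port, 16),
              "d": (int(ip_address(dst)), 32), "p": (PROTO_NUM[proto], 5)}
    return {f"{k}{i}": b == 1
            for k, (v, w) in fields.items() for i, b in enumerate(bits(v, w))}


def holds(lits, model):
    return all(model[var] == pos for var, pos in lits)


def is_witness(dp, branches, packet):
    """A packet satisfying the inclusion query, i.e. in dom(DP) but in no
    branch: a model showing the inclusion does NOT hold."""
    model = assignment(*packet)
    return holds(dp, model) and not any(holds(b, model) for b in branches)


# Constructed from the paper's DP13 example.
DP13 = encode("192.168.4.0/24", "80", "172.13.14.0/24", "TCP")
BSP = encode("192.168.4.3", "80", "172.13.14.0/24", "TCP")   # SPdeny branch

if __name__ == "__main__":
    print(inclusion_query(DP13, [BSP]))
    # host .7 is in DP13 but outside BSP, so DP13 is not included in SPdeny:
    print(is_witness(DP13, [BSP], ("192.168.4.7", 80, "172.13.14.9", "TCP")))
```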
The results show especially the high percentage of superfluous rules, which negatively affects the firewall performance, contributes to the complexity of the rule set and eventually leads to potential problems. Another interesting observation is the number of discovered misconfigurations in simple firewalls (Fig. 16), which is quite significant.

We have also conducted a set of experiments to measure the performance of our inference systems. The experiments were run on an Intel Dual core 1.6 GHz with 1 GB of RAM. We assume IPv4 addresses with net-masks and port numbers as 16-bit unsigned integers with range support. Figs. 15 and 16 summarize our results. We consider the processing time, which we review by varying the number of rules. In overall terms, we consider the average processing time, in seconds, of the main procedures of FDD construction, misconfiguration detection and correction. In the end, our tool showed a stable performance with acceptable processing time for the treatment of complex combinations of filtering rules.

Fig. 15. Superfluous rules discovering and removing processing time.

Fig. 16. (FDD construction, MC detection & resolution) processing time.

8. Discussion

Despite the work done on firewall rules management, most organizations would not easily allow firewall configurations to be modified without human supervision. However, one of the most intriguing findings from IBM's "2014 Cyber Security Intelligence Index" [33] is that over 95% of all security incidents investigated involve human error, and one of the most commonly recorded forms of human error is network system misconfiguration; also, the research presented in [34] has identified that as the complexity of the firewall configuration increases, the number of mistakes increases. Therefore, it is clear that manual management of firewall misconfiguration is the cause of the security risk posed to the enterprise. In fact, a typical organization may need to make firewall configuration modifications hundreds of times in a month, where each configuration change requires a lot of evaluation time. Therefore, having an effective firewall configuration change management tool that automatically detects and corrects misconfigurations arising after these changes is key. In our work, by using the requirements of the security policy, we facilitate this task for these organizations, because a security policy change may impact several firewalls, and managing this impact by understanding which of the network firewall configurations need to be modified is a non-trivial task. By inspecting all paths of the firewalls and all relations between all firewalls, we can help the network administrator to automatically discover and correct these misconfigurations. Also, we believe that in addition to automated tools, organizations must adopt a change workflow and automate each step, not only firewall rule analysis. Such a process is beneficial in improving the outcome of changes as well as their traceability.

9. Conclusion

We presented in this paper a set of inference systems for the management of misconfigurations of firewall rule sets. More precisely, our proposal is intended for discovering and fixing these misconfigurations by using a formal method and a data structure (FDD). Our approach also allows simple firewall rule-set optimization by removing rules that are no longer needed (called superfluous). The advantages of our proposal are the following: First, the resolution approach is optimal, using the minimum number of operations to fix misconfigurations, which decreases the configuration complexity. Second, we formally proved the correctness and completeness of our approach. Third, we demonstrated the efficacy of our implemented tool through experiments on real-case firewall configurations. While the current approach primarily focuses on fixing intra-firewall misconfigurations, in our future work we plan to resolve misconfigurations in a distributed environment. We are also interested in analyzing and verifying configurations of other network security components.

Acknowledgments

We are grateful to Mr. Khaled Ghorbel and to Mr. Mohamed Aymen Messaoudi from the Tunisian Ministry of Finance Computer Centre (CIMF) for their beneficial comments and support and especially for providing us with the firewall rule collections used to evaluate the practical value of our work.

References

[1] A. Wool, A quantitative study of firewall configuration errors, IEEE Comput. 37 (6) (2004) 62–67, http://dx.doi.org/10.1109/MC.2004.2.
[2] A. Wool, Trends in firewall configuration errors: measuring the holes in swiss cheese, IEEE Internet Comput. 14 (4) (2010) 58–65, http://dx.doi.org/10.1109/MIC.2010.29.
[3] C. Diekmann, L. Hupel, G. Carle, Semantics-preserving simplification of real-world firewall rule sets, in: FM 2015: Formal Methods – 20th International Symposium, Oslo, Norway, June 24–26, 2015, Proceedings, 2015, pp. 195–212, http://dx.doi.org/10.1007/978-3-319-19249-9_13.
[4] E. Al-Shaer, H. Hamed, Firewall policy advisor for anomaly discovery and rule editing, IFIP/IEEE Eighth International Symposium on Integrated Network Management, 2003 (2003) 17–30, http://dx.doi.org/10.1109/INM.2003.1194157.
[5] E.S. Al-Shaer, H.H. Hamed, Modeling and management of firewall policies, IEEE Trans. Netw. Serv. Manag. 1 (1) (2004) 2–10, http://dx.doi.org/10.1109/TNSM.2004.4623689.
[6] T. Chomsiri, C. Pornavalai, Firewall rules analysis, in: Proceedings of the 2006 International Conference on Security & Management, SAM 2006, Las Vegas, Nevada, USA, June 26–29, 2006, 2006, pp. 213–219 https://pdfs.semanticscholar.org/39d2/14c7dc7f47a7cff4e2056c452ec470b7b996.pdf.
[7] F. Cuppens, N. Cuppens-Boulahia, J. Garcia Alfaro, Detection and removal of firewall misconfiguration, in: CNIS IASTED, Phoenix, AZ, USA, November, 2005 https://pdfs.semanticscholar.org/c644/7ffe218ad2a68f1df858900328534fe849ed.pdf.
[8] A. Saadaoui, N.B.Y.B. Souayeh, A. Bouhoula, Automated and optimized FDD-based method to fix firewall misconfigurations, in: 14th IEEE International Symposium on Network Computing and Applications, NCA
2015, Cambridge, MA, USA, September 28–30, 2015, 2015, pp. 63–67, http://dx.doi.org/10.1109/NCA.2015.31.
[9] Limboole SAT Solver, 2015 http://fmv.jku.at/limboole/index.html.
[10] T. Tran, E.S. Al-Shaer, R. Boutaba, Policyvis: firewall security policy visualization and inspection, in: Proceedings of the 21st Large Installation System Administration Conference, LISA 2007, Dallas, Texas, USA, November 11–16, 2007, 2007, pp. 1–16 http://www.usenix.org/events/lisa07/tech/tran.html.
[11] H. Hu, G.-J. Ahn, K. Kulkarni, Detecting and resolving firewall policy anomalies, IEEE Trans. Dependable Secur. Comput. 9 (3) (2012) 318–331, http://dx.doi.org/10.1109/TDSC.2012.20.
[12] H. Hu, G.-J. Ahn, K. Kulkarni, FAME: a firewall anomaly management environment, in: SafeConfig, ACM, 2010, pp. 17–26 http://dblp.uni-trier.de/db/conf/safeconfig/safeconfig2010.html.
[13] B. Khorchani, S. Hallé, R. Villemaire, Firewall anomaly detection with a model checker for visibility logic, in: 2012 IEEE Network Operations and Management Symposium, NOMS 2012, Maui, HI, USA, April 16–20, 2012, 2012, pp. 466–469, http://dx.doi.org/10.1109/NOMS.2012.6211932.
[14] N. Mukkapati, Ch.V. Bhargavi, Detecting policy anomalies in firewalls by relational algebra and raining 2d-box model, IJCSNS International Journal of Computer Science and Network Security, vol. 13 (2013) 94–99 http://paper.ijcsns.org/07_book/201305/20130516.pdf.
[15] F. Cuppens, N. Cuppens-Boulahia, J. García-Alfaro, Detection and removal of firewall misconfiguration, in: Proceedings of the 2005 IASTED International Conference on Communication, Network and Information Security (CNIS 2005), IASTED, Phoenix, AZ, USA, 2005, pp. 154–161, ISBN: 0-88986-537-X http://www-public.tem-tsp.eu/∼garcia a/web/papers/cnis05.pdf.
[16] F. Cuppens, N. Cuppens-Boulahia, J. Alfaro, Misconfiguration management of network security components, IASTED International Conference on Communication, Network, and Information Security (CNIS 2005) (2005) 1–10 http://www.deic.uab.es/∼joaquin/papers/ssi05.pdf.
[17] J. García-Alfaro, N. Boulahia-Cuppens, F. Cuppens, Complete analysis of configuration rules to guarantee reliable network security policies, Int. J. Inf. Secur. 7 (2) (2008) 103–122, http://dx.doi.org/10.1007/s10207-007-0045-7.
[18] J. García-Alfaro, F. Cuppens, N. Cuppens-Boulahia, Analysis of policy anomalies on distributed network security setups, in: Computer Security – ESORICS 2006, 11th European Symposium on Research in Computer Security, Hamburg, Germany, September 18–20, 2006, Proceedings, 2006, pp. 496–511, http://dx.doi.org/10.1007/11863908_30.
[19] E.S. Al-Shaer, H.H. Hamed, Discovery of policy anomalies in distributed firewalls, in: Proceedings IEEE INFOCOM 2004, The 23rd Annual Joint Conference of the IEEE Computer and Communications Societies, Hong Kong, China, March 7–11, 2004, 2004 http://www.ieee-infocom.org/2004/Papers/54_3.PDF.
[20] S. Hallé, E.L. Ngoupe, R. Villemaire, O. Cherkaoui, Distributed firewall anomaly detection through LTL model checking, in: 2013 IFIP/IEEE International Symposium on Integrated Network Management (IM 2013), Ghent, Belgium, May 27–31, 2013, 2013, pp. 194–201 http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=6572986.
[21] A.J. Mayer, A. Wool, E. Ziskind, Fang: a firewall analysis engine, in: 2000 IEEE Symposium on Security and Privacy, Berkeley, California, USA, May 14–17, 2000, 2000, pp. 177–187, http://dx.doi.org/10.1109/SECPRI.2000.848455.
[22] L. Yuan, J. Mai, Z. Su, H. Chen, C.-N. Chuah, P. Mohapatra, Fireman: A toolkit for firewall modeling and analysis, in: Proceedings of the 2006 IEEE Symposium on Security and Privacy, SP '06, Washington, DC, USA, IEEE Computer Society, 2006, pp. 199–213, http://dx.doi.org/10.1109/SP.2006.16.
[23] A.X. Liu, Formal verification of firewall policies, in: Proceedings of IEEE International Conference on Communications, ICC 2008, Beijing, China, 19–23 May 2008, 2008, pp. 1494–1498, http://dx.doi.org/10.1109/ICC.2008.289.
[24] S. Matsumoto, A. Bouhoula, Automatic verification of firewall configuration with respect to security policy requirements, in: Proceedings of the International Workshop on Computational Intelligence in Security for Information Systems, CISIS'08, Genova, Italy, October 23–24, 2008, 2008, pp. 123–130, http://dx.doi.org/10.1007/978-3-540-88181-0_16.
[25] P. Bera, S.K. Ghosh, P. Dasgupta, Integrated security analysis framework for an enterprise network – a formal approach, IET Inf. Secur. 4 (4) (2010) 283–300, http://dx.doi.org/10.1049/iet-ifs.2009.0174.
[26] P. Bera, S.K. Ghosh, P. Dasgupta, Policy based security analysis in enterprise networks: a formal approach, IEEE Trans. Netw. Serv. Manag. 7 (4) (2010) 231–243, http://dx.doi.org/10.1109/TNSM.2010.1012.0365.
[27] M.G. Gouda, A.X. Liu, Structured firewall design, Comput. Netw. 51 (4) (2007) 1106–1120, http://dx.doi.org/10.1016/j.comnet.2006.06.015.
[28] A.X. Liu, M.G. Gouda, Diverse firewall design, IEEE Trans. Parallel Distrib. Syst. 19 (9) (2008) 1237–1251, http://dx.doi.org/10.1109/TPDS.2007.70802.
[29] Netfilter-IPTables, 2015 http://www.netfilter.org/.
[30] CISCO, 2015 www.cisco.com/.
[31] ETOpen Ruleset, 2015 http://rules.emergingthreats.net/fwrules/.
[32] The Tunisian Ministry of Finance Computer Center (CIMF), 2015 http://www.portail.finances.gov.tn.
[33] IBM, IBM Security Services 2014 Cyber Security Intelligence Index, IBM Global Technology Services, 2014 http://fr.slideshare.net/ibmsecurity/2014-cyber-security-intelligence-index.
[34] C.O. Sandeep Bhatt, P. Rao, Fast, Cheap and In Control: A Step Towards Pain Free Security!, HPL-2008-111, Hewlett-Packard, September 21, 2008 http://www.hpl.hp.com/techreports/2008/HPL-2008-111.pdf/.

Amina Saâdaoui is a Ph.D. student at the Higher School of Communication of Tunis (Sup'Com). Amina's research concerns network security, access control, formal specification as well as formal validation and verification techniques. She is a member of the Tunisian Association of Digital Security (TADS).

Nihel Ben Youssef received her engineering degree in computer science from the National Institute of Applied Science and Technology and she received her PhD from the Higher School of Communication of Tunis (Sup'Com). Nihel Ben Youssef Ben Souayeh is currently an Assistant Professor at the higher institute of computer science in Tunisia. Her research interests include network security, formal specification as well as formal validation and verification techniques. She is the co-founder of the Association of computer security (SECURINETS) in Tunisia. She is also a member of the Tunisian Association of Digital Security (TADS).

Adel Bouhoula obtained his undergraduate degree in computer engineering with distinction from the University of Tunis in Tunisia. He also holds a Masters, PhD and Habilitation from Henri Poincare University in Nancy, France. Adel Bouhoula is currently a Professor at the Higher School of Communication of Tunis (Sup'Com). He is also the founder and Director of the Research Unit on Digital Security and the President of the Tunisian Association of Digital Security (TADS). His research interests include automated reasoning, algebraic specifications, formal specification as well as formal validation and verification techniques, network security, cryptography, and validation of cryptographic protocols.