Article info

Article history:
Received 1 December 2015
Received in revised form 5 June 2017
Accepted 3 September 2017
Available online 14 September 2017

Keywords:
Firewall misconfigurations
Security policy
Firewall decision diagram
Automatic resolution
Inference system

Abstract

Problems arising from firewall misconfigurations are common and have dramatic consequences for networks operations. Therefore, the discovery and removal of these misconfigurations is a serious and complex problem to solve. In this paper, we address this problem using a data structure (FDD: firewall decision diagram). We propose a new approach to rule-set optimization and clean-up, by removing superfluous rules from a simple firewall and a totally automatic method to detect and fix misconfigurations. We present also a new classification of anomalies in multi-firewall environment bringing out real configurations errors. We proved the correctness and completeness of our method and demonstrated its scalability and applicability on configurations provided by the Tunisian Ministry of Finance Computer Centre (CIMF), and found promising results.

© 2017 Elsevier B.V. All rights reserved.

http://dx.doi.org/10.1016/j.jocs.2017.09.003
1877-7503/© 2017 Elsevier B.V. All rights reserved.
182 A. Saâdaoui et al. / Journal of Computational Science 23 (2017) 181–191
Order  Srce @           Dest @           Protocol  Dest Port  Action
r1     10.0.0.3         172.13.14.1      *         80         Accept
r2     10.0.0.0/16      172.13.14.0/24   TCP       80         Accept
r3     192.168.0.3      172.13.14.0/24   TCP       22         Accept
r4     192.168.2.0/24   172.13.14.0/24   TCP       80         Deny
r5     192.168.1.0/24   172.13.14.0/24   TCP       80         Deny
r6     10.0.0.3         172.13.0.0/16    TCP       80         Deny
r7     10.0.0.3         172.13.14.0/24   TCP       *          Deny
r8     192.168.2.0/24   172.13.0.0/16    TCP       80         Accept
r9     192.168.1.0/24   172.13.14.0/24   *         80         Deny
r10    192.168.1.0/24   172.13.0.0/16    TCP       80         Accept
r11    192.168.4.0/24   172.13.14.0/24   TCP       80         Accept
r12    192.168.4.0/24   172.13.0.0/16    TCP       80         Deny

Fig. 1. Network topology.

effective misconfiguration since the security policy is not correctly implemented.

In this paper, we propose a new approach to correct discovered misconfigurations in real-case firewall configurations already designed to protect a given Network, and this will be done by modifying some field of rules, changing their order, removing some rules . . . without increasing the configuration complexity. We also demonstrate its applicability and scalability by the use of a satisfiability solver. The major differences of the present work compared to our earlier works, presented in [8], have been stated as follows: in this work we prove formally the correctness and the completeness of proposed inference systems using formal specification. We propose a method to rule-sets optimization in a simple firewall by removing unused rules. We extract and decide if an anomaly is a real misconfiguration or an intended anomaly in distributed environment by using the FDD (firewall decision diagram). We present a tool that could provide initial results on the speed and accuracy of the proposed method in real-world conditions. Our tool uses Limboole SAT (satisfiability) solver [9] as a verification tool which can handle large set of non-quantified Boolean clauses in reasonably good time.

This paper is organized as follows: Section 2 presents a summary of related work. Section 3 overviews the formal representation of firewall configurations and security policies and details FDD structure. In Section 4, we present our method to discover and remove superfluous rules. In Section 5, we present our approach to discover simple and distributed firewalls misconfigurations. In Section 6, we articulate our approach to resolve simple firewall misconfigurations. In Section 7, we present first a study of the complexity of our inference systems, and then we address the implementation and evaluations of our tool. Finally, we present our conclusions and discuss our plans for future work.

2.1. Intra and inter firewalls anomalies detection

Al Shaer et al. [5] introduced a framework for discovering anomalies in simple and distributed firewalls. They also presented a new tool in [10] called PolicyVis; this tool allows inspecting firewall policies by discovering anomalies in simple or distributed firewalls. In their approach, they analyzed relations between rules using a state diagram that allows identifying anomalies and couple of rules involved in these anomalies or couple of firewalls (in case of inter-firewalls anomalies detection). This differs from our method that considers all rules and not only pairwise ones.

Hu et al. [11,12] proposed a new anomaly management framework (FAME) that facilitates the systematic detection and resolution of firewall policy anomalies by considering the analysis of relations between all rules in the firewall configuration. To resolve anomalies they assigned an action constraint that defines a desired action (either Allow or Deny) to each conflicting segment between rules. To generate these action constraints they used a “Risk level” which is determined based on the vulnerability assessment of the network. They automated this process but in some cases, they selected manually the desired action. So, the administrator decides manually if an anomaly is a misconfiguration. Unlike that, our method incorporates the security policy which allows deciding, automatically, whether an anomaly is intentional or a real configuration error.

In [13] authors introduced a modal logic, called visibility logic (VL), which can be used to express arbitrary patterns between rules inside a firewall. Then, they propose a model checker which allows the verification of any formula expressed in visibility logic. In this study, anomalies are detected between two rules only except for generalization which is detected between three rules and called “second-degree generalization”. Also, this approach did not answer the need for ways to correct anomalies already discovered.

Authors in [6,14] introduced a method of analyzing packets from the filtering rule list by using the concept of Relational Algebra and a 2D box model to show a simulation of packets by rectangular boxes and identify anomalies and relations between rules. In opposition, in our work we also represent relations between rules in a data structure, but additionally we identify anomalies by considering all relations between all rules.

Authors in [11] proposed methods to manage a single firewall rules. This differs from our method that takes into account all firewalls in a given path in the network because even if each firewall in the network is well configured, anomalies could arise between rules of different firewalls.

Cuppens et al. presented in [15,16] an audit process to manage intra-firewall policy anomalies. By using relationships between the attributes of filtering rules (such as coincidence, disjunction and inclusion), they succeed in detecting and removing the configuration anomalies. The data structure used in their work is a linked list of initial size n, where n is the number of filtering rules. Each element is an associative array with the strings condition, decision, shadowing and redundancy as keys to access each necessary value. Authors in [17,18] addressed the problem of intra and inter-component anomalies discovering. Their approach allows detecting anomalies in network security policies deployed over firewalls and network intrusion detection systems. Their approach has the advantage of analyzing the whole set of rules and not only the relationship between two rules. For intra-component they detect three anomalies: shadowing, redundancy and irrelevance. Then they propose an algorithm that allows removing automatically these anomalies. This differs from our method that considers other types of anomalies like correlation and generalization caused by overlapped conflicting rules.
Liu [23] proposed a firewall verification method. The method takes as input a firewall configuration and a given property, then outputs whether the firewall configuration satisfies the property. Matsumoto and Bouhoula [24] propose a SAT based approach for verifying firewall configurations with respect to the security policy requirements. This method checks the correctness of the firewall configuration whether it contains anomalies or not. FINSAT [25,26] incorporates ACL (access control list) conflict analysis procedure for detecting various types of ACL rule conflicts in the model using Boolean satisfiability (SAT) analysis. The conflicts are reported as “error(s)” in case of SAT result with satisfiable instances. Then, the Network administrator needs to reconfigure by himself the ACL rules depending on the results. The objectives of our work are different. We aim first to optimize the firewall configuration by removing unused rules then to discover all misconfigurations by considering the requirement of the security policy. So, our work involves two aspects: Rule analysis aspect and firewall verification aspect.

Proving the correctness and completeness of proposed techniques is an unavoidable step. Nevertheless, most existing studies and algorithms do not prove these two properties. In our work, by using formal representation and inference systems we proved their completeness and correctness.

3. Preliminaries

In what follows, we define, formally, some key notions.

3.1. Firewall configuration

A simple firewall configuration is a finite sequence of filtering rules of the form $FR = (r_i \Rightarrow A_i)_{0<i<N+1}$. These rules are tried in order, up to the first matching one. A filtering rule consists of a precondition $r_i$ which is a region of the packet’s space $P$, usually, consisting of source address, destination address, protocol and destination port. Each right member $A_i$ of a rule of $FR$ is an action defining the behavior of the firewall on filtered packets: $A_i \in \{accept, deny\}$.

3.2. Security policy

A security policy SP is presented as a finite unordered set of directives, as shown in the example of the Introduction, defining whether packets are accepted or denied. We consider also two sets,

3.3. Firewall decision diagram (FDD) of a simple firewall

The firewall decision diagram (fdd) as defined in [27,28] is an acyclic and directed graph that has the following properties: There is exactly one node in fdd that has no incoming edges. This node is called the root of fdd. The nodes in fdd that have no outgoing edges are called terminal nodes. fdd is the union of direct paths $dp_i$. The algorithm used to construct an fdd is detailed in [27,28]. So we have:

$$fdd = \bigcup_{i(i:1 \to m)} dp_i.$$

$$dp_i = dp_i.srce \wedge dp_i.protocol \wedge dp_i.dest \wedge dp_i.port \wedge dp_i.rules \wedge dp_i.action.$$

• $dp_i.src$ is the range of source address represented by the direct path $dp_i$.
• $dp_i.dst$ is the range of destination address represented by the direct path $dp_i$.
• $dp_i.port$ is the range of port number represented by the direct path $dp_i$.
• $dp_i.protocol$ is the range of protocols represented by the direct path $dp_i$.
• $dp_i.rules$ is the set of rules from the firewall configuration that match the domain of packets represented by this direct path, $dp_i.rules = \{r_k^i\}_{(k:1 \to l)}$, where $r_1^i$ is the first rule in the firewall configuration applied on the domain of $dp_i$. The action of this direct path is the action applied by $r_1^i$.
• $dp_i.action$ = the action of this direct path $dp_i$.

Figs. 2 and 3 show the firewall decision diagrams of the simple firewalls configurations shown in Tables 1 and 2 respectively.

3.4. FDD of a path in a distributed environment

A network path $path_i[src, dst]$ is composed of an ordered set of firewalls through which the traffic flows from the source src to the destination dst. $path_i = \{fc_j, n \le j \le m\}$. Let Paths be the set of all possible paths in our network. $Paths = \{path_i, 1 \le i \le k\}$.

A firewall decision diagram of a path $path_i$ is constructed using the collection of rules of different firewalls $fc_j$ belonging to this path. Therefore, the firewall decision diagram of the set Paths of our network could be represented as follows:
Fig. 3. FDD-Firewall1.
Fig. 4. Firewall decision diagram-distributed firewall-path (Firewall3,Firewall2).
Table 2
Firewall configuration-Firewall2.
Order  Srce @           Dest @           Protocol  Dest Port  Action
r1     10.0.0.0/16      192.168.0.0/23   *         *          Accept
r2     192.168.0.0/23   *                *         *          Deny
r3     192.168.1.0/24   *                *         *          Deny
r4     192.168.0.0/24   *                *         *          Deny
r5     10.0.0.0/15      192.168.0.0/23   *         *          Deny
r6     192.168.0.0/23   *                TCP       *          Accept
r7     10.1.0.0/16      192.168.0.0/23   *         *          Deny
r8     172.13.0.0/16    *                *         *          Deny
r9     *                *                *         *          Accept

Table 3
Firewall configuration-Firewall3.
Order  Srce @           Dest @           Protocol  Dest Port  Action
r1     192.168.1.0/24   *                *         *          Accept
r2     192.168.0.0/23   *                *         *          Deny
r3     172.13.0.25      *                *         *          Accept
r4     172.13.0.0/16    *                *         *          Deny
r5     *                *                *         *          Accept

$FDD(Paths) = FDD = \bigcup_{\{0<i<N+1\}} fdd_i$, where each $fdd_i$ is the firewall decision diagram of the path $path_i$, so FDD is the union of $fdd_i$ of each path in the network. We construct $fdd_i$ by using the same algorithm depicted in Section 3.3 for the collection of rules of each $path_i$. The properties already defined for a direct path in a simple firewall remain the same, except for the sets $dp_i.rules$ and $dp_i.action$. In fact, we have to specify, for each rule, the firewall it belongs to. Therefore, we define direct path $dp_j \in fdd_i$ as follows:

$$dp_j = dp_j.srce \wedge dp_j.dest \wedge dp_j.port \wedge dp_j.protocol \wedge dp_j.rules \wedge dp_j.action$$

where $dp_j.rules = \{r_{h_j}^{k}\}$; here k is the index of each firewall through which the traffic flows in the path $path_i$.

The action of each direct path depends on the actions of each first rule handled by this direct path from each firewall in this path, so we have:

• $dp_j.action = accept$ if $\forall r_{1_j}^{k} \in dp_j.rules$, $action(r_{1_j}^{k}) = accept$.
• $dp_j.action = deny$ if $\exists! r_{1_j}^{k} \in dp_j.rules$, $action(r_{1_j}^{k}) = deny$.

Fig. 4 shows the firewall decision diagrams of $Path[zone_B, zone_C]$ = {Firewall3, Firewall2} (Configurations are shown in Tables 3 and 2 respectively) for the network shown in Fig. 1.

We consider the following functions:

- $act(r_{j_i}^{k})$: This function returns the action of the rule $r_{j_i}^{k}$ belonging to the firewall configuration $fc_k$.
- remove(r, fdd): This function removes the rule r from each direct path $dp_i$ that contains this rule.
- $dom(dp_i)$ is a function that maps each $dp_i$ into the subset of packets $p \in P$ and represents the set of packets handled by $dp_i$. $dom(dp_i) = Packets\{dp_i.srce \wedge dp_i.protocol \wedge dp_i.dest \wedge dp_i.port\}$.
- dom(r) is a function that maps each rule r into the subset of packets $p \in P$ handled by this rule.
- $lst\_rule_{act}(dp_i)$: this function returns first rules that apply the action deny on the packets handled by the direct path $dp_i$ on each firewall.
- action(p, FC) returns the action applied on the packet $p \in P$ by the firewall configuration FC.
- $modify_{action}(r, FDD)$: Changes the action of the rule r in FDD.
- $swap_{FDD}(r_i, r_j)$: Modifies FDD by swapping the rules $r_i$ and $r_j$.
- index(r): Returns the index of the rule r in the firewall configuration.
- update(i, DP): This function allows to update the firewall decision diagram by replacing the direct path $DP_i$ by the new direct path DP.

4. Superfluous rules identification

To verify if a rule is superfluous, we need to ensure that removing it from each direct path will not affect the action of this path. So we define a superfluous rule in a simple firewall as follows:

Definition. A rule is considered to be superfluous in a simple firewall, if this rule exists in the set of rules handled by a direct path then this rule is shadowed (i.e. it is not the first rule to be applied in this direct path) or redundant to the second rule in this path. Formally, a rule $r_i$ is superfluous iff $\forall dp_j \in fdd$, if $r_i \in dp_j.rules$ then $r_i$ verifies one of these two conditions:

1. $r_i \neq r_1^j$.
2. $r_i = r_1^j$ and $action(r_i) = action(r_2^j)$.

To address this challenge, we use the inference system shown in Fig. 5. The rules of this inference system are applied to three components $(fc, fc_f, fdd)$: the first component fc is the initial firewall configuration, the second component $fc_f$ is the updated version of fc by removing all superfluous rules and the third component fdd is the set of direct paths that represents relations between fc rules. Remove is the main inference rule in this inference system. It deals with each rule $r_i$ from the firewall configuration fc. Applying this inference rule implies updating the set of rules $fc_f$ by removing superfluous rules. The inference rule Stop is applied when we parse all the filtering rules of fc. Thus, we conclude that this process provides configuration optimization, which reduces the firewall rule size and subsequently improves its performance.

In the configuration shown in Table 2 we can identify three superfluous rules, $r_2$ which is redundant to rules $r_3$ and $r_4$; $r_6$ which is by itself shadowed by the union of rules $r_3$ and $r_4$ and finally $r_5$ which is partially shadowed by rule $r_1$ and partially redundant to rule $r_7$. If we use fdd shown in Fig. 2 we can easily identify them. In fact, rules $r_2$, $r_5$ and $r_6$ verify the conditions depicted in Section 4 in one of these direct paths: $r_2$ in $dp_5$ and $dp_6$, $r_5$ in $dp_1$ and $dp_3$ and $r_6$ in $dp_5$ and $dp_6$.

We write $C \vdash_{FC} C'$: $C'$ is obtained from $C$ by application of one of the inference rules of Fig. 5 and we denote by $\vdash^{*}_{fc}$ the reflexive and transitive closure of $\vdash_{fc}$. In order to prove the correctness of our approach, we start by the following definition:

Definition. Two firewall configurations fc1 and fc2 are semantically equivalent (fc1 ≡ fc2) iff for all packets p if p is matched by fc1 then p is matched by fc2 and action(p, fc1) = action(p, fc2).

Theorem. (Correctness)
If $(fc, fc_f, fdd) \vdash^{*}_{fc} fc_f$ then fc and $fc_f$ are semantically equivalent.

Proof. If $(fc, fc_f, fdd) \vdash^{*}_{fc} fc_f$ then $fc = fc_f \cup (\bigcup_i \{r_i\})$ where $(\bigcup_i \{r_i\})$ is the set of removed rules. If we suppose that there exists a packet p where $action(p, fc) \neq action(p, fc_f)$. p is matched by fc i.e. ∃ at least r where p is included by the domain of r ($p \in dom(r)$), we suppose that r is the first rule to be applied on the packet p, then action(p, fc) = action(r). We have two cases: (1) The rule r is removed then $\{r\} \notin fc_f$: In this case the rule is superfluous and has been removed, so it verifies the precondition of the inference rule remove, so in each $dp_j$, r is the first rule to be applied and $action(r) = action(r_2^j)$ implies that $action(p, fc) = action(p, fc_f)$ which is a contradiction. (2) The rule $\{r\} \in fc_f$, therefore $action(p, fc) = action(p, fc_f)$ which is a contradiction. Therefore, we conclude that for all p, $action(p, fc) = action(p, fc_f)$ then fc and $fc_f$ are semantically equivalent.

5. Misconfigurations detection

Once all firewall configurations have been updated by removing all superfluous rules, we can start the process of detection of misconfigurations in both simple and distributed firewalls.

• Definition: A direct path $dp_i \in FDD$ presents an anomaly iff $\exists r_{m_i}^{k} \in dp_i.rules$ where $act(r_{m_i}^{k}) \neq act(r_{m_i}^{h})$ where $h \neq k$.

So we have two types of misconfigurations: Total and partial misconfigurations.

• TMC: A direct path $dp_i \in fdd_n$ is totally misconfigured iff it presents an anomaly and all the packets mapped by this path apply a different action as applied in the security policy SP on these packets.
• PMC: A direct path $dp_i \in fdd_n$ is partially misconfigured iff it presents an anomaly and some packets mapped by this path apply a different action as applied in the security policy SP on these packets.

path apply a different action from the one applied in SP on these packets.

Definition. (PMC)
A direct path $DP_i \in FDD$ is partially misconfigured iff $\exists r_m^i \in DP_i.R$ where $action(r_m^i) \neq DP_i.action$ and some packets mapped by this path apply a different action as applied in SP on these packets.

In Fig. 6 we propose an inference system that presents necessary and sufficient steps to discover total and partial misconfigurations. The rules of this inference system apply to triple (FDD, TMC, PMC). The first component FDD represents the direct paths extracted from the firewall configuration as explained in the previous section, $FDD = \{DP_i\}_{(i:1 \to n)}$. The second component TMC is the set of extracted total misconfigurations and the third component PMC represents the set of partial misconfiguration. Extract TMC and Extract PMC are the main inference rules for the inference system. The first one detects total misconfigurations. It deals with each $DP_i$ from FDD and verifies if this $DP_i$ applies totally the same action in the firewall configuration as applied in SP, so we test if this $DP_i$ is included in the set of $SP_{!(action(r_1^i))}$; if it is the case, $DP_i$ is considered to be a total misconfiguration, because the action of $DP_i$, which is equal to $action(r_1^i)$, is different from the action applied by SP on this direct path, so we add $DP_i$ to TMC. The same for the second, Extract PMC, but here we will extract partial misconfigurations. In fact, for each $DP_i$ we test if a part from the domain of this direct path applies a different action on the packets matched by this domain as applied in SP; if it is the case we will add $DP_i$ to the set of partial misconfigurations PMC. The inference rule Pass is applied when $DP_i$ does not contain an anomaly between its rules, or when it contains an anomaly and the action applied on this direct path in FDD is the same action undertaken by the security policy. So, in this case this anomaly is considered to be intentional and not a misconfiguration. Hence, the repeated application of these inference rules ensures the extraction of all misconfigurations (partial or total) from the firewall configuration. The rule Stop is applied when we parse all the direct paths of FDD.

In the FDD shown in Fig. 3 we have five misconfigurations. Total misconfigurations: in $DP_1$, $DP_3$, $DP_8$ and $DP_{10}$. Partial misconfiguration: in $DP_{13}$. Once all misconfigurations are discovered, the resolution process is performed in Section 6, we discuss our approach for each correction technique, respectively.

Definition. FDD is called misconfiguration-free iff for all $dp_i$ in $fdd_n$ where $fdd_n$ is in FDD, if $dp_i$ presents an anomaly then $dom(dp_i) \subseteq SP_{dp_i.act}$.

Theorem. Completeness-success
If FDD is misconfiguration-free then $(FDD, \emptyset, \emptyset, \emptyset) \vdash^{*}_{FDD} Success$.

Proof. If FDD is misconfiguration-free, then for all $dp_i \in fdd_n$ where $fdd_n \in FDD$; if there exists a rule $r_{j_i}^{p}$ from the firewall configuration $fc_p$, matched by a direct path $dp_i$ and this rule is overlapped and has a different action to another rule $r_{m_i}^{q}$ from another firewall configuration $fc_q$ and belonging to the same direct path, then $dp_i$ applies the same action as defined in SP (SP $dom(dp_i) \subseteq SP_{dp_i.act}$) because we supposed that FDD is misconfiguration-free. It follows that the precondition of the inference rule Detect misc is not verified for $dp_i$. It implies that for all steps Pass inference rule is applied. Therefore, TMC = ∅ and PMC = ∅. Hence, $(FDD, \emptyset, \emptyset, \emptyset) \vdash^{*}_{FDD} Success$.
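The Section 4 superfluous-rule definition and the Section 5 total/partial classification, run on the Firewall2 rules of Table 2, as an added example that is not code from the paper or from the FARE tool. It cuts the packet space into cells instead of building the FDD of [27,28], visits rules in configuration order and updates the paths after each removal (an assumption, since Fig. 5 is not reproduced on this page), and classifies against a constructed policy `POLICY`; all function names are hypothetical.

```python
import ipaddress
from itertools import product

FULL = {"src": (0, 2**32 - 1), "dst": (0, 2**32 - 1), "proto": (0, 255), "port": (0, 65535)}
PROTO = {"TCP": 6, "UDP": 17}

# Table 2 of the page (Firewall2): order, source, destination, protocol, dest port, action.
FIREWALL2 = """
r1 10.0.0.0/16    192.168.0.0/23 *   * Accept
r2 192.168.0.0/23 *              *   * Deny
r3 192.168.1.0/24 *              *   * Deny
r4 192.168.0.0/24 *              *   * Deny
r5 10.0.0.0/15    192.168.0.0/23 *   * Deny
r6 192.168.0.0/23 *              TCP * Accept
r7 10.1.0.0/16    192.168.0.0/23 *   * Deny
r8 172.13.0.0/16  *              *   * Deny
r9 *              *              *   * Accept
"""
# Constructed policy directives for illustration (not from the page); same columns, unordered.
POLICY = """
sp1 192.168.0.0/23 *              * * Deny
sp2 172.13.0.0/16  *              * * Accept
sp3 10.1.0.0/16    192.168.0.0/24 * * Accept
sp4 10.1.0.0/16    192.168.1.0/24 * * Deny
"""

def span(field, value):
    if value == "*":
        return FULL[field]
    if field in ("src", "dst"):
        net = ipaddress.ip_network(value)
        return int(net.network_address), int(net.broadcast_address)
    n = PROTO[value] if field == "proto" else int(value)
    return n, n

def parse(table):
    """Each row becomes (name, {field: inclusive integer range}, action)."""
    rows = []
    for line in table.split("\n"):
        if line.strip():
            name, *fields, action = line.split()
            rows.append((name, {f: span(f, v) for f, v in zip(FULL, fields)}, action.lower()))
    return rows

def cells(boxes):
    """Cut the packet space along every box boundary, so each cell lies fully in or out of a box."""
    axes = []
    for f, (lo, hi) in FULL.items():
        cuts = sorted({lo, hi + 1} | {b[f][0] for b in boxes} | {b[f][1] + 1 for b in boxes})
        axes.append([(a, b - 1) for a, b in zip(cuts, cuts[1:])])
    return [dict(zip(FULL, c)) for c in product(*axes)]

def covers(box, cell):
    return all(box[f][0] <= cell[f][0] and cell[f][1] <= box[f][1] for f in FULL)

def direct_paths(rules, extra=()):
    """Map each ordered tuple of matching rule indexes (dp.rules) to its cells (dom(dp))."""
    paths = {}
    for cell in cells([r[1] for r in rules] + [e[1] for e in extra]):
        hit = tuple(i for i, r in enumerate(rules) if covers(r[1], cell))
        if hit:
            paths.setdefault(hit, []).append(cell)
    return paths

def superfluous(rules):
    """Section 4 conditions: never first on a path, or first with the same action as the second."""
    paths, removed = set(direct_paths(rules)), []
    for i, (name, _, action) in enumerate(rules):
        mine = [p for p in paths if i in p]
        if all(p[0] != i or (len(p) > 1 and rules[p[1]][2] == action) for p in mine):
            removed.append(name)
            paths = {tuple(k for k in p if k != i) for p in paths}  # remove(r, fdd)
    return removed

def cleaned(rules):
    gone = set(superfluous(rules))
    return [r for r in rules if r[0] not in gone]

def equivalent(a, b):
    """Semantic equivalence: the first-match action agrees on every cell of the joint partition."""
    def act(rules, cell):
        return next((r[2] for r in rules if covers(r[1], cell)), None)
    return all(act(a, c) == act(b, c) for c in cells([r[1] for r in a + b]))

def misconfigurations(rules, policy):
    """Classify anomalous direct paths against the policy as total (TMC) or partial (PMC)."""
    found = {}
    for hit, dom in direct_paths(rules, policy).items():
        action = rules[hit[0]][2]
        if all(rules[k][2] == action for k in hit):
            continue  # no rule on this path disagrees with the first one: no anomaly
        wrong = [c for c in dom if any(covers(p[1], c) and p[2] != action for p in policy)]
        if wrong:
            found[tuple(rules[k][0] for k in hit)] = "TMC" if len(wrong) == len(dom) else "PMC"
    return found

if __name__ == "__main__":
    fw = parse(FIREWALL2)
    print(superfluous(fw), equivalent(fw, cleaned(fw)))
    print(misconfigurations(cleaned(fw), parse(POLICY)))
```

On Table 2 this reports r2, r5 and r6, the three rules the text identifies, and the cleaned rule list stays first-match equivalent to the original.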
Fig. 9. IS for modifying rules actions.

$DP_j$ and this direct path is in TMC then we can modify the action of this rule, and by this modification we ensure that we correct all $DP_k \in TMC$ that have the first rule $r_1^i$. For instance, $r_5$ exists only in the direct path $DP_{10}$. So by changing the action of this rule (i.e., $r_5$) we will correct this misconfiguration and we will not generate new misconfigurations. The rule Stop is applied when we parse all the direct paths of TMC.

Proof. If $(TMC, FDD, \emptyset, TMC) \vdash^{*} SUCCESS$ then we have $(TMC, FDD, \emptyset, TMC) \vdash (TMC1, FDD1, CL1, TMCs1) \vdash (TMC2, FDD2, CL2, TMCs2) \vdash \cdots \vdash (TMCn, FDDn, CLn, TMCsn) \vdash SUCCESS$ where $TMCsn = \emptyset$. We can show by induction on i, $1 \le i \le n$, that, at each step, the precondition of the inference rule Swap is verified, then we have two cases. The first case is when a candidate rule $r_c \in CL_i$ is the new first rule in $DP_i.R$ instead of $r_1^i$ and we have $action(r_c) \neq action(r_1^i)$ and according to the definition of TMC, $DP_i \in TMC$ then $dom(DP_i) \subseteq SP_{!action(r_1^i)}$; it follows that $DP_i \subseteq SP_{action(r_c)}$, where $r_c$ is the new first rule to be applied in $DP_i$ so this direct path applies the same action as applied in SP. Thus $DP_i$ is well configured with respect to SP. The second case is when $r_2^i$ is the new first rule in $DP_i.R$ and according to the precondition of the inference rule Swap, $action(r_2^i) \neq action(r_1^i)$; it follows that $DP_i$ applies the same action as applied in SP. Therefore $\forall DP_i \in TMC$, $DP_i$ is well configured with respect to SP.

sented by these values: [@ srce, port, @ dest, protocol] = [192.168.4.3, 80, 172.13.14.0/24, TCP]. Therefore, $DP_{13}$ could be represented as follows: $DP_{13} = (DP_{13} \setminus BSP) \cup (DP_{13} \cap BSP)$. Then using our inference system, we use first the inference rule Correct PMC1 to divide this direct path into two sub-FDDs where the first ($DP_{13} \setminus BSP$) represents paths which conform to SP and the second one $DP_{13} \cap BSP$ is the totally misconfigured path. Then to correct $DP_{13} \cap BSP$ we use Correct PMC2.

Definition. (Completeness) FDD is complete with respect to SP in term of misconfigurations iff $\forall DP_i \in FDD$ if $\exists r_m^i \in DP_i$ where $action(r_m^i) \neq DP_i.action$ then $dom(DP_i) \subseteq SP_{action(r_1^i)}$, i.e., $DP_i$ applies the same action as defined by SP.

Theorem. (Completeness) If $(TMC, PMC, FDD, \emptyset) \vdash^{*} STOP$ then FDD is complete with respect to SP in term of misconfigurations.
Fig. 13. Modified firewall decision diagram-Firewall1.

Table 4
New firewall configuration-Firewall1.
Order Srce @ Dest @ Protocol Dest Port Action

Table 5
Number of discovered misconfigurations.
100 18 21
778 47 35
1418 85 62
2057 67 113

7.2. FARE-implementation

9. Conclusion
2015, Cambridge, MA, USA, September 28–30, 2015, 2015, pp. 63–67, http://dx.doi.org/10.1109/NCA.2015.31.
[9] Limboole SAT Solver, 2015 http://fmv.jku.at/limboole/index.html.
[10] T. Tran, E.S. Al-Shaer, R. Boutaba, Policyvis: firewall security policy visualization and inspection, in: Proceedings of the 21st Large Installation System Administration Conference, LISA 2007, Dallas, Texas, USA, November 11–16, 2007, 2007, pp. 1–16 http://www.usenix.org/events/lisa07/tech/tran.html.
[11] H. Hu, G.-J. Ahn, K. Kulkarni, Detecting and resolving firewall policy anomalies, IEEE Trans. Dependable Secur. Comput. 9 (3) (2012) 318–331, http://dx.doi.org/10.1109/TDSC.2012.20.
[12] H. Hu, G.-J. Ahn, K. Kulkarni, FAME: a firewall anomaly management environment, in: SafeConfig, ACM, 2010, pp. 17–26 http://dblp.uni-trier.de/db/conf/safeconfig/safeconfig2010.html.
[13] B. Khorchani, S. Hallé, R. Villemaire, Firewall anomaly detection with a model checker for visibility logic, in: 2012 IEEE Network Operations and Management Symposium, NOMS 2012, Maui, HI, USA, April 16–20, 2012, 2012, pp. 466–469, http://dx.doi.org/10.1109/NOMS.2012.6211932.
[14] N. Mukkapati, Ch.V. Bhargavi, Detecting policy anomalies in firewalls by relational algebra and raining 2d-box model, IJCSNS International Journal of Computer Science and Network Security, vol. 13 (2013) 94–99 http://paper.ijcsns.org/07_book/201305/20130516.pdf.
[15] F. Cuppens, N. Cuppens-Boulahia, J. García-Alfaro, Detection and removal of firewall misconfiguration, in: Proceedings of the 2005 IASTED International Conference on Communication, Network and Information Security (CNIS 2005), IASTED, Phoenix, AZ, USA, 2005, pp. 154–161, ISBN: 0-88986-537-X http://www-public.tem-tsp.eu/~garcia_a/web/papers/cnis05.pdf.
[16] F. Cuppens, N. Cuppens-Boulahia, J. Alfaro, Misconfiguration management of network security components, IASTED International Conference on Communication, Network, and Information Security (CNIS 2005) (2005) 1–10 http://www.deic.uab.es/~joaquin/papers/ssi05.pdf.
[17] J. García-Alfaro, N. Boulahia-Cuppens, F. Cuppens, Complete analysis of configuration rules to guarantee reliable network security policies, Int. J. Inf. Secur. 7 (2) (2008) 103–122, http://dx.doi.org/10.1007/s10207-007-0045-7.
[18] J. García-Alfaro, F. Cuppens, N. Cuppens-Boulahia, Analysis of policy anomalies on distributed network security setups, in: Computer Security – ESORICS 2006, 11th European Symposium on Research in Computer Security, Hamburg, Germany, September 18–20, 2006, Proceedings, 2006, pp. 496–511, http://dx.doi.org/10.1007/11863908_30.
[19] E.S. Al-Shaer, H.H. Hamed, Discovery of policy anomalies in distributed firewalls, in: Proceedings IEEE INFOCOM 2004, The 23rd Annual Joint Conference of the IEEE Computer and Communications Societies, Hong Kong, China, March 7–11, 2004, 2004 http://www.ieee-infocom.org/2004/Papers/54_3.PDF.
[20] S. Hallé, E.L. Ngoupe, R. Villemaire, O. Cherkaoui, Distributed firewall anomaly detection through LTL model checking, in: 2013 IFIP/IEEE International Symposium on Integrated Network Management (IM 2013), Ghent, Belgium, May 27–31, 2013, 2013, pp. 194–201 http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=6572986.
[21] A.J. Mayer, A. Wool, E. Ziskind, Fang: a firewall analysis engine, in: 2000 IEEE Symposium on Security and Privacy, Berkeley, California, USA, May 14–17, 2000, 2000, pp. 177–187, http://dx.doi.org/10.1109/SECPRI.2000.848455.
[22] L. Yuan, J. Mai, Z. Su, H. Chen, C.-N. Chuah, P. Mohapatra, Fireman: A toolkit for firewall modeling and analysis, in: Proceedings of the 2006 IEEE Symposium on Security and Privacy, SP ‘06, Washington, DC, USA, IEEE Computer Society, 2006, pp. 199–213, http://dx.doi.org/10.1109/SP.2006.16.
[23] A.X. Liu, Formal verification of firewall policies, in: Proceedings of IEEE International Conference on Communications, ICC 2008, Beijing, China, 19–23 May 2008, 2008, pp. 1494–1498, http://dx.doi.org/10.1109/ICC.2008.289.
[24] S. Matsumoto, A. Bouhoula, Automatic verification of firewall configuration with respect to security policy requirements, in: Proceedings of the International Workshop on Computational Intelligence in Security for Information Systems, CISIS’08, Genova, Italy, October 23–24, 2008, 2008, pp. 123–130, http://dx.doi.org/10.1007/978-3-540-88181-0_16.
[25] P. Bera, S.K. Ghosh, P. Dasgupta, Integrated security analysis framework for an enterprise network – a formal approach, IET Inf. Secur. 4 (4) (2010) 283–300, http://dx.doi.org/10.1049/iet-ifs.2009.0174.
[26] P. Bera, S.K. Ghosh, P. Dasgupta, Policy based security analysis in enterprise networks: a formal approach, IEEE: Trans. Netw. Serv. Manag. 7 (4) (2010) 231–243, http://dx.doi.org/10.1109/TNSM.2010.1012.0365.
[27] M.G. Gouda, A.X. Liu, Structured firewall design, Comput. Netw. 51 (4) (2007) 1106–1120, http://dx.doi.org/10.1016/j.comnet.2006.06.015.
[28] A.X. Liu, M.G. Gouda, Diverse firewall design, IEEE Trans. Parallel Distrib. Syst. 19 (9) (2008) 1237–1251, http://dx.doi.org/10.1109/TPDS.2007.70802.
[29] Netfilter-IPTables F, 2015 http://www.netfilter.org/.
[30] CISCO, 2015 www.cisco.com/.
[31] ETOpen Ruleset, 2015 http://rules.emergingthreats.net/fwrules/.
[32] The Tunisian Ministry of Finance Computer Center (CIMF), 2015 http://www.portail.finances.gov.tn.
[33] IBM, IBM Security Services 2014 Cyber Security Intelligence Index, IBM Global Technology services, 2014 http://fr.slideshare.net/ibmsecurity/2014-cyber-security-intelligence-index.
[34] C.O. Sandeep Bhatt, P. Rao, Fast, Cheap and In Control: A Step Towards Pain Free Security!, 111 Hewlett-Packard, September 21-2008 http://www.hpl.hp.com/techreports/2008/HPL-2008-111.pdf/.

Amina Saâdaoui is a Ph.D.-student at the Higher School of Communication of Tunis (Sup’Com). Amina’s research concerns network security, access control, formal specification as well as formal validation and verification techniques. She is a member of the Tunisian Association of Digital Security (TADS).

Nihel Ben Youssef received her engineering degree in computer science from the National Institute of Applied Science and Technology and she received her Phd from the Higher School of Communication of Tunis (Sup’Com). Nihel Ben Youssef Ben Souayeh is currently an Assistant Professor at the higher institute of computer science in Tunisia. Her research interests include network security, formal specification as well as formal validation and verification techniques. She is the co-founder of the Association of computer security (SECURINETS) in Tunisia. She is also member of Tunisian Association of Digital Security (TADS).

Adel Bouhoula obtained his undergraduate degree in computer engineering with distinction from the University of Tunis in Tunisia. He also holds a Masters, PhD and Habilitation from Henri Poincare University in Nancy, France. Adel Bouhoula is currently a Professor at the Higher School of Communication of Tunis (Sup’Com). He is also the founder and Director of the Research Unit on Digital Security and the President of the Tunisian Association of Digital Security (TADS). His research interests include automated reasoning, algebraic specifications, formal specification as well as formal validation and verification techniques, network security, cryptography, and validation of cryptographic protocols.