Classifying Rules by In-out Traffic Direction to Avoid Security Policy Anomaly
- Authors
- Kim, Sunghyun; Lee, Heejo
- Issue Date
- 27-8월-2010
- Publisher
- KSII-KOR SOC INTERNET INFORMATION
- Keywords
- Firewall; security policy; policy anomalies; network security; ACL
- Citation
- KSII TRANSACTIONS ON INTERNET AND INFORMATION SYSTEMS, v.4, no.4, pp.671 - 690
- Indexed
- SCIE
SCOPUS
KCI
OTHER
- Journal Title
- KSII TRANSACTIONS ON INTERNET AND INFORMATION SYSTEMS
- Volume
- 4
- Number
- 4
- Start Page
- 671
- End Page
- 690
- URI
- https://scholar.korea.ac.kr/handle/2021.sw.korea/115858
- DOI
- 10.3837/tiis.2010.08.013
- ISSN
- 1976-7277
- Abstract
- The continuous growth of attacks in the Internet causes to generate a number of rules in security devices such as Intrusion Prevention Systems, firewalls, etc. Policy anomalies in security devices create security holes and prevent the system from determining quickly whether allow or deny a packet. Policy anomalies exist among the rules in multiple security devices as well as in a single security device. The solution for policy anomalies requires complex and complicated algorithms. In this paper, we propose a new method to remove policy anomalies in a single security device and avoid policy anomalies among the rules in distributed security devices. The proposed method classifies rules according to traffic direction and checks policy anomalies in each device. It is unnecessary to compare the rules for outgoing traffic with the rules for incoming traffic. Therefore, classifying rules by in-out traffic, the proposed method can reduce the number of rules to be compared up to a half. Instead of detecting policy anomalies in distributed security devices, one adopts the rules from others for avoiding anomaly. After removing policy anomalies in each device, other firewalls can keep the policy consistency without anomalies by adopting the rules of a trusted firewall. In addition, it blocks unnecessary traffic because a source side sends as much traffic as the destination side accepts. Also we explain another policy anomaly which can be found under a connection-oriented communication protocol.
- Files in This Item
- There are no files associated with this item.
- Appears in
Collections - Graduate School > Department of Computer Science and Engineering > 1. Journal Articles
Items in ScholarWorks are protected by copyright, with all rights reserved, unless otherwise indicated.