• Archana V



Firewall, policy anomaly management, access control, visualization tool.


Firewalls are the most widely deployed security mechanism to ensure the security of private networks in most businesses and institutions. The effectiveness of security protection provided by a firewall mainly depends on the quality of policy configured in the firewall. Unfortunately, designing and managing firewall policies are often error prone due to the complex nature of firewall configurations as well as the lack of systematic analysis mechanisms and tools. In this paper, we represent an innovative policy anomaly management framework for firewalls, adopting a rule-based segmentation technique to identify policy anomalies and derive effective anomaly resolutions. In particular, we articulate a grid-based representation technique, providing an intuitive cognitive sense about policy anomaly. We also discuss a proof-of-concept implementation of a visualization-based firewall policy analysis tool called Firewall Anomaly Management Environment (FAME). In addition, we demonstrate how efficiently our approach can discover and resolve anomalies in firewall policies through rigorous experience


Download data is not yet available.

Author Biography

Archana V

PG Scholar, Department of CSE, PSN Engineering College, Tirunelveli, Tamil nadu.


[1] Al-Shaer, E., and Hamed, H.,“Discovery of Policy Anomalies in Distributed Firewalls,” IEEE INFOCOM ’04, vol. 4, pp. 2605-2616,2004.

[2] Wool, A., “Trends in Firewall Configuration Errors: Measuring the Holes in Swiss Cheese,” IEEE Internet Computing, vol. 14, no. 4,pp. 58-65, July/Aug. 2010.

[3] Yuan, L., Chen, H., Mai, J., Chuah, C., Su, Z., Mohapatra, P., and Davis, C., “Fireman: A Toolkit for Firewall Modeling and Analysis,”Proc. IEEE Symp. Security and Privacy, p. 15, 2006.

[4] Lupu, E., and Sloman, M., “Conflicts in Policy-Based Distributed Systems Management,” IEEE Trans. Software Eng., vol. 25, no. 6,pp. 852-869, Nov./Dec. 1999.

[5] Hu, H., Ahn, G., and Kulkarni, K., “Anomaly Discovery and Resolution in Web Access Control Policies,” Proc. 16th ACM Symp.Access Control Models and Technologies, pp. 165-174, 2011.

[6] A. El-Atawy, K. Ibrahim, H. Hamed, and E. Al-Shaer, “Policy Segmentation for Intelligent Firewall Testing,” Proc. First Workshop Secure Network Protocols (NPSec ’05), 2005.

[7] Mayer, A., Wool, A., and Ziskind, E., “Fang: A Firewall Analysis Engine,” Proc. IEEE Symp. Security and Privacy, pp. 177-189, 2000.

[8] Gouda, M., and Liu, X., “Firewall Design: Consistency, Completeness, and Compactness,” Proc. 24th Int’l Conf. Distributed Computing Systems (ICDCS ’04), p. 327, 2004.

[9] Ioannidis, S., Keromytis, A., Bellovin, S., and Smith, J., “Implementing a Distributed Firewall,” Proc. Seventh ACM Conf. Computer and Comm. Security, p. 199, 2000.

[10] Hari, A., Suri, S., and Parulkar, G., “Detecting and Resolving Packet Filter Conflicts,” Proc. IEEE INFOCOM, pp. 1203-1212, 2000.

[11] Fu, Z., Wu, S., Huang, H., Loh, K., Gong, F., Baldine, I., and Xu, C., “IPSec/VPN Security Policy: Correctness, Conflict Detection and Resolution,” Proc. Int’l Workshop Policies for Distributed Systems and Networks (POLICY ’01), pp. 39-56, 2001.