Abstract
Packet filtering in a firewall is one of the most useful tools for network security. Packet filtering examines each network packet and decides whether to accept or deny it; this decision is determined by a packet filtering configuration developed by the network administrator. An administrator may find it hard to understand and maintain a configuration, and this burden increases further when anomalies must be found between two configurations, especially as the number of filters in a configuration grows. This difficulty may leave the administrator with less confidence that the configurations are correctly and completely implemented. This paper presents a system based on SIERRA (a systolic filter sieve array) that can detect anomalies between two configurations. It provides three functions: a side-effects analysis function, an equality judgment function, and a composition analysis function. Experimental results show that the proposed system is suitable for small networks and for configurations with a large number of filters.
© 2005 Springer-Verlag Berlin Heidelberg
Cite this paper
Yin, Y., Bhuvaneswaran, R.S., Katayama, Y., Takahashi, N. (2005). Implementation of Packet Filter Configurations Anomaly Detection System with SIERRA. In: Qing, S., Mao, W., López, J., Wang, G. (eds) Information and Communications Security. ICICS 2005. Lecture Notes in Computer Science, vol 3783. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11602897_39
DOI: https://doi.org/10.1007/11602897_39
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-30934-5
Online ISBN: 978-3-540-32099-9