Firewall design: consistency, completeness, and compactness

Authors: M.G. Gouda, X.-Y.A. Liu

DOI: 10.1109/ICDCS.2004.1281597

Keywords:

Abstract: A firewall is often placed at the entrance of each private network in the Internet. The function of a firewall is to examine each packet that passes through the entrance and decide whether to accept the packet and allow it to proceed, or to discard the packet. A firewall is usually designed as a sequence of rules. To make a decision concerning some packet, the rules are compared, one by one, with the packet until a rule is found to be satisfied by the packet: this rule determines the fate of the packet. We present the first ever method for designing a firewall to be consistent, complete, and compact. Consistency means that the rules are ordered correctly, completeness means that every packet satisfies at least one rule in the firewall, and compactness means that the firewall has no redundant rules. Our method starts with a firewall decision diagram (FDD, for short) whose consistency and completeness can be checked systematically (by an algorithm). We then apply five algorithms to the FDD to generate, reduce, and simplify the target firewall while maintaining the consistency and completeness of the original FDD.
