Intranet Security via Firewalls

Abstract

Firewalls, the forefront defense for corporate intranet security, filter traffic by comparing each arriving packet against stored security policies in sequential order. In a large organization, traffic typically passes through several firewalls before it reaches its destination. Setting policies device by device in an organization with a large number of firewalls can easily create policy conflicts. Because one firewall depends on another in the network hierarchy, the policies applied to resolve such conflicts must be kept in a specific order: a certain traffic type may be allowed by a lower-order firewall but blocked by a higher-order device. Also, a conflict analyzer that can detect conflicts within a single device cannot analyze enterprise-wide policy anomalies. Moreover, most existing tools are very much device-specific, whereas today's organizations operate in a multivendor environment. In this chapter, we first discuss various issues related to policy conflicts in firewalls. We then propose an architecture for an enterprise-wide firewall policy management system that can detect conflicts in real time when a new policy is added to any firewall.
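As an added illustration (not the chapter's own code or the system it proposes), the following Python models the sequential first-match filtering described above and the two kinds of conflict the abstract names: a rule shadowed within a single device, and a flow allowed by a lower-order firewall but blocked by a higher-order one further along the path. The firewalls, rules and flows are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    src: str       # source CIDR
    dst: str       # destination CIDR
    proto: str     # "tcp", "udp" or "any"
    ports: tuple   # inclusive (low, high) destination port range
    action: str    # "allow" or "deny"
    def matches(self, src, dst, proto, dport):
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.ports[0] <= dport <= self.ports[1])
    def covers(self, other):
        """True if every packet that matches `other` also matches this rule."""
        return (ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
                and ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst))
                and self.proto in ("any", other.proto)
                and self.ports[0] <= other.ports[0] <= other.ports[1] <= self.ports[1])

def first_match(rules, flow, default="deny"):
    """Sequential evaluation: the first rule covering the flow decides, else the implicit default."""
    for r in rules:
        if r.matches(*flow):
            return r.action, r.name
    return default, "implicit-default"

def shadowed_rules(rules):
    """Single-device anomaly: rules that can never fire because an earlier rule covers them."""
    return [(later.name, earlier.name) for i, later in enumerate(rules)
            for earlier in rules[:i] if earlier.covers(later)]

def chain_conflicts(chain, flows):
    """chain: [(device, rules)] in traversal order; report flows allowed early but dropped later."""
    conflicts = []
    for flow in flows:
        actions = [first_match(rules, flow)[0] for _, rules in chain]
        if "allow" in actions and "deny" in actions[actions.index("allow") + 1:]:
            conflicts.append((flow, list(zip([d for d, _ in chain], actions))))
    return conflicts

# Constructed sample: a departmental firewall in front of the corporate edge firewall.
DEPT = [Rule("dept-allow-all-tcp", "10.1.0.0/16", "10.2.0.0/16", "tcp", (1, 65535), "allow"),
        Rule("dept-deny-telnet", "10.1.0.0/16", "10.2.0.0/16", "tcp", (23, 23), "deny")]
EDGE = [Rule("edge-deny-telnet", "0.0.0.0/0", "10.0.0.0/8", "tcp", (23, 23), "deny"),
        Rule("edge-allow-web", "0.0.0.0/0", "10.0.0.0/8", "tcp", (80, 443), "allow")]
CHAIN = [("dept", DEPT), ("edge", EDGE)]
FLOWS = [("10.1.5.7", "10.2.0.9", "tcp", 23), ("10.1.5.7", "10.2.0.9", "tcp", 443)]
```

Here `shadowed_rules(DEPT)` reports the department's telnet deny as dead, and `chain_conflicts(CHAIN, FLOWS)` reports the telnet flow that the department allows but the edge blocks.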




© 2010 Springer-Verlag Berlin Heidelberg

About this chapter

Cite this chapter

Pabla, I., Khalil, I., Hu, J. (2010). Intranet Security via Firewalls. In: Stavroulakis, P., Stamp, M. (eds) Handbook of Information and Communication Security. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-04117-4_11

  • DOI: https://doi.org/10.1007/978-3-642-04117-4_11

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-04116-7

  • Online ISBN: 978-3-642-04117-4
