@inproceedings{767e62fe63f44b5ca13cf8b8f7ff666a,
title = "Semantics-preserving simplification of real-world firewall rule sets",
abstract = "The security provided by a firewall for a computer network almost completely depends on the rules it enforces. For over a decade, it has been a well-known and unsolved problem that the quality of many firewall rule sets is insufficient. Therefore, there are many tools to analyze them. However, we found that none of the available tools could handle typical, real-world iptables rulesets. This is due to the complex chain model used by iptables, but also to the vast amount of possible match conditions that occur in real-world firewalls, many of which are not understood by academic and open source tools. In this paper, we provide algorithms to transform firewall rulesets. We reduce the execution model to a simple list model and use ternary logic to abstract over all unknownmatch conditions.These transformations enable existingtools tounderstandreal-worldfirewall rules,whichwe demonstrate on four decently-sized rulesets. Using the Isabelle theorem prover, we formally showthat all our algorithms preserve the firewall{\textquoteright}s filtering behavior.",
keywords = "Computer networks, Firewalls, Isabelle, Netfilter Iptables, Semantics",
author = "Cornelius Diekmann and Lars Hupel and Georg Carle",
note = "Publisher Copyright: {\textcopyright} Springer International Publishing Switzerland 2015.; 20th International Symposium on Formal Methods, FM 2015 ; Conference date: 24-06-2015 Through 26-06-2015",
year = "2015",
doi = "10.1007/978-3-319-19249-9_13",
language = "English",
series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",
publisher = "Springer Verlag",
pages = "195--212",
editor = "Nikolaj Bjorner and {de Boer}, Frank",
booktitle = "FM 2015",
}