An Effective Algorithm for Collision Resolution in Security Policy Rules

A firewall is the main classic tool for monitoring and managing the network traffic on a local network. Its task is to compare the network traffic passing through it with the established security rules. These rules, which are often also called security policy, can be defined both before and during the operation of the firewall. Managing the security policy of large corporate networks is a complex task. In order to properly implement it, firewall filtering rules must be written and organized neatly and without errors. In addition, the process of changing or inserting new rules should be performed only after a careful analysis of the relationship between the rules being modified or inserted, as well as the rules that already exist in the security policy. In this article, the authors consider the classification of relations between security policy rules and also give the definition of all sorts of conflicts between them. In addition, the authors present a new efficient algorithm for detecting and resolving collisions in firewall rules by the example of the Floodlight SDN controller.

1. Al-Shaer E., et al., "Automated Firewall Analytics. Design, Configuration and Optimization", Proceedings of 2016 IEEE Trustcom/BigDataSE/ISPA, 2014, 15-18.

2. Abedin M., Nessa S., Khan L., Thuraisingham B., "Detection and Resolution of Anomalies in Firewall Policy Rules", Data and Applications Security XX, Springer, 2006, 15-29.

3. Morzhov S., Nikitinskiy M., "Development and research of the PreFirewall network application for Floodlight SDN controller", 2018 Moscow Workshop on Electronic and Networking Technologies (MWENT) (Moscow, March 14-16), 2018, 1-4.

4. Morzhov S., Sokolov V., Nikitinskiy M., Chaly D., "Building a Security Policy Tree for SDN Controllers", 2018 International Scientific and Technical Conference Modern Computer Network Technologies (MoNeTec) (Moscow, October 25), 2018, 1-6.

5. Morzhov S., Alekseev I., Nikitinskiy M., "Firewall application for Floodlight SDN controller", XII International Siberian Conference on Control and Communications (SIBCON-2016) (Moscow, May 12-14), 2016, 1-5.