
Firewall System Policy Configuration

Posted on: 2008-06-13
Degree: Doctor
Type: Dissertation
Country: China
Candidate: W H Chen
Full Text: PDF
GTID: 1118360212998644
Subject: Business Intelligence
Abstract/Summary:
Enterprises' dependence on the Internet keeps growing as it develops, and the convenience and economy of network communication have greatly altered how enterprises are organized. More and more companies prefer the network to traditional channels of information exchange and use collaborative information systems for better planning of internal and external resources; more business opportunities and partners can be found, and remote project cooperation between distributed enterprises is realized with the help of the Internet, all of which leads to enormous profits. However, external and internal security threats can bring disaster to a company at any time, which ultimately affects organizational profit and customer satisfaction. Security has become a major challenge for modern companies. How can the inside of an enterprise be safeguarded? Firewall technology, called "the first fence for network security", has taken up the gauntlet, and its importance to the enterprise is obvious. This research works on firewall policy configuration for independent and distributed firewalls, with the following content:

(1) Prior models for firewall policy description focus on improving filtering speed and seldom consider that the firewall itself may change. For example, when the enterprise network topology is altered, some rules in the firewall policy become invalid and the redundant rules must be deleted. Such updates cannot be expressed dynamically with earlier tools; instead, they require the firewall policy description model to be rebuilt. As Internet applications develop, firewall policy changes will become routine, and rebuilding the firewall for every change is too costly. We provide a policy description for dynamic firewall updating, MFDT. On one hand, MFDT is suited to packet filtering; on the other hand, it can dynamically reflect updates to the firewall policy. For the three kinds of firewall policy update, we have designed corresponding algorithms. For an updated MFDT, a merge algorithm merges identical subtrees to improve filtering efficiency.

(2) Enterprises configure their firewalls according to their specific security requirements, and the result of such configuration is the rule table in the firewall. However, problems arise in configuring an independent firewall policy. First, the security administrator may make mistakes in the initial configuration of the rule table. Second, as the number of rules in the table grows, the probability of conflicts between rules grows as well. We have analyzed five types of misconfiguration that occur from time to time in firewall policies and suggested a solution for each. We also propose two error detection algorithms: the induction-based algorithm enables fast detection of policy configuration errors, while the Trie-based algorithm adopts a Trie structure, which further improves efficiency.

(3) The firewalls in a distributed firewall may come from different vendors, and their configuration methods may differ, which makes configuration difficult. In addition, although the firewalls' security policy is defined uniformly, it is usually described in natural language, and because of the ambiguity of natural language different administrators understand it differently, which leads to inconsistent configurations between the independent firewall policies. To solve these problems, we provide a platform, FPT, on which distributed firewall policies can be compared to find inconsistencies and then corrected; this improves the performance of the distributed firewall. We also give the FPT construction algorithm, which transforms a firewall policy into an equivalent tree, and the FPT comparison algorithm, which compares the differences between policy trees. Building on this work, we move on to a comparison model for distributed firewall policies. Moreover, even when each independent firewall is configured correctly, conflicts and configuration errors between distributed firewall policies can still occur and threaten enterprise security. Starting from the relationships between firewall filtering domains, we deduce the relationships between firewall policies and, on that basis, discuss the probable policy configuration errors in detail. An error detection algorithm is proposed as well.
Keywords/Search Tags: Information Security, Distributed System, Firewall Policy, Conflict Detection, Comparison Model