Domain Restriction Based Formal Model for Firewall Configurations

Firewalls are widely adopted for protecting private networks by filtering out undesired network traffic in and out of secured networks. Therefore, they play an important role in the security of communication systems. The verification of firewalls is a great challenge because of the dynamic characteristics of their operation, their configuration is highly error prone, and finally, they are considered the first defense to secure networks against attacks and unauthorized access. In this paper, we present a formal model for firewalls rulebase using domain restriction method, and based on this model, a novel algorithm for detecting and identifying conflicts in firewalls rulebase. The algorithm is based on calculating the conflict set of firewall configurations using the domain restriction. The domain restriction method is implemented using Event-B formal techniques, where we model firewall configuration rules, and then use invariant checking to verify the consistency of firewall configurations.