An algorithm for security policy migration in multiple firewall networks

Firewalls are effectively employed to protect network portions by blocking illegitimate traversing traffic. However, during traffic load peaks, possibly due to DoS-like attacks, they may become performance bottlenecks, introducing consistent delays/losses on legitimate packets. In multiple firewall networks, a cooperative approach to mitigate performance degradation caused by firewall overloads consists in suitably distributing responsibility for security policy implementation among available devices to balance workload. We present a technique for migrating security policies among firewalls in a sequence, formally verified to preserve the overall security policy implemented by the sequence itself. The technique can be used as building block in the development of cooperative solutions allowing to balance workload in networks where firewalls are arbitrarily placed to guard specific domains.