Model-Based Development of firewall rule sets: Diagnosing model inconsistencies

The design and management of firewall rule sets is a difficult and error-prone task because access control requirements must be translated into complex, low-level firewall languages. Although high-level languages have been proposed to model firewall access control lists, none has been widely adopted by the industry. We think that the main reason is that their complexity is close to that of many existing low-level languages. In addition, none of the high-level languages that automatically generate firewall rule sets verifies the model prior to the code-generation phase. Correcting errors in the early stages of the development process is cheaper than correcting them in the production phase, and errors that reach production usually have a large impact on the reliability and robustness of the generated code and of the final system. In this paper, we propose applying the ideas of Model-Based Development to firewall access control list modelling and automatic rule set generation. First, an analysis of the firewall languages most widely used in the industry is conducted. Next, a Platform-Independent Model for firewall ACLs is proposed. This model is the result of an exhaustive analysis and of a discussion of different modelling alternatives in a bottom-up methodology. Then, we propose adding a verification stage to the early stages of the Model-Based Development methodology, together with a polynomial-time process and algorithms to detect and diagnose inconsistencies in the Platform-Independent Model. Finally, a theoretical complexity analysis and empirical tests with real models were conducted in order to prove the feasibility of our proposal in real environments.
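The verification stage described above, as an added illustration that is not the paper's own model or algorithm: a simplified platform-independent rule representation (assumed here: protocol, source and destination prefixes, destination port range, first-match semantics) and an O(n^2) pairwise check that reports a later rule as shadowed when an earlier rule with a different action matches every packet it matches, or as redundant when the covering rule has the same action. The shadowed/redundant terminology is the common conflict taxonomy, not the paper's definitions, and the rule set is constructed sample data.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network


@dataclass(frozen=True)
class Rule:
    """One platform-independent ACL rule (simplified, assumed representation)."""
    id: int
    action: str          # "allow" or "deny"
    proto: str           # "tcp", "udp" or "any"
    src: IPv4Network
    dst: IPv4Network
    dport: tuple         # inclusive (low, high) destination port range


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    proto_ok = outer.proto == "any" or outer.proto == inner.proto
    port_ok = outer.dport[0] <= inner.dport[0] and inner.dport[1] <= outer.dport[1]
    return (proto_ok and port_ok
            and inner.src.subnet_of(outer.src)
            and inner.dst.subnet_of(outer.dst))


def diagnose(rules):
    """Pairwise check of a first-match rule set; polynomial (O(n^2)) in the
    number of rules. Returns (kind, covering_rule_id, dead_rule_id) tuples,
    naming the first earlier rule that makes the later rule unreachable."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                kind = "shadowed" if earlier.action != later.action else "redundant"
                findings.append((kind, earlier.id, later.id))
                break
    return findings


# Constructed sample rule set: R2 is shadowed by R1 (opposite action),
# R4 is redundant with R1 (same action), R3 and R5 are reachable.
SAMPLE_RULES = [
    Rule(1, "allow", "tcp", ip_network("10.0.0.0/8"), ip_network("192.168.1.10/32"), (80, 80)),
    Rule(2, "deny", "tcp", ip_network("10.0.1.0/24"), ip_network("192.168.1.10/32"), (80, 80)),
    Rule(3, "allow", "udp", ip_network("0.0.0.0/0"), ip_network("0.0.0.0/0"), (53, 53)),
    Rule(4, "allow", "tcp", ip_network("10.0.2.0/24"), ip_network("192.168.1.10/32"), (80, 80)),
    Rule(5, "deny", "any", ip_network("0.0.0.0/0"), ip_network("0.0.0.0/0"), (0, 65535)),
]

if __name__ == "__main__":
    for kind, cause, dead in diagnose(SAMPLE_RULES):
        print(f"R{dead} is {kind} by R{cause}")
```

Because the check is done on the model rather than on generated vendor syntax, the same diagnosis applies whichever low-level language is later emitted.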
