A Feasible Visualized System for Anomaly Diagnosis of Internet Firewall Rules

While configuring firewalls, rule configuration has to conform to the demands of the network security policies. Firewall rule editing, ordering, and distribution must always be done very carefully on each of the cooperating firewalls, especially in a network equipped with multiple firewalls. Nevertheless, network operators are prone to misconfiguring firewalls, since a single firewall can hold thousands or even hundreds of thousands of filtering rules (i.e., rules in its access control list (ACL) file); in addition, the rules within each firewall can interact with and adversely affect one another, which makes matters worse. Our work therefore builds a feasible diagnosis system for detecting anomalies among firewall rules, which often cause inconsistencies between the demands of the network security policies and the actual firewall rule configuration. The system collects the ACL rules from all of the firewalls in the managed network and then builds a RAR tree (rule anomaly relation tree) from the collected rules. Using the RAR tree, we can not only diagnose intra-ACL rule anomalies more efficiently, but also make the diagnosis of inter-ACL rule anomalies much easier and more flexible.
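To make the notion of an intra-ACL rule anomaly concrete, the following is an added example (not the paper's code, and not its RAR tree, whose structure the abstract does not describe). It applies the widely used pairwise anomaly taxonomy from the firewall-policy literature (shadowing, redundancy, generalization, correlation) to an ordered ACL: each rule is compared with every later rule, the match sets are related field by field, and the relation plus the two actions determine the anomaly. The `Rule` type, the five-tuple fields and the sample ACL are constructed for this illustration.

```python
"""Pairwise intra-ACL anomaly classification for an ordered firewall rule list.

Added illustration, not the paper's RAR tree. A rule matches on protocol,
source/destination CIDR and an inclusive destination port range.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str              # "permit" or "deny"
    proto: str               # "tcp", "udp", "icmp" or "any"
    src: str                 # source network, CIDR notation
    dst: str                 # destination network, CIDR notation
    dport: Tuple[int, int]   # inclusive destination port range


# How the match set of field value a relates to field value b.
EQ, SUB, SUP, OVERLAP, DISJOINT = "eq", "sub", "sup", "overlap", "disjoint"


def proto_rel(a: str, b: str) -> str:
    if a == b:
        return EQ
    if b == "any":
        return SUB
    if a == "any":
        return SUP
    return DISJOINT


def net_rel(a: str, b: str) -> str:
    na, nb = ip_network(a, strict=False), ip_network(b, strict=False)
    if na == nb:
        return EQ
    if na.subnet_of(nb):
        return SUB
    if nb.subnet_of(na):
        return SUP
    return DISJOINT  # CIDR blocks are either nested or disjoint, never partially overlapping


def port_rel(a: Tuple[int, int], b: Tuple[int, int]) -> str:
    if a == b:
        return EQ
    if a[1] < b[0] or b[1] < a[0]:
        return DISJOINT
    if b[0] <= a[0] and a[1] <= b[1]:
        return SUB
    if a[0] <= b[0] and b[1] <= a[1]:
        return SUP
    return OVERLAP


def rule_rel(a: Rule, b: Rule) -> str:
    """Relation of a's whole match set to b's, combined over all fields."""
    rels = {proto_rel(a.proto, b.proto), net_rel(a.src, b.src),
            net_rel(a.dst, b.dst), port_rel(a.dport, b.dport)}
    if DISJOINT in rels:
        return DISJOINT        # one disjoint field means no packet matches both
    if rels == {EQ}:
        return EQ
    if rels <= {EQ, SUB}:
        return SUB             # a is contained in b
    if rels <= {EQ, SUP}:
        return SUP             # a contains b
    return OVERLAP             # containment goes both ways in different fields


def classify(earlier: Rule, later: Rule) -> Optional[str]:
    """Name the anomaly between an earlier rule and a later one, if any."""
    rel = rule_rel(later, earlier)
    differ = earlier.action != later.action
    if rel in (EQ, SUB):
        # The later rule can never match a packet: shadowed if the actions
        # differ, redundant if they agree.
        return "shadowing" if differ else "redundancy"
    if rel == SUP:
        # The later rule is more general; the earlier rule is an exception to
        # it, or redundant to it when both take the same action. This pairwise
        # check ignores rules in between.
        return "generalization" if differ else "redundancy"
    if rel == OVERLAP and differ:
        return "correlation"   # order decides the outcome for the shared packets
    return None


def find_anomalies(rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """Return (anomaly, earlier rule, later rule) for every anomalous pair."""
    findings = []
    for i, rx in enumerate(rules):
        for ry in rules[i + 1:]:
            kind = classify(rx, ry)
            if kind:
                findings.append((kind, rx.name, ry.name))
    return findings


# Constructed sample ACL (not taken from the paper).
SAMPLE_ACL = [
    Rule("R1", "permit", "tcp", "10.0.0.0/8",   "192.168.1.0/24", (80, 80)),
    Rule("R2", "deny",   "tcp", "10.1.0.0/16",  "192.168.1.0/24", (80, 80)),
    Rule("R3", "permit", "tcp", "10.2.0.0/16",  "192.168.1.0/24", (80, 80)),
    Rule("R4", "deny",   "tcp", "10.1.0.0/16",  "0.0.0.0/0",      (0, 1023)),
    Rule("R5", "deny",   "any", "0.0.0.0/0",    "0.0.0.0/0",      (0, 65535)),
]

if __name__ == "__main__":
    for kind, a, b in find_anomalies(SAMPLE_ACL):
        print(f"{kind:<14} {a} -> {b}")
```

Running it on the sample ACL reports R2 as shadowed by R1 (a deny that can never fire), R3 as redundant to R1, R1 and R4 as correlated (their shared packets are decided purely by order), and the catch-all R5 as a generalization of the permits before it. The O(n^2) pairwise scan is what a tree-structured index of rule relations, such as the RAR tree the abstract describes, is meant to avoid on large ACLs.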
