Diverse Firewall Design

Firewalls are the mainstay of enterprise security and the most widely adopted technology for protecting private networks. An error in a firewall policy either creates security holes that will allow malicious traffic to sneak into a private network or blocks legitimate traffic and disrupts normal business processes, which in turn could lead to irreparable, if not tragic, consequences. It has been observed that most firewall policies on the Internet are poorly designed and have many errors. Therefore, how to design firewall policies correctly is an important issue. In this paper, we propose the method of diverse firewall design, which consists of three phases: a design phase, a comparison phase, and a resolution phase. In the design phase, the same requirement specification of a firewall policy is given to multiple teams who proceed independently to design different versions of the firewall policy. In the comparison phase, the resulting multiple versions are compared with each other to detect all functional discrepancies between them. In the resolution phase, all discrepancies are resolved and a firewall that is agreed upon by all teams is generated.
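The comparison phase described above, as an added example that is not code from the paper: two teams' first-match rule lists are compared for functional discrepancies by cutting each packet field at every interval boundary any rule uses, so that testing one representative packet per cell covers the whole packet space. The field names, domain sizes, `accept`/`discard` decisions and both sample policies are constructed for this example.

```python
from itertools import product

# Constructed example (not from the paper): a rule is (predicate, decision), the
# predicate being a closed integer interval per field; a policy is a first-match list.
FIELDS = ("src", "dst", "port")
DOMAIN = {"src": (0, 255), "dst": (0, 255), "port": (0, 65535)}

def rule(decision, **pred):
    """Fields not named default to the whole domain (wildcard)."""
    return ({f: pred.get(f, DOMAIN[f]) for f in FIELDS}, decision)

def decide(policy, packet):
    """First-match semantics: the first rule whose predicate holds decides."""
    for pred, decision in policy:
        if all(pred[f][0] <= packet[f] <= pred[f][1] for f in FIELDS):
            return decision
    raise ValueError("incomplete policy: no rule matched the packet")

def field_cells(policies, field):
    """Cut the field's domain at every interval boundary any rule uses.
    Inside a cell, each rule matches either all values or none, so one
    representative value per cell stands for the whole cell."""
    cuts = {DOMAIN[field][0], DOMAIN[field][1] + 1}
    for policy in policies:
        for pred, _ in policy:
            lo, hi = pred[field]
            cuts.update((lo, hi + 1))
    cuts = sorted(cuts)
    return [(cuts[i], cuts[i + 1] - 1) for i in range(len(cuts) - 1)]

def discrepancies(p1, p2):
    """Every (cell, decision_of_p1, decision_of_p2) where the versions differ.
    The product of per-field cells covers the whole packet space, so an
    empty result means the two policies are functionally equivalent."""
    cells = [field_cells((p1, p2), f) for f in FIELDS]
    found = []
    for combo in product(*cells):
        cell = dict(zip(FIELDS, combo))
        representative = {f: lo for f, (lo, _) in cell.items()}
        d1, d2 = decide(p1, representative), decide(p2, representative)
        if d1 != d2:
            found.append((cell, d1, d2))
    return found

# Two teams' versions of the same requirement (constructed sample policies).
TEAM_A = [rule("accept", src=(10, 19), port=(80, 80)), rule("discard")]
TEAM_B = [rule("discard", src=(10, 10)),
          rule("accept", src=(10, 19), port=(80, 80)),
          rule("accept", src=(10, 19), port=(443, 443)), rule("discard")]
```

Each reported cell is one discrepancy for the resolution phase: here team A accepts host 10 on port 80 while team B discards it, and team B accepts hosts 11 to 19 on port 443 while team A discards them.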
