Tri-Modularization of Firewall Policies

Firewall policies are notorious for containing misconfiguration errors that can defeat their intended purpose of protecting hosts in the network from malicious users. We believe this is because today's firewall policies are mostly monolithic. Inspired by ideas from modular programming and code refactoring, in this work we introduce three kinds of modules: primary, auxiliary, and template. They facilitate the refactoring of a firewall policy into smaller, reusable, comprehensible, and more manageable components. We present algorithms for generating each of the three kinds of module for a given legacy firewall policy. We also develop ModFP, an automated tool for converting legacy firewall policies represented as access control lists (ACLs) into their modularized format. With the help of ModFP, when examining several real-world policies with sizes ranging from dozens to hundreds of rules, we were able to identify subtle errors.
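The abstract argues that a monolithic ACL hides errors that a modularized policy would expose. The script below is an added illustration of that idea and is not ModFP or any code from the paper: it parses a small constructed ACL, groups rules into named reusable blocks, and flags rules that an earlier rule already decides (a rule shadowed by an opposite-action rule is the kind of subtle error the abstract refers to). The ACL syntax, the grouping of rules by source network, and the `covers` check are assumptions made for this example; the paper's primary, auxiliary and template modules are not defined here and are not modelled.

```python
"""Added illustration (not the paper's ModFP): refactor a monolithic ACL into
named rule groups and flag rules that an earlier rule already decides.
ACL syntax, grouping criterion and coverage check are assumptions."""
import ipaddress
from collections import OrderedDict
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    proto: str                     # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: tuple                   # (low, high) destination port range


ANY_NET = ipaddress.ip_network("0.0.0.0/0")

# Constructed sample policy: first match wins, one rule per line.
ACL = """
deny   tcp 10.0.1.0/24  any 23        # block telnet from the lab segment
permit tcp 10.0.1.0/24  any 80-443
permit tcp 10.0.1.0/24  any 22
permit tcp 10.0.2.0/24  any 80-443
permit tcp 10.0.1.10/32 any 23        # admin telnet: never reached (rule 0)
permit tcp 10.0.2.0/25  any 443       # already covered by rule 3
deny   any any          any any
"""


def _net(token):
    return ANY_NET if token == "any" else ipaddress.ip_network(token, strict=False)


def _ports(token):
    if token == "any":
        return (0, 65535)
    lo, _, hi = token.partition("-")
    return (int(lo), int(hi or lo))


def parse_acl(text):
    """Parse 'action proto src dst dport' lines (constructed syntax) into Rules."""
    rules = []
    for line in text.strip().splitlines():
        line = line.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        action, proto, src, dst, ports = line.split()
        rules.append(Rule(action, proto, _net(src), _net(dst), _ports(ports)))
    return rules


def covers(outer, inner):
    """True when every packet matched by `inner` is also matched by `outer`."""
    return (outer.proto in ("any", inner.proto)
            and inner.src.subnet_of(outer.src)
            and inner.dst.subnet_of(outer.dst)
            and outer.ports[0] <= inner.ports[0]
            and inner.ports[1] <= outer.ports[1])


def find_anomalies(rules):
    """Return (index, kind, earlier_index) for rules fully decided earlier.
    'shadowed': the earlier rule has the opposite action, so this rule never
    fires and the policy does not do what its author wrote.
    'redundant': same action, so the rule is dead weight."""
    found = []
    for i, rule in enumerate(rules):
        for j in range(i):
            if covers(rules[j], rule):
                kind = "redundant" if rules[j].action == rule.action else "shadowed"
                found.append((i, kind, j))
                break
    return found


def modularize(rules):
    """Group rules by source network into named blocks, preserving order.
    Grouping by source network is an assumed criterion for this example."""
    modules = OrderedDict()
    for rule in rules:
        modules.setdefault(f"from_{rule.src.with_prefixlen}", []).append(rule)
    return modules


if __name__ == "__main__":
    parsed = parse_acl(ACL)
    for i, kind, j in find_anomalies(parsed):
        print(f"rule {i} is {kind} by rule {j}")
    for name, block in modularize(parsed).items():
        print(f"{name}: {len(block)} rule(s)")
```

Running it reports rule 4 as shadowed by rule 0 and rule 5 as redundant with rule 3; grouping the lab segment's rules under one name also makes it visible that the same 10.0.1.0/24 network is referenced by rules scattered across the list.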
