Management of stateful firewall misconfiguration

Firewall configurations are evolving into dynamic policies whose decisions depend on protocol state. As a result, stateful configurations tend to be much more error prone. Some errors occur in configurations that contain only stateful rules; others affect configurations that mix stateful and stateless rules. In both cases the result is a configuration in which the firewall performs an action on certain packets but not the related actions on other packets of the same connection (for example, accepting the packet that opens a connection while dropping the replies the protocol requires). We address automatic solutions to these problems. The permitted states and transitions of connection-oriented protocols (in essence, at any layer) are encoded as automata. Flawed rules are identified and potential modifications are proposed in order to obtain consistent configurations. We validate the feasibility of our proposal with a proof-of-concept prototype that automatically parses existing firewall configuration files and discovers flawed rules according to our approach.
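The following is an added illustration of the kind of check the abstract describes; it is not the paper's prototype and does not reproduce its rule model or its repair algorithm. A simplified TCP connection automaton is encoded as transitions tagged with the direction of the segment that fires them, and a small first-match rule set (constructed for this example, with endpoints as atomic labels rather than address ranges) is checked for two inconsistencies: a rule that lets a connection start while some later segment of that connection is accepted by no rule, and an accept rule for a segment that no accepted connection can ever produce. For each missing segment the check proposes the accept rule that would restore consistency.

```python
"""Toy consistency check for stateful TCP filtering rules (added example).

The automaton, the rule syntax and the sample rules below are constructed for
this illustration; the real paper's model and tool are not reproduced here.
"""
from collections import namedtuple

# Transitions: state -> [(segment, direction, next_state)].
# "fwd" = initiator -> responder, "rev" = responder -> initiator.
# Simplified TCP: handshake, data in both directions, close from either side.
TCP_AUTOMATON = {
    "CLOSED":       [("SYN", "fwd", "SYN_SENT")],
    "SYN_SENT":     [("SYN-ACK", "rev", "SYN_RECEIVED")],
    "SYN_RECEIVED": [("ACK", "fwd", "ESTABLISHED")],
    "ESTABLISHED":  [("DATA", "fwd", "ESTABLISHED"), ("DATA", "rev", "ESTABLISHED"),
                     ("FIN", "fwd", "FIN_WAIT"), ("FIN", "rev", "CLOSE_WAIT")],
    "FIN_WAIT":     [("FIN", "rev", "CLOSED")],
    "CLOSE_WAIT":   [("FIN", "fwd", "CLOSED")],
}

# A rule matches one segment kind between two endpoint labels; "*" is a wildcard.
Rule = namedtuple("Rule", "src dst segment action")


def _match(rule_field, value):
    # Endpoints are atomic labels; "*" overlaps everything. A real tool would
    # split overlapping address ranges instead of treating them as atoms.
    return rule_field == "*" or value == "*" or rule_field == value


def _overlaps(rule, packet):
    src, dst, segment = packet
    return _match(rule.src, src) and _match(rule.dst, dst) and rule.segment == segment


def accepts(rules, src, dst, segment):
    """First-match lookup; a packet no rule matches is dropped (default deny)."""
    for r in rules:
        if _overlaps(r, (src, dst, segment)):
            return r.action == "accept"
    return False


def connection_packets(initiator, responder):
    """All (src, dst, segment) triples a connection between the two endpoints
    can produce, found by exploring every transition reachable from CLOSED."""
    packets, seen, todo = set(), set(), ["CLOSED"]
    while todo:
        state = todo.pop()
        if state in seen:
            continue
        seen.add(state)
        for segment, direction, nxt in TCP_AUTOMATON.get(state, []):
            src, dst = (initiator, responder) if direction == "fwd" else (responder, initiator)
            packets.add((src, dst, segment))
            todo.append(nxt)
    return packets


def check_policy(rules):
    """Return the segments some accepted connection needs but no rule accepts,
    the accept rules to add for them, and accept rules nothing can ever reach."""
    missing, reachable = set(), set()
    for r in rules:
        # Every accepted connection-opening rule drags the whole automaton along.
        if r.segment == "SYN" and r.action == "accept":
            for pkt in connection_packets(r.src, r.dst):
                reachable.add(pkt)
                if not accepts(rules, *pkt):
                    missing.add(pkt)
    missing = sorted(missing)
    proposed = [Rule(src, dst, segment, "accept") for src, dst, segment in missing]
    unreachable = [r for r in rules
                   if r.action == "accept" and r.segment != "SYN"
                   and not any(_overlaps(r, p) for p in reachable)]
    return {"missing": missing, "proposed": proposed, "unreachable": unreachable}


# Constructed sample policy: HTTP from "client" to "web" is opened and used,
# but the server-initiated close is never allowed, and one rule is dead.
SAMPLE_RULES = [
    Rule("client", "web", "SYN", "accept"),
    Rule("web", "client", "SYN-ACK", "accept"),
    Rule("client", "web", "ACK", "accept"),
    Rule("client", "web", "DATA", "accept"),
    Rule("web", "client", "DATA", "accept"),
    Rule("client", "web", "FIN", "accept"),
    # no rule accepts FIN from web to client: a teardown started by web is dropped
    Rule("db", "web", "SYN-ACK", "accept"),   # dead: no rule lets web open to db
]

if __name__ == "__main__":
    report = check_policy(SAMPLE_RULES)
    for pkt, fix in zip(report["missing"], report["proposed"]):
        print("missing", pkt, "-> add", fix)
    for r in report["unreachable"]:
        print("unreachable rule", r)
```

The two findings map onto the abstract's two situations: the dropped server-side FIN is an action the firewall performs for some packets of a connection but not for the related ones, and the SYN-ACK rule from db is a stateful rule that no stateless opening rule ever makes relevant. Real configurations also need the overlapping and shadowing analysis of the stateless case, which this toy sidesteps by treating endpoints as atoms.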
