Model Checking Firewall Policy Configurations

The use of firewalls to enforce access control policies can result in extremely complex networks. Each individual firewall may have hundreds or thousands of rules, and when combined in a network, they may result in unexpected combined behavior. To mitigate this problem, there has been recent interest in the use of model checking techniques for analyzing the behavior of firewall policy configurations, and reporting anomalies. Existing techniques for firewall policy analysis are based on decision diagrams, most normally reduced ordered Binary Decision Diagrams (BDDs). BDDs are a rich data structure, supporting more logical operations than just solving boolean formulae. Typically, search algorithms for boolean satisfiability (so-called SAT-solvers) outperform BDDs. In this paper, we show that the extra structure provided by BDDs is not necessary for firewall policy analysis, and that SAT solvers are sufficient. This argument is supported both by theoretical analysis and by experimental data.

[1]  Avishai Wool,et al.  Fang: a firewall analysis engine , 2000, Proceeding 2000 IEEE Symposium on Security and Privacy. S&P 2000.

[2]  Jørn Lind-Nielsen,et al.  BuDDy : A binary decision diagram package. , 1999 .

[3]  Armin Biere,et al.  Symbolic Model Checking without BDDs , 1999, TACAS.

[4]  Randal E. Bryant,et al.  Graph-Based Algorithms for Boolean Function Manipulation , 1986, IEEE Transactions on Computers.

[5]  Mohamed G. Gouda,et al.  Firewall design: consistency, completeness, and compactness , 2004, 24th International Conference on Distributed Computing Systems, 2004. Proceedings..

[6]  Niklas Sörensson,et al.  An Extensible SAT-solver , 2003, SAT.

[7]  Avishai Wool Architecting the Lumeta Firewall Analyzer , 2001, USENIX Security Symposium.

[8]  Chen-Nee Chuah,et al.  FIREMAN: a toolkit for firewall modeling and analysis , 2006, 2006 IEEE Symposium on Security and Privacy (S&P'06).

[9]  Albert G. Greenberg,et al.  On static reachability analysis of IP networks , 2005, Proceedings IEEE 24th Annual Joint Conference of the IEEE Computer and Communications Societies..

[10]  Terry Martin,et al.  Benchmarking Methodology for Firewall Performance , 2003, RFC.

[11]  Donald W. Loveland,et al.  A machine program for theorem-proving , 2011, CACM.

[12]  E. Allen Emerson,et al.  Temporal and Modal Logic , 1991, Handbook of Theoretical Computer Science, Volume B: Formal Models and Sematics.

[13]  Sharad Malik,et al.  Chaff: engineering an efficient SAT solver , 2001, Proceedings of the 38th Design Automation Conference (IEEE Cat. No.01CH37232).

[14]  Wolfgang Thomas,et al.  Automata on Infinite Objects , 1991, Handbook of Theoretical Computer Science, Volume B: Formal Models and Sematics.

[15]  Ehab Al-Shaer,et al.  Discovery of policy anomalies in distributed firewalls , 2004, IEEE INFOCOM 2004.

[16]  Ehab Al-Shaer,et al.  Modeling and verification of IPSec and VPN security policies , 2005, 13TH IEEE International Conference on Network Protocols (ICNP'05).

[17]  Miroslav Svéda,et al.  A Formal Model for Network-Wide Security Analysis , 2008, 15th Annual IEEE International Conference and Workshop on the Engineering of Computer Based Systems (ecbs 2008).

[18]  Jun Gu,et al.  Algorithms for the satisfiability (SAT) problem: A survey , 1996, Satisfiability Problem: Theory and Applications.

[19]  Michael R. Lyu,et al.  Firewall security: policies, testing and performance evaluation , 2000, Proceedings 24th Annual International Computer Software and Applications Conference. COMPSAC2000.