Classifying Rules by In-out Traffic Direction to Avoid Security Policy Anomaly

The continuous growth of attacks on the Internet leads to an ever larger number of rules in security devices such as Intrusion Prevention Systems, firewalls, etc. Policy anomalies in security devices create security holes and prevent the system from quickly determining whether to allow or deny a packet. Policy anomalies exist among the rules of multiple security devices as well as within a single security device. Resolving policy anomalies requires complex algorithms. In this paper, we propose a new method to remove policy anomalies in a single security device and to avoid policy anomalies among the rules of distributed security devices. The proposed method classifies rules according to traffic direction and checks for policy anomalies in each device. It is unnecessary to compare the rules for outgoing traffic with the rules for incoming traffic; therefore, by classifying rules by in-out traffic direction, the proposed method can reduce the number of rules to be compared by up to half. Instead of detecting policy anomalies across distributed security devices, each device adopts the rules of the others in order to avoid anomalies. After policy anomalies have been removed in each device, other firewalls can keep their policies consistent and anomaly-free by adopting the rules of a trusted firewall. In addition, this blocks unnecessary traffic, because a source side sends only as much traffic as the destination side accepts. We also explain another policy anomaly that can arise under a connection-oriented communication protocol.
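The following is an added example, not code from the paper, illustrating the direction-based classification the abstract describes: rules are tagged as inbound or outbound relative to an assumed protected network (10.0.0.0/8, constructed for the example), and a pairwise anomaly check is run only between rules whose direction classes overlap. The shadowing and redundancy definitions used here are the standard ones (a later rule fully covered by an earlier rule with a different or the same action, respectively) and are an assumption of this example rather than the paper's own formalization. The rule set is constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from itertools import combinations

# Assumed protected (inside) address space; constructed for this example.
INTERNAL = ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str      # "tcp", "udp" or "any"
    src: str        # source CIDR
    dst: str        # destination CIDR
    ports: tuple    # inclusive destination port range (lo, hi)
    action: str     # "allow" or "deny"


def direction(rule):
    """Return the set of traffic-direction classes a rule belongs to."""
    src_in = ip_network(rule.src).subnet_of(INTERNAL)
    dst_in = ip_network(rule.dst).subnet_of(INTERNAL)
    if src_in and not dst_in:
        return {"out"}
    if dst_in and not src_in:
        return {"in"}
    # any-to-any or inside-to-inside rules must be checked against both classes
    return {"in", "out"}


def covers(outer, inner):
    """True if every packet matched by `inner` is also matched by `outer`."""
    return (
        outer.proto in ("any", inner.proto)
        and ip_network(inner.src).subnet_of(ip_network(outer.src))
        and ip_network(inner.dst).subnet_of(ip_network(outer.dst))
        and outer.ports[0] <= inner.ports[0]
        and inner.ports[1] <= outer.ports[1]
    )


def find_anomalies(rules, classify=True):
    """Pairwise check in rule order.

    Returns (anomalies, comparisons): each anomaly is a tuple
    (later_rule, kind, earlier_rule) with kind "shadowed" or "redundant".
    With classify=True, pairs whose direction classes do not overlap are
    skipped, which is where the comparison savings come from.
    """
    anomalies, comparisons = [], 0
    for earlier, later in combinations(rules, 2):
        if classify and not (direction(earlier) & direction(later)):
            continue  # an inbound rule can never shadow an outbound one
        comparisons += 1
        if covers(earlier, later):
            kind = "shadowed" if earlier.action != later.action else "redundant"
            anomalies.append((later.name, kind, earlier.name))
    return anomalies, comparisons


# Constructed sample rule set (first-match order).
SAMPLE_RULES = [
    Rule("r1", "tcp", "10.0.0.0/8", "0.0.0.0/0", (80, 80), "allow"),
    Rule("r2", "tcp", "10.1.0.0/16", "0.0.0.0/0", (80, 80), "deny"),    # shadowed by r1
    Rule("r3", "tcp", "0.0.0.0/0", "10.0.0.5/32", (22, 22), "deny"),
    Rule("r4", "tcp", "0.0.0.0/0", "10.0.0.5/32", (22, 22), "deny"),    # redundant with r3
    Rule("r5", "udp", "0.0.0.0/0", "10.0.0.0/8", (53, 53), "allow"),
]


if __name__ == "__main__":
    for classify in (False, True):
        found, n = find_anomalies(SAMPLE_RULES, classify=classify)
        print(f"classify={classify}: {n} comparisons, anomalies={found}")
```

On the sample set the unclassified check performs 10 pairwise comparisons and the classified one 4, while both report the same two anomalies; the saving grows with the number of rules because the cross-direction pairs it skips are quadratic in the rule count. Rules that cannot be assigned to a single direction (any-to-any, or inside-to-inside) are kept in both classes so that no anomaly is missed.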
