Firewall Policy Queries

Firewalls are crucial elements in network security, and have been widely deployed in most businesses and institutions for securing private networks. The function of a firewall is to examine each incoming and outgoing packet and decide whether to accept or to discard the packet based on its policy. Due to the lack of tools for analyzing firewall policies, most firewalls on the Internet have been plagued with policy errors. A firewall policy error either creates security holes that will allow malicious traffic to sneak into a private network or blocks legitimate traffic and disrupts normal business processes, which in turn could lead to irreparable, if not tragic, consequences. Because a firewall may have a large number of rules and the rules often conflict, understanding and analyzing the function of a firewall has been known to be notoriously difficult. An effective way to assist firewall administrators in understanding and analyzing the function of their firewalls is by issuing queries. An example of a firewall query is "Which computers in the private network can receive packets from a known malicious host in the outside Internet?" Two problems need to be solved in order to make firewall queries practically useful: how to describe a firewall query and how to process a firewall query. In this paper, we first introduce a simple and effective SQL-like query language, called the Structured Firewall Query Language (SFQL), for describing firewall queries. Second, we give a theorem, called the Firewall Query Theorem, as the foundation for developing firewall query processing algorithms. Third, we present an efficient firewall query processing algorithm, which uses decision diagrams as its core data structure. Fourth, we propose methods for optimizing firewall query results. Finally, we present methods for performing the union, intersect, and minus operations on firewall query results.
Our experimental results show that our firewall query processing algorithm is very efficient: it takes less than 10 milliseconds to process a query over a firewall that has up to 10,000 rules.
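As an added illustration (not the paper's code, and not its SFQL implementation), the following Python sketch answers a query of the kind quoted above by brute force over a small constructed first-match policy; the rule list, host numbering, port domain and helper names are all assumptions, and the enumeration is exactly what the paper's decision-diagram algorithm avoids.

```python
# Added example (not the paper's code): brute-force evaluation of an SFQL-style
# firewall query over a first-match rule list. Field domains are kept tiny so
# the "for every packet" semantics can be enumerated exactly.
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class Rule:
    src: range      # source host ids covered by the rule
    dst: range      # destination host ids covered by the rule
    port: range     # destination ports covered by the rule
    decision: str   # "accept" or "discard"

FIELD = {"src": 0, "dst": 1, "port": 2}

def decide(rules, pkt, default="discard"):
    """First-match semantics: the first rule containing the packet decides."""
    src, dst, port = pkt
    for r in rules:
        if src in r.src and dst in r.dst and port in r.port:
            return r.decision
    return default

def query(rules, domains, select, where, decision="accept"):
    """SELECT <select> FROM <rules> WHERE <where> AND decision = <decision>.
    Returns the set of values field `select` takes over matching packets."""
    return {pkt[FIELD[select]] for pkt in product(*domains)
            if where(pkt) and decide(rules, pkt) == decision}

# Constructed sample policy (assumption). Hosts 0-4 are "outside", 5-9 are the
# private network; host 3 plays the known malicious host from the query above.
DOMAINS = (range(10), range(10), range(4))
POLICY = [
    Rule(range(0, 5), range(5, 8), range(0, 1), "accept"),   # outside -> hosts 5-7, port 0
    Rule(range(3, 4), range(0, 10), range(0, 4), "discard"), # block host 3 (partly shadowed!)
    Rule(range(0, 10), range(8, 9), range(1, 2), "accept"),  # anyone -> host 8, port 1
]

def reachable_from(host, rules=POLICY, domains=DOMAINS):
    """Which private hosts (ids 5-9) can receive packets from `host`?"""
    return query(rules, domains, "dst",
                 lambda p: p[FIELD["src"]] == host and p[FIELD["dst"]] >= 5)

if __name__ == "__main__":
    # Rule 2 was meant to block host 3 entirely, but rule 1 precedes it, so
    # hosts 5-7 are still reachable on port 0; host 8 is correctly blocked.
    print(sorted(reachable_from(3)))                        # [5, 6, 7]
    # Query results compose with ordinary set algebra (union / intersect / minus).
    print(sorted(reachable_from(1) - reachable_from(3)))    # [8]
```

The conflicting rule order is the kind of policy error the query exposes: the "discard" rule for host 3 is shadowed by the earlier accept rule for part of its packets.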
