An expert system for analyzing firewall rules

When deploying firewalls in an organization, it is essential to verify that they are configured properly. The problem of working out what a given firewall configuration actually does arises, for instance, when a new network administrator takes over, or when a third party performs a technical security audit of the organization. While the problem can be approached by testing, non-intrusive techniques are often preferred. Existing tools for analyzing firewall configurations usually rely on hard-coded algorithms for analyzing access lists. In this paper we present a tool based on constraint logic programming (CLP) which allows the user to write higher-level operations, e.g., for detecting common configuration mistakes. Our tool understands Cisco router access lists and is implemented in ECLiPSe, a constraint logic programming language. The problem of analyzing firewall configurations lends itself naturally to an expert-system approach. We found it surprisingly easy to express knowledge about networking, firewalls, and common configuration mistakes as logic statements. Using an existing generic inference engine allowed us to focus on defining the core concepts and relationships in the knowledge base.
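To make concrete what "detecting common configuration mistakes" in a Cisco access list involves, here is an added example written for this page; it is not the paper's ECLiPSe tool, and it uses plain Python interval checks rather than a CLP engine. It parses numbered extended IOS access-list entries (the `any` / `host A` / `A WILDCARD` address forms and `eq` / `range` port qualifiers, assuming contiguous wildcard masks and ignoring trailing keywords such as `log` or `established`), reports entries that an earlier entry makes unreachable, and answers first-match queries for a given packet. The access list itself is constructed for the example.

```python
# Static analysis of extended Cisco IOS access lists. Each entry becomes five
# integer intervals (protocol, src, sport, dst, dport); entry A "covers" entry
# B when each interval of A contains B's. Editor's illustration, not the
# paper's ECLiPSe tool.
import ipaddress
from dataclasses import dataclass

ANY_IP = (0, 2**32 - 1)
ANY_PORT = (0, 65535)
# IP protocol numbers; the keyword "ip" is the wildcard covering all of them.
PROTO = {"ip": (0, 255), "icmp": (1, 1), "tcp": (6, 6), "udp": (17, 17)}


@dataclass(frozen=True)
class Rule:
    action: str      # "permit" or "deny"
    match: tuple     # (proto, src, sport, dst, dport), each a (lo, hi) interval
    text: str


def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr(tok, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tok[i]; return (interval, next i)."""
    if tok[i] == "any":
        return ANY_IP, i + 1
    if tok[i] == "host":
        a = _ip(tok[i + 1])
        return (a, a), i + 2
    a, wild = _ip(tok[i]), _ip(tok[i + 1])
    # Wildcard bits set to 1 are "don't care"; assumes a contiguous mask so the
    # matched addresses form a single interval.
    return (a & ~wild & 0xFFFFFFFF, a | wild), i + 2

def _port(tok, i):
    """Optional 'eq N' or 'range A B' at tok[i]; absent means any port."""
    op = tok[i] if i < len(tok) else None
    if op == "eq":
        return (int(tok[i + 1]), int(tok[i + 1])), i + 2
    if op == "range":
        return (int(tok[i + 1]), int(tok[i + 2])), i + 3
    return ANY_PORT, i

def parse_acl(text):
    """Parse 'access-list N <permit|deny> <proto> <src> [port] <dst> [port]' lines."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] != "access-list":
            continue
        proto = PROTO[tok[3]]
        src, i = _addr(tok, 4)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, i = _port(tok, i)
        # Trailing keywords (log, established, ...) are ignored here; a real
        # analyzer must model "established", which narrows the match.
        rules.append(Rule(tok[2], (proto, src, sport, dst, dport), line))
    return rules

def covers(a, b):
    """True if every packet matched by rule b is also matched by rule a."""
    return all(al <= bl and bh <= ah for (al, ah), (bl, bh) in zip(a.match, b.match))

def find_unreachable(rules):
    """(later, earlier, kind) for entries fully covered by one earlier entry:
    'redundant' if the action is the same, 'shadowed' if it differs."""
    findings = []
    for j, later in enumerate(rules):
        for i in range(j):
            if covers(rules[i], later):
                kind = "redundant" if rules[i].action == later.action else "shadowed"
                findings.append((j, i, kind))
                break
    return findings

def lookup(rules, proto, src, dst, sport, dport):
    """First-match semantics with the implicit deny at the end of every ACL."""
    pkt = (PROTO[proto][0], _ip(src), sport, _ip(dst), dport)
    for r in rules:
        if all(lo <= v <= hi for (lo, hi), v in zip(r.match, pkt)):
            return r.action
    return "deny"

# Constructed sample configuration (not taken from the paper).
SAMPLE_ACL = """
access-list 101 permit tcp 10.1.1.0 0.0.0.255 any eq 22
access-list 101 deny tcp host 10.1.1.200 any eq 22
access-list 101 permit udp any host 10.2.2.53 eq 53
access-list 101 permit tcp 10.1.1.0 0.0.0.255 any eq 80
access-list 101 permit tcp host 10.1.1.9 any eq 80
access-list 101 deny ip any any
"""

if __name__ == "__main__":
    rules = parse_acl(SAMPLE_ACL)
    for later, earlier, kind in find_unreachable(rules):
        print(f"entry {later} is {kind} by entry {earlier}: {rules[later].text}")
```

On the sample list, entry 1 (the deny for host 10.1.1.200) is shadowed by entry 0, so the intended block never fires, and entry 4 is redundant with entry 3. Note the limitation of this check: it only finds an entry covered by a single earlier entry; an entry covered by the union of several earlier ones needs the set reasoning a CLP engine provides, which is the kind of higher-level operation the paper's tool lets the user write.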
