A formal logic approach to firewall packet filtering analysis and generation

Recent years have seen a significant increase in the use of computers and in their capacity to communicate with each other. With this has come the need for more security, and firewalls have proved themselves an important piece of the overall architecture, as the body of rules they implement is what actually realises the security policy of their owners. Unfortunately, there is little help for administrators in understanding the actual meaning of firewall rules. This work shows that formal logic is an important tool in this respect, because it is particularly apt at modelling real-world situations and its formalism is conducive to reasoning about such a model. As a consequence, logic may be used to prove the properties of the models it represents and is a sensible way to create those models on computers in order to automate such activities. We describe here a prototype which includes a description of a network and the body of firewall rules applied to its components. We were able to detect a number of anomalies within the rule-set: nonexistent elements (e.g. hosts or services on destination components), redundancies in rules defining the same action for a network and for hosts belonging to it, irrelevance, where rules would involve traffic that would not pass through the filtering device, and contradictions in the actions applied to an element or to a network and its hosts. The prototype also produces actual firewall rules, generated from the model and expressed in the syntax of IPChains and Cisco's PIX.
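As an added illustration (example code, not the paper's prototype or its data): a small Python model of a network and a rule-set, with checks for the four anomaly classes named above and an emitter for IPChains syntax. The networks, hosts, services, paths and rules are constructed; treating a network as "covering" its hosts by declared membership, and emitting into the forward chain, are assumptions of this example.

```python
# Constructed model (example data, not the paper's): networks, the hosts on them, the
# services each host offers, and which (src, dst) network pairs actually cross each device.
NETWORKS = {"lan": "10.0.0.0/24", "dmz": "10.0.1.0/24", "wan": "0.0.0.0/0"}
HOSTS = {"10.0.0.5": "lan", "10.0.1.5": "dmz", "10.0.1.6": "dmz"}
SERVICES = {"10.0.0.5": {22}, "10.0.1.5": {80, 443}, "10.0.1.6": {25}}
PATHS = {"fw1": {("lan", "dmz"), ("wan", "dmz")}}

# A rule is (device, action, source, destination, tcp_port); endpoints are network names or host IPs.
RULES = [
    ("fw1", "permit", "lan", "10.0.1.5", 80),
    ("fw1", "permit", "10.0.0.5", "10.0.1.5", 80),   # same action as rule 0, for a host of "lan"
    ("fw1", "deny", "10.0.0.5", "10.0.1.5", 443),
    ("fw1", "permit", "lan", "10.0.1.5", 443),       # opposite action to rule 2 for the host's network
    ("fw1", "permit", "wan", "10.0.1.6", 80),         # 10.0.1.6 offers no service on port 80
    ("fw1", "permit", "dmz", "10.0.0.5", 22),         # dmz -> lan traffic never crosses fw1
]

def network_of(endpoint):
    """Network an endpoint belongs to (a network name maps to itself); None if unknown."""
    return endpoint if endpoint in NETWORKS else HOSTS.get(endpoint)
def covers(general, specific):
    """True when `general` is a network and `specific` is one of its hosts (assumed membership model)."""
    return general in NETWORKS and HOSTS.get(specific) == general
def analyse(rules):
    """Return the anomalies found in `rules` as (kind, rule indices) tuples."""
    findings = []
    for i, (dev, _act, src, dst, port) in enumerate(rules):
        if network_of(src) is None or network_of(dst) is None or (
                dst in HOSTS and port not in SERVICES.get(dst, set())):
            findings.append(("nonexistent", (i,)))       # unknown endpoint or unserved port
        elif (network_of(src), network_of(dst)) not in PATHS.get(dev, set()):
            findings.append(("irrelevant", (i,)))        # traffic would not pass through dev
    for i, a in enumerate(rules):
        for j, b in enumerate(rules):
            if i == j or a[0] != b[0] or a[4] != b[4]:
                continue
            # `a` must be the network-level rule and `b` a host-level rule it covers.
            same_src = a[2] == b[2] or covers(a[2], b[2])
            same_dst = a[3] == b[3] or covers(a[3], b[3])
            if not (same_src and same_dst) or (a[2] == b[2] and a[3] == b[3]):
                continue
            kind = "redundant" if a[1] == b[1] else "contradiction"
            findings.append((kind, tuple(sorted((i, j)))))
    return findings

def to_ipchains(rule):
    """Emit a rule in IPChains syntax; use of the forward chain is an assumption of this example."""
    _dev, action, src, dst, port = rule
    cidr = lambda e: NETWORKS.get(e, e + "/32")
    return f"ipchains -A forward -p tcp -s {cidr(src)} -d {cidr(dst)} {port} -j {'ACCEPT' if action == 'permit' else 'DENY'}"
```

Running `analyse(RULES)` flags rule 4 as nonexistent, rule 5 as irrelevant, rules 0 and 1 as redundant, and rules 2 and 3 as contradictory.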
