Using argumentation logic for firewall configuration management

Firewalls remain the main perimeter security protection for corporate networks. However, network size and complexity make firewall configuration and maintenance notoriously difficult. Tools are needed to analyse firewall configurations for errors, to verify that they correctly implement security requirements and to generate configurations from higher-level requirements. In this paper we extend our previous work on the use of formal argumentation and preference reasoning for firewall policy analysis and develop means to automatically generate firewall policies from higher-level requirements. This permits both analysis and generation to be done within the same framework, thus accommodating a wide variety of scenarios for authoring and maintaining firewall configurations. We validate our approach by applying it to both examples from the literature and real firewall configurations of moderate size (≈ 150 rules).
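The abstract describes two tasks on an ordered, first-match rule list: analysing it for ordering errors and generating it from higher-level requirements. The block below is an added example, not code from the paper and not its argumentation-logic framework. It is a small Python stand-in that evaluates packets against an ordered rule list, reports shadowed, redundant and correlated rule pairs, and orders requirement rules most-specific-first before appending a default deny. The networks, rules, requirements and the specificity heuristic used for ordering are all constructed for illustration.

```python
"""Toy first-match firewall policy analyser and generator (constructed example).

Not the paper's argumentation-logic approach: a plain stand-in showing the kind
of result such analysis produces. Anomaly names follow the common
shadowing / redundancy / correlation vocabulary.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

ANY = ip_network("0.0.0.0/0")
ALL_PORTS = (0, 65535)


@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: str         # "tcp", "udp" or "any"
    dport: tuple       # inclusive destination port range (lo, hi)

    def size(self) -> int:
        """Number of (src, dst, proto, port) combinations the rule matches.
        Used as a specificity measure; this heuristic is an assumption of the
        example, not something the paper defines."""
        protos = 2 if self.proto == "any" else 1
        return (self.src.num_addresses * self.dst.num_addresses
                * (self.dport[1] - self.dport[0] + 1) * protos)


def _proto_covers(outer: str, inner: str) -> bool:
    return outer == "any" or outer == inner


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    return (inner.src.subnet_of(outer.src) and inner.dst.subnet_of(outer.dst)
            and _proto_covers(outer.proto, inner.proto)
            and outer.dport[0] <= inner.dport[0] <= inner.dport[1] <= outer.dport[1])


def overlaps(a: Rule, b: Rule) -> bool:
    """True if at least one packet is matched by both rules."""
    return (a.src.overlaps(b.src) and a.dst.overlaps(b.dst)
            and (_proto_covers(a.proto, b.proto) or _proto_covers(b.proto, a.proto))
            and a.dport[0] <= b.dport[1] and b.dport[0] <= a.dport[1])


def decide(rules, src: str, dst: str, proto: str, dport: int) -> str:
    """First-match evaluation of one packet; implicit deny if nothing matches."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if (s in r.src and d in r.dst and _proto_covers(r.proto, proto)
                and r.dport[0] <= dport <= r.dport[1]):
            return r.action
    return "deny"


def analyse(rules):
    """Pairwise anomaly report as (kind, earlier_index, later_index) triples.

    shadowed:   a later rule is fully covered by an earlier rule with the
                opposite action, so it can never fire.
    redundant:  fully covered by an earlier rule with the same action.
    correlated: partial overlap with opposite actions; the outcome depends on
                rule order, so it needs a human decision (it may be intended).
    A later rule that is a superset of an earlier exception is not reported.
    """
    findings = []
    for j, later in enumerate(rules):
        for i in range(j):
            earlier = rules[i]
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                findings.append((kind, i, j))
            elif covers(later, earlier):
                continue  # earlier rule is a deliberate exception to this one
            elif overlaps(earlier, later) and earlier.action != later.action:
                findings.append(("correlated", i, j))
    return findings


def generate(requirements):
    """Order requirement rules most-specific-first, so that exceptions precede
    the general rules they carve out, then close with a default deny."""
    return sorted(requirements, key=Rule.size) + [Rule("deny", ANY, ANY, "any", ALL_PORTS)]


# Constructed addresses and a "legacy" configuration with two classic errors.
DMZ = ip_network("10.0.1.0/24")
WEB = ip_network("10.0.1.10/32")
CORP = ip_network("10.0.0.0/8")
BADNET = ip_network("192.168.5.0/24")

LEGACY = [
    Rule("deny", ANY, WEB, "tcp", (22, 22)),        # 0
    Rule("allow", CORP, WEB, "tcp", (22, 22)),      # 1: shadowed by 0, admin SSH never works
    Rule("allow", ANY, DMZ, "tcp", (80, 80)),       # 2
    Rule("deny", BADNET, DMZ, "any", ALL_PORTS),    # 3: correlated with 2, port 80 leaks through
]

# The same intent expressed as unordered requirements; generate() orders them.
REQUIREMENTS = [
    Rule("allow", ANY, DMZ, "tcp", (80, 80)),
    Rule("deny", BADNET, DMZ, "any", ALL_PORTS),
    Rule("allow", CORP, WEB, "tcp", (22, 22)),
]

if __name__ == "__main__":
    print("legacy findings:", analyse(LEGACY))
    generated = generate(REQUIREMENTS)
    print("generated findings:", analyse(generated))
    print("BADNET -> DMZ:80 under legacy:", decide(LEGACY, "192.168.5.7", "10.0.1.20", "tcp", 80))
    print("BADNET -> DMZ:80 under generated:", decide(generated, "192.168.5.7", "10.0.1.20", "tcp", 80))
```

Running the analyser over the generated list still reports one correlated pair (the subnet deny placed ahead of the general web allow); that is the intended exception, which is why a correlation finding is a prompt for review rather than an error in itself, whereas the shadowed rule in the legacy list is always a defect.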
