Automatic verification of conformance of firewall configurations to security policies

The configuration of firewalls is highly error prone, and automated solutions are needed to analyze its correctness. We propose a formal and automatic method for checking whether a firewall reacts correctly with respect to a security policy given in a high-level declarative language. When errors are detected, feedback is returned to the user in order to correct the firewall configuration. Furthermore, the procedure verifies that no conflicts exist within the security policy. We show that our method is both correct and complete. Finally, it has been implemented in a prototype verifier based on a satisfiability modulo theories (SMT) solver. Experiments conducted on relevant case studies demonstrate the efficiency and scalability of the approach.
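The following is an added illustration of the two checks the abstract describes (conformance of a first-match firewall to a declarative policy, with a counterexample packet as feedback, and conflict detection within the policy); it is not the paper's verifier. Where the paper encodes the problem for an SMT solver, this example swaps in an exhaustive enumeration of boundary witnesses, which is complete for the interval-and-set constraints used here; the packet fields, rule format and sample policy are all assumed for the illustration.

```python
from itertools import product

ZONES, PROTOS = ("lan", "wan"), ("tcp", "udp")  # assumed finite field domains

def matches(cond, pkt):
    """cond maps a field to an allowed set, or 'dport' to an inclusive (lo, hi) range."""
    for field, allowed in cond.items():
        if isinstance(allowed, tuple):
            if not allowed[0] <= pkt[field] <= allowed[1]:
                return False
        elif pkt[field] not in allowed:
            return False
    return True

def firewall_decision(rules, pkt, default="deny"):
    """First-match semantics: the first rule whose condition matches decides."""
    for cond, action in rules:
        if matches(cond, pkt):
            return action
    return default

def witness_packets(rules, policy):
    """A port's set of satisfied constraints only changes at a lower bound lo or just past
    an upper bound hi, so {0} + every lo + every hi+1 hits each equivalence class of ports."""
    ports = {0}
    for cond, _ in rules + policy:
        if "dport" in cond:
            ports.update({cond["dport"][0], cond["dport"][1] + 1})
    ports = sorted(p for p in ports if p <= 65535)
    return [dict(src=z, proto=p, dport=d) for z, p, d in product(ZONES, PROTOS, ports)]

def policy_conflicts(policy):
    """Packets on which two policy requirements demand different actions."""
    return [pkt for pkt in witness_packets([], policy)
            if len({a for c, a in policy if matches(c, pkt)}) > 1]

def check_conformance(rules, policy):
    """None if the firewall conforms to every requirement; otherwise the feedback
    triple (counterexample packet, decision taken, decision required)."""
    for pkt in witness_packets(rules, policy):
        for cond, expected in policy:
            if matches(cond, pkt) and (got := firewall_decision(rules, pkt)) != expected:
                return pkt, got, expected
    return None

# Constructed sample: the policy requires SSH from the WAN to be denied and DNS to be
# allowed, but rule 1 opens tcp 20-22 to every source, so tcp/22 from wan is reported.
POLICY = [({"src": {"wan"}, "proto": {"tcp"}, "dport": (22, 22)}, "deny"),
          ({"proto": {"udp"}, "dport": (53, 53)}, "allow")]
RULES = [({"proto": {"tcp"}, "dport": (20, 22)}, "allow"),
         ({"proto": {"udp"}, "dport": (53, 53)}, "allow")]
```

Calling `check_conformance(RULES, POLICY)` returns the offending packet together with the decision taken and the one the policy required, which is the kind of feedback the user needs to correct the rule; `policy_conflicts` is run first so that an inconsistent policy is not checked against the firewall at all.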
