On synthesizing distributed firewall configurations considering risk, usability and cost constraints

Firewalls are the most widely deployed security devices in computer networks. Nevertheless, designing and configuring distributed firewalls, which includes determining both the access control rules and the placement of devices in the network, remains a significantly complex task, as it requires balancing connectivity requirements against the inherent risk and cost. Formal approaches that allow the distributed firewall configuration space to be explored systematically are highly needed to support design decisions under multiple constraints. The objective of this paper is to automatically synthesize a distributed filtering architecture and configuration that minimizes security risk while satisfying connectivity requirements, user usability and budget constraints. Our automatic synthesis generates not only the complete rule configuration for each firewall, satisfying the risk and connectivity constraints, but also the optimal firewall placement in the network to minimize spurious traffic. We define fine-grained risk, usability and cost metrics that can be tuned to match business requirements, and formalize configuration synthesis as an optimization problem. We then show that distributed firewall synthesis is an NP-hard problem and provide heuristic approximation algorithms. We implemented our approach in a tool called FireBlanket, which was rigorously evaluated under different network sizes, topologies and budget requirements. Our evaluation shows that the results obtained by FireBlanket are close to the theoretical lower bound and that performance scales with network size.
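A toy illustration of the synthesis problem the abstract describes, added here as an example and not the paper's own model or FireBlanket's algorithm: it assumes a hop-count proxy for spurious traffic (how far a denied flow travels before a firewall drops it), a per-node placement cost, and a constructed four-flow network, and uses exhaustive search, which is only viable for tiny instances given the NP-hardness result.

```python
"""Toy distributed firewall synthesis: pick firewall locations under a budget so
every denied flow is blocked with minimal spurious traffic, then emit per-firewall
rules. Metrics, data and algorithm are illustrative assumptions, not the paper's."""
from itertools import combinations

# Constructed sample: (src, dst, path of nodes src..dst, allowed?)
FLOWS = [
    ("h1", "db", ["h1", "r1", "r2", "db"], False),
    ("h2", "db", ["h2", "r1", "r2", "db"], True),
    ("h3", "web", ["h3", "r3", "r2", "web"], False),
    ("h1", "web", ["h1", "r1", "r2", "web"], True),
]
# Constructed candidate placement points (routers) and their deployment cost
COST = {"r1": 3, "r2": 5, "r3": 2}

def spurious_hops(placement, flows):
    """Sum over denied flows of hops travelled before hitting a firewall.
    Returns None if some denied flow reaches its destination unblocked."""
    total = 0
    for _src, _dst, path, allowed in flows:
        if allowed:
            continue
        hops = next((i for i, node in enumerate(path) if node in placement), None)
        if hops is None:
            return None  # a denied flow leaks: this placement is infeasible
        total += hops
    return total

def synthesize(flows, cost, budget):
    """Exhaustive search (fine for a handful of nodes): feasible placement within
    budget with the least spurious traffic, plus the rule set per firewall."""
    best = None
    for k in range(1, len(cost) + 1):
        for cand in combinations(cost, k):
            if sum(cost[n] for n in cand) > budget:
                continue
            hops = spurious_hops(set(cand), flows)
            if hops is not None and (best is None or hops < best[0]):
                best = (hops, set(cand))
    if best is None:
        return None  # no placement blocks every denied flow within budget
    hops, placement = best
    rules = {node: [] for node in placement}  # implicit default deny per firewall
    for src, dst, path, allowed in flows:
        for node in path:
            if node in placement:
                rules[node].append((src, dst, "allow" if allowed else "deny"))
                if not allowed:
                    break  # dropped here, so downstream firewalls never see it
    return hops, placement, rules
```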
