Firewall policy verification and troubleshooting

Firewalls are important elements of enterprise security and have been the most widely adopted technology for protecting private networks. The quality of protection provided by a firewall mainly depends on the quality of its policy (i.e., configuration). However, due to the lack of tools for verifying and troubleshooting firewall policies, most firewalls on the Internet have policy errors. A firewall policy error can either create security holes that allow malicious traffic to sneak into a private network or block legitimate traffic, disrupting normal network operation; either outcome can lead to disastrous consequences. In this paper we propose a firewall verification and troubleshooting tool. Our tool takes as input a firewall policy and a given property, and outputs whether the policy satisfies the property. Furthermore, when a firewall policy does not satisfy the property, our tool outputs which rules cause the verification failure, giving firewall administrators a basis for fixing the policy errors. Despite the importance of verifying firewall policies and finding troublesome rules, these problems have not been explored in previous work. Due to the complex nature of firewall policies, designing algorithms for such a verification and troubleshooting tool is challenging. In this paper, we design and implement a verification and troubleshooting algorithm using decision diagrams, and test it on both real-life firewall policies and synthetic firewall policies of large sizes. The performance of the algorithm is high enough that it can practically be used in the iterative process of firewall policy design, verification, and maintenance. The firewall policy troubleshooting algorithm proposed in this paper is not limited to firewalls; it can potentially be applied to other rule-based systems as well.
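The verification-plus-troubleshooting idea described above (check a property against a first-match policy and report the rules that break it) as an added example; this is not the paper's code and uses interval boxes rather than the decision diagrams the paper builds. The two-field policy, the rule indices and the decision names are constructed for illustration.

```python
# Added example, not the paper's code. A box: tuple of inclusive (lo, hi) ints per field.

def intersect(a, b):
    """Intersection of two boxes, or None when they are disjoint."""
    out = []
    for (alo, ahi), (blo, bhi) in zip(a, b):
        lo, hi = max(alo, blo), min(ahi, bhi)
        if lo > hi:
            return None
        out.append((lo, hi))
    return tuple(out)

def subtract(box, cut):
    """Pairwise-disjoint boxes that exactly cover box minus cut."""
    inter = intersect(box, cut)
    if inter is None:
        return [box]
    pieces, cur = [], list(box)
    for i, ((lo, hi), (ilo, ihi)) in enumerate(zip(box, inter)):
        if lo < ilo:   # slab below the intersection along field i
            pieces.append(tuple(cur[:i] + [(lo, ilo - 1)] + cur[i + 1:]))
        if ihi < hi:   # slab above it
            pieces.append(tuple(cur[:i] + [(ihi + 1, hi)] + cur[i + 1:]))
        cur[i] = (ilo, ihi)
    return pieces

def verify(rules, prop):
    """rules: [(box, decision)] in first-match order; prop: (box, expected).
    Returns (holds, indices of rules that first-match a violating packet)."""
    pbox, expected = prop
    remaining = [pbox]  # property packets not yet claimed by an earlier rule
    culprits = []
    for idx, (rbox, decision) in enumerate(rules):
        if decision != expected and any(intersect(r, rbox) is not None for r in remaining):
            culprits.append(idx)
        remaining = [p for r in remaining for p in subtract(r, rbox)]
        if not remaining:
            break
    if remaining:
        raise ValueError("incomplete policy: some property packets match no rule")
    return (not culprits, culprits)

# Constructed sample policy over two fields: (source host id, destination port).
ACCEPT, DISCARD = "accept", "discard"
POLICY = [
    (((1, 100), (80, 80)), ACCEPT),     # r0: web from hosts 1-100
    (((50, 60), (0, 65535)), DISCARD),  # r1: hosts 50-60 otherwise blocked
    (((0, 255), (22, 22)), ACCEPT),     # r2: SSH open to every source (a hole)
    (((0, 255), (0, 65535)), DISCARD),  # r3: default deny
]
```

Checking the property "SSH from hosts 200-255 must be discarded" against POLICY reports rule 2 as the culprit, which is exactly the rule an administrator would need to fix.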
