Automatic Verification of Security Policies in Firewalls with Dynamic Rule Sequence

Security policies play an important role in the security of communication networks. They are normally defined at a high level of abstraction and implemented in firewalls, which are the first line of defense protecting networks against attacks and unauthorized access. When security policies are implemented in firewalls, the anomalies and conflicts that may arise between different policies must be taken into account. Moreover, some firewalls randomly shuffle the order of their rule sequence during operation to counter certain attacks. Because a firewall's decision depends on the order in which rules are inspected (in first-match firewalls the first matching rule decides), such reordering can result in an incorrect implementation of the high-level policies. This paper presents a formal model of the firewall rule sequence and a novel method that verifies the set of security policies whenever the rule sequence changes. The method is tested on a synthetic firewall of practical size; the results demonstrate that the firewall maintains the functional behavior of its security policies during runtime operation. The detailed analysis shows that the proposed method can be applied in real time to firewalls with dynamic rule sequences.
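The order dependence described above can be made concrete with a small model. The following is an added illustration, not the paper's formal model or its verification method: a first-match rule list, a policy stated as expected decisions for sample packets, and two checks on a reordering of the rules. The first check re-evaluates the policy against the shuffled list; the second is a structural test that a permutation is safe whenever it preserves the relative order of every pair of rules whose match sets overlap and whose actions differ. The rules, packets and field encoding (protocol, source prefix, destination port) are constructed for the example.

```python
"""Added example: first-match firewall semantics and a reordering check.

Two rules are order-sensitive only if some packet matches both and their
actions differ; a permutation that keeps the relative order of every such
pair cannot change the decision for any packet. Rules and packets below are
constructed for illustration and are not from the paper.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from itertools import combinations
from typing import List, Sequence, Tuple

Packet = Tuple[str, str, int]  # (proto, src address, dst port)


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str          # "tcp", "udp" or "any"
    src: IPv4Network    # source prefix
    dport: range        # destination ports, end exclusive
    action: str         # "allow" or "deny"

    def matches(self, pkt: Packet) -> bool:
        proto, src, dport = pkt
        return ((self.proto == "any" or self.proto == proto)
                and ip_address(src) in self.src
                and dport in self.dport)


def overlaps(a: Rule, b: Rule) -> bool:
    """True if some packet matches both rules. Exact here because each
    rule is a product of independent per-field sets."""
    proto_ok = a.proto == "any" or b.proto == "any" or a.proto == b.proto
    src_ok = a.src.overlaps(b.src)
    port_ok = max(a.dport.start, b.dport.start) < min(a.dport.stop, b.dport.stop)
    return proto_ok and src_ok and port_ok


def evaluate(rules: Sequence[Rule], pkt: Packet, default: str = "deny") -> str:
    """First-match semantics: the first rule whose predicate holds decides."""
    for r in rules:
        if r.matches(pkt):
            return r.action
    return default


def verify_policy(rules, policy, default="deny") -> List[tuple]:
    """Re-evaluate every (packet, expected action) pair against the ordered
    rule list; return the violated expectations as (packet, want, got)."""
    violations = []
    for pkt, want in policy:
        got = evaluate(rules, pkt, default)
        if got != want:
            violations.append((pkt, want, got))
    return violations


def order_sensitive_pairs(rules) -> List[Tuple[int, int]]:
    """Index pairs (i, j), i < j, whose relative order can matter:
    overlapping match sets and different actions."""
    return [(i, j) for (i, a), (j, b) in combinations(enumerate(rules), 2)
            if a.action != b.action and overlaps(a, b)]


def apply_perm(rules, perm):
    """perm[k] is the original index of the rule at position k after shuffling."""
    return [rules[i] for i in perm]


def reorder_is_safe(rules, perm) -> bool:
    """Sound (conservative) check: safe if no order-sensitive pair is inverted."""
    pos = {orig: k for k, orig in enumerate(perm)}
    return all(pos[i] < pos[j] for i, j in order_sensitive_pairs(rules))


# Constructed rule set: SSH only from the admin subnet, HTTP from anywhere.
RULES = [
    Rule("ssh-admin", "tcp", ip_network("10.0.1.0/24"), range(22, 23), "allow"),
    Rule("ssh-block", "tcp", ip_network("0.0.0.0/0"), range(22, 23), "deny"),
    Rule("http-any", "tcp", ip_network("0.0.0.0/0"), range(80, 81), "allow"),
    Rule("default", "any", ip_network("0.0.0.0/0"), range(0, 65536), "deny"),
]

# Constructed high-level policy as expected decisions for sample packets.
POLICY = [
    (("tcp", "10.0.1.5", 22), "allow"),
    (("tcp", "10.0.2.5", 22), "deny"),
    (("tcp", "192.0.2.7", 80), "allow"),
    (("udp", "192.0.2.7", 53), "deny"),
]

if __name__ == "__main__":
    print("sensitive pairs:", order_sensitive_pairs(RULES))
    for perm in ([0, 2, 1, 3], [1, 0, 2, 3]):
        shuffled = apply_perm(RULES, perm)
        print(perm, "safe:", reorder_is_safe(RULES, perm),
              "violations:", verify_policy(shuffled, POLICY))
```

Swapping the two non-overlapping rules `ssh-block` and `http-any` (permutation `[0, 2, 1, 3]`) passes both checks, while moving `ssh-block` ahead of `ssh-admin` (`[1, 0, 2, 3]`) shadows the admin exception and the SSH packet from 10.0.1.5 is denied. The pairwise test is sufficient but not necessary: an inverted pair can be harmless when an earlier rule already covers their whole intersection, so a structural check that reports "unsafe" should be followed by the packet-level re-evaluation before a shuffle is rejected.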
