Industrial Grade Methodology for Firewall Simulation and Requirements Verification

Firewalls are a critical part of any security framework. Most firewalls consist of a large number of sequential rules that are unstructured and confusing. Unfortunately, because much of the rule configuration work is done manually by network administrators, misconfigurations are very common and can affect the reliability of the firewall. Identifying such anomalies is a challenging task. In this paper, we propose a tree-based simulation and verification model to verify whether the implemented firewall of a system complies with the corresponding firewall requirements. The proposed methodology was developed in the context of the H2020 FORTIKA project and was evaluated in case studies with industrial partners. These case studies concerned large-scale telecom infrastructures involving critical scenarios in the scope of Smart Cities in general and SME cyber-security protection in particular. The executed case studies demonstrate how our approach can lead to improved structuring of firewalls and their rules, to convenient visualization of firewall structures and decision patterns, and finally to the verification of system and context requirements imposed by the firewall's operating environment.
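To make the idea of a tree-based simulation and verification model concrete, the following is an added example written for this page; it is not the paper's tool or the FORTIKA project's code, and its tree layout (protocol, then destination port, then source network), the rule chain, the requirement list and the IP addresses are all constructed. It builds a decision tree from an ordered rule list, simulates packets by walking the tree, verifies a list of requirements (packet, expected action) against the simulated decisions, and reports rules that are never reached (shadowed rules), which is one of the misconfigurations the abstract refers to.

```python
"""Tree-based firewall simulation and requirement verification (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "ACCEPT" or "DROP"
    proto: str             # "tcp", "udp" or "any"
    src: str               # source network in CIDR notation
    dport: Optional[int]   # destination port, None means any port

    def matches(self, proto: str, src_ip: str, dport: int) -> bool:
        return (self.proto in ("any", proto)
                and ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and (self.dport is None or self.dport == dport))


# Constructed sequential chain, first match wins; r4 is fully shadowed by r1.
RULES = [
    Rule("r1", "ACCEPT", "tcp", "10.0.0.0/8",   22),   # SSH from the intranet
    Rule("r2", "DROP",   "tcp", "0.0.0.0/0",    22),   # SSH from anywhere else
    Rule("r3", "ACCEPT", "tcp", "0.0.0.0/0",    443),  # public HTTPS
    Rule("r4", "ACCEPT", "tcp", "10.1.0.0/16",  22),   # never reached: r1 covers it
    Rule("r5", "ACCEPT", "udp", "0.0.0.0/0",    53),   # DNS from anywhere
]
DEFAULT_POLICY = "DROP"
PROTOS = ("tcp", "udp")   # only these protocols are modelled in this example


def representative(net: str, nets, limit: int = 4096) -> Optional[str]:
    """An address in `net` that lies in no strictly more specific network of
    `nets`; it stands for the class 'net minus its listed subnets'. Returns
    None if none is found within `limit` candidates (class treated as empty)."""
    n = ipaddress.ip_network(net)
    inner = [o for o in map(ipaddress.ip_network, nets) if o != n and o.subnet_of(n)]
    for i, addr in enumerate(n):
        if i >= limit:
            return None
        if not any(addr in o for o in inner):
            return str(addr)
    return None


def build_tree(rules):
    """Decision tree proto -> dport -> source network -> ordered candidate rules.
    Port branches: each port named in a rule plus '*' for all other ports.
    Source branches: each network named in a rule, most specific first. Every
    rule predicate is constant over such a class, so one representative
    packet per leaf decides the whole class."""
    ports = sorted({r.dport for r in rules if r.dport is not None})
    other_port = next(p for p in range(1, 65536) if p not in ports)
    nets = sorted({r.src for r in rules},
                  key=lambda s: -ipaddress.ip_network(s).prefixlen)
    tree = {}
    for proto in PROTOS:
        tree[proto] = {}
        for branch in ports + ["*"]:
            port = other_port if branch == "*" else branch
            tree[proto][branch] = {}
            for net in nets:
                rep = representative(net, nets)
                if rep is not None:
                    tree[proto][branch][net] = [r for r in rules
                                                if r.matches(proto, rep, port)]
    return tree


def simulate(tree, proto: str, src_ip: str, dport: int):
    """Walk the tree for one packet; returns (action, name of deciding rule)."""
    if proto not in tree:
        raise ValueError(f"protocol {proto!r} is not modelled")
    leaves = tree[proto][dport if dport in tree[proto] else "*"]
    ip = ipaddress.ip_address(src_ip)
    for net, candidates in leaves.items():          # most specific network first
        if ip in ipaddress.ip_network(net):
            for r in candidates:
                if r.matches(proto, src_ip, dport):  # re-check on the real packet
                    return r.action, r.name
            break
    return DEFAULT_POLICY, None


def shadowed_rules(tree, rules):
    """Rules that are never the first match of any leaf: their whole match
    space is already decided by earlier rules in the chain."""
    reached = {cands[0].name for ports in tree.values()
               for leaves in ports.values() for cands in leaves.values() if cands}
    return [r.name for r in rules if r.name not in reached]


# Constructed requirements: (description, proto, src_ip, dport, expected action)
REQUIREMENTS = [
    ("SSH from the Internet is denied",      "tcp", "203.0.113.7", 22,  "DROP"),
    ("SSH from the intranet is allowed",     "tcp", "10.1.2.3",    22,  "ACCEPT"),
    ("HTTPS is reachable from the Internet", "tcp", "203.0.113.7", 443, "ACCEPT"),
    ("Telnet is never allowed",              "tcp", "10.0.0.5",    23,  "DROP"),
    ("DNS is served only to the intranet",   "udp", "203.0.113.7", 53,  "DROP"),
]


def verify(tree, requirements):
    """Return the requirements the simulated firewall violates."""
    return [(desc, expected, action, rule)
            for desc, proto, src, dport, expected in requirements
            for action, rule in [simulate(tree, proto, src, dport)]
            if action != expected]


TREE = build_tree(RULES)

if __name__ == "__main__":
    print("shadowed rules:", shadowed_rules(TREE, RULES))
    for violation in verify(TREE, REQUIREMENTS):
        print("VIOLATION:", violation)
```

Run stand-alone, the script reports `r4` as shadowed and one violated requirement: the DNS rule `r5` accepts traffic from any source, so the requirement that DNS be served only to the intranet fails. The tree is also the visualization artefact: each leaf is one decision pattern (protocol, port class, source class) with the rules that can still apply to it, in chain order. The representative-packet construction relies on CIDR networks being either nested or disjoint, and the enumeration cap in `representative` is a simplification for this example.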
