Academia.eduAcademia.edu

Outline

Title
Abstract
Introduction
Firewall Background
Problems with Previous Algorithms
Conclusion
References
All Topics
Business and Management
Management, Monitoring, Policy and Law

Safe and Efficient Strategies for Updating Firewall Policies

Profile image of zeeshan ahmedzeeshan ahmed

2010, Trust, Privacy and Security in Digital Business

https://doi.org/10.1007/978-3-642-15152-1_5
visibility

description

23 pages

link

1 file

Abstract

Actuellement, les politiques de pare-feu (en anglais firewall) peuvent contenir de milliers de règles et ceà cause de la tailleénorme et la structure complexe des réseaux modernes. De ce fait, ces politiques nécessitent des outils automatiques fournissant un environnement convivial pour spécifier, configurer et déployer en sûreté une politique cible. Beaucoup de travaux de recherche ont traité de la spécification des politiques, la détection des conflits et le problème d'optimisation, mais très peu de travaux se sont intéressés au déploiement de politiques. Ce n'est que récemment, certains chercheurs ont proposé des stratégies de déploiement pour les deux importantes catégories d'édition de politiques. Dans ce rapport, nous montrons que ces stratégies sont erronées et pourraient mener a des failles de sécurité. Ensuite, nous fournissons deux algorithmes corrects, efficaces et sûrs pour les classes d'édition de politiques. Nos résultats expérimentaux montrent que ces algorithmes sont trés rapides et peuventêtre utilisés en toute sûreté, même pour le déploiement de politiques dont la taille est très importante.

Related papers

Formal analysis of firewall policies
Robert Marmorstein

2008

This dissertation describes a technique for formally analyzing a firewall security policy using a quasi-reduced multiway decision diagram model. The analysis allows a system administrator to detect and repair errors in the configuration of the firewall without a tedious manual inspection of the firewall rules. We present four major contributions. First, we describe a set of algorithms for representing a firewall rule set as a multi-way decision diagram and for solving logical queries against that model. We demonstrate the application of these techniques in a tool for analyzing iptables firewalls. Second, we present an extension of our work that enables analysis of systems of connected firewalls and firewalls that use network address translation and other packet mangling rules. Third, we demonstrate a technique for decomposing a network into classes of equivalent hosts. These classes can be used to detect errors in a firewall policy without apriori knowledge of potential vulnerabilit...

View PDFchevron_right
First step towards automatic correction of firewall policy faults
Tao Xie

2010

Abstract Firewalls are critical components of network security and have been widely deployed for protecting private networks. A firewall determines whether to accept or discard a packet that passes through it based on its policy. However, most real-life firewalls have been plagued with policy faults, which either allow malicious traffic or block legitimate traffic. Due to the complexity of firewall policies, manually locating the faults of a firewall policy and further correcting them are difficult.

View PDFchevron_right
An Automated Framework for Validating Firewall Policy Enforcement
Ehab Al-Shaer

2007

The implementation of network security devices such as firewalls and IDSs are constantly being improved to accommodate higher security and performance standards. Using reliable and yet practical techniques for testing the functionality of firewall devices particularly after new filtering implementation or optimization becomes necessary to assure proven security. Generating random traffic to test the functionality of firewall matching is inefficient and inaccurate as it requires an exponential number of test cases for a reasonable coverage. In addition, in most cases the policies used during testing are limited and manually generated representing fixed policy profiles.

View PDFchevron_right
On the Security of Firewall Policy Deployment
A. Kartit

Due to the sensitive nature of information transmitted during a policy deployment, the communication between management tool and firewall should be confidential. Confidentiality can be achieved by using encrypted communication protocols such as SSH, SSL and IPSec. Much research has already addressed the specification of policies, conflict detection and optimization, but very little research is devoted to the security of policy deployment. In the previous article [1], we proposed an exact algorithm for the deployment of security policies but in this paper, we will propose an effective solution that will allow us to secure the deployment process of a political target. This solution has the objective to create secure tunnels between the different entities (firewalls).

View PDFchevron_right
Malachite: Firewall policy comparison
dinesha ranathunga

2016 IEEE Symposium on Computers and Communication (ISCC), 2016

Firewalls are a crucial element of any modern day business; they protect data and resources in a communications network from unauthorised access. In particular domains, such as SCADA networks, there are guidelines for firewall configuration, but currently there are no automated means to test compliance. Our research tackles this from first principles: we ask how firewall policies can be described at a high-level, independent of firewall-vendor and network minutiae. The semantic foundations we propose allow us to compare network-wide firewall policies and check if they are equivalent; or one is contained in the other in meaningful ways. These foundations also enable policy change-impact analysis and help identify functional discrepancies between multiple policy designs from users in distinct policy subdomains (e.g., SCADA engineers, Corporate admins).

View PDFchevron_right
Formal Analysis of Firewalls
Robert Marmorstein

2008

The task of configuring and updating a collection of firewalls has become so challenging that, for many networks, the cost of maintaining the firewall is prohibitive. This cost derives from the difficulty of avoiding subtle design errors in a complex and often verbose firewall policy. Analysis tools can reduce the burden on the administrator and improve security by identifying errors in the firewall configuration or even suggesting changes to the policy. Existing analysis tools suffer from many drawbacks which prevent ...

View PDFchevron_right
On autonomic optimization of firewall policy organization
Ehab Al-Shaer

Journal of High Speed Networks, 2006

Security policies play a critical role in many of the current network security technologies such as firewalls, IPSec and IDS devices. The configuration of these policies not only determines the functionality of such devices, but also substantially affects their performance. The optimization of filtering policy configuration is critically important to provide high performance packet filtering particularly for high speed network security.

View PDFchevron_right
A policy-based approach to firewall management
Edmundo Monteiro

2002

Abstract: This paper describes a policy-based approach to firewall management. The Policy-Based Networking (PBN) architecture proposed by the Policy Framework Group of IETF is analysed, together with the communication protocols, policy specification languages, and the necessary information models. The paper continues with a description of an application of the PBN architecture to firewall management. The proposed architecture is presented and its implementation issues are analysed with some usage examples.

View PDFchevron_right
An axiomatic approach to firewall rule update
Richard Booth
View PDFchevron_right
Conflict classification and analysis of distributed firewall policies
Ehab Al-Shaer

IEEE Journal on Selected Areas in Communications, 2005

Firewalls are core elements in network security. However, managing firewall rules, particularly, in multifirewall enterprise networks, has become a complex and error-prone task. Firewall filtering rules have to be written, ordered, and distributed carefully in order to avoid firewall policy anomalies that might cause network vulnerability. Therefore, inserting or modifying filtering rules in any firewall requires thorough intrafirewall and interfirewall analysis to determine the proper rule placement and ordering in the firewalls. In this paper, we identify all anomalies that could exist in a single-or multifirewall environment. We also present a set of techniques and algorithms to automatically discover policy anomalies in centralized and distributed firewalls. These techniques are implemented in a software tool called the "Firewall Policy Advisor" that simplifies the management of filtering rules and maintains the security of next-generation firewalls.

View PDFchevron_right

References (26)

  1. Check Point SmartCenter. http://www.checkpoint.com/products/smartcenter/.
  2. Cisco Security Manager. http://www.cisco.com/en/US/products/ps6498/index.html.
  3. Entrasys Matrix X Core Router. http://www.entrasys.com/products/routing/x/.
  4. F-Secure. Malware information pages: Slammer. http://www.f-secure.com/v-descs/mssqlm.shtml.
  5. F-Secure. Malware information pages: Worm:w32/downadup.al. http://www.f-secure.com/v-descs/worm_w32_downadup_al.shtml.
  6. Juniper Network and Security Manager. http://www.juniper.net/us/en/local/pdf/datasheets/1100018-en.pd
  7. E. Al-Shaer and H. Hamed. Modeling and Management of Firewall Policies. Network and Service Management, IEEE Transactions on, 1(1):2-10, April 2004.
  8. M. Anwar, M. Zafar, and Z. Ahmed. A Proposed Preventive Information Security System. In International Conference on Electrical Engineering, 2007. ICEE '07., pages 1-6, 2007.
  9. F. Baboescu and G. Varghese. Fast and Scalable Conflict Detection for Packet Classifiers. In ICNP, pages 270-279, 2002.
  10. Y. Bartal, A. J. Mayer, K. Nissim, and A. Wool. Firmato: A Novel Firewall Management Toolkit. In IEEE Symposium on Security and Privacy, pages 17-31, 1999.
  11. L. Bergroth, H. Hakonen, and T. Raita. A Survey of Longest Common Subsequence Algo- rithms. In SPIRE '00: Proceedings of the Seventh International Symposium on String Process- ing Information Retrieval (SPIRE'00), page 39, Washington, DC, USA, 2000. IEEE Computer Society. INRIA
  12. S. Cobb. ICSA Firewall Policy Guide v2.0. Technical report, NCSA Security White Paper Series, 1997.
  13. G. Cormode, S. Muthukrishnan, and S. C. Sahinalp. Permutation Editing and Matching via Embeddings. In ICALP, pages 481-492, 2001.
  14. M. Englund. Securing systems with host-based firewalls. In Sun BluePrints Online, September 2001.
  15. Z. Fu, S. F. Wu, H. Huang, K. Loh, F. Gong, I. Baldine, and C. Xu. IPSec/VPN Security Policy: Correctness, Conflict Detection, and Resolution. In POLICY, pages 39-56, 2001.
  16. M. G. Gouda and A. X. Liu. Firewall Design: Consistency, Completeness, and Compactness. In ICDCS, pages 320-327, 2004.
  17. H. Hamed and E. Al-Shaer. Dynamic rule-ordering optimization for high-speed firewall filter- ing. In ASIACCS, pages 332-342, 2006.
  18. S. Karen and H. Paul. Guidelines on Firewalls and Firewall Policy. NIST Recommendations, SP 800-41, July, 2008.
  19. A. X. Liu. Change-impact analysis of firewall policies. In ESORICS, pages 155-170, 2007.
  20. J. Qian. ACLA: A framework for Access Control List (ACL) Analysis and Optimization, booktitle = Proceedings of the IFIP TC6/TC11 International Conference on Communications and Multimedia Security Issues of the New Century. page 4, Deventer, The Netherlands, The Netherlands, 2001. Kluwer, B.V.
  21. L. Qiu, G. Varghese, and S. Suri. Fast firewall implementations for software and hardware- based routers. In International Conference on Network Protocols, pages 155-170, 2001.
  22. D. Wagner and B. Schneier. Analysis of the SSL 3.0 protocol. In WOEC'96: Proceedings of the 2nd conference on Proceedings of the Second USENIX Workshop on Electronic Commerce, pages 4-4, Berkeley, CA, USA, 1996. USENIX Association.
  23. T. Ylönen. SSH: secure login connections over the internet. In SSYM'96: Proceedings of the 6th conference on USENIX Security Symposium, Focusing on Applications of Cryptography, pages 4-4, Berkeley, CA, USA, 1996. USENIX Association.
  24. C. C. Zhang, M. Winslett, and C. A. Gunter. On the Safety and Efficiency of Firewall Policy Deployment. In SP '07: Proceedings of the 2007 IEEE Symposium on Security and Privacy, pages 33-50, Washington, DC, USA, 2007. IEEE Computer Society. RR n°6940 Unité de recherche INRIA Lorraine LORIA, Technopôle de Nancy-Brabois -Campus scientifique 615, rue du Jardin Botanique -BP 101 -54602 Villers-lès-Nancy Cedex (France) Unité de recherche INRIA Futurs : Parc Club Orsay Université -ZAC des Vignes 4, rue Jacques Monod -91893 ORSAY Cedex (France)
  25. Unité de recherche INRIA Rennes : IRISA, Campus universitaire de Beaulieu -35042 Rennes Cedex (France) Unité de recherche INRIA Rhône-Alpes : 655, avenue de l'Europe -38334 Montbonnot Saint-Ismier (France) Unité de recherche INRIA Rocquencourt : Domaine de Voluceau -Rocquencourt -BP 105 -78153 Le Chesnay Cedex (France) Unité de recherche INRIA Sophia Antipolis : 2004, route des Lucioles -BP 93 -06902 Sophia Antipolis Cedex (France)
  26. Éditeur INRIA -Domaine de Voluceau -Rocquencourt, BP 105 -78153 Le Chesnay Cedex (France) http://www.inria.fr ISSN 0249-6399

Related papers

Towards a New Algorithm More Efficient for Updating Firewall Policies 1
A. Kartit

2014

Firewall is one of the most widely utilized compone nt on any network architecture, since that a deploy ment is a very important step to turn the initial policy to a target policy. This policy requires automated tools in order to create a suitable environment for configur ing or deploying safely a policy target. Most resea rchers are interested in detection of conflicts or the pro blem of optimization of policies firewall while few of them have proposed deployment strategies for two importa nt types of edition policies. We have already propo sed a correct algorithm for the deployment type I [0]. In this work we study one of these strategies that falls within the type II edition policies. We show that t he proposed solution of type II edition [1] is not fully correct and lead to security vulnerabilities, and t hen we offer a few corrections and improvements for this type of editing.

View PDFchevron_right
Improvement of Algorithm for Updating Firewall Policies
A. Kartit

2014

Security issues are becoming more critical in network systems. Firewalls offer an important defense and protection for network, permit to strengthen security aspect. Firewalls are network devices or programs which enforce an organization's security policy, permit to control and monitor the traffic flow of network; they are installed between networks or hosts that employ differing security postures. Generally firewalls were deployed at network perimeters in order to provide some measure of protection for internal hosts. Different firewalls support different policy editing commands. The set of policy editing commands that a firewall supports is called its policy editing language. In [1], the authors provide deployment algorithm for type II language. This paper aims to develop an efficient algorithm for the updates of the security policy. Our proposal is considered improved type II edition policies algorithm. Although the proposed algorithm in [1] gives correct results, but it has ...

View PDFchevron_right
On the Correctness of Firewall Policy Deployment
A. Kartit

Firewall policies can contain several thousand rules due to the large size and complex structure of modern networks. The size and complexity of these policies require automated tools providing a user-friendly environment to specify, configure and safely deploy a target policy. In this paper, we show that naïve deployment approaches can easily create a temporary security hole by permitting illegal traffic or interrupt service by rejecting legal traffic during the deployment. We make some contributions to the correctness of firewall policy deployments and we show that the category of type I policy editing is wrong and could lead to security vulnerabilities. We then provide a correct algorithm for publishing political class type I. Our algorithm can be used even for the deployment of policies whose size is very important.

View PDFchevron_right
Modeling and Management of Firewall Policies
Ehab Al-Shaer

IEEE Transactions on Network and Service Management, 2004

Firewalls are core elements in network security. However, managing firewall rules, especially for enterprize networks, has become complex and error-prone. Firewall filtering rules have to be carefully written and organized in order to correctly implement the security policy. In addition, inserting or modifying a filtering rule requires thorough analysis of the relationship between this rule and other rules in order to determine the proper order of this rule and commit the updates. In this paper, we present a set of techniques and algorithms that provide (1) automatic discovery of firewall policy anomalies to reveal rule conflicts and potential problems in legacy firewalls, and (2) anomaly-free policy editing for rule insertion, removal and modification. This is implemented in a user-friendly tool called "Firewall Policy Advisor." The Firewall Policy Advisor significantly simplifies the management of any generic firewall policy written as filtering rules, while minimizing network vulnerability due to firewall rule misconfiguration.

View PDFchevron_right
Assisted firewall policy repair using examples and history
Robert Marmorstein

Proceedings of the 21st conference on …, 2007

Firewall policies can be extremely complex and difficult to maintain, especially on networks with more than a few hundred machines. The difficulty of configuring a firewall properly often leads to serious errors in the firewall configuration or discourage system administrators from implementing restrictive policies. In previous research, we developed a technique for modeling firewall policies using Multiway Decision Diagrams and performing logical queries against a decision diagram model. Using the query logic, the system administrator can detect errors in the policy and gain a deeper understanding of the behavior of the firewall. The technique is extremely efficient and can process policies with thousands of rules in just a few seconds. While queries are a significant improvement over manual inspection of the policy for detecting that errors exist, they provide only limited assistance in repairing a broken policy. In this paper we present two extensions to our work, examples and history, which enable the administrator to more easily repair a policy which contains errors. An example is a representative packet which illustrates that the firewall complies with or (more importantly) deviates from its expected behavior. History records the specific rules involved in the deviation. Examples and history provide guidance in finding and fixing faults in a firewall rule set. These contributions can be also be used with the equivalence class analysis to reduce the burden of designing a complicated set of assertions.

View PDFchevron_right

Related topics

  • Computer Science
  • Computer Security
  • Policy Management
  • Software Deployment
  • Denial of Service Attack
    • 580 California St., Suite 400
    San Francisco, CA, 94104
    © 2025 Academia. All rights reserved