
Firewall policy verification and troubleshooting

Published: 01 November 2009

Abstract

Firewalls are important elements of enterprise security and have been the most widely adopted technology for protecting private networks. The quality of protection provided by a firewall depends mainly on the quality of its policy (i.e., its configuration). However, due to the lack of tools for verifying and troubleshooting firewall policies, most firewalls on the Internet have policy errors. A firewall policy error can either create security holes that allow malicious traffic to sneak into a private network or block legitimate traffic and disrupt normal operation, which in turn could lead to disastrous consequences. We propose a firewall verification and troubleshooting tool in this paper. Our tool takes as input a firewall policy and a given property, then outputs whether the policy satisfies the property. Furthermore, in the case that a firewall policy does not satisfy the property, our tool outputs which rules cause the verification failure. This gives firewall administrators a basis for fixing the policy errors. Despite the importance of verifying firewall policies and finding troublesome rules, these problems have not been explored in previous work. Due to the complex nature of firewall policies, designing algorithms for such a verification and troubleshooting tool is challenging. In this paper, we designed and implemented a verification and troubleshooting algorithm using decision diagrams, and tested it on both real-life firewall policies and synthetic firewall policies of large sizes. The performance of the algorithm is sufficiently high that it can practically be used in the iterative process of firewall policy design, verification, and maintenance. The firewall policy troubleshooting algorithm proposed in this paper is not limited to firewalls. Rather, it can potentially be applied to other rule-based systems as well.
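As an added illustration (not the paper's code) of the verification and troubleshooting step the abstract describes, the following checks an ordered first-match policy against a property (a packet region plus the decision every packet in it must receive) and reports which rules cause a failure. It partitions the property region into the elementary hyper-rectangles induced by rule boundaries and evaluates one representative packet per cell, an exact check for small policies, rather than the paper's decision-diagram algorithm; the field names, small integer address space and sample policy are constructed assumptions, and the policy is assumed to end with a catch-all rule.

```python
from itertools import product

# Assumed packet fields; every range is an inclusive pair of integers.
FIELDS = ("src", "dst", "dport")

def matches(region, pkt):
    return all(lo <= pkt[f] <= hi for f, (lo, hi) in region.items())

def first_match(rules, pkt):
    """First-match semantics: return (rule index, decision) for pkt."""
    for i, (region, decision) in enumerate(rules):
        if matches(region, pkt):
            return i, decision
    raise ValueError("incomplete policy: no rule matches %r" % (pkt,))

def cells(rules, prop_region):
    """Yield one representative packet per elementary hyper-rectangle of the
    property region. Cutting every field at every rule boundary guarantees
    that all packets inside a cell match exactly the same rules."""
    reps = []
    for f in FIELDS:
        lo, hi = prop_region[f]
        pts = {lo}
        for region, _ in rules:
            rlo, rhi = region[f]
            pts.update(p for p in (rlo, rhi + 1) if lo < p <= hi)
        reps.append(sorted(pts))
    return (dict(zip(FIELDS, combo)) for combo in product(*reps))

def verify(rules, prop_region, expected):
    """Does every packet in prop_region receive `expected`?
    Returns (ok, offenders): offenders are indices of the rules that decide
    some part of the region and decide against `expected`."""
    offenders = set()
    for pkt in cells(rules, prop_region):
        idx, decision = first_match(rules, pkt)
        if decision != expected:
            offenders.add(idx)
    return not offenders, sorted(offenders)

# Constructed sample policy: addresses are small ints, host 10 is the mail server.
RULES = [
    ({"src": (100, 199), "dst": (0, 255), "dport": (0, 65535)}, "discard"),  # 0: blocked source block
    ({"src": (0, 255), "dst": (10, 10), "dport": (25, 25)}, "accept"),       # 1: SMTP to mail server
    ({"src": (0, 255), "dst": (0, 255), "dport": (0, 65535)}, "discard"),    # 2: catch-all
]
ANY = (0, 255)

if __name__ == "__main__":
    # Property: every packet to the mail server on port 25 is accepted -> fails, rule 0 is the cause.
    print(verify(RULES, {"src": ANY, "dst": (10, 10), "dport": (25, 25)}, "accept"))
    # Property: port 23 is never accepted -> holds.
    print(verify(RULES, {"src": ANY, "dst": ANY, "dport": (23, 23)}, "discard"))
```

The first property fails because rule 0 shadows rule 1 for sources 100..199, which is exactly the kind of troublesome rule the tool is meant to surface.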


Published In

Computer Networks: The International Journal of Computer and Telecommunications Networking, Volume 53, Issue 16, November 2009

Publisher

Elsevier North-Holland, Inc., United States

Author Tags

1. Firewall policy
2. Firewalls
3. Network security