DOI: 10.1145/2914642.2914646
Research article

Tri-Modularization of Firewall Policies

Published: 06 June 2016

Abstract

Firewall policies are notorious for misconfiguration errors, which can defeat their intended purpose of protecting hosts in the network from malicious users. We believe this is because today's firewall policies are mostly monolithic. Inspired by ideas from modular programming and code refactoring, in this work we introduce three kinds of modules: primary, auxiliary, and template, which facilitate the refactoring of a firewall policy into smaller, reusable, comprehensible, and more manageable components. We present algorithms for generating each of the three modules for a given legacy firewall policy. We also develop ModFP, an automated tool for converting legacy firewall policies represented as access control lists into their modularized format. With the help of ModFP, when examining several real-world policies with sizes ranging from dozens to hundreds of rules, we were able to identify subtle errors.


      Published In

SACMAT '16: Proceedings of the 21st ACM on Symposium on Access Control Models and Technologies
June 2016, 248 pages
ISBN: 9781450338028
DOI: 10.1145/2914642

Publisher: Association for Computing Machinery, New York, NY, United States

Author Tags

1. firewall policies
2. firewall tool
3. modularization

Acceptance Rates

SACMAT '16: 18 of 55 submissions accepted (33%)
Overall: 177 of 597 submissions accepted (30%)
