Abstract
Firewalls are critical components of network security and have been widely deployed for protecting private networks. A firewall determines whether to accept or discard a packet that passes through it based on its policy. However, most real-life firewalls have been plagued with policy faults, which either allow malicious traffic or block legitimate traffic. Due to the complexity of firewall policies, manually locating the faults of a firewall policy and then correcting them is difficult. Automatically correcting the faults of a firewall policy is an important and challenging problem. In this article, we first propose a fault model for firewall policies including five types of faults. For each type of fault, we present an automatic correction technique. Second, we propose the first systematic approach that employs these five techniques to automatically correct all or part of the misclassified packets of a faulty firewall policy. Third, we conducted extensive experiments to evaluate the effectiveness of our approach. Experimental results show that our approach is effective in correcting a faulty firewall policy with three of these types of faults.
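To make the notions of a first-match policy and a misclassified packet concrete, here is an added example (not the paper's code): a small rule list, a check against constructed packets with known expected decisions, and one illustrative correction that flips a single rule's decision. The rules, packets, and the flip-one-decision strategy are assumptions for illustration, not the paper's fault model or techniques.

```python
from ipaddress import ip_address, ip_network

ACCEPT, DISCARD = "accept", "discard"
ANY = None  # wildcard for the source-network or protocol field

# A rule is (src_network, (low_port, high_port), proto, decision). Rules and
# sample packets below are constructed for illustration, not taken from the paper.
POLICY = [
    (ip_network("10.0.0.0/24"), (22, 22), "tcp", DISCARD),   # assumed fault: should accept
    (ip_network("10.0.0.0/24"), (0, 65535), ANY, ACCEPT),
    (ANY, (80, 80), "tcp", ACCEPT),
    (ANY, (0, 65535), ANY, DISCARD),                         # default deny
]

# Constructed packets paired with the decision the administrator expects.
SAMPLES = [
    ({"src": "10.0.0.5", "dport": 22, "proto": "tcp"}, ACCEPT),
    ({"src": "10.0.0.5", "dport": 443, "proto": "tcp"}, ACCEPT),
    ({"src": "192.0.2.7", "dport": 80, "proto": "tcp"}, ACCEPT),
    ({"src": "192.0.2.7", "dport": 22, "proto": "tcp"}, DISCARD),
]

def matches(rule, pkt):
    src, (lo, hi), proto, _ = rule
    return ((src is ANY or ip_address(pkt["src"]) in src)
            and lo <= pkt["dport"] <= hi
            and (proto is ANY or proto == pkt["proto"]))

def classify(policy, pkt):
    """First-match semantics: the first matching rule decides; no match means discard."""
    for rule in policy:
        if matches(rule, pkt):
            return rule[3]
    return DISCARD

def misclassified(policy, samples):
    """Packets whose actual decision differs from the expected one."""
    return [pkt for pkt, want in samples if classify(policy, pkt) != want]

def correct_by_flipping_decision(policy, samples):
    """Illustrative correction (an assumption, not the paper's technique): flip one
    rule's decision and keep the first candidate that misclassifies no sample."""
    for i, rule in enumerate(policy):
        flipped = rule[:3] + (ACCEPT if rule[3] == DISCARD else DISCARD,)
        candidate = policy[:i] + [flipped] + policy[i + 1:]
        if not misclassified(candidate, samples):
            return candidate
    return None
```

Only the first rule's decision needs to change here; on a policy with several faults the single-flip search returns None, which is the point at which a systematic, multi-technique approach like the one the abstract describes becomes necessary.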
Index Terms
- First step towards automatic correction of firewall policy faults