Abstract
Firewalls are the mainstay of enterprise security and the most widely adopted technology for protecting private networks. The quality of protection provided by a firewall directly depends on the quality of its policy (i.e., configuration). Due to the lack of tools for analyzing firewall policies, most firewalls on the Internet have been plagued with policy errors. A firewall policy error either creates security holes that will allow malicious traffic to sneak into a private network or blocks legitimate traffic and disrupts normal business processes, which in turn could lead to irreparable, if not tragic, consequences.
A major source of policy errors stem from policy changes. Firewall policies often need to be changed as networks evolve and new threats emerge. In this paper, we first present the theory and algorithms for firewall policy change-impact analysis. Our algorithms take as input a firewall policy and a proposed change, then output the accurate impact of the change. Thus, a firewall administrator can verify a proposed change before committing it.
Chapter PDF
References
Wool, A.: A quantitative study of firewall configuration errors. IEEE Computer 37(6), 62–67 (2004)
Oppenheimer, D., Ganapathi, A., Patterson, D.A.: Why do internet services fail, and what can be done about it? In: Proceedings of the 4th USENIX Symposium on Internet Technologies and Systems (USITS-03) (March 2003)
Liu, A.X., Gouda, M.G.: Complete redundancy detection in firewalls. In: Jajodia, S., Wijesekera, D. (eds.) Data and Applications Security XIX. LNCS, vol. 3654, pp. 196–209. Springer, Heidelberg (2005)
Gouda, M.G., Liu, A.X.: Structured firewall design. Computer Networks Journal 51(4), 1106–1120 (2007)
Gupta, P., McKeown, N.: Algorithms for packet classification. IEEE Network 15(2), 24–32 (2001)
Gupta, P.: Algorithms for Routing Lookups and Packet Classification. PhD thesis, Stanford University (2000)
Horwitz, S.: Identifying the semantic and textual differences between two versions of a program. In: Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation, pp. 234–245. ACM Press, New York (1990)
Ren, X., Chesley, O.C., Ryder, B.G.: Using a concept lattice of decomposition slices for program understanding and impact analysis. IEEE Transactions on Software Engineering 32(9), 718–732 (2006)
Liu, A.X., Gouda, M.G.: Diverse firewall design. In: DSN 2004. Proceedings of the International Conference on Dependable Systems and Networks, pp. 595–604 (June 2004)
Fisler, K., Krishnamurthi, S., Meyerovich, L., Tschantz, M.: Verification and change impact analysis of access-control policies. In: Inverardi, P., Jazayeri, M. (eds.) ICSE 2005. LNCS, vol. 4309, Springer, Heidelberg (2006)
Guttman, J.D.: Filtering postures: Local enforcement for global policies. In: Proceedings of IEEE Symposium on Security and Privacy, pp. 120–129. IEEE Computer Society Press, Los Alamitos (1997)
Bartal, Y., Mayer, A.J., Nissim, K., Wool, A.: Firmato: A novel firewall management toolkit. In: Proceeding of the IEEE Symposium on Security and Privacy, pp. 17–31. IEEE Computer Society Press, Los Alamitos (1999)
Hari, A., Suri, S., Parulkar, G.M.: Detecting and resolving packet filter conflicts. In: Proceedings of IEEE INFOCOM, pp. 1203–1212. IEEE Computer Society Press, Los Alamitos (2000)
Eppstein, D., Muthukrishnan, S.: Internet packet filter management and rectangle geometry. In: Symp. on Discrete Algorithms, pp. 827–835 (2001)
Baboescu, F., Varghese, G.: Fast and scalable conflict detection for packet classifiers. In: Proceedings of the 10th IEEE International Conference on Network Protocols, IEEE Computer Society Press, Los Alamitos (2002)
Mayer, A., Wool, A., Ziskind, E.: Fang: A firewall analysis engine. In: Proceedings of IEEE Symposium on Security and Privacy, pp. 177–187. IEEE Computer Society Press, Los Alamitos (2000)
Wool, A.: Architecting the lumeta firewall analyzer. In: Proceedings of the 10th USENIX Security Symposium, August 2001, pp. 85–97 (2001)
Hazelhurst, S., Attar, A., Sinnappan, R.: Algorithms for improving the dependability of firewall and filter rule lists. In: Proceedings of the Workshop on Dependability of IP Applications, Platforms and Networks (2000)
Eronen, P., Zitting, J.: An expert system for analyzing firewall rules. In: Proceedings of the 6th Nordic Workshop on Secure IT Systems (NordSec 2001), pp. 100–107 (2001)
Liu, A.X., Gouda, M.G., Ma, H.H., Ngu, A.H.: Firewall queries. In: Higashino, T. (ed.) OPODIS 2004. LNCS, vol. 3544, pp. 124–139. Springer, Heidelberg (2005)
Garca-Alfaro, J., Cuppens, F., Cuppens, N.: Analysis of policy anomalies on distributed network security setups. In: Gollmann, D., Meier, J., Sabelfeld, A. (eds.) ESORICS 2006. LNCS, vol. 4189, Springer, Heidelberg (2006)
Yuan, L., Chen, H., Mai, J., Chuah, C.N., Su, Z., Mohapatra, P.: Fireman: a toolkit for firewall modeling and analysis. In: IEEE Symposium on Security and Privacy, IEEE Computer Society Press, Los Alamitos (2006)
Al-Shaer, E., Hamed, H.: Discovery of policy anomalies in distributed firewalls. In: IEEE INFOCOM’04, pp. 2605–2616. IEEE Computer Society Press, Los Alamitos (2004)
CERT: Test the firewall system, http://www.cert.org/security-improvement/practices/p060.html
Hoffman, D., Prabhakar, D., Strooper, P.: Testing iptables. In: Proceedings of the 2003 conference of IBM Centre for Advanced Studies, pp. 80–91 (2003)
Jürjens, J., Wimmel, G.: Specification-based testing of firewalls. In: Bjørner, D., Broy, M., Zamulin, A.V. (eds.) PSI 2001. LNCS, vol. 2244, Springer, Heidelberg (2001)
Hoffman, D., Yoo, K.: Blowtorch: a framework for firewall test automation. In: Proceedings of the 20th IEEE/ACM international Conference on Automated software engineering, pp. 96–103. ACM Press, New York (2005)
Senn, D., Basin, D., Caronni, G.: Firewall conformance testing. In: Proceedings of the Testcom (Testing of Communicating Systems) (May 2005)
Lyu, M.R., Lau, L.K.Y.: Firewall security: Policies, testing and performance evaluation. In: COMPSAC 2000. Proceedings of the 24th International Conference on Computer Systems and Applications, pp. 116–121 (October 2000)
Author information
Authors and Affiliations
Editor information
Rights and permissions
Copyright information
© 2007 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Liu, A.X. (2007). Change-Impact Analysis of Firewall Policies. In: Biskup, J., López, J. (eds) Computer Security – ESORICS 2007. ESORICS 2007. Lecture Notes in Computer Science, vol 4734. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-74835-9_11
Download citation
DOI: https://doi.org/10.1007/978-3-540-74835-9_11
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-74834-2
Online ISBN: 978-3-540-74835-9
eBook Packages: Computer ScienceComputer Science (R0)