Detection of firewall configuration errors with updatable tree

Regular Contribution, International Journal of Information Security

Abstract

The fundamental goal of a security policy is to give authorized users uninterrupted access to network resources while denying access to everyone else. Firewalls are deployed in networks of every size to enforce this goal. A misconfigured firewall, however, can open serious security holes: conflicting filtering rules block legitimate traffic and let unwanted packets through. This burdens administrators, who must insert and delete filtering rules in a large configuration file without introducing such conflicts. This paper proposes a fast method for managing a firewall configuration file. The set of filtering rules is represented by a firewall anomaly tree (FAT), which the administrator updates by inserting and deleting filtering rules. Modifying the FAT automatically reveals the anomalies that emerge and helps the administrator find the appropriate position for a newly added filtering rule. All the algorithms presented in the paper have been implemented, and experiments show that updating the FAT data structure makes it possible to detect anomalies quickly when working with a large firewall configuration file.
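
The checker below is an added illustration for this page, not the paper's FAT implementation. It shows the kind of conflict the abstract refers to (a rule that can never fire, a rule that duplicates an earlier one, a wider rule placed after a narrower one with the opposite action, and two rules that partially overlap with different actions) using the names shadowing, redundancy, generalization and correlation, which are the usual terms in the firewall-policy-analysis literature rather than terms taken from this page. It keeps the rules in an ordered first-match list rather than a tree; the rule fields (protocol, source and destination CIDR blocks, destination-port range, action), the anomaly labels, the position heuristic in `suggest_position` and the sample policy are all assumptions of the example.

```python
# Added example for this page, not the paper's FAT code: anomaly detection on an
# ordered, first-match firewall rule list. Field layout, anomaly names and the
# position heuristic are assumptions of this example.
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    proto: str               # "tcp", "udp" or "any"
    src: str                 # source CIDR block (do not mix IPv4 and IPv6)
    dst: str                 # destination CIDR block
    dport: Tuple[int, int]   # inclusive destination-port range
    action: str              # "accept" or "deny"


def _rel_set(a: set, b: set) -> str:
    if not a & b:
        return "disjoint"
    return "equal" if a == b else "subset" if a < b else "superset" if a > b else "overlap"


def _rel_net(a: str, b: str) -> str:
    # Two CIDR blocks are either nested or disjoint, never partially overlapping.
    na, nb = ipaddress.ip_network(a, strict=False), ipaddress.ip_network(b, strict=False)
    if na == nb:
        return "equal"
    return "subset" if na.subnet_of(nb) else "superset" if na.supernet_of(nb) else "disjoint"


def _rel_range(a: Tuple[int, int], b: Tuple[int, int]) -> str:
    if a[1] < b[0] or b[1] < a[0]:
        return "disjoint"
    inside = b[0] <= a[0] and a[1] <= b[1]
    around = a[0] <= b[0] and b[1] <= a[1]
    return "equal" if inside and around else "subset" if inside else "superset" if around else "overlap"


def relation(r: Rule, s: Rule) -> str:
    """How the packet set matched by r relates to the packet set matched by s."""
    def proto(p: str) -> set:
        return {"tcp", "udp"} if p == "any" else {p}
    rels = [_rel_set(proto(r.proto), proto(s.proto)), _rel_net(r.src, s.src),
            _rel_net(r.dst, s.dst), _rel_range(r.dport, s.dport)]
    if "disjoint" in rels:
        return "disjoint"
    if all(x == "equal" for x in rels):
        return "equal"
    if all(x in ("equal", "subset") for x in rels):
        return "subset"
    if all(x in ("equal", "superset") for x in rels):
        return "superset"
    return "overlap"      # partial intersection: one field narrower, another wider


def anomalies_of_insert(rules: List[Rule], new: Rule, pos: int) -> List[Tuple[str, int]]:
    """Anomalies created by placing `new` at index `pos` of a first-match list.

    Returns (anomaly, index of the existing rule involved). Rules lying between the
    two are ignored, so the redundancy verdicts are a conservative approximation.
    """
    found = []
    for i, old in enumerate(rules):
        rel = relation(new, old)
        if rel == "disjoint":
            continue
        differ = old.action != new.action
        if i < pos:                                  # old is matched before new
            if rel in ("equal", "subset"):           # new can never fire
                found.append(("shadowed" if differ else "redundant", i))
            elif rel == "superset" and differ:       # old acts as an exception to new
                found.append(("generalization", i))
            elif rel == "overlap" and differ:
                found.append(("correlation", i))
        else:                                        # new is matched before old
            if rel in ("equal", "superset"):         # old can never fire any more
                found.append(("shadows" if differ else "makes_redundant", i))
            elif rel == "overlap" and differ:
                found.append(("correlation", i))
    return found


def suggest_position(rules: List[Rule], new: Rule) -> int:
    """Latest index at which `new` still fires: just before the first rule that covers it."""
    for i, old in enumerate(rules):
        if relation(new, old) in ("equal", "subset"):
            return i
    return len(rules)


# Constructed sample policy (first match wins; the last rule is the default deny).
RULES = [
    Rule("tcp", "10.1.0.0/16", "172.16.0.0/16", (80, 80), "accept"),
    Rule("tcp", "10.0.0.0/8", "172.16.0.0/16", (80, 80), "deny"),
    Rule("udp", "0.0.0.0/0", "172.16.5.0/24", (53, 53), "accept"),
    Rule("any", "0.0.0.0/0", "0.0.0.0/0", (0, 65535), "deny"),
]

if __name__ == "__main__":
    new = Rule("tcp", "10.1.2.0/24", "172.16.0.0/16", (80, 80), "deny")
    print("appended at the end:", anomalies_of_insert(RULES, new, len(RULES)))
    pos = suggest_position(RULES, new)
    print("suggested position", pos, "gives", anomalies_of_insert(RULES, new, pos))
```

Appending the sample deny rule at the end of `RULES` reports it as shadowed by rule 0 and redundant with rules 1 and 3, so it would never take effect; `suggest_position` moves it to index 0, where no anomaly is reported. The checker is O(n) per insertion because it compares the new rule against every existing one, which is exactly the cost the paper's updatable tree is designed to avoid on large configuration files.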


Corresponding author: Tarek Abbes

Cite this article

Abbes, T., Bouhoula, A. & Rusinowitch, M. Detection of firewall configuration errors with updatable tree. Int. J. Inf. Secur. 15, 301–317 (2016). https://doi.org/10.1007/s10207-015-0290-0