Firewalls are widely deployed to manage enterprise networks. Because enterprise-scale firewalls contain hundreds or thousands of rules, ensuring the correctness of firewalls—that the rules in the firewalls meet the specifications of their administrators—is an important but challenging problem. Although existing firewall diagnosis and verification techniques can identify potentially faulty rules, they offer administrators little or no help with automatically fixing faulty rules. This paper presents FireMason, the first effort that offers automated repair by example for firewalls. Once an administrator observes undesired behavior in a firewall, she may provide input/output examples that comply with the intended behaviors. Based on the examples, FireMason automatically synthesizes new firewall rules for the existing firewall. This new firewall correctly handles packets specified by the examples, while maintaining the rest of the behaviors of the original firewall. Through a conversion of the firewalls to SMT formulas, we offer formal guarantees that the change is correct. Our evaluation results from real-world case studies show that FireMason can efficiently find repairs.
This is a preview of subscription content, access via your institution.
Buy single article
Instant access to the full article PDF.
Tax calculation will be finalised during checkout.
Mayer AJ, Wool A, Ziskind E (2000) Fang: a firewall analysis engine. In: IEEE symposium on security and privacy (IEEE S&P)
Torlak E, Jackson D (2007) Kodkod: a relational model finder. In: 13th international conference on tools and algorithms for the construction and analysis of systems (TACAS)
Lopes NP, Bjørner N, Godefroid P, Jayaraman K, Varghese G (2015) Checking beliefs in dynamic networks. In: 12th USENIX symposium on networked system design and implementation (NSDI)
Nelson T, Barratt C, Dougherty DJ, Fisler K, Krishnamurthi S (2010) The Margrave tool for firewall analysis. In: 24th large installation system administration conference (LISA)
Wool A (2001) Architecting the Lumeta firewall analyzer. In: USENIX security symposium
Zhang S, Mahmoud A, Malik S, Narain S (2012) Verification and synthesis of firewalls using SAT and QBF. In: 20th IEEE international conference on network protocols (ICNP)
Nelson G, Oppen DC (1979) Simplification by cooperating decision procedures. ACM Trans Program Lang Syst 1(2):245–257. https://doi.org/10.1145/357073.357079
Hallahan WT, Zhai E, Piskac R (2017) Automated repair by example for firewalls. In: 2017 formal methods in computer aided design (FMCAD). IEEE, pp 220–229
Cypher A, Halbert D (1993) Watch what I do: programming by demonstration. MIT Press, Cambridge
Lieberman H (2001) Your wish is my command: programming by example. Morgan Kaufmann, Burlington
Juniper: traffic policier overview. http://www.juniper.net/documentation/en_US/junos12.3/topics/concept/policer-overview.html
Cisco: policing and shaping overview. http://www.cisco.com/c/en/us/td/docs/ios/12_2/qos/configuration/guide/fqos_c/qcfpolsh.html
Qian J, Hinrichsa S, Nahrstedt K (2001) ACLA: a framework for access control list (ACL) analysis and optimization. Springer, New York, pp 197–211
iptables Linux User’s Manual (2015)
Tanenbaum A (2002) Computer networks, 4th edn. Prentice Hall, Upper Saddle River
Cannot block IP address. http://stackoverflow.com/questions/16142446/why-cant-i-block-an-ip-address-with-iptables-on-debian-6
Li Z, Lu S, Myagmar S, Zhou Y (2004) Cp-Miner: a tool for finding copy-paste and related bugs in operating system code. In: 6th USENIX symposium on operating systems design and implementation (OSDI)
IPTables only allow localhost access. https://serverfault.com/questions/247176/iptables-only-allow-localhost-access
IP tables allow everything but restrict HTTP for only one IP. https://goo.gl/VTRBui
Is there a rule for iptables to limit the amount of SYN packets. http://askubuntu.com/questions/240360/is-there-a-rule-for-iptables-to-limit-%20the-amount-of-syn-packets-a-24-range-of-i
de Moura LM, Bjørner N (2008) Z3: an efficient SMT solver. In: 14th tools and algorithms for the construction and analysis of systems (TACAS)
Server fault. http://serverfault.com/
Stack overflow. http://stackoverflow.com/
Good iptables starting rules for a webserver. http://serverfault.com/questions/118669/good-iptables-starting-rules-for-a-webserver
iptables issue cannot SSH remote machines. http://askubuntu.com/questions/476626/iptables-issue-cant-ssh-remote-machines
What is the correct way to open a range of ports in iptables. https://goo.gl/tNXsLp
Block range of IP addresses. https://serverfault.com/questions/592061/block-range-of-ip-addresses
How can I rate limit SSH connections with iptables. http://serverfault.com/questions/298954/how-can-i-rate-limit-ssh-connections%20-with-iptables
Limiting the number of global connections per second. https://serverfault.com/questions/378124/limiting-the-number-of-global-connections-per-second
Chen F, Liu AX, Hwang J, Xie T (2012) First step towards automatic correction of firewall policy faults. ACM TAAS 7(2):27
Chen F, Liu A.X, Hwang J, Xie T (2010) First step towards automatic correction of firewall policy faults. In: Proceedings of the 24th international conference on large installation system administration. USENIX Association, pp 1–8
Plotkin GD, Bjørner N, Lopes NP, Rybalchenko A, Varghese G (2016) Scaling network verification using symmetry and surgery. In: 43rd ACM symposium on principles of programming languages (POPL)
Yuan Y, Lin D, Alur R, Loo BT (2015) Scenario-based programming for SDN policies. In: ACM CoNEXT (CoNEXT)
Eppstein D, Muthukrishnan S (2001) Internet packet filter management and rectangle geometry. In: 12th symposium on discrete algorithms (SODA)
Adiseshu H, Suri S, Parulkar GM (2000) Detecting and resolving packet filter conflicts. In: 19th IEEE international conference on computer communications (INFOCOM)
Frantzen M, Kerschbaum F, Schultz EE, Fahmy S (2001) A framework for understanding vulnerabilities in firewalls using a dataflow model of firewall internals. Comput Secur 20(3):263–270
Kamara S, Fahmy S, Schultz EE, Kerschbaum F, Frantzen M (2003) Analysis of vulnerabilities in Internet firewalls. Comput Secur 22(3):214–232
Yuan L, Chen H, Mai J, Chuah CN, Su Z, Mohapatra P (2006) Fireman: a toolkit for firewall modeling and analysis. In: 2006 IEEE symposium on security and privacy. IEEE, p 15
Wool A (2004) A quantitative study of firewall configuration errors. IEEE Comput 37(6):62–67
El-Atawy A, Ibrahim K, Hamed HH (2005) Policy segmentation for intelligent firewall testing. In: IEEE workshop on secure network protocols (NPSec)
Al-Shaer E, El-Atawy A, Samak T (2009) Automated pseudo-live testing of firewall configuration enforcement. IEEE J Sel Areas Commun 27(3):302–314
Brucker AD, Brügger L, Wolff B (2013) Hol-TestGen/fw—an environment for specification-based firewall conformance testing. In: 10th theoretical aspects of computing (ICTAC)
We thank all anonymous reviewers for their insightful comments and suggestions. We also thank the FMCAD’17 organizers, Daryl Stewart and Georg Weissenbacher, for their help in preparing this paper. We thank Avi Silberschatz and Arvind Swaminathan for their valuable feedback on the earlier version of this work.
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
This research was supported in part by the NSF under Grants CCF-1302327, CCF-1553168 and CCF-1715387.
About this article
Cite this article
Hallahan, W.T., Zhai, E. & Piskac, R. Automated repair by example for firewalls. Form Methods Syst Des 56, 127–153 (2020). https://doi.org/10.1007/s10703-020-00346-0
- Firewall repair
- Programming by example
- Network configuration