Skip to main content

Automated repair by example for firewalls

A Preface to the special issue FMCAD 2017 to this article was published on 18 January 2021

Abstract

Firewalls are widely deployed to manage enterprise networks. Because enterprise-scale firewalls contain hundreds or thousands of rules, ensuring the correctness of firewalls—that the rules in the firewalls meet the specifications of their administrators—is an important but challenging problem. Although existing firewall diagnosis and verification techniques can identify potentially faulty rules, they offer administrators little or no help with automatically fixing faulty rules. This paper presents FireMason, the first effort that offers automated repair by example for firewalls. Once an administrator observes undesired behavior in a firewall, she may provide input/output examples that comply with the intended behaviors. Based on the examples, FireMason automatically synthesizes new firewall rules for the existing firewall. This new firewall correctly handles packets specified by the examples, while maintaining the rest of the behaviors of the original firewall. Through a conversion of the firewalls to SMT formulas, we offer formal guarantees that the change is correct. Our evaluation results from real-world case studies show that FireMason can efficiently find repairs.

This is a preview of subscription content, access via your institution.

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5

References

  1. 1.

    Mayer AJ, Wool A, Ziskind E (2000) Fang: a firewall analysis engine. In: IEEE symposium on security and privacy (IEEE S&P)

  2. 2.

    Torlak E, Jackson D (2007) Kodkod: a relational model finder. In: 13th international conference on tools and algorithms for the construction and analysis of systems (TACAS)

  3. 3.

    Lopes NP, Bjørner N, Godefroid P, Jayaraman K, Varghese G (2015) Checking beliefs in dynamic networks. In: 12th USENIX symposium on networked system design and implementation (NSDI)

  4. 4.

    Nelson T, Barratt C, Dougherty DJ, Fisler K, Krishnamurthi S (2010) The Margrave tool for firewall analysis. In: 24th large installation system administration conference (LISA)

  5. 5.

    Wool A (2001) Architecting the Lumeta firewall analyzer. In: USENIX security symposium

  6. 6.

    Zhang S, Mahmoud A, Malik S, Narain S (2012) Verification and synthesis of firewalls using SAT and QBF. In: 20th IEEE international conference on network protocols (ICNP)

  7. 7.

    Nelson G, Oppen DC (1979) Simplification by cooperating decision procedures. ACM Trans Program Lang Syst 1(2):245–257. https://doi.org/10.1145/357073.357079

    Article  MATH  Google Scholar 

  8. 8.

    iptables. http://ipset.netfilter.org/iptables.man.html

  9. 9.

    Hallahan WT, Zhai E, Piskac R (2017) Automated repair by example for firewalls. In: 2017 formal methods in computer aided design (FMCAD). IEEE, pp 220–229

  10. 10.

    Cypher A, Halbert D (1993) Watch what I do: programming by demonstration. MIT Press, Cambridge

    Google Scholar 

  11. 11.

    Lieberman H (2001) Your wish is my command: programming by example. Morgan Kaufmann, Burlington

    Google Scholar 

  12. 12.

    Juniper: traffic policier overview. http://www.juniper.net/documentation/en_US/junos12.3/topics/concept/policer-overview.html

  13. 13.

    Cisco: policing and shaping overview. http://www.cisco.com/c/en/us/td/docs/ios/12_2/qos/configuration/guide/fqos_c/qcfpolsh.html

  14. 14.

    Qian J, Hinrichsa S, Nahrstedt K (2001) ACLA: a framework for access control list (ACL) analysis and optimization. Springer, New York, pp 197–211

    Google Scholar 

  15. 15.

    iptables Linux User’s Manual (2015)

  16. 16.

    Tanenbaum A (2002) Computer networks, 4th edn. Prentice Hall, Upper Saddle River

    MATH  Google Scholar 

  17. 17.

    Cannot block IP address. http://stackoverflow.com/questions/16142446/why-cant-i-block-an-ip-address-with-iptables-on-debian-6

  18. 18.

    Li Z, Lu S, Myagmar S, Zhou Y (2004) Cp-Miner: a tool for finding copy-paste and related bugs in operating system code. In: 6th USENIX symposium on operating systems design and implementation (OSDI)

  19. 19.

    IPTables only allow localhost access. https://serverfault.com/questions/247176/iptables-only-allow-localhost-access

  20. 20.

    IP tables allow everything but restrict HTTP for only one IP. https://goo.gl/VTRBui

  21. 21.

    Is there a rule for iptables to limit the amount of SYN packets. http://askubuntu.com/questions/240360/is-there-a-rule-for-iptables-to-limit-%20the-amount-of-syn-packets-a-24-range-of-i

  22. 22.

    de Moura LM, Bjørner N (2008) Z3: an efficient SMT solver. In: 14th tools and algorithms for the construction and analysis of systems (TACAS)

  23. 23.

    Server fault. http://serverfault.com/

  24. 24.

    Stack overflow. http://stackoverflow.com/

  25. 25.

    Good iptables starting rules for a webserver. http://serverfault.com/questions/118669/good-iptables-starting-rules-for-a-webserver

  26. 26.

    iptables issue cannot SSH remote machines. http://askubuntu.com/questions/476626/iptables-issue-cant-ssh-remote-machines

  27. 27.

    What is the correct way to open a range of ports in iptables. https://goo.gl/tNXsLp

  28. 28.

    Block range of IP addresses. https://serverfault.com/questions/592061/block-range-of-ip-addresses

  29. 29.

    How can I rate limit SSH connections with iptables. http://serverfault.com/questions/298954/how-can-i-rate-limit-ssh-connections%20-with-iptables

  30. 30.

    Limiting the number of global connections per second. https://serverfault.com/questions/378124/limiting-the-number-of-global-connections-per-second

  31. 31.

    Chen F, Liu AX, Hwang J, Xie T (2012) First step towards automatic correction of firewall policy faults. ACM TAAS 7(2):27

    Google Scholar 

  32. 32.

    Chen F, Liu A.X, Hwang J, Xie T (2010) First step towards automatic correction of firewall policy faults. In: Proceedings of the 24th international conference on large installation system administration. USENIX Association, pp 1–8

  33. 33.

    Plotkin GD, Bjørner N, Lopes NP, Rybalchenko A, Varghese G (2016) Scaling network verification using symmetry and surgery. In: 43rd ACM symposium on principles of programming languages (POPL)

  34. 34.

    Yuan Y, Lin D, Alur R, Loo BT (2015) Scenario-based programming for SDN policies. In: ACM CoNEXT (CoNEXT)

  35. 35.

    Eppstein D, Muthukrishnan S (2001) Internet packet filter management and rectangle geometry. In: 12th symposium on discrete algorithms (SODA)

  36. 36.

    Adiseshu H, Suri S, Parulkar GM (2000) Detecting and resolving packet filter conflicts. In: 19th IEEE international conference on computer communications (INFOCOM)

  37. 37.

    Frantzen M, Kerschbaum F, Schultz EE, Fahmy S (2001) A framework for understanding vulnerabilities in firewalls using a dataflow model of firewall internals. Comput Secur 20(3):263–270

    Article  Google Scholar 

  38. 38.

    Kamara S, Fahmy S, Schultz EE, Kerschbaum F, Frantzen M (2003) Analysis of vulnerabilities in Internet firewalls. Comput Secur 22(3):214–232

    Article  Google Scholar 

  39. 39.

    Yuan L, Chen H, Mai J, Chuah CN, Su Z, Mohapatra P (2006) Fireman: a toolkit for firewall modeling and analysis. In: 2006 IEEE symposium on security and privacy. IEEE, p 15

  40. 40.

    Wool A (2004) A quantitative study of firewall configuration errors. IEEE Comput 37(6):62–67

    Article  Google Scholar 

  41. 41.

    El-Atawy A, Ibrahim K, Hamed HH (2005) Policy segmentation for intelligent firewall testing. In: IEEE workshop on secure network protocols (NPSec)

  42. 42.

    Al-Shaer E, El-Atawy A, Samak T (2009) Automated pseudo-live testing of firewall configuration enforcement. IEEE J Sel Areas Commun 27(3):302–314

    Article  Google Scholar 

  43. 43.

    Brucker AD, Brügger L, Wolff B (2013) Hol-TestGen/fw—an environment for specification-based firewall conformance testing. In: 10th theoretical aspects of computing (ICTAC)

Download references

Acknowledgements

We thank all anonymous reviewers for their insightful comments and suggestions. We also thank the FMCAD’17 organizers, Daryl Stewart and Georg Weissenbacher, for their help in preparing this paper. We thank Avi Silberschatz and Arvind Swaminathan for their valuable feedback on the earlier version of this work.

Author information

Affiliations

Authors

Corresponding author

Correspondence to Ruzica Piskac.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

This research was supported in part by the NSF under Grants CCF-1302327, CCF-1553168 and CCF-1715387.

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Hallahan, W.T., Zhai, E. & Piskac, R. Automated repair by example for firewalls. Form Methods Syst Des 56, 127–153 (2020). https://doi.org/10.1007/s10703-020-00346-0

Download citation

Keywords

  • Synthesis
  • Firewall repair
  • Programming by example
  • Network configuration