ESORICS 2007: Computer Security – ESORICS 2007, pp 155-170

Change-Impact Analysis of Firewall Policies

  • Alex X. Liu
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4734)

Abstract

Firewalls are the mainstay of enterprise security and the most widely adopted technology for protecting private networks. The quality of protection provided by a firewall directly depends on the quality of its policy (i.e., configuration). Due to the lack of tools for analyzing firewall policies, most firewalls on the Internet have been plagued with policy errors. A firewall policy error either creates security holes that will allow malicious traffic to sneak into a private network or blocks legitimate traffic and disrupts normal business processes, which in turn could lead to irreparable, if not tragic, consequences.

A major source of policy errors stems from policy changes. Firewall policies often need to be changed as networks evolve and new threats emerge. In this paper, we first present the theory and algorithms for firewall policy change-impact analysis. Our algorithms take as input a firewall policy and a proposed change, then output the accurate impact of the change. Thus, a firewall administrator can verify a proposed change before committing it.
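To make the notion of the "accurate impact" of a change concrete, here is an added illustration; it is not the paper's algorithm or code. It models a first-match policy whose rules are boxes over four packet fields (source host, destination host, destination port, protocol, all encoded as small integer ranges) and reports the impact of inserting or deleting a rule as the disjoint boxes of packets whose decision changes, each with its old and new decision. The policy, the proposed rule and the field encodings are constructed sample data, and the box-subtraction interval arithmetic is one straightforward approach chosen here for clarity; the paper's own algorithms may differ.

```python
"""Change-impact analysis of a first-match firewall policy (illustration).

A packet is a point in a 4-dimensional integer space (src host, dst host,
dst port, protocol); a rule is a box in that space plus a decision; the
policy is a first-match list whose last rule matches every packet.  The
impact of a change is the set of packets whose decision differs between
the old and the new policy, reported as disjoint boxes.
"""
from typing import List, Optional, Tuple

Interval = Tuple[int, int]        # inclusive [lo, hi]
Box = Tuple[Interval, ...]        # one interval per packet field
Rule = Tuple[Box, str]            # (box, decision)
Impact = Tuple[Box, str, str]     # (box, old decision, new decision)


def intersect(a: Box, b: Box) -> Optional[Box]:
    """Box intersection, or None when the boxes are disjoint."""
    out = []
    for (alo, ahi), (blo, bhi) in zip(a, b):
        lo, hi = max(alo, blo), min(ahi, bhi)
        if lo > hi:
            return None
        out.append((lo, hi))
    return tuple(out)


def subtract(a: Box, b: Box) -> List[Box]:
    """The packets of a not in b, as a list of pairwise-disjoint boxes."""
    if intersect(a, b) is None:
        return [a]
    pieces: List[Box] = []
    rest = list(a)
    for i, ((alo, ahi), (blo, bhi)) in enumerate(zip(a, b)):
        if alo < blo:                                # slice of a below b in field i
            pieces.append(tuple(rest[:i] + [(alo, blo - 1)] + rest[i + 1:]))
        if ahi > bhi:                                # slice of a above b in field i
            pieces.append(tuple(rest[:i] + [(bhi + 1, ahi)] + rest[i + 1:]))
        rest[i] = (max(alo, blo), min(ahi, bhi))     # shrink field i to the overlap
    return pieces


def carve(boxes: List[Box], rules: List[Rule]) -> List[Box]:
    """Remove from every box the packets already matched by any of `rules`."""
    for box, _ in rules:
        boxes = [piece for region in boxes for piece in subtract(region, box)]
    return boxes


def resolve(boxes: List[Box], rules: List[Rule]) -> List[Tuple[Box, str]]:
    """First-match decision of `rules` for every packet in `boxes`, as disjoint
    (box, decision) pairs.  `rules` is expected to end with an all-matching default."""
    out: List[Tuple[Box, str]] = []
    for box, decision in rules:
        next_boxes: List[Box] = []
        for region in boxes:
            hit = intersect(region, box)
            if hit is not None:
                out.append((hit, decision))
            next_boxes.extend(subtract(region, box))
        boxes = next_boxes
    return out


def insert_impact(policy: List[Rule], pos: int, new_rule: Rule) -> List[Impact]:
    """Packets whose decision changes if `new_rule` is inserted at index `pos`."""
    box, new_dec = new_rule
    reach = carve([box], policy[:pos])      # packets that actually reach the new rule
    return [(b, old, new_dec) for b, old in resolve(reach, policy[pos:]) if old != new_dec]


def delete_impact(policy: List[Rule], pos: int) -> List[Impact]:
    """Packets whose decision changes if the rule at index `pos` is removed."""
    box, old_dec = policy[pos]
    reach = carve([box], policy[:pos])      # packets that currently reach this rule
    return [(b, old_dec, new) for b, new in resolve(reach, policy[pos + 1:]) if new != old_dec]


# Constructed sample data: hosts are 0-255, ports 0-65535, protocols 0-255.
ALL_HOSTS, ALL_PORTS, ALL_PROTOS = (0, 255), (0, 65535), (0, 255)
TCP, UDP = (6, 6), (17, 17)

POLICY: List[Rule] = [                                              # first match wins
    (((0, 255), (100, 100), (22, 22), TCP), "discard"),             # 0: no SSH to server 100
    (((0, 255), (100, 100), (0, 1023), TCP), "accept"),             # 1: other privileged TCP ports OK
    (((0, 255), ALL_HOSTS, (53, 53), UDP), "accept"),               # 2: DNS
    ((ALL_HOSTS, ALL_HOSTS, ALL_PORTS, ALL_PROTOS), "discard"),     # 3: default deny
]

# Proposed change: let hosts 10-20 reach all privileged TCP ports on server 100.
PROPOSED: Rule = (((10, 20), (100, 100), (0, 1023), TCP), "accept")

if __name__ == "__main__":
    for pos in (0, 1):
        print(f"insert proposed rule at {pos}:", insert_impact(POLICY, pos, PROPOSED))
    print("delete rule 0:", delete_impact(POLICY, 0))
```

Run as-is, the model shows why position matters: inserting the proposed rule at the top changes exactly one region, SSH (port 22) from hosts 10-20 to host 100, from discard to accept, silently undoing rule 0; inserting it after rule 0 changes no packet's decision at all, and deleting rule 0 re-opens SSH to host 100 from every host. Reviewing that reported impact before committing is the verification step the abstract describes.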

Keywords

Protocol Type, Integer Interval, Rule Deletion, Hard Requirement, Malicious Host

Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Alex X. Liu, Department of Computer Science and Engineering, Michigan State University, East Lansing, MI 48824-1266, U.S.A.