
A formal logic approach to firewall packet filtering analysis and generation

Published in: Artificial Intelligence Review

Abstract

Recent years have seen a significant increase in the use of computers and in their ability to communicate with each other. With this has come the need for more security, and firewalls have proved themselves an important piece of the overall architecture, since the body of rules they implement is what actually realises their owners' security policy. Unfortunately, administrators get little help in understanding the actual meaning of firewall rules. This work shows that formal logic is an important tool in this respect, because it is particularly apt at modelling real-world situations and its formalism is conducive to reasoning about such a model. As a consequence, logic may be used to prove properties of the models it represents, and it is a sensible basis for building those models on computers so that such activities can be automated. We describe here a prototype which includes a description of a network and the body of firewall rules applied to its components. We were able to detect a number of anomalies within the rule set: nonexistent elements (e.g. hosts or services on destination components), redundancy in rules defining the same action for a network and for hosts belonging to it, irrelevance in rules that would involve traffic which never passes through the filtering device, and contradiction in the actions applied to elements or to a network and its hosts. The prototype also produces actual firewall rules, generated from the model and expressed in the syntax of IPChains and Cisco's PIX.
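The four anomaly classes the abstract lists (nonexistent elements, redundancy, irrelevance, contradiction) and the rule generation step can be made concrete on a small model. The following is an added example written for this page, not the authors' prototype and not its logic formalism: it encodes a constructed two-subnet network with one filtering device between the subnets, a constructed rule set containing one anomaly of each kind, the four checks as plain set-and-subnet reasoning, and renderers that emit the classic ipchains form (`-d address port`) and PIX `access-list` form. Host names, addresses, service lists, chain and ACL names are all assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # host (/32) or network, CIDR notation
    dst: str
    proto: str
    dport: int
    action: str   # "ACCEPT" or "DENY"


# Constructed network model (assumed, not from the paper): the filtering
# device sits between LAN and DMZ, so only LAN<->DMZ traffic traverses it.
# Each known host lists the services it really offers as "proto/port".
HOSTS = {
    "10.0.0.5/32": {"tcp/22"},
    "10.0.1.8/32": {"tcp/80", "tcp/443"},
}
FIREWALL_NETS = [ip_network("10.0.0.0/24"), ip_network("10.0.1.0/24")]

# Constructed rule set exhibiting one anomaly of each kind.
RULES = [
    Rule("r1", "10.0.0.0/24", "10.0.1.8/32", "tcp", 80, "ACCEPT"),
    Rule("r2", "10.0.0.5/32", "10.0.1.8/32", "tcp", 80, "ACCEPT"),   # redundant with r1
    Rule("r3", "10.0.0.5/32", "10.0.1.8/32", "tcp", 443, "DENY"),
    Rule("r4", "10.0.0.0/24", "10.0.1.8/32", "tcp", 443, "ACCEPT"),  # contradicts r3
    Rule("r5", "10.0.0.0/24", "10.0.1.9/32", "tcp", 80, "ACCEPT"),   # host does not exist
    Rule("r6", "10.0.0.0/24", "10.0.1.8/32", "tcp", 25, "ACCEPT"),   # service does not exist
    Rule("r7", "10.0.0.5/32", "10.0.0.0/24", "tcp", 22, "ACCEPT"),   # never crosses the device
]


def same_service(a, b):
    return a.proto == b.proto and a.dport == b.dport


def covers(a, b):
    """True when every (src, dst) pair matched by b is also matched by a."""
    return (ip_network(a.src).supernet_of(ip_network(b.src))
            and ip_network(a.dst).supernet_of(ip_network(b.dst)))


def side(net):
    """Index of the firewall-attached network containing net, or None."""
    for i, fw_net in enumerate(FIREWALL_NETS):
        if fw_net.supernet_of(net):
            return i
    return None


def nonexistent(rules):
    """Rules whose destination host, or service on that host, is not in the model."""
    out = []
    for r in rules:
        if ip_network(r.dst).prefixlen != 32:
            continue                      # only single hosts are checked here
        services = HOSTS.get(r.dst)
        if services is None:
            out.append((r.name, f"unknown host {r.dst}"))
        elif f"{r.proto}/{r.dport}" not in services:
            out.append((r.name, f"no service {r.proto}/{r.dport} on {r.dst}"))
    return out


def redundant(rules):
    """(a, b) pairs where a already decides, with the same action, everything b matches."""
    return [(a.name, b.name) for a in rules for b in rules
            if a is not b and same_service(a, b) and a.action == b.action and covers(a, b)]


def irrelevant(rules):
    """Rules whose traffic stays on one side of the device or never reaches it."""
    out = []
    for r in rules:
        s, d = side(ip_network(r.src)), side(ip_network(r.dst))
        if s is None or d is None or s == d:
            out.append(r.name)
    return out


def contradictory(rules):
    """Pairs with overlapping src/dst and the same service but opposite actions."""
    out = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            if (a.action != b.action and same_service(a, b)
                    and ip_network(a.src).overlaps(ip_network(b.src))
                    and ip_network(a.dst).overlaps(ip_network(b.dst))):
                out.append((a.name, b.name))
    return out


def to_ipchains(r, chain="forward"):
    """Classic ipchains syntax: the destination port follows the -d address."""
    return f"ipchains -A {chain} -p {r.proto} -s {r.src} -d {r.dst} {r.dport} -j {r.action}"


def _pix_addr(cidr):
    net = ip_network(cidr)
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"


def to_pix(r, acl="inside_in"):
    """PIX access-list syntax with dotted masks instead of prefix lengths."""
    verb = "permit" if r.action == "ACCEPT" else "deny"
    return f"access-list {acl} {verb} {r.proto} {_pix_addr(r.src)} {_pix_addr(r.dst)} eq {r.dport}"


if __name__ == "__main__":
    print("nonexistent:  ", nonexistent(RULES))
    print("redundant:    ", redundant(RULES))
    print("irrelevant:   ", irrelevant(RULES))
    print("contradictory:", contradictory(RULES))
    for r in RULES:
        print(to_ipchains(r))
        print(to_pix(r))
```

The checks deliberately operate on the model rather than on the rendered rules: redundancy and contradiction are decided by subnet containment and overlap between the rules' address sets, and irrelevance by asking which of the device's attached networks each address set falls into, which is the information a rule file alone does not carry.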



Correspondence to Arosha Bandara.

Cite this article

Govaerts, J., Bandara, A. & Curran, K. A formal logic approach to firewall packet filtering analysis and generation. Artif Intell Rev 29, 223 (2008). https://doi.org/10.1007/s10462-009-9147-0
