Elsevier

Journal of Computational Science

Volume 23, November 2017, Pages 181-191
FARE: FDD-based firewall anomalies resolution tool

https://doi.org/10.1016/j.jocs.2017.09.003

Highlights

  • Classification and detection of misconfigurations using the FDD data structure.

  • Rule-set optimization and clean-up, by removing superfluous rules from a simple firewall.

  • Classification of anomalies in a multi-firewall environment, bringing out real configuration errors.

  • We proved the correctness and completeness of proposed inference systems.

  • We evaluated the scalability of our tool through experiments on firewall rule collections provided by the Tunisian Ministry of Finance Computer Centre (CIMF).

Abstract

Problems arising from firewall misconfigurations are common and have dramatic consequences for network operations. Therefore, the discovery and removal of these misconfigurations is a serious and complex problem to solve. In this paper, we address this problem using a data structure, the FDD (firewall decision diagram). We propose a new approach to rule-set optimization and clean-up, by removing superfluous rules from a simple firewall, and a fully automatic method to detect and fix misconfigurations. We also present a new classification of anomalies in a multi-firewall environment, bringing out real configuration errors. We proved the correctness and completeness of our method and demonstrated its scalability and applicability on configurations provided by the Tunisian Ministry of Finance Computer Centre (CIMF), with promising results.

Introduction

Firewall configurations are inherently difficult to manage. Studies [1], [2], [3] regularly report insufficient quality of firewall rulesets and highlight the critical problem of firewall misconfigurations. Since companies rely heavily on the availability of their networks, such misconfigurations are costly. Given the magnitude of this problem, our goal is to develop a method that automatically identifies and corrects configuration errors in a set of firewall rules with respect to the security policy. As an example, consider the enterprise network shown in Fig. 1. We have three firewalls delimiting three subdomains. The global security policy that should be implemented is described as follows:

  • Allow access from Zone_C to other zones except traffic from machine 172.16.0.25.

  • Deny all traffic from Zone_B to Zone_C.

  • Allow access from Zone_A to other zones except http access from machine 192.168.4.3 to subzone 172.13.14.0/24.

  • Accept all traffic from Zone_B to Zone_A except traffic from sub-zoneB1.

To deal with the firewall rules analysis problem, many solutions have been proposed, but they essentially have the following drawbacks:

  • In a multi-firewall environment, they consider anomalies between only two firewalls in a given network path, which cannot give a precise idea of the real conflicts that can arise between rules of different firewalls and obviously will not help to fix them.

  • In [4] the authors deal only with pairwise filtering rules. In this way, some other classes of configuration anomalies may go undetected. For example, we note that rule r5 in Firewall2 is partially shadowed (masked) by rule r1 and partially redundant to rule r7. Thus, removing this rule will not affect the firewall behavior, and therefore this rule can be considered unused.

  • Some studies do not distinguish between intentional syntactic anomalies and real configuration errors. For instance, in the network path composed of firewalls Firewall3 and Firewall2, respectively, packets from machine 172.27.0.25 will be rejected because they match rule r8 of Firewall2, which conforms to the global security policy SP. Although no misconfiguration is identified, most related studies [5], [6], [7] present the conflict between r8 of Firewall2 and r3 of Firewall3 as a purely syntactic anomaly, since these two rules handle common packets with different actions.

  • We can also note that the third rule, r10, in the configuration of Firewall1, shown in Table 1, is configured to accept all traffic from sub-zoneA2 to Zone_C, which conforms to the global security policy. But even if this rule is correct by itself, the firewall will reject the flow from sub-zoneA2 to 172.13.14.0/24 because it shares some packets with the preceding rule (i.e. packets matched by r5). So, in this case, the anomaly is an effective misconfiguration, since the security policy is not correctly implemented.

In this paper, we propose a new approach to correct discovered misconfigurations in real-case firewall configurations already designed to protect a given network; this is done by modifying some rule fields, changing their order, removing some rules … without increasing the configuration complexity. We also demonstrate its applicability and scalability through the use of a satisfiability solver. The major differences of the present work compared to our earlier work, presented in [8], are as follows: in this work we formally prove the correctness and completeness of the proposed inference systems using formal specification. We propose a method for rule-set optimization in a simple firewall by removing unused rules. We extract anomalies and decide whether each one is a real misconfiguration or an intended anomaly in a distributed environment by using the FDD (firewall decision diagram). We present a tool that provides initial results on the speed and accuracy of the proposed method in real-world conditions. Our tool uses the Limboole SAT (satisfiability) solver [9] as a verification tool, which can handle a large set of non-quantified Boolean clauses in reasonably good time.

This paper is organized as follows: Section 2 presents a summary of related work. Section 3 overviews the formal representation of firewall configurations and security policies and details the FDD structure. In Section 4, we present our method to discover and remove superfluous rules. In Section 5, we present our approach to discover simple and distributed firewall misconfigurations. In Section 6, we articulate our approach to resolve simple firewall misconfigurations. In Section 7, we first present a study of the complexity of our inference systems, and then we address the implementation and evaluation of our tool. Finally, we present our conclusions and discuss our plans for future work.

Section snippets

Intra and inter firewalls anomalies detection

Al-Shaer et al. [5] introduced a framework for discovering anomalies in simple and distributed firewalls. They also presented a new tool in [10] called PolicyVis; this tool allows inspecting firewall policies by discovering anomalies in simple or distributed firewalls. In their approach, they analyzed relations between rules using a state diagram that allows identifying anomalies and the pair of rules involved in these anomalies, or the pair of firewalls (in the case of inter-firewall anomalies

Preliminaries

In what follows, we define, formally, some key notions.

Superfluous rules identification

To verify whether a rule is superfluous, we need to ensure that removing it from each direct path will not affect the action of that path. So we define a superfluous rule in a simple firewall as follows:

Definition

A rule is considered to be superfluous in a simple firewall if, whenever this rule exists in the set of rules handled by a direct path, it is shadowed (i.e. it is not the first rule to be applied in this direct path) or redundant to the second rule in this path. Formally, a rule ri is superfluous
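The definition above, together with the r5 example from the introduction (shadowed by r1 on some paths, redundant to r7 on the others), as an added Python example; this is not code from the paper or its FARE tool. The rules, integer field domains and the names r1, r5, r7, r9 are constructed here to mirror the text's description and are not the paper's actual Firewall2 configuration.

```python
"""Added example (not the paper's tool): an FDD-style check for superfluous rules.

A rule is superfluous if, on every direct path where it matches, it is either
shadowed (not the first matching rule) or redundant to the next matching rule
(same action). Such a rule can be dropped without changing first-match behaviour."""
from itertools import product

# A rule: name, one (lo, hi) inclusive range per field, action. Fields are
# abstract integers (src index, dst index, port); all values are constructed.
RULES = [
    ("r1", ((0, 9),   (0, 99), (80, 80)),    "deny"),
    ("r5", ((5, 14),  (0, 99), (80, 80)),    "allow"),
    ("r7", ((10, 19), (0, 99), (0, 1023)),   "allow"),
    ("r9", ((0, 19),  (0, 99), (0, 65535)),  "deny"),
]

def intervals(rules, field):
    """Split one field's domain into the atomic intervals induced by all rule
    bounds; these are the outgoing edges of an FDD node for that field."""
    cuts = set()
    for _, ranges, _ in rules:
        lo, hi = ranges[field]
        cuts.update((lo, hi + 1))
    pts = sorted(cuts)
    return [(a, b - 1) for a, b in zip(pts, pts[1:])]

def direct_paths(rules):
    """Yield each FDD path (one atomic interval per field) with the ordered list
    of rules whose ranges contain the whole path (the path's direct rule set)."""
    nfields = len(rules[0][1])
    for path in product(*(intervals(rules, f) for f in range(nfields))):
        matched = [r for r in rules
                   if all(r[1][f][0] <= path[f][0] and path[f][1] <= r[1][f][1]
                          for f in range(nfields))]
        if matched:
            yield path, matched

def superfluous_rules(rules):
    """Names of rules that are shadowed or redundant on every path they appear
    in, i.e. removable without changing any first-match decision."""
    keep = set()  # rules that actually decide at least one path
    for _, matched in direct_paths(rules):
        first = matched[0]
        nxt = matched[1] if len(matched) > 1 else None
        if nxt is None or nxt[2] != first[2]:
            keep.add(first[0])  # first rule here is not redundant to the next
    return sorted({r[0] for r in rules} - keep)
```

On the constructed rules, r5 is shadowed by r1 on the paths with src 5-9 and redundant to r7 on the paths with src 10-14, so it is reported as superfluous while r1, r7 and r9 each decide at least one path.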

Misconfigurations detection

Once all firewall configurations have been updated by removing all superfluous rules, we can start the process of detection of misconfigurations in both simple and distributed firewalls.

Simple firewall misconfigurations resolution techniques

Our objective is to correct each misconfiguration with a minimum number of modifications and a minimum number of generated rules. In our approach, at each step we try to correct one misconfiguration (total or partial). To determine which correction method should be used in each case, we test whether the condition of each correction technique is verified. In fact, we parse the set of total and partial misconfigurations and then try to correct them by using one of the inference systems detailed in the

Complexity

For n rules in FC, there can be a maximum of 2n − 1 outgoing edges for a node. Therefore, the maximum number of paths in a constructed FDD is (2n − 1)^d, where d is the number of fields in each rule. After the construction of the FDD and the discovery of misconfigurations, all resolution operations, explained in Section 6, are done on the direct path elements DPi.R. Therefore, for the inference system for removing rules, the complexity (without counting the elementary functions) is equivalent to the

Discussion

Despite the work done on firewall rules management, most organizations would not easily allow firewall configurations to be modified without human supervision. However, one of the most intriguing findings from IBM's “2014 Cyber Security Intelligence Index” [33] is that over 95% of all security incidents investigated involve human error, and one of the most commonly recorded forms of human error is network system misconfiguration; also, the research presented in [34] has identified

Conclusion

In this paper we presented a set of inference systems for the management of misconfigurations in firewall rule sets. More precisely, our proposal is intended for discovering and fixing these misconfigurations by using a formal method and a data structure (FDD). Our approach also allows rule-set optimization in simple firewalls by removing rules that are no longer needed (called superfluous). The advantages of our proposal are the following: First, the resolution approach is optimal, using the

Acknowledgments

We are grateful to Mr. Khaled Ghorbel and Mr. Mohamed Aymen Messaoudi from the Tunisian Ministry of Finance Computer Centre (CIMF) for their beneficial comments and support and, especially, for providing us with the firewall rule collections used to evaluate the practical value of our work.

Amina Saâdaoui is a Ph.D.-student at the Higher School of Communication of Tunis (Sup’Com). Amina's research concerns network security, access control, formal specification as well as formal validation and verification techniques. She is a member of the Tunisian Association of Digital Security (TADS).

References (34)

  • M.G. Gouda et al., Structured firewall design, Comput. Netw. (2007).
  • A. Wool, A quantitative study of firewall configuration errors, IEEE Comput. (2004).
  • A. Wool, Trends in firewall configuration errors: measuring the holes in Swiss cheese, IEEE Internet Comput. (2010).
  • C. Diekmann et al., Semantics-preserving simplification of real-world firewall rule sets.
  • E. Al-Shaer et al., Firewall policy advisor for anomaly discovery and rule editing, IFIP/IEEE Eighth International Symposium on Integrated Network Management (2003).
  • E.S. Al-Shaer et al., Modeling and management of firewall policies, IEEE Trans. Netw. Serv. Manag. (2004).
  • T. Chomsiri et al., Firewall rules analysis.
  • F. Cuppens et al., Detection and removal of firewall misconfiguration.
  • A. Saadaoui et al., Automated and optimized FDD-based method to fix firewall misconfigurations.
  • Limboole SAT Solver (2015).
  • T. Tran et al., PolicyVis: firewall security policy visualization and inspection.
  • H. Hu et al., Detecting and resolving firewall policy anomalies, IEEE Trans. Dependable Secur. Comput. (2012).
  • H. Hu et al., FAME: a firewall anomaly management environment, SafeConfig (2010).
  • B. Khorchani et al., Firewall anomaly detection with a model checker for visibility logic.
  • N. Mukkapati et al., Detecting policy anomalies in firewalls by relational algebra and raining 2d-box model, IJCSNS International Journal of Computer Science and Network Security, vol. 13 (2013).
  • F. Cuppens et al., Detection and removal of firewall misconfiguration, Proceedings of the 2005 IASTED International Conference on Communication, Network and Information Security (CNIS 2005) (2005).
  • F. Cuppens et al., Misconfiguration management of network security components, IASTED International Conference on Communication, Network, and Information Security (CNIS 2005) (2005).
Nihel Ben Youssef received her engineering degree in computer science from the National Institute of Applied Science and Technology and her PhD from the Higher School of Communication of Tunis (Sup’Com). Nihel Ben Youssef Ben Souayeh is currently an Assistant Professor at the Higher Institute of Computer Science in Tunisia. Her research interests include network security, formal specification as well as formal validation and verification techniques. She is the co-founder of the Association of Computer Security (SECURINETS) in Tunisia. She is also a member of the Tunisian Association of Digital Security (TADS).

Adel Bouhoula obtained his undergraduate degree in computer engineering with distinction from the University of Tunis in Tunisia. He also holds a Masters, PhD and Habilitation from Henri Poincaré University in Nancy, France. Adel Bouhoula is currently a Professor at the Higher School of Communication of Tunis (Sup’Com). He is also the founder and Director of the Research Unit on Digital Security and the President of the Tunisian Association of Digital Security (TADS). His research interests include automated reasoning, algebraic specifications, formal specification as well as formal validation and verification techniques, network security, cryptography, and validation of cryptographic protocols.