ABSTRACT
Firewalls are a widely deployed security mechanism to ensure the security of private networks in most businesses and institutions. The effectiveness of security protection provided by a firewall mainly depends on the quality of the policy configured in the firewall. However, designing and managing firewall policies are often error-prone due to the complex nature of firewall configurations as well as the lack of systematic analysis mechanisms and tools. This paper presents an innovative anomaly management framework for firewalls, adopting a rule-based segmentation technique to identify policy anomalies and derive effective anomaly resolutions. In particular, we articulate a grid-based representation technique for providing an intuitive cognitive sense about policy anomalies and facilitating efficient policy anomaly management. In addition, we demonstrate the feasibility and applicability of our framework through a proof-of-concept prototype of a visualization-based firewall policy analysis tool called Firewall Anomaly Management Environment (FAME).
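To make the segmentation idea concrete, the following added example (written for this page, not the FAME prototype's code) splits a small two-dimensional packet space (source address, destination port) into disjoint segments at every rule boundary and labels each segment as covered by a single rule, by several rules with the same action (redundancy), or by rules with differing actions (conflict), reporting which rule wins under first-match order. The rule set, the two-dimensional simplification and the `Rule` type are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class Rule:
    name: str
    src: tuple    # inclusive (lo, hi) source address range, as integers
    dport: tuple  # inclusive (lo, hi) destination port range
    action: str   # "allow" or "deny"

def _boundaries(intervals):
    # Every rule start and every (end + 1) is a cut point, so each
    # resulting cell lies entirely inside or entirely outside each rule.
    pts = set()
    for lo, hi in intervals:
        pts.update((lo, hi + 1))
    return sorted(pts)

def segment(rules):
    """Return {cell: [rules covering it]} for every non-empty disjoint cell."""
    xs = _boundaries(r.src for r in rules)
    ys = _boundaries(r.dport for r in rules)
    cells = {}
    for (x0, x1), (y0, y1) in product(zip(xs, xs[1:]), zip(ys, ys[1:])):
        cell = ((x0, x1 - 1), (y0, y1 - 1))
        covering = [r for r in rules
                    if r.src[0] <= x0 and x1 - 1 <= r.src[1]
                    and r.dport[0] <= y0 and y1 - 1 <= r.dport[1]]
        if covering:
            cells[cell] = covering
    return cells

def classify(rules):
    """Label each segment and name the rule that takes effect (first match)."""
    report = {}
    for cell, covering in segment(rules).items():
        if len(covering) == 1:
            kind = "single"
        elif len({r.action for r in covering}) == 1:
            kind = "redundant"    # same decision reached by several rules
        else:
            kind = "conflicting"  # decision depends on rule order
        report[cell] = (kind, [r.name for r in covering], covering[0].name)
    return report

# Constructed sample policy: r1 is overridden by a broader deny, r4 repeats r3.
SAMPLE_RULES = [
    Rule("r1", (10, 20), (80, 80), "allow"),
    Rule("r2", (0, 100), (80, 80), "deny"),
    Rule("r3", (50, 60), (443, 443), "allow"),
    Rule("r4", (50, 60), (443, 443), "allow"),
]
```

Running `classify(SAMPLE_RULES)` yields one conflicting segment (sources 10-20 on port 80, where r1 wins by order) and one redundant segment (sources 50-60 on port 443), which is the per-segment view an administrator needs before deciding on a resolution.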
FAME: a firewall anomaly management environment