Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Computer Networks

Solving Firewall Policy Anomalies Using Generic Algorithm Abhishek K. Chawan

advertisement 
International Journal of Engineering Trends and Technology (IJETT) – Volume 20 Number 4 – Feb 2015
Solving Firewall Policy Anomalies Using Generic Algorithm
Abhishek K. Chawan1, Shashikant S. Mahajan2
1
2
Student, Dept. of Computer Engineering, Vidyalankar Institute of Technology, Mumbai, India
Assistant Professor, Dept. of Information Technology, Vidyalankar Institute of Technology, Mumbai, India
Abstract— Firewalls are major element of network security. But
handling firewall rules, especially in multi-firewall enterprise
networks, is very difficult and error-prone task. Firewall filtering
and processing mechanism must be written, ordered and defined
carefully to avoid firewall policy anomalies that may cause
network breakdown. It is crucial to define and modify filtering
rules in any firewall. Firewall requires intra- and inter-firewall
analysis to determine the proper rule placement and ordering in
the firewalls; we propose and identify all anomalies that could
exist in a multiple firewall environment. We also propose a set of
techniques and algorithms to automatically identify policy
anomalies in serial and distributed firewalls. These techniques
are well proposed and tested in different scenario of distributed
system to identify the genuineness of filtering rules and the
security of next generation firewalls.
Keywords—Firewall, Firewall Anomalies, Firewall
multiple firewall environment, Resolving Technique.
policy,
I. INTRODUCTION
This with the growing global Internet service and usage,
network security has gained cogent attention in the field of
research. Due to the increase in issues related to network
attacks, firewalls have become crucial integrated elements not
only in industry and enterprise networks but also petite lan
based user where day to day transactions takes place.
Firewalls have been the serious defence mechanism for secure
networks against attacks and unauthorized traffic by filtering
out undesirable network traffic coming into or going from the
secured network. The filtering judgment is taken according to
ordered filtering protocols defined based on predefined
security policy requirements.
A firewall policy may include anomalies, where a packet
may match with many different filtering rules. When the
filtering rules are delineated, serious diligence has to be given
to rule relations and interactions in order to determine the
proper rule ordering and gage correct security policy protocols.
As the number of filtering rules increases, the difficulty of
writing a new protocol or modifying an existing one also
increases.
The correct security policy is guaranteed when proper rule
reordering is established. Our assignment provides serious
attention regarding the relationship and interactions between
the rules to assign the rule reordering. Whenever there exists
huge augmentation in filtering rules, difficulty of mutating an
existing rule or writing a new axiom also increases. For
instance, axiom is said to be clash when it has same filtering
part but possesses different actions. Typically, many of the
large scale networks involve hundred and thousands of axioms
which is recorded by various administrators in different times.
The potential of clashes (anomalies) in the policy rule of
ISSN: 2231-5381
firewall is undoubtedly increased by this scenario. Moreover,
it increases the burden of network.
II. RELATED W ORK
Analysing firewall policies has been extensively studied in
the research community. A logical framework for anomaly
detection presented in [1]. In [2] a framework for detection of
firewall anomalies proposed. A decision tree based solution
presented in [3] for analyzing firewall anomalies. FIREMAN
tool is developed for static analysis of conflicts in firewall [4].
This tool is designed based on binary decision diagrams. Total
conflicts are not considered in this tool.
In [5] a scheme for anomaly resolution is presented based
on the idea of adding resolve filters. Al-Shaer and H. Hamed
[6] identified the anomalies that could exist in both single- and
multi-firewall environments. A tool named “Firewall Policy
Advisor” was also designed based on their methods. However,
this work doesn’t address the problem of reordering rules.
III. OVERVIEW OF F IREWALL
The firewall policy consists of array of rules that define the
actions performed on packets so that, it satisfy certain
ballgames. A rule consists of certain conditions that perform
some activity. The rules are specified in the form of (condition;
action). A condition in a rule comprises a set of fields that can
identify specific packets matched by this rule. Table I shows a
paradigm of firewall policy which includes 5 firewall rules- r1,
r2, r3, r4, r5. In Table I, a single “*” appearing in the IP
address field represents an IP address range from 0.0.0.0 to
255.255.255.255 and single “*” appearing in the port field
represents port range from 0 to 65535. Several related works
[2], [3] categorized different firewall policy anomalies. The
typical firewall policy anomalies are:
1) Shadowing: A rule is shadowed when one or more of
preceding rules that matches all the packets matched by this
rule, in such a way that the shadowed rule is never activated.
Shadowing can be considered as a critical error in the policy,
because the shadowed rule never takes effect. For example, r4
is obscured by r3 in Table I. In r3 packets with tcp protocol
having source IP (100.12.*.*) are accepted whereas, in r4
those packets with Source IP (100.12.1.*) is denied. Since, r4
is obscured by r3; r4 will be neglected by accepting packets
with all Source IP.
2) Generalization: A rule is a generalization of one or
more of preceding rules if they have different actions and if a
subset of packets matched by this rule also matches the
preceding rules. For example, r5 is an abstraction of r4 in
Table I, implies that all packets arriving from the address
100.12.1.* will be confirmed, except the tcp packet coming
http://www.ijettjournal.org
Page 200
International Journal of Engineering Trends and Technology (IJETT) – Volume 20 Number 4 – Feb 2015
from 100.12.1.* to the port 53 of 182.168.1.*. It is considered
just as an unconformity warning because the specific rule
makes an exception of the general rule. This might cause
preventing of an accepted traffic or a denied traffic to be
permitted.
3) Correlation: If a rule intersects with rules but have
different action, then this rule is said to be corresponds with
other rules. Here, the packets matched by the intersection of
those rules may be denied by one rule, but permitted by others.
For example, r2 is in correlation with r5 in Table I. The two
rules with this ordering connote that all UDP packets coming
from any port of 100.12.1.* to the port 80 of 152.32.1.* match
the intersection of these. Since, r2 precedes r5, every packet
within the intersection of r5 will be denied by r2.
4) Redundancy: A rule is redundant if there is another
same or more general rule at hand that has same action on the
same packet such that if the redundant rule is removed, the
overall firewall policy will not be affected. For example, r1 is
redundant to r2 in Table I, since all UDP packets arriving
from any port of 100.12.2.* to the port 80 of 152.32.1.*
matched with r1 can match r2 as well with the same action.
5) Irrelevance Anomaly: If a rule cannot match to any
traffic that might flow through the network, then the rule is
called irrelevant. This happens when the source address and
destination address fields of the rule do not match any domain
reachable through this firewall.
TABLE I
FIREWALL POLICY E XAMPLE
Rule
r1
Proto
col
UDP
r2
UDP
r3
TCP
r4
TCP
r5
*
Source
IP
100.12.2
.*
100.12.*
.*
100.12.*
.*
100.12.1
.*
100.12.1
.*
Source
Port
*
*
*
*
*
Dest
IP
152.32.1
.*
152.32.1
.*
182.168.
*.*
182.168.
1.*
*
Dest
Port
80
Action
80
Deny
53
Allow
53
Deny
*
Allow
Deny
IV. F IREWALL ANOMALIES D ISCOVERY AND RESOLUTION
A. HSM Algorithm
Hierarchical Space Mapping (HSM) classifies packets
using policy lookup table which has four parameters. The four
parameters considered in the policy lookup table are
destination IP address (DA), source IP address (SA),
destination port number (DP), and source port (SP) number.
HSM algorithm maps the lookup domains two-to-one and
hierarchically and thus reduces the searching fields.
ISSN: 2231-5381
Fig. 1 Packet flow in HSM
First, it maps the 2 IP address spaces (DA, SA) and the 2
port number spaces (DP, SP) into non overlapped segments
according the network address ranges and port number ranges
used in the policy table, and reduces the original fourdimension space to a two-dimension space by looking up the
two tables, which are AMT (source/destination IP address
mapping table) and PMT (source/destination port number
mapping table). The two-dimension tables resulted from the
previous step is transformed to the one-dimension policy table.
This is done by looking up the third table PLT (policy lookup
table). Step by step flow of packet in HSM is shown in Fig. 1
[7]. Policy Lookup Table gives information about conflicting
rules. Procedure for Generation of Policy Lookup Table is as
follows.
1) IP addresses fragmentation: IP address decomposition
is done for both source address space and destination address
space respectively. For each address range from the policy
table, its two boundaries IP addresses are marked down in the
corresponding source address or destination address IP space.
After completion of construction of policies in the policy
table, for each segment that is following at least one policy
falls in it, an Address Sequence Number (ASN)is assigned in
the ascending order along the direction of increasing IP
address, starting from 0.
2) Port number fragmentation: The principle of port
number fragmentation to get Port Sequence Number (PSN) is
similar to IP address fragmentation.
3) Generation of address mapping table (AMT): For IP
address segmentation, a bitmap is assigned for each address
sequence number. The bit map has one bit for each policy in
the policy table. Each entry of address mapping table is given
an address group number (AGN) which is according to the
order of its appearance and with a bit map tagged to it.
http://www.ijettjournal.org
Page 201
International Journal of Engineering Trends and Technology (IJETT) – Volume 20 Number 4 – Feb 2015
TABLE II
AMT STRUCTURE AND SETUP
AMT
DA#0
DA#1
DA#2
SA#0
SA#1
1,2
0,1,2
2
0
SA#2
1,2
1,2
2
SA#3
1
1
TABLE III
PMT STRUCTURE AND SETUP
PMT
DP#0
DP#1
DP#2
SP#0
SP#1
1
0,1
1
0
SP#2
1
0,1,2
1,2
SP#3
0,2
2
4) Generation of port mapping table (PMT): The
generation of port mapping table is similar to address mapping
table. The bit map has one bit for each policy in the policy
table. Each entry of port mapping table is given a port group
number (PGN) according to the order of its appearance, and
also has a BM tagged to it. These Bit Maps are not physically
stored in the lookup table, they are only used in the setup of
lookup tables. After deriving look-up table, the bit maps will
be released.
TABLE IV
PLT STRUCTURE AND SETUP
PLT
PGN#0
PGN#1
PGN#2
PGN#3
PGN#4
PGN#5
PGN#6
AGN#0
1
1
1(2)
2
1(2)
2
AGN#1
1
1
1
AGN#2
0
0
0
0
1
AGN#3
1
0
0(1)
0(1)(2)
0(2)
1(2)
2
AGN#4
2
2
2
2
5) Generation of policy lookup table (PLT): Each entry
of Policy Lookup Table (PLT) is filled with a policy number.
The Bit Maps of address group number and port group
numbers are combined and then the policy number of the
highest priority is picked out. Sample policy table is shown
below.
TABLE V
POLICY T ABLE U SED AS E XAMPLE FOR HSM ALGORITHM
Rule
SA Range
DA Range
0
0.0.0.0 ~
64.0.0.0
32.0.0.0 ~
255.255.255
.255
32.0.0.0 ~
128.0.0.0
32.0.0.0 ~
64.0.0.0
0.0.0.0 ~
64.0.0.0
1
2
0.0.0.0 ~
255.255.255
.255
ISSN: 2231-5381
SP
Range
0~
65535
64 ~
256
DP
Range
128 ~
256
0~
65535
Action
128 ~
65535
128 ~
65535
Deny
Deny
Permit
B. Conflict Resolution
After detection of conflicting segments, each conflicting
segment indicates a set of conflicting rules involved in the
conflict. Our conflict resolution mechanism introduces that an
action constraint is assigned to each conflicting segment.
When any packet within the conflicting segment comes to the
firewall, an action constraint for a conflicting segment defines
a desired action i.e. either Allow or Deny.
Once conflicts in a firewall policy are identified, the risk
assessment for conflicts is performed [8]. A risk level of a
conflicting segment is used to directly determine the expected
action taken for the network packets in the conflicting
segment. If the risk level is very high, the expected action
should deny packets considering the protection of network
perimeters. Else, if the risk level is quite low, the expected
action should allow packets to pass through the firewall so
that the availability and usage of network services cannot be
affected. These risk levels are assigned by admin to the
conflicted segments according to the weight or the importance
value got for the conflicted rules.
Thus, conflict resolution strategies can be generated
automatically for conflict segments by comparing the risk
levels with two thresholds, upper threshold (UT) and lower
threshold (LT), which can be set by system administrators
based on the different situations of protected networks. To
resolve policy conflicts based on the results of risk assessment
of the network covered by corresponding conflicting segments
following strategies are used.
1) Deny-overrides: This strategy indicates that “deny”
rules take precedence over “allow” rules. In general, a system
administrator may directly take this strategy to harden his
network if the risk level of a conflict is very high.
2) Allow-overrides: This strategy states that “allow” rules
take precedence over “deny” rules. A system administrator
may apply this strategy to resolve a conflict, which has a
lower risk level.
3) Recency-overrides: This strategy indicates that rules
take precedence over rules specified earlier. As the security
requirements may change over a period of time, an
administrator may define new rules along with his evolving
security requirements which may be in conflict with previous
security requirements. So obviously, in this case, newer rules
should take precedence over older rules.
4) High-majority-overrides: This strategy allows a packet
if the number of rules taking “allow” action is greater than the
number of rules taking “deny” action and denies a packet if
the number of rules taking “deny” action is greater than the
number of rules taking “allow” action.
5) High-authority-overrides: This strategy states that a
rule defined by an administrator with a higher authority level
takes precedence.
V. CONCLUSIONS
In this paper, a firewall policy anomaly management
framework is used with the help of generic algorithms that can
http://www.ijettjournal.org
Page 202
International Journal of Engineering Trends and Technology (IJETT) – Volume 20 Number 4 – Feb 2015
perform systematic detection and resolution of firewall policy
anomalies raised and experienced during high network traffic
scenarios. Rule-based segmentation mechanism and technique
achieves the goal of effective and efficient anomaly analysis
and the results validate our claim. We implemented user
access control policies of a network host which transforms a
normal host to a bastion host like environments which can be
used in high end systems such as servers. Results suggest that
it is an empirical and helpful system for system administrators
to ensure a secured network environment.
REFERENCES
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
Arosha, B., K. Kakas, A.L. Emil and C.R. Alessandra, 2006. Using
argumentation logic for firewall policy specification and analysis.
Proceedings of the 17th IFIP/IEEE Distributed Systems: Operations
and Management (DSOM), Springer Verlag.
Lubna K, Robin Cyriac “A Study on Firewall Policy Anomaly
Representation Techniques,” International Journal of Advanced
Research in Computer and Communication Engineering Vol. 2, Issue 4,
April 2013.
Liu, A. and M. Gouda, 2005. Complete redundancy detection in
firewalls. Proceedings of the 19th Annual IFIP Conference on Data and
Applications Security.
Yuan, L., J. Mai, Z. Su, H. Chen, C. Chuah and P. Mohapatra, 2006.
FIREMAN: A toolkit for FIREwall Modeling and Analysis, in Proc.
IEEE Symposium on Security and Privacy, pp: 199-213.
Adiseshu, H., S. Suri and G. Parulkar, 2000. “Detecting and Resolving
Packet Filter Conflict,”Proceedings of IEEE Infocom.
Al-Shaer and H. Hamed, “Design and implementation of firewall
policy advisor tools,” Technical Report CTI-techrep0801, School of
Computer Science Telecommunications and Information Systems,
DePaul University, August 2002.
Mrudul Dixit, Anuja Kale, Madhavi Narote, Sneha Talwalkar, and B.
V. Barbadekar, “Fast Packet Classification Algorithms,” International
Journal of Computer Theory and Engineering, Vol. 4, No. 6, December
2012.
Hongxin Hu, Student Member, IEEE, Gail-Joon Ahn, Senior Member,
IEEE, and Ketan Kulkarni, “Detecting and Resolving Firewall Policy
Anomalies,” IEEE Transactions On Dependable And Secure
Computing, Vol. 9, No. 3, May/June 2012.
ISSN: 2231-5381
http://www.ijettjournal.org
Page 203
Related documents
1-07 ICS2O3C - Warriors of the Net
1-07 ICS2O3C - Warriors of the Net
1 2
1 2
Firewalking
Firewalking
SI110 Spring AY13 Alpha:___________ Name:________________________________
SI110 Spring AY13 Alpha:___________ Name:________________________________
Guide to Firewalls and Network Security
Guide to Firewalls and Network Security
technical planning - St. Joseph Elementary School Library
technical planning - St. Joseph Elementary School Library
Why we all care: the changing home
Why we all care: the changing home
Firewall Services Request
Firewall Services Request
Download
advertisement