Abstract
A firewall is a system acting as the interface between a network and one or more external networks. It implements the security policy of the network by deciding which packets to let through, based on rules defined by the network administrator. Any error in defining the rules may compromise the security of the system by letting unwanted traffic pass or by blocking desired traffic. Manual definition of rules often results in a set that contains conflicting, redundant or overshadowed rules, resulting in anomalies in the policy. Manually detecting and resolving these anomalies is a critical but tedious and error-prone task. Existing research on this problem has focused on the analysis and detection of anomalies in firewall policies. Previous works define the possible relations between rules, define anomalies in terms of those relations, and present algorithms to detect the anomalies by analyzing the rules. In this paper, we discuss some necessary modifications to the existing definitions of the relations. We present a new algorithm that simultaneously detects and resolves any anomaly present in the policy rules by the necessary reorder and split operations, generating a new anomaly-free rule set. We also present a proof of correctness of the algorithm. Finally, we present an algorithm to merge rules where possible, in order to reduce the number of rules and hence increase the efficiency of the firewall.
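The detection half of the problem the abstract describes, as an added example that is not the paper's own code: rules are tuples of inclusive integer ranges (protocol, source address, source port, destination address, destination port), the pairwise relation between two rules is classified, and each rule is compared against every earlier rule in first-match order to flag shadowing, redundancy, generalization and correlation. The field layout, the relation names (taken from the Al-Shaer taxonomy the paper builds on) and the sample policy are constructed for this example.

```python
import ipaddress

def net(cidr):
    """CIDR block -> inclusive (low, high) integer address range."""
    n = ipaddress.ip_network(cidr)
    return (int(n.network_address), int(n.broadcast_address))

TCP, ANY_PORT = (6, 6), (0, 65535)

def contains(outer, inner):
    """Every field range of `inner` lies inside the same field of `outer`."""
    return all(o[0] <= i[0] and i[1] <= o[1] for o, i in zip(outer, inner))

def overlaps(a, b):
    """Some packet matches both rules (every field range intersects)."""
    return all(x[0] <= y[1] and y[0] <= x[1] for x, y in zip(a, b))

def relation(a, b):
    """Classify how the field tuples of two rules relate to each other."""
    if not overlaps(a, b):
        return "disjoint"
    a_in_b, b_in_a = contains(b, a), contains(a, b)
    if a_in_b and b_in_a:
        return "exact"
    if b_in_a:
        return "superset"    # a covers every packet b matches
    if a_in_b:
        return "subset"      # b covers every packet a matches
    return "correlated"      # partial overlap, neither covers the other

def find_anomalies(rules):
    """Check each rule against every earlier rule (first match wins)."""
    findings = []
    for j, (fj, aj) in enumerate(rules):
        for i in range(j):
            fi, ai = rules[i]
            rel, same = relation(fi, fj), ai == aj
            if rel in ("exact", "superset"):      # rule j can never fire
                findings.append(("redundant" if same else "shadowed", j, i))
            elif rel == "subset" and not same:    # j is a wider exception to i
                findings.append(("generalization", j, i))
            elif rel == "correlated" and not same:  # order decides the outcome
                findings.append(("correlated", j, i))
    return findings

# Constructed sample policy: ((protocol, src, sport, dst, dport), action).
POLICY = [
    ((TCP, net("10.1.1.0/24"),   ANY_PORT, net("192.168.1.1/32"), (80, 80)),   "deny"),
    ((TCP, net("10.1.1.0/24"),   ANY_PORT, net("192.168.1.0/24"), (80, 80)),   "accept"),
    ((TCP, net("10.1.1.200/32"), ANY_PORT, net("192.168.1.0/24"), (80, 80)),   "deny"),
    ((TCP, net("10.1.1.0/25"),   ANY_PORT, net("192.168.1.7/32"), (80, 80)),   "accept"),
    ((TCP, net("10.1.1.128/26"), ANY_PORT, net("192.168.1.1/32"), (22, 8080)), "accept"),
]
```

Running `find_anomalies(POLICY)` reports rule 1 as a generalization of rule 0, rule 2 as shadowed by rule 1, rule 3 as redundant to rule 1, and rule 4 as correlated with rule 0; resolving them by reordering and splitting, as the paper's algorithm does, is the next step.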
Copyright information
© 2006 IFIP International Federation for Information Processing
Cite this paper
Abedin, M., Nessa, S., Khan, L., Thuraisingham, B. (2006). Detection and Resolution of Anomalies in Firewall Policy Rules. In: Damiani, E., Liu, P. (eds) Data and Applications Security XX. DBSec 2006. Lecture Notes in Computer Science, vol 4127. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11805588_2
DOI: https://doi.org/10.1007/11805588_2
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-36796-3
Online ISBN: 978-3-540-36799-4