Sage Journals: Discover world-class research

Abstract

Network and host-based access controls, for example, firewall systems, are important points of security-demarcation, operating as a front-line defence for networks and networked systems. A firewall policy is conventionally defined as a sequence of order-dependant rules, and when a network packet matches with two or more policy rules, the policy is anomalous. Policies for access-control mechanisms may consist of thousands of access-control rules, and correct management is complex and error-prone. We argue that a firewall policy should be anomaly-free by construction, and as such, there is a need for a firewall policy language that allows for constructing, comparing, and composing anomaly-free policies. In this paper, an algebra is proposed for constructing and reasoning about anomaly-free firewall policies. Based on the notion of refinement as safe replacement, the algebra provides operators for sequential composition, union and intersection of policies. The effectiveness of the algebra is demonstrated by its application to anomaly detection, and standards compliance. The effectiveness of the approach in practice is evaluated through a mapping to/from iptables. The algebra is used to specify and reason about iptables firewall policy configurations. A prototype policy management toolkit has been implemented.

Keywords

Firewalls algebra iptables anomalies policy-composition

Get full access to this article

View all access options for this article.

References

Adão,

Bozzato,

Dei Rossi,

Focardi and

F.L.

Luccio, Mignis: A semantic based tool for firewall configuration, in: Computer Security Foundations Symposium (CSF), 2014 IEEE 27th, IEEE, 2014, pp. 351–365. doi:10.1109/CSF.2014.32.

Al-Shaer and

Hamed, Firewall policy advisor for anomaly discovery and rule editing, in: 8th IFIP/IEEE International Symposium on Integrated Network Management, Colorado Springs, USA, March, 2003.

Al-Shaer,

Hamed,

Boutaba and

Hasan, Conflict classification and analysis of distributed firewall policies, IEEE Journal on Selected Areas in Communications 23(10) (2005), 2069–2084.

Bartal,

Mayer,

Nissim and

Wool, Firmato: A novel firewall management toolkit, in: 20th IEEE Symposium on Security and Privacy, Oakland, CA, USA, May, 1999.

Birkhoff, Lattice Theory, 3rd edn, American Mathematical Society Colloquium Publications, Vol. XXV, American Mathematical Society, 1967.

A.D.

Brucker,

Brügger and

Wolff, Formal firewall conformance testing: An application of test and proof techniques, Softw. Test. Verif. Reliab. 25(1) (2015), 34–71. doi:10.1002/stvr.1544.

Buttyán,

Pék and

T.V.

Thong, Consistency verification of stateful firewalls is not harder than the stateless case, Infocommunications Journal 64(1) (2009), 2–8.

Chomsiri and

Pornavalai, Firewall rules analysis, in: International Conference on Security and Management (SAM), Las Vegas, Nevada, USA, June, 2006.

Cotton and

Vegoda, Special use IPv4 addresses, RFC 5735, January 2010.

10.

Cuppens,

Cuppens-Boulahia and

García-Alfaro, Detection and removal of firewall misconfiguration, in: IASTED International Conference on Communication, Network and Information Security (CNIS), November, 2005.

11.

Cuppens,

Cuppens-Boulahia,

García-Alfaro,

Moataz and

Rimasson, Handling stateful firewall anomalies, in: Information Security and Privacy Research – 27th IFIP TC 11 Information Security and Privacy Conference, SEC 2012, Heraklion, Crete, Greece, June 4–6, Proceedings, 2012, pp. 174–186.

12.

Cuppens,

Cuppens-Boulahia,

Sans and

Miège, A formal approach to specify and deploy a network security policy, in: 2nd Workshop on Formal Aspects in Security and Trust (FAST), August, 2004.

13.

D.E.

Denning, A lattice model of secure information flow, Commun. ACM 19(5) (1976), 236–243. doi:10.1145/360051.360056.

14.

Diekmann,

Michaelis,

M.P.L.

Haslbeck and

Carle, Verified iptables firewall analysis, in: 2016 IFIP Networking Conference, Networking 2016 and Workshops, Vienna, Austria, May 17–19, IEEE, 2016, pp. 252–260. doi:10.1109/IFIPNetworking.2016.7497196.

15.

Eronen and

Zitting, An expert system for analyzing firewall rules, in: 6th Nordic Workshop on Secure IT Systems (NordSec), Copenhagen, Denmark, November, 2001, pp. 100–107.

16.

Fabrice, iptables extensions – time module, http://ipset.netfilter.org/iptables-extensions.man.html (accessed February 2017).

17.

W.M.

Fitzgerald and

S.N.

Foley, Management of heterogeneous security access control configuration using an ontology engineering approach, in: 3rd ACM Workshop on Assurable and Usable Security Configuration, SafeConfig 2010, Chicago, IL, USA, October 4, 2010, pp. 27–36.

18.

W.M.

Fitzgerald,

Neville and

S.N.

Foley, MASON: Mobile autonomic security for network access controls, Journal of Information Security and Applications (JISA) 18(1) (2013), 14–29. doi:10.1016/j.jisa.2013.08.001.

19.

S.N.

Foley, Reasoning about confidentiality requirements, in: Seventh IEEE Computer Security Foundations Workshop – CSFW ’94, Franconia, New Hampshire, USA, June 14–16, Proceedings, 1994, pp. 150–160. doi:10.1109/CSFW.1994.315939.

20.

S.N.

Foley, The specification and implementation of commercial security requirements including dynamic segregation of duties, in: ACM Conference on Computer and Communications Security, 1997, pp. 125–134.

21.

S.N.

Foley and

W.M.

Fitzgerald, An approach to security policy configuration using semantic threat graphs, in: 23rd Annual IFIP WG 11.3 Working Conference on Data and Applications Security (DBSec), LNCS, Springer, 2009, pp. 33–48.

22.

S.N.

Foley and

Neville, A firewall algebra for openstack, in: 2015 IEEE Conference on Communications and Network Security, CNS 2015, Florence, Italy, September 28–30, 2015, pp. 541–549. doi:10.1109/CNS.2015.7346867.

23.

García-Alfaro,

Cuppens,

Cuppens-Boulahia,

Martínez Perez and

Cabot, Management of stateful firewall misconfiguration, Computers & Security 39 (2013), 64–85. doi:10.1016/j.cose.2013.01.004.

24.

García-Alfaro,

Cuppens,

Cuppens-Boulahia and

Preda, MIRAGE: A management tool for the analysis and deployment of network security policies, in: Data Privacy Management and Autonomous Spontaneous Security – 5th International Workshop, DPM 2010 and 3rd International Workshop, SETOP 2010, Athens, Greece, September 23, Revised Selected Papers, 2010, pp. 203–215.

25.

Gheorghe, Designing and Implementing Linux Firewalls with QoS Using Netfilter, iproute2, NAT and l7-Filter, PACKT Publishing, 2006.

26.

J.D.

Guttman, Filtering postures: Local enforcement for global policies, in: IEEE Symposium on Security and Privacy, May, 1997, pp. 120–129.

27.

Hari,

Suri and

Parulkar, Detecting and resolving packet filter conflicts, in: 19th Annual Joint Conference of the IEEE Computer and Communications Societies, INFOCOM, Vol. 3, 2000, pp. 1203–1212.

28.

J.L.

Jacob, The varieties of refinement, in: Proceedings of the 4th Refinement Workshop,

J.M.

Morris and

R.C.

Shaw, eds, Springer, Heidelberg, 1991, pp. 441–455. doi:10.1007/978-1-4471-3756-6_19.

29.

Jajodia,

Samarati,

M.L.

Sapino and

V.S.

Subrahmanian, Flexible support for multiple access control policies, ACM Trans. Database Syst. 26(2) (2001), 214–260. doi:10.1145/383891.383894.

30.

Jarraya,

Eghtesadi,

Debbabi,

Zhang and

Pourzandi, Cloud calculus: Security verification in elastic cloud computing platform, in: International Conference on Collaboration Technologies and Systems (CTS), IEEE, 2012, pp. 447–454. doi:10.1109/CTS.2012.6261089.

31.

Launay, High level firewall language, 2003, https://www.cusae.com/hlfl/ (accessed August 2016).

32.

Levandoski

et al., iptables L7-filter pattern writing, 2008, http://l7-filter.sourceforge.net/Pattern-HOWTO (accessed February 2017).

33.

Levandoski

et al., iptables L7-filter supported protocols, 2008, http://l7-filter.sourceforge.net/protocols (accessed February 2017).

34.

Liu,

Gouda,

Ma and

Hgu, Firewall queries, in: 8th International Conference on Principles of Distributed Systems (OPODIS), Grenoble, France, December, 2004, pp. 197–212.

35.

Mayer,

Wool and

Ziskind, Fang: A firewall analysis engine, in: 21st IEEE Symposium on Security and Privacy, Oakland, CA, USA, May, 2000.

36.

Nebehaj, Python-iptables – Python bindings for iptables, https://pypi.python.org/pypi/python-iptables (accessed August 2016).

37.

Netfilter Core Team, Linux iptables – CLI for configuring the Linux kernel firewall, Netfilter, http://www.netfilter.org/projects/iptables/index.html (accessed February 2017).

38.

Neville and

S.N.

Foley, Reasoning about firewall policies through refinement and composition, in: Data and Applications Security and Privacy XXX – 30th Annual IFIP WG 11.3 Conference, DBSec 2016, Trento, Italy, July 18–20, Proceedings, 2016, pp. 268–284.

39.

Ocean, Pyinter – a small and simple library written in Python for performing interval and discontinous range arithmetic, 2015, https://pypi.python.org/pypi/pyinter/ (accessed August 2016).

40.

Postel,

Johnson,

Markson,

Simpson and

Su, Internet control message protocol (ICMP) parameters, 2013, https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml (accessed February 2017).

41.

Scarfone and

Hoffman, Guidelines on firewalls and firewall policy: Recommendations of the National Institute of Standards and Technology, NIST Special Publication 800-41, Revision 1, September 2009.

42.

J.M.

Spivey, The Z Notation: A Reference Manual, 2nd edn, Series in Computer Science, Prentice Hall International, 1992.

43.

Wool, Trends in firewall configuration errors: Measuring the holes in Swiss cheese, IEEE Internet Computing 14(4) (2010), 58–65. doi:10.1109/MIC.2010.29.

44.

Yuan,

Chen,

Mai,

Chuah,

Su and

Mohapatra, Fireman: A toolkit for firewall modeling and analysis, in: 2006 IEEE Symposium on Security and Privacy, IEEE, 2006, 15 pp. doi:10.1109/SP.2006.16.

45.

Zhao and

S.M.

Bellovin, Policy algebras for hybrid firewalls, Number CUCS-017-07, March 2007.