Sage Journals: Discover world-class research

Abstract

Firewalls are essential for managing and protecting computer networks. They permit specifying which packets are allowed to enter a network, and also how these packets are modified by IP address translation and port redirection. Configuring a firewall is notoriously hard, and one of the reasons is that it requires using low level, hard to interpret, configuration languages. Equally difficult are policy maintenance and refactoring, as well as porting a configuration from one firewall system to another.

To address these issues we introduce a pipeline that assists system administrators in checking if: (i) the intended security policy is actually implemented by a configuration; (ii) two configurations are equivalent; (iii) updates have the desired effect on the firewall behavior; (iv) there are useless or redundant rules; additionally, an administrator can (v) transcompile a configuration into an equivalent one in a different language; and (vi) maintain a configuration using a generic, declarative language that can be compiled into different target languages.

The pipeline is based on IFCL, an intermediate firewall language equipped with a formal semantics, and it is implemented in an open source tool called FWS. In particular, the first stage decompiles real firewall configurations for iptables, ipfw, pf and (a subset of) Cisco IOS into IFCL. The second one transforms an IFCL configuration into a logical predicate and uses the Z3 solver to synthesize an abstract specification that succinctly represents the firewall behavior. System administrators can use FWS to analyze the firewall by posing SQL-like queries, and update the configuration to meet the desired security requirements. Finally, the last stage allows for maintaining a configuration by acting directly on its abstract specification and then compiling it to the chosen target language. Tests on real firewall configurations show that FWS can be fruitfully used in real-world scenarios.

Keywords

Firewall configuration languages Semantic-based tool Configuration analysis refactoring maintaining porting

Get full access to this article

View all access options for this article.

References

Adão,

Bozzato,

Dei Rossi,

Focardi and

F.L.

Luccio, Mignis: A semantic based tool for firewall configuration, in: Proc. of the 27th IEEE CSF, 2014, pp. 351–365.

Adão,

Focardi,

J.D.

Guttman and

F.L.

Luccio, Localizing firewall security policies, in: Proc. of the 29th IEEE CSF, Lisbon, Portugal, June 27–July 1, 2016, pp. 194–209.

C.J.

Anderson,

Foster,

Guha,

J.-B.

Jeannin,

Kozen,

Schlesinger and

Walker, NetKAT: Semantic foundations for networks, in: Proc. of the 41st ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL 2014), ACM, 2014.

Bartal,

A.J.

Mayer,

Nissim and

Wool, Firmato: A novel firewall management toolkit, ACM Transactions on Computer Systems 22(4) (2004), 381–420. doi:10.1145/1035582.1035583.

Bodei,

Degano,

Focardi,

Galletta and

Tempesta, Transcompiling firewalls, in: Proc. 7th International Conference on Principles of Security and Trust,

Bauer and

Küsters, eds, LNCS, Vol. 10804, 2018, pp. 303–324.

Bodei,

Degano,

Focardi,

Galletta,

Tempesta and

Veronese, Language-independent synthesis of firewall policies, in: Proc. 2018 IEEE European Symposium on Security and Privacy,

Piessens and

Smith, eds, 2018, pp. 92–106.

Bringhenti,

Marchetto,

Sisto,

Valenza and Towards a fully automated and optimized network security functions orchestration, in: 2019 4th International Conference on Computing, Communications and Security (ICCCS), Rome, Italy, October 10–12, 2019, 2019, pp. 1–7.

Ceragioli,

Degano and

Galletta, Are all firewall systems equally powerful? in: Procs of ACM SIGSAC 14th Workshop on Programming Languages and Analysis for Security, 2019, pp. 1–17. doi:10.1145/3338504.3357340.

Cisco: NAT order of operation, https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/6209-5.html/.

10.

Cisco IOS Technologies, https://www.cisco.com/c/en/us/products/ios-nx-os-software/ios-technologies/index.html.

11.

Cuppens,

Cuppens-Boulahia,

García-Alfaro,

Moataz and

Rimasson, Handling stateful firewall anomalies, in: SEC, IFIP Advances in Information and Communication Technology, Vol. 376, Springer, 2012, pp. 174–186.

12.

Cuppens,

Cuppens-Boulahia,

Sans and

Miège, A formal approach to specify and deploy a network security policy, in: Formal Aspects in Security and Trust (FAST’04), 2004, pp. 203–218.

13.

Diekmann,

Hupel,

Michaelis,

M.P.L.

Haslbeck and

Carle, Verified iptables firewall analysis and verification, J. Autom. Reasoning 61(1–4) (2018), 191–242. doi:10.1007/s10817-017-9445-1.

14.

Diekmann,

Michaelis,

M.P.L.

Haslbeck and

Carle, Verified iptables firewall analysis, in: The 15th IFIP Networking Conference, Vienna, Austria, May 17–19, 2016, 2016, pp. 252–260.

15.

Firestarter, 2007, http://www.fs-security.com/.

16.

Firewall builder, 2012, http://www.fwbuilder.org/.

17.

Firewall management: 5 challenges every company must address, https://www.algosec.com/wp-content/uploads/2016/03/Firewall-Management-5-Challenges-Every-Company-Must-Address-WEB.pdf.

18.

FireWall Synthesizer (FWS): Tool and examples, https://github.com/secgroup/fws.

19.

Fogel,

Fung,

Pedrosa,

Walraed-Sullivan,

Govindan,

Mahajan and

T.D.

Millstein, A general approach to network configuration analysis, in: 12th USENIX Symposium on Networked Systems Design and Implementation, NSDI 15, 2015, pp. 469–483.

20.

S.N.

Foley and

Neville, A firewall algebra for OpenStack, in: Proceedings of the 3rd IEEE Conference on Communications and Network Security, CNS 2015, 2015, pp. 541–549. doi:10.1109/CNS.2015.7346867.

21.

M.G.

Gouda and

A.X.

Liu, Structured firewall design, Computer Networks 51(4) (2007), 1106–1120. doi:10.1016/j.comnet.2006.06.015.

22.

W.T.

Hallahan,

Zhai and

Piskac, Automated repair by example for firewalls, in: 2017 Formal Methods in Computer Aided Design (FMCAD), 2017, pp. 220–229. doi:10.23919/FMCAD.2017.8102263.

23.

Hazelhurst, Algorithms for analysing firewall and router access lists, CoRR cs.NI/0008006 (2000), https://arxiv.org/abs/cs/0008006.

24.

Hazelhurst,

Attar and

Sinnappan, Algorithms for improving the dependability of firewall and filter rule lists, in: 2000 International Conference on Dependable Systems and Networks (DSN 2000), IEEE Computer Society, 2000, pp. 576–585. doi:10.1109/ICDSN.2000.857593.

25.

High level firewall language, 2003, http://www.hlfl.org.

26.

Jayaraman,

Bjørner,

Outhred and

Kaufman, Automated analysis and debugging of network connectivity policies, Technical Report, Microsoft, 2014.

27.

Jeffrey and

Samak, Model checking firewall policy configurations, in: Proceedings of the 10th IEEE International Symposium on Policies for Distributed Systems and Networks, POLICY 2009, 2009, pp. 60–67.

28.

Kazemian,

Varghese and

McKeown, Header space analysis: Static checking for networks, in: Proceedings of the 9th USENIX Symposium on Networked Systems Design and Implementation, NSDI 2012, 2012, pp. 113–126.

29.

KMyFirewall, 2008, https://sourceforge.net/projects/kmyfirewall/.

30.

R.M.

Marmorstein, Formal analysis of firewall policies, PhD thesis, College of William and Mary, 2008.

31.

Martínez,

Cabot,

Garcia-Alfaro,

Cuppens and

Cuppens-Boulahia, A model-driven approach for the extraction of network access-control policies, in: Proc. MDSec’12, ACM, 2012, pp. 5:1–5:6.

32.

A.J.

Mayer,

Wool and

Ziskind, Fang: A firewall analysis engine, in: Proc. of the 21st IEEE S&P 2000, 2000, pp. 177–187.

33.

Nelson,

Barratt,

D.J.

Dougherty,

Fisler and

Krishnamurthi, The Margrave tool for firewall analysis, in: Proceedings of the 24th Large Installation System Administration Conference, LISA 2010, 2010.

34.

Netfilter, https://www.netfilter.org/.

35.

NeTSPoC: A network security policy compiler, 2011, http://netspoc.berlios.de.

36.

Nipkow,

L.C.

Paulson and

Wenzel, Isabelle/HOL – a Proof Assistant for Higher-Order Logic, Lecture Notes in Computer Science, Vol. 2283, Springer, 2002. doi:10.1007/3-540-45949-9.

37.

Open Networking Foundation, Software-defined networking (SDN) definition, https://www.opennetworking.org/sdn-resources/sdn-definition.

38.

Packet Filter (PF), https://www.openbsd.org/faq/pf/.

39.

Pyroman, 2011, http://pyroman.alioth.debian.org/.

40.

Ranathunga,

Roughan,

Kernick and

Falkner, Malachite: Firewall policy comparison, in: 2016 IEEE Symposium on Computers and Communication (ISCC), 2016, pp. 310–317. doi:10.1109/ISCC.2016.7543759.

41.

Russell, Linux 2.4 packet filtering HOWTO, http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html.

42.

Shorewall, IPtables made easy, Shorewall, 2014, http://www.shorewall.net/.

43.

Stanford University backbone network configuration ruleset, https://bitbucket.org/peymank/hassel-public/.

44.

The IPFW Firewall, https://www.freebsd.org/doc/handbook/firewalls-ipfw.html.

45.

The Netfilter Project, Traversing of tables and chains, http://www.iptables.info/en/structure-of-iptables.html.

46.

Uncomplicated firewall, https://help.ubuntu.com/community/UFW.

47.

Valenza,

Spinoso and

Sisto, Formally specifying and checking policies and anomalies in service function chaining, J. Network and Computer Applications 146 (2019). doi:10.1016/j.jnca.2019.102419.

48.

Yuan,

Mai,

Su,

Chen,

Chuah and

Mohapatra, FIREMAN: A toolkit for FIREwall modeling and ANalysis, in: 27th IEEE S&P, 2006, pp. 199–213.

49.

Z3 theorem prover, https://github.com/Z3Prover/z3.

50.

Zhang,

Al-Shaer,

Jagadeesan,

Riely and

Pitcher, Specifications of a high-level conflict-free firewall policy language for multi-domain networks, in: Proc. of ACM Symposium on Access Control Models and Technologies (SACMAT 2007), ACM, 2007.

FWS: Analyzing,maintaining and transcompiling firewalls

Abstract

Keywords

Get full access to this article

References