
Firewall policy change-impact analysis

Published: 23 March 2008

Abstract

Firewalls are the cornerstones of the security infrastructure for most enterprises and have been widely deployed for protecting private networks. The quality of the protection provided by a firewall depends directly on the quality of its policy (i.e., its configuration). Due to the lack of tools for analyzing firewall policies, many firewalls in use today have policy errors. A firewall policy error either creates security holes that allow malicious traffic to sneak into a private network or blocks legitimate traffic and disrupts normal business processes, which in turn could lead to irreparable, if not tragic, consequences. A major cause of policy errors is policy changes. Firewall policies often need to be changed as networks evolve and new threats emerge, and users behind a firewall frequently ask the firewall administrator to modify rules to allow or protect the operation of some service.

In this article, we first present the theory and algorithms for firewall policy change-impact analysis. Our algorithms take as input a firewall policy and a proposed change, and output the exact impact of that change, so a firewall administrator can verify a proposed change before committing it. We implemented our firewall change-impact analysis algorithms and tested them on both real-life and synthetic firewall policies. The experimental results show that our algorithms are effective in terms of ensuring firewall policy correctness and efficient in terms of computing the impact of policy changes. Thus, our tool can be used in practice in the iterative process of firewall policy design and maintenance. Although the focus of this article is on firewalls, the change-impact analysis algorithms proposed here are not limited to firewalls; they can be applied to other rule-based systems, such as router access control lists (ACLs), as well.
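As an added illustration of the input/output contract described above (not code from the paper or its tool), the following computes the exact impact of a proposed rule change on a small first-match policy by cutting packet space at every rule boundary, a simpler elementary-interval decomposition rather than the paper's own algorithm; the three 16-bit fields, the default decision and the sample rules are constructed assumptions.

```python
from itertools import product

# Added example, not the paper's code. A rule is a dict of per-field
# inclusive integer ranges plus a decision; the first matching rule wins
# and an unmatched packet falls through to "deny". Three hypothetical
# 16-bit fields are assumed.
FIELDS = ("src", "dst", "dport")
DOMAIN = (0, 65535)

def make_rule(decision, **ranges):
    """Fields left unspecified match the whole domain."""
    return ({f: ranges.get(f, DOMAIN) for f in FIELDS}, decision)

def decide(policy, pkt, default="deny"):
    for ranges, decision in policy:
        if all(lo <= pkt[f] <= hi for f, (lo, hi) in ranges.items()):
            return decision
    return default

def elementary_cells(*policies):
    """Cut each field at every rule boundary of every given policy. Inside
    a resulting cell each rule matches all-or-nothing, so evaluating one
    representative packet per cell decides the whole cell exactly."""
    cuts = {f: {DOMAIN[0], DOMAIN[1] + 1} for f in FIELDS}
    for policy in policies:
        for ranges, _ in policy:
            for f, (lo, hi) in ranges.items():
                cuts[f].update((lo, hi + 1))
    per_field = []
    for f in FIELDS:
        pts = sorted(cuts[f])
        per_field.append([(pts[i], pts[i + 1] - 1) for i in range(len(pts) - 1)])
    return product(*per_field)

def change_impact(old_policy, new_policy):
    """Exact impact of a change: every region of packet space whose
    decision flips, as (cell, decision_before, decision_after)."""
    impact = []
    for cell in elementary_cells(old_policy, new_policy):
        pkt = {f: lo for f, (lo, _) in zip(FIELDS, cell)}
        before, after = decide(old_policy, pkt), decide(new_policy, pkt)
        if before != after:
            impact.append((dict(zip(FIELDS, cell)), before, after))
    return impact

# Constructed policy: block a bad source range, allow HTTP to a DMZ host.
OLD = [make_rule("deny", src=(1000, 1999)),
       make_rule("accept", dst=(5000, 5000), dport=(80, 80))]
WIDEN = make_rule("accept", dst=(5000, 5000), dport=(80, 443))
NEW_TOP = [WIDEN] + OLD    # proposed change: insert at the top of the policy
NEW_END = OLD + [WIDEN]    # alternative change: append at the end
```

`change_impact(OLD, NEW_TOP)` reports four regions flipped from deny to accept, one of them the explicitly blocked source range 1000..1999 now reaching the DMZ host on port 80, whereas `change_impact(OLD, NEW_END)` reports only the two regions the administrator intended to open.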



Published in

ACM Transactions on Internet Technology, Volume 11, Issue 4, March 2012, 80 pages
ISSN: 1533-5399
EISSN: 1557-6051
DOI: 10.1145/2109211
Copyright © 2008 ACM
Publisher: Association for Computing Machinery, New York, NY, United States

Publication History

• Accepted: 1 November 2011
• Revised: 1 September 2010
• Received: 1 October 2008
• Published: 23 March 2008

Qualifiers

• research-article
• Research
• Refereed
