research-article

Firewall policy change-impact analysis

Author:

Alex X. LiuAuthors Info & Claims

ACM Transactions on Internet Technology (TOIT), Volume 11, Issue 4

Article No.: 15, Pages 1 - 24

https://doi.org/10.1145/2109211.2109212

Published: 23 March 2008 Publication History

Abstract

Firewalls are the cornerstones of the security infrastructure for most enterprises. They have been widely deployed for protecting private networks. The quality of the protection provided by a firewall directly depends on the quality of its policy (i.e., configuration). Due to the lack of tools for analyzing firewall policies, many firewalls used today have policy errors. A firewall policy error either creates security holes that will allow malicious traffic to sneak into a private network or blocks legitimate traffic and disrupts normal business processes, which in turn could lead to irreparable, if not tragic, consequences. A major cause of policy errors are policy changes. Firewall policies often need to be changed as networks evolve and new threats emerge. Users behind a firewall often request the firewall administrator to modify rules to allow or protect the operation of some services.

In this article, we first present the theory and algorithms for firewall policy change-impact analysis. Our algorithms take as input a firewall policy and a proposed change, then output the accurate impact of the change. Thus, a firewall administrator can verify a proposed change before committing it. We implemented our firewall change-impact analysis algorithms, and tested them on both real-life and synthetic firewall policies. The experimental results show that our algorithms are effective in terms of ensuring firewall policy correctness and efficient in terms of computing the impact of policy changes. Thus, our tool can be practically used in the iterative process of firewall policy design and maintenance. Although the focus of this article is on firewalls, the change-impact analysis algorithms proposed in this article are not limited to firewalls. Rather, they can be applied to other rule-based systems, such as router access control lists (ACLs), as well.

References

[1]

Al-Shaer, E. and Hamed, H. 2004. Discovery of policy anomalies in distributed firewalls. In Proceedings of the IEEE International Conference on Computer Communications (INFOCOM). 2605--2616.

[2]

Baboescu, F., Singh, S., and Varghese, G. 2003. Packet classification for core routers: Is there an alternative to CAMs&quest; In Proceedings of the Annual Joint Conference of the IEEE Computer and Communication Societies (InfoCom).

[3]

Baboescu, F. and Varghese, G. 2002. Fast and scalable conflict detection for packet classifiers. In Proceedings of the 10th IEEE International Conference on Network Protocols (ICNP).

Digital Library

[4]

Bartal, Y., Mayer, A. J., Nissim, K., and Wool, A. 1999. Firmato: A novel firewall management toolkit. In Proceedings of the IEEE Symposium on Security and Privacy. 17--31.

[5]

Bohner, S. and Arnold, R. 1996. An introduction to software change impact analysis. In Software Change Impact Analysis, S. Bohner and R. Arnold, Eds., IEEE Computer Society Press, 1--26.

[6]

Bryant, R. E. 1986. Graph-based algorithms for Boolean function manipulation. IEEE Trans. Comput. 35, 8, 677--691.

Digital Library

[7]

Eppstein, D. and Muthukrishnan, S. 2001. Internet packet filter management and rectangle geometry. In Proceedings of the Annual ACM-SIAM Symposium on Discrete Algorithms. 827--835.

Digital Library

[8]

Eronen, P. and Zitting, J. 2001. An expert system for analyzing firewall rules. In Proceedings of the 6^th Nordic Workshop on Secure IT Systems (NordSec). 100--107.

[9]

Fisler, K., Krishnamurthi, S., Meyerovich, L., and Tschantz, M. 2005. Verification and change impact analysis of access-control policies. In Proceedings of the International Conference on Software Engineering (ICSE). 196--205.

Digital Library

[10]

Gouda, M., Liu, A. X., and Jafry, M. 2008. Verification of distributed firewalls. In Proceedings of the IEEE Global Communications Conference (GLOBECOM).

[11]

Gouda, M. G. and Liu, A. X. 2005. A model of stateful firewalls and its properties. In Proceedings of the IEEE International Conference on Dependable Systems and Networks (DSN). 320--327.

Digital Library

[12]

Gouda, M. G. and Liu, A. X. 2007. Structured firewall design. Comput. Netw. J. 51, 4, 1106--1120.

Digital Library

[13]

Gupta, P. 2000. Algorithms for routing lookups and packet classification. Ph.D. thesis, Stanford University.

Digital Library

[14]

Gupta, P. and McKeown, N. 2001. Algorithms for packet classification. IEEE Network 15, 2, 24--32.

Digital Library

[15]

Guttman, J. D. 1997. Filtering postures: Local enforcement for global policies. In Proceedings of the IEEE Symposium on Security and Privacy. 120--129.

Digital Library

[16]

Hari, A., Suri, S., and Parulkar, G. M. 2000. Detecting and resolving packet filter conflicts. In Proceedings of the IEEE International Conference on Computer Communications (INFOCOM). 1203--1212.

[17]

Hazelhurst, S., Attar, A., and Sinnappan, R. 2000. Algorithms for improving the dependability of firewall and filter rule lists. In Proceedings of the Workshop on Dependability of IP Applications, Platforms, and Networks.

Digital Library

[18]

Hoffman, D., Prabhakar, D., and Strooper, P. 2003. Testing iptables. In Proceedings of the Conference of the IBM Centre for Advanced Studies (CASCON). 80--91.

Digital Library

[19]

Hoffman, D. and Yoo, K. 2005. Blowtorch: a framework for firewall test automation. In Proceedings of the 20th IEEE/ACM International Conference on Automated Software Engineering (ASE). 96--103.

Digital Library

[20]

Horwitz, S. 1990. Identifying the semantic and textual differences between two versions of a program. In Proceedings of the ACM International Conference on Programming Language Design and Implementation (SIGPLAN). 234--245.

Digital Library

[21]

Hwang, J., Xie, T., Chen, F., and Liu, A. X. 2008. Systematic structural testing of firewall policies. In Proceedings of the 27th IEEE International Symposium on Reliable Distributed Systems (SRDS).

Digital Library

[22]

Jürjens, J. and Wimmel, G. 2001. Specification-based testing of firewalls. In Proceedings of the 4th International Conference on Perspectives of System Informatics (PSI).

Digital Library

[23]

Kerravala, Z. 2004. As the value of enterprise networks escalates, so does the need for configuration management. In Enterprise Computing & Networking, The Yankee Group Report.

[24]

Khakpour, A. R. and Liu, A. X. 2010. Quantifying and querying network reachability. In Proceedings of the 29th International Conference on Distributed Computing Systems (ICDCS).

Digital Library

[25]

Kung, D. C., Gao, J., Hsia, P., Wen, F., Toyoshima, Y., and Chen, C. 1994. Change impact identification in object oriented software maintenance. In Proceedings of the International Conference on Software Maintenance (ICSM). 202--211.

Digital Library

[26]

Lee, M., Offutt, A. J., and Alexander, R. T. 2000. Algorithmic analysis of the impacts of changes to object-oriented software. In Proceedings of the 34th International Conference on Technology of Object-Oriented Languages and Systems (TOOLS). 61--70.

Digital Library

[27]

Liu, A. X. 2007. Change-impact analysis of firewall policies. In Proceedings of the 12th European Symposium Research Computer Security (ESORICS). 82--96.

Digital Library

[28]

Liu, A. X. 2008. Firewall policy verification and troubleshooting. In Proceedings of the IEEE International Conference on Communications (ICC).

[29]

Liu, A. X. 2009. Firewall policy verification and troubleshooting. J. Comput. Netw. 53, 16, 2800--2809.

Digital Library

[30]

Liu, A. X. and Gouda, M. G. 2009. Firewall policy queries. IEEE Trans. Parallel Distrib. Syst. 20, 6, 766--777.

Digital Library

[31]

Liu, A. X. and Gouda, M. G. 2004. Diverse firewall design. In Proceedings of the International Conference on Dependable Systems and Networks (DSN). 595--604.

Digital Library

[32]

Liu, A. X. and Gouda, M. G. 2005. Complete redundancy detection in firewalls. In Proceedings of the 19th Annual IFIP Conference on Data and Applications Security. 196--209.

Digital Library

[33]

Liu, A. X. and Gouda, M. G. 2008. Diverse firewall design. IEEE Trans. Parallel Distrib. Syst. 19, 8.

Digital Library

[34]

Liu, A. X. and Gouda, M. G. 2010. Complete redundancy removal for packet classifiers in TCAMs. IEEE Trans. Parallel Distrib. Syst 21, 4, 424--437.

Digital Library

[35]

Liu, A. X., Gouda, M. G., Ma, H. H., and Ngu, A. H. 2004. Firewall queries. In Proceedings of the 8th International Conference on Principles of Distributed Systems (OPODIS). 124--139.

Digital Library

[36]

Lyu, M. R. and Lau, L. K. Y. 2000. Firewall security: Policies, testing and performance evaluation. In Proceedings of the 24th International Conference on Computer Systems and Applications (COMPSAC). 116--121.

Digital Library

[37]

Moffett, J. D. and Sloman, M. S. 1994. Policy conflict analysis in distributed system management. J. Organizational Comput. 4, 1, 1--22.

[38]

Oppenheimer, D., Ganapathi, A., and Patterson, D. A. 2003. Why do Internet services fail, and what can be done about it&quest; In Proceedings of the 4th USENIX Symposium on Internet Technologies and Systems (USITS).

Digital Library

[39]

Rajlich, V. and Gosavi, P. 2004. Incremental change in object-oriented programming. IEEE Softw., 2--9.

Digital Library

[40]

Ren, X., Chesley, O. C., and Ryder, B. G. 2006. Using a concept lattice of decomposition slices for program understanding and impact analysis. IEEE Trans. Softw. Eng. 32, 9, 718--732.

Digital Library

[41]

Richardson, R. 2008. CSI/FBI computer crime and security survey. www.cse.msstate.edu/~cse6243/readings/CSIsurvey2008.pdf.

[42]

Rovniagin, D. and Wool, A. 2004. The geometric efficient matching algorithm for firewalls. In Proceedings of the 23rd IEEE Convention of Electrical & Electronics Engineers in Israel (IEEEI). 153--156.

[43]

Senn, D., Basin, D., and Caronni, G. 2005. Firewall conformance testing. In Proceedings of the International Conference on Testing of Communicating Systems (TESTCOM).

Digital Library

[44]

Somenzi, F. 2009. Cudd: Cu decision diagram package (release 2.4.1). http://vlsi.colorado.edu/fabio/CUDD/.

[45]

Tonella, P. 2003. Using a concept lattice of decomposition slices for program understanding and impact analysis. IEEE Trans. Softw. Eng. 29, 6, 495--509.

Digital Library

[46]

Wool, A. 2004. A quantitative study of firewall configuration errors. IEEE Comput. 37, 6, 62--67.

Digital Library

[47]

Wool, A. 2010. Trends in firewall configuration errors: Measuring the holes in swiss cheese. IEEE Internet Comput. 14, 4, 58--65.

Digital Library

[48]

Yuan, L., Chen, H., Mai, J., Chuah, C.-N., Su, Z., and Mohapatra, P. 2006. Fireman: A toolkit for firewall modeling and analysis. In Proceedings of the IEEE Symposium on Security and Privacy.

Digital Library

Cited By

Andalib ABabamir S(2023)Anomaly detection of policies in distributed firewalls using data log analysisThe Journal of Supercomputing10.1007/s11227-023-05417-779:17(19473-19514)Online publication date: 29-May-2023
https://dl.acm.org/doi/10.1007/s11227-023-05417-7
Togay CKasif ACatal CTekinerdogan B(2022)A Firewall Policy Anomaly Detection Framework for Reliable Network SecurityIEEE Transactions on Reliability10.1109/TR.2021.308951171:1(339-347)Online publication date: Mar-2022
https://doi.org/10.1109/TR.2021.3089511
Jabal ADavari MBertino EMakaya CCalo SVerma DRusso AWilliams C(2019)Methods and Tools for Policy AnalysisACM Computing Surveys10.1145/329574951:6(1-35)Online publication date: 4-Feb-2019
https://dl.acm.org/doi/10.1145/3295749
Show More Cited By

Index Terms

Firewall policy change-impact analysis
1. Security and privacy
  1. Security services
    1. Access control
  2. Systems security
    1. Operating systems security
2. Software and its engineering
  1. Software notations and tools
    1. Software configuration management and version control systems

Recommendations

Firewall policy verification and troubleshooting

Firewalls are important elements of enterprise security and have been the most widely adopted technology for protecting private networks. The quality of protection provided by a firewall mainly depends on the quality of its policy (i.e., configuration). ...
SP 800-41 Rev. 1. Guidelines on Firewalls and Firewall Policy
First step towards automatic correction of firewall policy faults

Firewalls are critical components of network security and have been widely deployed for protecting private networks. A firewall determines whether to accept or discard a packet that passes through it based on its policy. However, most real-life ...

Comments

Information & Contributors

Information

Published In

cover image ACM Transactions on Internet Technology

ACM Transactions on Internet Technology Volume 11, Issue 4

March 2012

80 pages

ISSN:1533-5399

EISSN:1557-6051

DOI:10.1145/2109211

Issue’s Table of Contents

Copyright © 2008 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Accepted: 01 November 2011

Revised: 01 September 2010

Received: 01 October 2008

Published: 23 March 2008

Published in TOIT Volume 11, Issue 4

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article
Research
Refereed

Funding Sources

Division of Computer and Network Systems

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

12
Total Citations
View Citations
1,087
Total Downloads

Downloads (Last 12 months)14
Downloads (Last 6 weeks)1

Reflects downloads up to 18 Aug 2024

Other Metrics

View Author Metrics

Citations

Cited By

Andalib ABabamir S(2023)Anomaly detection of policies in distributed firewalls using data log analysisThe Journal of Supercomputing10.1007/s11227-023-05417-779:17(19473-19514)Online publication date: 29-May-2023
https://dl.acm.org/doi/10.1007/s11227-023-05417-7
Togay CKasif ACatal CTekinerdogan B(2022)A Firewall Policy Anomaly Detection Framework for Reliable Network SecurityIEEE Transactions on Reliability10.1109/TR.2021.308951171:1(339-347)Online publication date: Mar-2022
https://doi.org/10.1109/TR.2021.3089511
Jabal ADavari MBertino EMakaya CCalo SVerma DRusso AWilliams C(2019)Methods and Tools for Policy AnalysisACM Computing Surveys10.1145/329574951:6(1-35)Online publication date: 4-Feb-2019
https://dl.acm.org/doi/10.1145/3295749
Moskal SYang SKuhl M(2017)Cyber threat assessment via attack scenario simulation using an integrated adversary and network modeling approachThe Journal of Defense Modeling and Simulation: Applications, Methodology, Technology10.1177/154851291772540815:1(13-29)Online publication date: 15-Aug-2017
https://doi.org/10.1177/1548512917725408
Lai CWang P(2017)Fast and Complete Conflict Detection for Packet ClassifiersIEEE Systems Journal10.1109/JSYST.2014.236716011:2(1137-1148)Online publication date: Jun-2017
https://doi.org/10.1109/JSYST.2014.2367160
Tseng KLo JLiu YChang SMerabti MNg FWu C(2017)A feasibility study of stateful automaton packet inspection for streaming application detection systemsEnterprise Information Systems10.1080/17517575.2016.123407011:9(1317-1336)Online publication date: 1-Oct-2017
https://dl.acm.org/doi/10.1080/17517575.2016.1234070
Ucar EOzhan E(2017)The Analysis of Firewall Policy Through Machine Learning and Data MiningWireless Personal Communications: An International Journal10.1007/s11277-017-4330-096:2(2891-2909)Online publication date: 1-Sep-2017
https://dl.acm.org/doi/10.1007/s11277-017-4330-0
Chen HChowdhury OLi NKhern-am-nuai WChari SMolloy IPark YWang XBauer LKerschbaum F(2016)Tri-Modularization of Firewall PoliciesProceedings of the 21st ACM on Symposium on Access Control Models and Technologies10.1145/2914642.2914646(37-48)Online publication date: 6-Jun-2016
https://dl.acm.org/doi/10.1145/2914642.2914646
Amri SGuan L(2016)Infrastructure as a service: Exploring network access control challenges2016 SAI Computing Conference (SAI)10.1109/SAI.2016.7556042(596-603)Online publication date: Jul-2016
https://doi.org/10.1109/SAI.2016.7556042
Liu MDou WYu SZhang Z(2015)A Decentralized Cloud Firewall Framework with Resources Provisioning Cost OptimizationIEEE Transactions on Parallel and Distributed Systems10.1109/TPDS.2014.231467226:3(621-631)Online publication date: 1-Mar-2015
https://doi.org/10.1109/TPDS.2014.2314672
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Article

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Issue’s Table of Contents