Creating a firewall policy fault model with automatic correction

Firewall policy problems may be at the heart of firewalls that mistakenly block legitimate traffic or let malicious traffic through. At LISA 2010, researchers proposed a firewall policy fault model that can be used to implement automated correction techniques.

The research paper "First Step Towards Automatic Correction of Firewall Policy Faults" is one of a series of papers presented at the LISA 2010 conference in San Jose, November 7-12. LISA 2010 research papers covered topics ranging from firewall analysis tools to using TCP/IP traffic shaping in Storage Area Networks (SANs) and NetFlow-based network awareness tools.

The strategy for dealing with faulty firewalls that allow malicious traffic in, or block legitimate traffic, may be in examining firewall policy problems, and specifically implementing automatic correction of these firewall policy errors.

At the Large Installation System Administration (LISA) conference in San Jose this week, researchers Fei Chen and Alex X. Liu of Michigan State University, and JeeHyun Hwang and Tao Xie of North Carolina State University, presented a paper called "First Step Towards Automatic Correction of Firewall Policy Faults" (awarded Best Student Paper at the conference), which outlines a comprehensive firewall policy fault model covering five types of common policy problems and proposes an automated correction technique for each one.

The paper's basic premise is that it is essential to correct all misclassified packets, yet it is impossible to find and correct every one of these packets individually. Therefore, it is best to make policy changes based on samples of misclassified packets, changes which can then be applied to larger groups of packets.

According to the paper, the five most common firewall policy faults are:

  1. Wrong order: Rules that are in the wrong order can misconfigure a firewall. This fault can occur when a new rule is added at the beginning of a firewall policy without carefully considering the order between the new rule and the original rules.
  2. Missing rules: This type of fault occurs when administrators add new rules, but fail to add them to the original firewall policy.
  3. Wrong predicates: This type of fault can occur when administrators define the predicates of rules based on security requirements but overlook some special cases that the predicates should handle.
  4. Wrong decisions: This fault lies in making the wrong decisions behind setting the rules.
  5. Wrong extra rules: This type of fault indicates that administrators may need to delete some rules from their original policies. This problem can arise when administrators add new rules but forget to delete old ones that filter a similar set of packets as the new rule.

Implementing automatic correction for firewall policy faults

The researchers propose generating automated fixes for each of the above fault types using a greedy algorithm. In their testing, the researchers fixed one fault in the policy at each step and then counted the passed and failed tests to determine whether that modification was the appropriate correction. They then calculated the number of passed tests for each type of modification and chose the technique that produced the maximum number of passed tests, repeating the process to build up the automatic corrections.
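The greedy loop described above, as an added example that is not the paper's code or data: a toy first-match policy, a constructed set of sample packets with their intended decisions, and single-step edits for three of the five fault types (wrong order, wrong decision, wrong extra rule). The policy, the sample packets and the swap/flip/delete candidate set are assumptions made for illustration.

```python
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "src dport action")   # CIDR, port range, accept/deny

def decide(policy, pkt):
    """First-match evaluation; default deny when no rule matches."""
    for r in policy:
        if (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(r.src)
                and pkt["dport"] in r.dport):
            return r.action
    return "deny"

def passed(policy, tests):
    """Count the sample packets the policy classifies as intended."""
    return sum(decide(policy, pkt) == want for pkt, want in tests)

def candidates(policy):
    """One-step edits for three of the five fault types: order, decision, extra rule."""
    for i in range(len(policy) - 1):            # wrong order: swap neighbouring rules
        p = list(policy)
        p[i], p[i + 1] = p[i + 1], p[i]
        yield ("swap", i), p
    for i, r in enumerate(policy):              # wrong decision: flip accept/deny
        flipped = r._replace(action="deny" if r.action == "accept" else "accept")
        yield ("flip", i), policy[:i] + [flipped] + policy[i + 1:]
    for i in range(len(policy)):                # wrong extra rule: delete the rule
        yield ("delete", i), policy[:i] + policy[i + 1:]

def greedy_correct(policy, tests, max_steps=10):
    """Greedy loop: one fault per step, keep the edit that passes the most tests."""
    log = []
    for _ in range(max_steps):
        base = passed(policy, tests)
        if base == len(tests):
            break
        edit, cand = max(candidates(policy), key=lambda c: passed(c[1], tests))
        if passed(cand, tests) <= base:         # no single edit improves: give up
            break
        policy, log = cand, log + [edit]        # ties go to the first candidate yielded
    return policy, log

# Constructed sample: the catch-all deny sits above the SSH exception
# (a "wrong order" fault), so the first sample packet is misclassified.
POLICY = [Rule("10.0.0.0/8", range(0, 65536), "deny"),
          Rule("10.1.2.0/24", range(22, 23), "accept")]
TESTS = [({"src": "10.1.2.5", "dport": 22}, "accept"),
         ({"src": "10.9.9.9", "dport": 22}, "deny"),
         ({"src": "10.1.2.5", "dport": 80}, "deny")]
```

Missing rules and wrong predicates would need candidate edits that synthesise new rules or adjust predicate ranges, which this toy deliberately leaves out. Note that deleting the deny rule also passes all three samples here, which is why the paper works from samples of misclassified packets rather than trusting a single fix.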

To understand the specifics of common firewall policy problems, and to learn the specific techniques for implementing automatic corrections, read the entire research paper "First Step Towards Automatic Correction of Firewall Policy Faults." Also, view the full table of contents of LISA 2010 research papers to learn more about the research presented.

This was first published in November 2010
