2014 | Book

Automated Firewall Analytics

Design, Configuration and Optimization


About this book

This book provides a comprehensive and in-depth study of automated firewall policy analysis for designing, configuring and managing distributed firewalls in large-scale enterprise networks. It presents methodologies, techniques and tools for researchers as well as professionals to understand the challenges and improve the state of the art of managing firewalls systematically in both research and application domains. Chapters explore set theory, managing firewall configuration globally and consistently, access control lists combined with encryption, and authentication policies such as IPSec. The author also presents a high-level service-oriented firewall configuration language (called FLIP) and a methodology and framework for designing optimal distributed firewall architectures. The chapters illustrate the concepts, algorithms, implementations and case studies for each technique. Automated Firewall Analytics: Design, Configuration and Optimization is appropriate for researchers and professionals working with firewalls. Advanced-level students in computer science will find this material suitable as a secondary textbook or reference.

Table of contents

Frontmatter
Chapter 1. Classification and Discovery of Firewalls Policy Anomalies
Abstract
Firewalls are core elements in network security. However, managing firewall rules, particularly in multi-firewall enterprise networks, has become a complex and error-prone task. Firewall filtering rules have to be written, ordered and distributed carefully in order to avoid firewall policy anomalies that might cause network vulnerability. Therefore, inserting or modifying filtering rules in any firewall requires thorough intra- and inter-firewall analysis to determine the proper rule placement and ordering in the firewalls. In this chapter, we identify all anomalies that could exist in a single- or multi-firewall environment. We also present a set of techniques and algorithms to automatically discover policy anomalies in centralized and distributed legacy firewalls. These techniques are implemented in a software tool called the “Firewall Policy Advisor” that simplifies the management of filtering rules and maintains the security of next-generation firewalls.
Ehab Al-Shaer
Chapter 2. Modeling and Verification of Firewall and IPSec Policies Using Binary Decision Diagrams
Abstract
While the firewall is the main front-end defense, IPSec is the standard for secure Internet communications, providing traffic integrity, confidentiality and authentication. Although IPSec supports a rich set of protection modes and operations, its policy configuration remains a complex and error-prone task. Unlike firewalls, IPSec exhibits more complex semantics that allow multiple rule actions of different security modes to be triggered. This inherent complexity significantly increases the potential for policy misconfiguration and can violate the integrity of IPSec VPN security. Secure and safe deployment of IPSec requires thorough and automated analysis of the policy configuration consistency for firewall and IPSec devices across the entire network. In this chapter, we present a general composable model based on Boolean expressions that can represent different ACL filtering semantics. We use this model to derive a canonical representation for firewall and IPSec policies using Ordered Binary Decision Diagrams. Based on this representation, we develop a comprehensive framework to classify and identify conflicts in a single firewall and IPSec device (intra-policy conflicts) or between different firewall and IPSec devices (inter-policy conflicts) in enterprise networks. Our testing and evaluation study on different network environments demonstrates the effectiveness and efficiency of our approach for identifying conflicts in firewall and IPSec policies.
Ehab Al-Shaer
Chapter 3. Specification and Refinement of a Conflict-Free Distributed Firewall Configuration Language
Abstract
Multiple firewalls typically cooperate to provide security properties for a network, despite the fact that these firewalls are often spatially distributed and configured in isolation. Without a global view of the network configuration, such a system is ripe for misconfiguration, causing conflicts and major security vulnerabilities. We propose FLIP, a high-level firewall configuration policy language for traffic access control, to enforce security and ensure seamless configuration management. In FLIP, firewall security policies are defined as high-level service-oriented goals, which can be translated automatically into access control rules to be distributed to the appropriate enforcement devices. FLIP guarantees that the generated rules will be conflict-free, both within an individual firewall and between firewalls. We prove that the translation algorithm is both sound and complete. FLIP supports policy inheritance and customization features that enable defining a global firewall policy for a large-scale enterprise network quickly and accurately. Through a case study, we argue that firewall policy management for large-scale networks is efficient and accurate using FLIP.
Ehab Al-Shaer
Chapter 4. Design and Configuration of Firewall Architecture Under Risk, Usability and Cost Constraints
Abstract
Firewalls are the most widely deployed security devices in computer networks. Nevertheless, designing and configuring distributed firewalls, which includes determining access control rules and device placement in the network, is still a significantly complex task, as it requires balancing connectivity requirements against the inherent risk and cost. Formal approaches that allow the distributed firewall configuration space to be investigated systematically are highly needed to optimize decision support under multiple design constraints. The objective of this chapter is to automatically synthesize the implementation of a distributed filtering architecture and configuration that minimizes security risk while considering connectivity requirements, user usability and budget constraints. Our automatic synthesis generates not only the complete rule configuration for each firewall to satisfy risk and connectivity constraints, but also the optimal firewall placement in the network to minimize spurious traffic. We define fine-grain risk, usability and cost metrics tunable to match business requirements, and formalize the configuration synthesis as an optimization problem. We then show that distributed firewall synthesis is an NP-hard problem and provide heuristic approximation algorithms. We implemented our approach in a tool called FireBlanket that was rigorously evaluated under different network sizes, topologies and budget requirements. Our evaluation study shows that the results obtained by FireBlanket are close to the theoretical lower bound and that performance scales with the network size.
Ehab Al-Shaer
Chapter 5. Dynamic Firewall Configuration Optimization
Abstract
Security policies play a critical role in many current network security technologies such as firewalls, IPSec and IDS devices. The configuration of these policies not only determines the functionality of such devices, but also substantially affects their performance. Optimizing the filtering policy configuration is critically important for high-performance packet filtering, particularly in firewalls. Current packet filtering techniques exploit the characteristics of the filtering policies, but they do not consider the traffic behavior when optimizing their search data structures. This often results in high space complexity, which undermines the performance gain offered by these techniques. Also, these techniques offer upper bounds for the worst-case search times; nevertheless, the more common average-case scenarios are not necessarily optimized. In this chapter, we first classify, describe and compare the existing dynamic firewall policy configuration techniques based on on-line and off-line traffic analysis. Second, we present a novel technique that utilizes Internet traffic characteristics to dynamically optimize the rule ordering (DRO) of firewall policies. The proposed technique adapts promptly to the traffic conditions, using actively calculated statistics to dynamically optimize the ordering of packet filtering rules. Both the importance of a rule in traffic matching and its dependency on other rules are considered in our optimization algorithm. Through extensive evaluation experiments using simulated and real Internet traffic traces, the proposed mechanism is shown to be efficient and easy to deploy in practical firewall implementations.
Ehab Al-Shaer
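The abstracts of Chapter 1 (anomaly discovery between filtering rules) and Chapter 5 (dependency-aware dynamic rule ordering) both rest on the same primitive: deciding whether two filtering rules overlap and whether one is contained in the other. The following Python example, added here and not taken from the book or from its Firewall Policy Advisor or DRO tools, shows both ideas on one small rule model. It assumes a hypothetical rule format (protocol, source and destination prefixes, destination port range, action); the four anomaly classes it reports (shadowing, redundancy, generalization, correlation) are the ones of the published Firewall Policy Advisor classification, which the abstract only alludes to; the redundancy check for an earlier subset rule and the dependency relation used by the reordering are simplified; the greedy reordering is a heuristic of this example, not the chapter's algorithm; and the policy and hit counts are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Tuple

# Hypothetical rule model (this example's own, not the book's tool format):
# protocol, source/destination prefixes, destination port range, action.
@dataclass(frozen=True)
class Rule:
    name: str
    proto: str               # "tcp", "udp" or "any"
    src: str                 # CIDR prefix or "any"
    dst: str
    dport: Tuple[int, int]   # inclusive port range; (0, 65535) means any
    action: str              # "accept" or "deny"

def _net(s):
    return ip_network("0.0.0.0/0" if s == "any" else s, strict=False)

def subset(rx: Rule, ry: Rule) -> bool:
    """True if every packet matched by rx is also matched by ry."""
    return ((ry.proto == "any" or rx.proto == ry.proto)
            and _net(rx.src).subnet_of(_net(ry.src))
            and _net(rx.dst).subnet_of(_net(ry.dst))
            and ry.dport[0] <= rx.dport[0] and rx.dport[1] <= ry.dport[1])

def overlap(rx: Rule, ry: Rule) -> bool:
    """True if some packet is matched by both rules."""
    return (("any" in (rx.proto, ry.proto) or rx.proto == ry.proto)
            and _net(rx.src).overlaps(_net(ry.src))
            and _net(rx.dst).overlaps(_net(ry.dst))
            and rx.dport[0] <= ry.dport[1] and ry.dport[0] <= rx.dport[1])

def discover_anomalies(policy: List[Rule]) -> List[Tuple[str, str, str]]:
    """Intra-firewall anomalies between an earlier rule rx and a later rule ry,
    using the four classes of the Firewall Policy Advisor classification
    (shadowing, redundancy, generalization, correlation). The redundancy test
    for an earlier subset rule is a simplification of this example."""
    findings = []
    for j, ry in enumerate(policy):
        for i in range(j):
            rx = policy[i]
            if not overlap(rx, ry):
                continue
            if subset(ry, rx):
                # ry is never reached: shadowed if decisions differ, redundant if equal
                kind = "shadowing" if rx.action != ry.action else "redundancy"
            elif subset(rx, ry):
                if rx.action != ry.action:
                    kind = "generalization"   # legitimate exception, worth a warning
                elif any(overlap(rx, rk) and rk.action != rx.action
                         for rk in policy[i + 1:j]):
                    continue                  # an intervening rule still needs rx
                else:
                    kind = "redundancy"       # rx could be dropped, ry decides the same
            elif rx.action != ry.action:
                kind = "correlation"          # partial overlap, order changes the decision
            else:
                continue
            findings.append((kind, rx.name, ry.name))
    return findings

def dro_reorder(policy: List[Rule], hits: Dict[str, int]) -> List[Rule]:
    """Greedy dependency-preserving reordering by match frequency (a simplified
    take on the DRO idea): a rule may move ahead of an earlier rule only if the
    two do not overlap with different actions, so every decision is preserved."""
    deps = {r.name: set() for r in policy}
    for j, ry in enumerate(policy):
        for rx in policy[:j]:
            if overlap(rx, ry) and rx.action != ry.action:
                deps[ry.name].add(rx.name)
    by_name = {r.name: r for r in policy}
    placed, order = set(), []
    while len(order) < len(policy):
        ready = [n for n in deps if n not in placed and deps[n] <= placed]
        best = max(ready, key=lambda n: hits.get(n, 0))  # most-hit ready rule first
        order.append(by_name[best])
        placed.add(best)
    return order

def weighted_depth(policy: List[Rule], hits: Dict[str, int]) -> int:
    """Total rule comparisons spent on the recorded matches (a match at
    position p costs p comparisons); lower is better."""
    return sum(hits.get(r.name, 0) * (pos + 1) for pos, r in enumerate(policy))

# Constructed sample policy and match statistics, chosen to exercise each anomaly class.
POLICY = [
    Rule("R1", "tcp", "10.0.1.0/24", "any", (80, 80), "deny"),
    Rule("R2", "tcp", "10.0.1.0/24", "192.168.5.10/32", (80, 80), "accept"),  # shadowed by R1
    Rule("R3", "tcp", "any", "192.168.5.10/32", (22, 22), "accept"),
    Rule("R4", "tcp", "10.0.2.0/24", "192.168.5.10/32", (22, 22), "accept"),   # redundant to R3
    Rule("R5", "udp", "10.0.1.0/24", "any", (53, 53), "accept"),
    Rule("R6", "udp", "any", "192.168.5.53/32", (53, 53), "deny"),             # correlated with R5
    Rule("R7", "tcp", "10.0.4.5/32", "any", (25, 25), "deny"),
    Rule("R8", "tcp", "10.0.4.0/24", "any", (25, 25), "accept"),               # generalization of R7
]
HITS = {"R1": 5, "R2": 0, "R3": 40, "R4": 10, "R5": 200, "R6": 30, "R7": 2, "R8": 60}

if __name__ == "__main__":
    for kind, a, b in discover_anomalies(POLICY):
        print(f"{kind}: {a} -> {b}")
    reordered = dro_reorder(POLICY, HITS)
    print("order:", [r.name for r in reordered])
    print("comparisons before/after:",
          weighted_depth(POLICY, HITS), weighted_depth(reordered, HITS))
```

Running it reports one anomaly per class (R2 shadowed by R1, R4 redundant to R3, R5 and R6 correlated, R8 a generalization of R7) and then moves the heavily hit R5 and R3 to the front. R8 stays behind the rarely hit R7 because the two overlap with opposite actions, which is exactly the dependency the chapter's DRO has to respect; the comparison count drops from 1839 to 867 for the constructed statistics, and the greedy pick is a heuristic rather than the optimum.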
Backmatter
Metadata
Title
Automated Firewall Analytics
Author
Ehab Al-Shaer
Copyright year
2014
Electronic ISBN
978-3-319-10371-6
Print ISBN
978-3-319-10370-9
DOI
https://doi.org/10.1007/978-3-319-10371-6