Detecting and Resolving Firewall Policy Anomalies
May/June 2012 (vol. 9 no. 3)
pp. 318-331
Hongxin Hu, Arizona State University, Tempe
Gail-Joon Ahn, Arizona State University, Tempe
Ketan Kulkarni, Emerson Network Power, USA
The advent of emerging computing technologies such as service-oriented architecture and cloud computing has enabled us to perform business services more efficiently and effectively. However, we still suffer from unintended security leaks caused by unauthorized actions in business services. Firewalls are the most widely deployed security mechanism for protecting the private networks of businesses and institutions. The effectiveness of the protection a firewall provides depends mainly on the quality of the policy configured in it. Unfortunately, designing and managing firewall policies is often error prone because of the complex nature of firewall configurations and the lack of systematic analysis mechanisms and tools. In this paper, we present an innovative policy anomaly management framework for firewalls that adopts a rule-based segmentation technique to identify policy anomalies and derive effective anomaly resolutions. In particular, we articulate a grid-based representation technique that gives an intuitive cognitive sense of policy anomalies. We also discuss a proof-of-concept implementation of a visualization-based firewall policy analysis tool called Firewall Anomaly Management Environment (FAME). In addition, we demonstrate through rigorous experiments how efficiently our approach discovers and resolves anomalies in firewall policies.
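As an added illustration of the rule-based segmentation idea the abstract describes (example code written for this page, not the FAME tool's implementation), the following Python partitions a toy packet space into disjoint segments, one per distinct set of matching rules, and classifies each rule from the segments it appears in. The four-rule policy, the integer address and port ranges, and the shadowed/redundant labels for rules that never take effect under first-match semantics are constructed assumptions for the example.

```python
from itertools import product
# Constructed sample policy: (name, proto, src, dst, dport, action); ranges are
# inclusive integer intervals (toy address/port spaces) and first match wins.
RULES = [
    ("r1", "tcp", (10, 19), (0, 255), (80, 80), "deny"),
    ("r2", "tcp", (0, 255), (0, 255), (80, 80), "allow"),
    ("r3", "tcp", (10, 19), (0, 255), (80, 80), "allow"),
    ("r4", "tcp", (10, 19), (0, 255), (443, 443), "allow"),
]
DIMS = (2, 3, 4)  # tuple positions of the src, dst and dport ranges

def elementary_intervals(rules, dim):
    """Cut one dimension at every rule boundary into disjoint intervals."""
    cuts = sorted({r[dim][0] for r in rules} | {r[dim][1] + 1 for r in rules})
    return [(lo, hi - 1) for lo, hi in zip(cuts, cuts[1:])]

def matches(rule, proto, cell):
    """True if the rule covers every packet in this elementary cell."""
    return rule[1] == proto and all(
        rule[d][0] <= cell[i][0] and cell[i][1] <= rule[d][1]
        for i, d in enumerate(DIMS))

def segment(rules):
    """Partition the packet space into segments keyed by the ordered tuple of matching rules."""
    axes = [elementary_intervals(rules, d) for d in DIMS]
    segments = {}
    for proto in sorted({r[1] for r in rules}):
        for cell in product(*axes):
            names = tuple(r[0] for r in rules if matches(r, proto, cell))
            if names:
                segments.setdefault(names, []).append((proto,) + cell)
    return segments

def analyse(rules):
    """Classify each rule and list segments whose rules disagree on the action."""
    action = {r[0]: r[5] for r in rules}
    segments = segment(rules)
    winners = {names: names[0] for names in segments}  # first match wins
    conflicts = [n for n in segments if len({action[x] for x in n}) > 1]
    status = {}
    for name in action:
        covers = [n for n in segments if name in n]
        if any(winners[n] == name for n in covers):
            status[name] = "effective"
        elif any(action[winners[n]] != action[name] for n in covers):
            status[name] = "shadowed"   # masked by an earlier rule with another action
        else:
            status[name] = "redundant"  # masked by earlier rules with the same action
    return {"segments": len(segments), "conflicts": conflicts, "rules": status}
```

For the sample policy the overlapping segment (r1, r2, r3) is flagged as a conflict and r3 is reported as shadowed by r1; this is the same information the paper's grid representation lays out visually per segment.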


Index Terms:
Firewall, policy anomaly management, access control, visualization tool.
Hongxin Hu, Gail-Joon Ahn, Ketan Kulkarni, "Detecting and Resolving Firewall Policy Anomalies," IEEE Transactions on Dependable and Secure Computing, vol. 9, no. 3, pp. 318-331, May-June 2012, doi:10.1109/TDSC.2012.20