A Matrix Model for Designing and Implementing Multi-firewall Environments

Abstract

Firewalls are core elements in network security, the effectiveness of firewall security is dependent on configuring the firewall policy correctly. A firewall policy describes the access that will be permitted or denied from the trusted network. In a corporate network several firewalls are setup and administrated by different individuals. The consistency between those firewall policies is crucial to corporate network security. However, the managing of these has become a complex and error-prone task. Bad configurations may cause serious security breaches and network vulnerabilities. In particular, conflicting filtering rules lead to block legitimate traffic or to accept unwanted packets. In this paper, we provide a firewall policy matrix for helping guide firewall administrators and designers overcome differences in interpreting firewall policies. The matrix presents how each firewall policy allows or denies traffic through the various firewalls in a distributive environment. The model was also tested in a university environment.

Keywords

• Firewall policy, Multi-firewall environments, Firewall design, Firewall management, Inter-policy Errors

References

1. T. Abbes, A. Bouhoula and M. Rusinowitch, “An inference system for detecting firewall filtering rules anomalies”, SAC 08, Ceara, Brazil, pp. 2122-2128, 16-20 March 2008.
2. J. G. Alfaro, N. Boulahia-Cuppens, F. Cuppens, “Complete Analysis of Configuration Rules to Guarantee Reliable Network Security Policies”, International Journal of Information Security, Vol. 7, Issue 2, pp. 103-122, 2008.
3. J. G. Alfaro, F. Cuppens and N. Cuppens- Boulahia, “Aggregating and deploying network access control policies”, ARES 07, Vienna, Austria, pp. 532-542, 10-13 April 2007.
4. E. Al-Shaer, H. H. Hamed, “Modeling and Management Transactions
5. Management, Vol. 1, No. 1, pp. 2-10, April 2004a. Network and
6. Service [5] E. Al-Shaer and H. H. Hamed, “Discovery of policy anomalies in distributed firewalls”, IEEE Communications Society, Hong Kong, China, pp. 2605-2616 7-11 March 2004b.
7. E. Al-Shaer, H. Hamed, R. Boutaba, M. Hasan, “Conflict
8. Distributed Firewall Policies”, IEEE Journal on Communications, Vol. 23, No. 10, pp. 2069-2084, October 2005. and Analysis

9. of [7] F. Cuppens, N. Cuppens-Boulahia and J. Garcia-Alfaro, “Detection and removal of firewall misconfiguration”, CNIS 05, Phoenix, AZ, pp. 154-162, 14-16 November 2005.
10. W. Deng, Y. Liang and K. Gao, “Discover inconsistencies between firewall policies”, KAM 08, Wuhan, China, pp. 809-813, 21-22 December 2008.
11. K. Golnabi, R. K. Min, L. Khan and E. Al- Shaer, “Analysis of firewall policy rules using data mining techniques”, Vancouver, Canada, pp. 305- 315, 3-7 April 2006.
12. M. G. Gouda, A. X. Liu, “Structured Firewall Design”, Computer Networks: The International Journal of Computer and Telecommunications Networking, Vol. 51, No. 4, pp. 1106-1120, August 2006.
13. H. Hamed, E. Al-Shaer, “Taxonomy of Conflicts in Network Security Policies”, IEEE Communications Magazine, Vol. 44, Issue 3, pp. 134-141, March 2006a.
14. H. Hamed, E. Al-Shaer, “On Autonomic Optimization of Firewall Policy Organization”, Journal of High Speed Networks, Vol. 15, Issue 3, pp. 209-227, August 2006b.
15. Y. Liang and W. Deng, “Verify consistency between security policy and firewall policy with answer set programming”, CSSE 08, Wuhan, China, pp. 196-200. 12-14 December 2008.
16. A. Liu, M. G. Gouda, “Diverse Firewall Design”, IEEE Transactions of Parallel and Distributed Systems, Vol. 19, No. 8, pp. 1237- 1251, September 2008.
17. R. M. Marmorstein, “Formal Analysis of Firewall Policies”, College of William and Mary, doctoral dissertation, 2008.
18. R. Marmorstein and P. Kearns, “Firewall analysis with policy-based host classification”, LISA 06, Washington, DC, pp. 41-51, 3-8 December 2006.
19. A. Mayer, A. Wool, E. Ziskind, “Offline Firewall Analysis”, International Journal of Information Security, Vol. 5, Issue 3, pp.125-144, July 2006.
20. S. Pozo, R. Ceballos and R. M. Gasca, “CSP- based firewall rule set diagnosis using security policies”, ARES 07, Vienna, Austria, pp. 723-729, 10-13 April 2007.
21. A. Tongaonkar, N. Inamdar and R. Sekar, “Inferring higher level policies from firewall rules”, LISA 07, Dallas, TX, pp. 17-26, 11-16 November 2007.
22. A. Wool, “A Quantitative Study of Firewall Configuration Errors”, Computer, Vol. 37, No. 6, pp. 62-67, June 2004.
23. L. Yuan, H. Chen, J. Mai, C. Chuah, Z. Su and P. Mohapatra, “FIREMAN: A toolkit for firewall modeling and analysis”, IEEE Security and Privacy, Berkeley, CA, pp. 199-213, 21-24 May 2006.
24. V. Zaliva, “Firewall Policy Modeling, Analysis
25. http://www.crodile.org/lord/fwpolicy.pdf, 2008. A
26. Survey”, [23] B. Zhang, E. Al-Shaer, R. Jagadeesan, J. Riely and C. Pitcher, (2007), “Specifications of a high-level conflict-free firewall policy language for multi-domain networks”, SACMAT 2007, Sophia Antipolis, France, pp. 185-194, 20-22 June 2007.
27. C. C. Zhang, M. Winslett and C. A. Gunter, (2007), “On the safety and efficiency of firewall policy deployment”, IEEE Security and Privacy, Berkeley, CA, pp. 33-50, 20-23 May 2007.