Classifying Rules by In-out Traffic Direction to Avoid Security Policy Anomaly

  • Kim, Sung-Hyun (Dept. of Computer Science and Engineering, Korea University) ;
  • Lee, Hee-Jo (Dept. of Computer Science and Engineering, Korea University)
  • Received : 2010.02.11
  • Accepted : 2010.07.23
  • Published : 2010.08.27

Abstract

The continuous growth of attacks on the Internet generates a large number of rules in security devices such as intrusion prevention systems and firewalls. Policy anomalies in these devices create security holes and prevent a device from quickly determining whether to allow or deny a packet. Policy anomalies exist among the rules of multiple security devices as well as within a single device, and resolving them requires complex algorithms. In this paper, we propose a new method to remove policy anomalies in a single security device and to avoid policy anomalies among the rules of distributed security devices. The proposed method classifies rules according to traffic direction and checks for policy anomalies in each device. Rules for outgoing traffic never need to be compared with rules for incoming traffic, so classifying rules by in-out traffic direction reduces the number of rule comparisons by up to a half. Instead of detecting policy anomalies across distributed security devices, a device adopts the rules of another device to avoid anomalies: after policy anomalies have been removed from each device, the other firewalls keep their policies consistent and anomaly-free by adopting the rules of a trusted firewall. In addition, this blocks unnecessary traffic, because a source side sends only as much traffic as the destination side accepts. We also describe another policy anomaly that arises under connection-oriented communication protocols.
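The following is an added example, not code from the paper: it checks a small firewall policy for pairwise anomalies twice, once over every pair of rules and once after partitioning the rules by traffic direction as the abstract proposes. The anomaly classes (shadowing, redundancy, generalization, correlation) follow the usual Al-Shaer/Hamed definitions; the rule model is a simplified tuple of protocol, source, destination, destination-port range and action, and the sample rule set is constructed for illustration. Besides the saved comparisons, it shows a second benefit: an inbound and an outbound rule whose 5-tuples overlap on paper can never match the same packet, so the direction-aware check also suppresses a false "correlation" that the naive check reports.

```python
"""Added example (not the paper's code): classify firewall rules by traffic
direction and check pairwise policy anomalies only within each direction.
Anomaly classes follow Al-Shaer/Hamed; the rule model and sample policy are
simplified and constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_network
from itertools import combinations


@dataclass(frozen=True)
class Rule:
    direction: str   # "in" (toward the protected network) or "out"
    proto: str       # "tcp", "udp" or "any"
    src: str         # CIDR; "0.0.0.0/0" means any
    dst: str         # CIDR; "0.0.0.0/0" means any
    dport: tuple     # inclusive (low, high) destination-port range
    action: str      # "allow" or "deny"


def _net_rel(a: str, b: str) -> str:
    """Relation of CIDR a to CIDR b (CIDRs are nested or disjoint, never partial)."""
    na, nb = ip_network(a), ip_network(b)
    if na == nb:
        return "equal"
    if na.subnet_of(nb):
        return "subset"
    return "superset" if nb.subnet_of(na) else "disjoint"


def _range_rel(a: tuple, b: tuple) -> str:
    """Relation of port range a to port range b."""
    if a == b:
        return "equal"
    if a[0] >= b[0] and a[1] <= b[1]:
        return "subset"
    if b[0] >= a[0] and b[1] <= a[1]:
        return "superset"
    return "disjoint" if (a[1] < b[0] or b[1] < a[0]) else "overlap"


def _proto_rel(a: str, b: str) -> str:
    if a == b:
        return "equal"
    if b == "any":
        return "subset"
    return "superset" if a == "any" else "disjoint"


def classify(rx: Rule, ry: Rule):
    """Anomaly between an earlier rule rx and a later rule ry, or None.
    ry within rx, different action: ry is shadowed (never reached);
    ry within rx, same action: ry is redundant;
    ry strictly containing rx, different action: generalization (order matters);
    partial overlap, different action: correlation."""
    rels = [_proto_rel(ry.proto, rx.proto), _net_rel(ry.src, rx.src),
            _net_rel(ry.dst, rx.dst), _range_rel(ry.dport, rx.dport)]
    if "disjoint" in rels:
        return None                      # no packet can match both rules
    if all(r in ("equal", "subset") for r in rels):
        return "redundancy" if ry.action == rx.action else "shadowing"
    if all(r in ("equal", "superset") for r in rels):
        # a same-action superset only makes rx redundant if no rule in between
        # matches part of rx; this pairwise check does not examine that
        return "generalization" if ry.action != rx.action else None
    return "correlation" if ry.action != rx.action else None


def detect(rules):
    """Naive check over every pair in rule order. Returns (anomalies, comparisons)."""
    found, n = [], 0
    for i, j in combinations(range(len(rules)), 2):
        n += 1
        kind = classify(rules[i], rules[j])
        if kind:
            found.append((i, j, kind))
    return found, n


def detect_by_direction(rules):
    """Partition by direction first, then run the pairwise check per partition.
    Cross-direction pairs are skipped: they cost comparisons and can only
    produce false anomalies, since no packet is both inbound and outbound."""
    found, n = [], 0
    for d in ("in", "out"):
        idx = [i for i, r in enumerate(rules) if r.direction == d]
        sub, m = detect([rules[i] for i in idx])
        found += [(idx[a], idx[b], k) for a, b, k in sub]
        n += m
    return found, n


# Constructed sample policy; the comments name the intended anomalies.
RULES = [
    Rule("in",  "tcp", "0.0.0.0/0",      "10.0.0.0/24", (80, 80),   "allow"),  # 0
    Rule("in",  "tcp", "192.168.1.0/24", "10.0.0.0/24", (80, 80),   "deny"),   # 1 shadowed by 0
    Rule("in",  "tcp", "0.0.0.0/0",      "10.0.0.5/32", (22, 22),   "deny"),   # 2
    Rule("in",  "tcp", "0.0.0.0/0",      "10.0.0.0/24", (22, 22),   "allow"),  # 3 generalizes 2
    Rule("out", "tcp", "10.0.0.0/24",    "0.0.0.0/0",   (80, 80),   "deny"),   # 4 overlaps 0 on paper only
    Rule("out", "tcp", "10.0.0.0/24",    "0.0.0.0/0",   (443, 443), "allow"),  # 5
    Rule("out", "tcp", "10.0.0.0/24",    "0.0.0.0/0",   (443, 443), "allow"),  # 6 redundant to 5
    Rule("out", "udp", "10.0.0.0/24",    "8.8.8.8/32",  (53, 53),   "allow"),  # 7
    Rule("out", "any", "10.0.0.0/24",    "8.8.8.0/24",  (53, 53),   "deny"),   # 8 generalizes 7
]

if __name__ == "__main__":
    for name, fn in (("all pairs", detect), ("by direction", detect_by_direction)):
        found, n = fn(RULES)
        print(f"{name}: {n} comparisons, {len(found)} anomalies: {found}")
```

On this policy the naive check makes 36 comparisons and reports five anomalies, one of them the spurious correlation between inbound rule 0 and outbound rule 4; the direction-aware check makes 16 comparisons and reports only the four real anomalies. Real devices also carry a source-port field and interface or zone bindings, which slot into the same per-field relation scheme.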

Cited by

  1. Misconfiguration in Firewalls and Network Access Controls: Literature Review, Future Internet, vol.13, no.11, 2021. https://doi.org/10.3390/fi13110283