http://dx.doi.org/10.3837/tiis.2010.08.013

Classifying Rules by In-out Traffic Direction to Avoid Security Policy Anomaly  

Kim, Sung-Hyun (Dept. of Computer Science and Engineering, Korea University)
Lee, Hee-Jo (Dept. of Computer Science and Engineering, Korea University)
Publication Information
KSII Transactions on Internet and Information Systems (TIIS) / v.4, no.4, 2010, pp. 671-690
Abstract
The continuous growth of attacks on the Internet causes a large number of rules to be generated in security devices such as Intrusion Prevention Systems and firewalls. Policy anomalies in security devices create security holes and prevent the system from determining quickly whether to allow or deny a packet. Policy anomalies exist among the rules in multiple security devices as well as within a single security device. Solving policy anomalies requires complex and complicated algorithms. In this paper, we propose a new method to remove policy anomalies in a single security device and to avoid policy anomalies among the rules in distributed security devices. The proposed method classifies rules according to traffic direction and checks for policy anomalies in each device. It is unnecessary to compare the rules for outgoing traffic with the rules for incoming traffic. Therefore, by classifying rules by in-out traffic direction, the proposed method can reduce the number of rules to be compared by up to a half. Instead of detecting policy anomalies across distributed security devices, each device adopts the rules of another device to avoid anomalies. After policy anomalies are removed in each device, other firewalls can keep the policy consistent and free of anomalies by adopting the rules of a trusted firewall. In addition, this blocks unnecessary traffic, because a source side sends only as much traffic as the destination side accepts. We also explain another policy anomaly that can arise under a connection-oriented communication protocol.
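As an added illustration (not the paper's own code or algorithm), the following Python sketch partitions an ordered rule set by traffic direction, runs the pairwise anomaly check only inside each direction class, and counts how many rule-pair comparisons the classification saves. The rule set is constructed, and the pairwise relation labels (shadowing, redundancy, generalization, correlation) follow the commonly used firewall anomaly taxonomy, which the abstract itself does not define.

```python
from itertools import combinations

# Constructed sample rule set (not from the paper): (direction, src, dst, dport, action).
# '*' is a wildcard; rules are ordered and the first matching rule wins.
RULES = [
    ("in",  "*",           "10.0.0.5", 80,  "allow"),
    ("in",  "192.168.1.0", "10.0.0.5", 80,  "deny"),   # never reached: rule 0 covers it
    ("in",  "192.168.1.0", "*",        22,  "allow"),
    ("out", "10.0.0.0",    "*",        443, "allow"),
    ("out", "10.0.0.0",    "*",        "*", "allow"),  # makes rule 3 redundant
    ("out", "*",           "10.0.0.0", 443, "deny"),   # partially overlaps rules 3 and 4
]

def classify(rules):
    # Split the ordered rule list into per-direction classes, keeping original indices.
    classes = {}
    for idx, rule in enumerate(rules):
        classes.setdefault(rule[0], []).append((idx, rule))
    return classes

def is_subset(a, b):
    """Every packet matched by rule a is also matched by rule b (src, dst, dport)."""
    return all(y == "*" or x == y for x, y in zip(a[1:4], b[1:4]))

def overlaps(a, b):
    """Rules a and b match at least one packet in common."""
    return all(x == "*" or y == "*" or x == y for x, y in zip(a[1:4], b[1:4]))

def pair_anomaly(earlier, later):
    """Assumed taxonomy: shadowing, redundancy, generalization, correlation, or None."""
    same_action = earlier[4] == later[4]
    if is_subset(later, earlier):
        return "redundancy" if same_action else "shadowing"
    if is_subset(earlier, later):
        return "redundancy" if same_action else "generalization"
    if overlaps(earlier, later) and not same_action:
        return "correlation"

def detect_anomalies(rules):
    """Compare pairs only inside each direction class; 'in' is never compared with 'out'."""
    found = []
    for members in classify(rules).values():
        for (i, a), (j, b) in combinations(members, 2):
            if (kind := pair_anomaly(a, b)):
                found.append((kind, i, j))
    return found

def comparison_counts(rules):
    """(pair comparisons with direction classes, pair comparisons without them)."""
    n, sizes = len(rules), [len(m) for m in classify(rules).values()]
    return sum(s * (s - 1) // 2 for s in sizes), n * (n - 1) // 2
```

With three incoming and three outgoing rules the classified check needs 6 pair comparisons instead of 15, and the shadowed incoming rule is found without ever touching the outgoing class.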
Keywords
Firewall; security policy; policy anomalies; network security; ACL