Detecting and Resolving Firewall Policy Anomalies
The advent of emerging computing technologies such as service-oriented architecture and cloud computing has enabled
us to perform business services more efficiently and effectively. However, we still suffer from unintended security leakages by
unauthorized actions in business services. Firewalls are the most widely deployed security mechanism to ensure the security of private
networks in most businesses and institutions. The effectiveness of security protection provided by a firewall mainly depends on the
quality of policy configured in the firewall. Unfortunately, designing and managing firewall policies are often error prone due to the
complex nature of firewall configurations as well as the lack of systematic analysis mechanisms and tools. In this paper, we present
an innovative policy anomaly management framework for firewalls, adopting a rule-based segmentation technique to identify policy
anomalies and derive effective anomaly resolutions. In particular, we articulate a grid-based representation technique, providing an
intuitive cognitive sense about policy anomaly. We also discuss a proof-of-concept implementation of a visualization-based firewall
policy analysis tool called Firewall Anomaly Management Environment (FAME). In addition, we demonstrate how efficiently our
approach can discover and resolve anomalies in firewall policies through rigorous experiments.
As one of the essential elements in network and information
system security, firewalls have been widely deployed
in defending against suspicious traffic and unauthorized access to
Internet-based enterprises. Sitting on the border between a
private network and the public Internet, a firewall examines
all incoming and outgoing packets based on security rules.
To implement a security policy in a firewall, system
administrators define a set of filtering rules that are derived
from the organizational network security requirements.
Firewall policy management is a challenging task due to
the complexity and interdependency of policy rules. This is
further exacerbated by the continuous evolution of network
and system environments. For instance, Al-Shaer and
Hamed reported that their firewall policies contain
anomalies even though several administrators including
nine experts maintained those policies. In addition, Wool
recently inspected firewall policies collected from different
organizations and indicated that all examined firewall
policies have security flaws.
ANOMALY REPRESENTATION BASED ON PACKET
Packet Space Segmentation and Classification
As we discussed in Section 2, existing anomaly detection
methods could not accurately point out the anomaly
portions caused by a set of overlapping rules. In order to
precisely identify policy anomalies and enable a more
effective anomaly resolution, we introduce a rule-based
segmentation technique, which adopts a binary decision
diagram (BDD)-based data structure to represent rules
and perform various set operations, to convert a list of rules
into a set of disjoint network packet spaces. This technique
has been recently introduced to deal with several research
problems such as network traffic measurement, firewall
testing and optimization.
Grid Representation of Policy Anomaly
To enable an effective anomaly resolution, complete and
accurate anomaly diagnosis information should be represented
in an intuitive way. When a set of rules interacts, one
overlapping relation may be associated with several rules.
Meanwhile, one rule may overlap with multiple other rules
and can be involved in a couple of overlapping relations
(overlapping segments). Different kinds of segments and
associated rules can be viewed in the uniform representation
of anomalies (Fig. 1c). However, it is still difficult for an
administrator to figure out how many segments one rule is
involved in. To address the need for a more precise anomaly
representation, we additionally introduce a grid representation
that is a matrix-based visualization of policy anomalies.
ANOMALY MANAGEMENT FRAMEWORK
Our policy anomaly management framework is composed of
two core functionalities: conflict detection and resolution, and
redundancy discovery and removal, as depicted in Fig. 3. Both
functionalities are based on the rule-based segmentation
technique. For conflict detection and resolution, conflicting
segments are identified in the first step. Each conflicting
segment is associated with a policy conflict and a set of
conflicting rules. Also, the correlation relationships among
conflicting segments are identified and conflict correlation
groups (CG) are derived. Policy conflicts belonging to
different conflict correlation groups can be resolved separately;
thus, the search space for resolving conflicts is
reduced by the correlation process. The second step
generates an action constraint for each conflicting segment
by examining the characteristics of each conflicting segment.
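The three steps described above (splitting the rules into disjoint packet-space segments, reading the overlaps off a rule-by-segment grid, and grouping conflicting segments into correlation groups before resolving them) can be followed end to end on a small policy. The following is an added worked example in Python, not code from the paper or from FAME. It assumes a four-dimensional packet space (protocol, source address, destination address, destination port) handled as hyper-rectangles rather than with the BDD data structure the paper uses, first-match rule evaluation, that two conflicting segments are correlated when they share at least one rule, and that a rule is redundant when removing it changes the first-match decision of no segment; the six-rule policy is constructed for the example.

```python
# Added example (not the paper's or FAME's code). Assumes a 4-D packet space
# (proto, src, dst, dport) handled as hyper-rectangles, and first-match rules.
from collections import namedtuple
import ipaddress

MAX_IP, MAX_PORT = 2**32 - 1, 65535
PROTO = {"tcp": 0, "udp": 1}
Rule = namedtuple("Rule", "name box action")  # box: 4 inclusive (lo, hi) ranges

def cidr(s):
    """CIDR string or 'any' -> inclusive integer address range."""
    n = ipaddress.ip_network("0.0.0.0/0" if s == "any" else s)
    return (int(n.network_address), int(n.broadcast_address))

def rule(name, proto, src, dst, dport, action):
    port = (0, MAX_PORT) if dport == "any" else (int(dport), int(dport))
    return Rule(name, ((PROTO[proto], PROTO[proto]), cidr(src), cidr(dst), port), action)

def intersect(a, b):
    """Intersection of two boxes, or None when they are disjoint."""
    box = tuple((max(l1, l2), min(h1, h2)) for (l1, h1), (l2, h2) in zip(a, b))
    return None if any(lo > hi for lo, hi in box) else box

def box_minus(a, inner):
    """a minus inner (inner must lie inside a), as a list of disjoint boxes."""
    pieces, cur = [], list(a)
    for i, ((lo, hi), (ilo, ihi)) in enumerate(zip(a, inner)):
        if lo < ilo:
            pieces.append(tuple(cur[:i] + [(lo, ilo - 1)] + cur[i + 1:]))
        if ihi < hi:
            pieces.append(tuple(cur[:i] + [(ihi + 1, hi)] + cur[i + 1:]))
        cur[i] = (ilo, ihi)  # later cuts stay inside the inner range on this axis
    return pieces

def subtract(a, b):
    inner = intersect(a, b)
    return [a] if inner is None else box_minus(a, inner)

def segment(rules):
    """Partition the union of all rule spaces into disjoint (box, [rule indexes])."""
    segments = []
    for rid, r in enumerate(rules):
        remainder, updated = [r.box], []
        for box, members in segments:
            inner = intersect(box, r.box)
            if inner is None:
                updated.append((box, members))
                continue
            updated.append((inner, members + [rid]))            # overlapping segment
            updated.extend((p, members) for p in box_minus(box, inner))
            remainder = [p for q in remainder for p in subtract(q, inner)]
        updated.extend((p, [rid]) for p in remainder)            # covered by r alone
        segments = updated
    return segments

def conflicting_segments(rules, segments):
    """Overlapping segments whose rules disagree on the action."""
    return [(box, m) for box, m in segments if len({rules[i].action for i in m}) > 1]

def correlation_groups(conflicts):
    """Conflicting segments sharing at least one rule fall into one correlation group."""
    groups = []  # list of (conflict indexes, rule indexes)
    for i, (_, members) in enumerate(conflicts):
        merged = ({i}, set(members))
        for g in [g for g in groups if g[1] & set(members)]:
            groups.remove(g)
            merged = (merged[0] | g[0], merged[1] | g[1])
        groups.append(merged)
    return [sorted(g[0]) for g in groups]

def redundant_rules(rules, segments):
    """Rules whose removal leaves the first-match decision of every segment unchanged."""
    out = []
    for rid in range(len(rules)):
        covered = [m for _, m in segments if rid in m]
        if covered and all(len(m) > 1 and rules[min(m)].action ==
                           rules[min(i for i in m if i != rid)].action for m in covered):
            out.append(rid)
    return out

def grid(rules, segments):
    """Matrix view: one row per rule, one column per segment, cell = action or '.'."""
    return [[r.action if rid in m else "." for _, m in segments] for rid, r in enumerate(rules)]

RULES = [  # constructed sample policy in first-match order
    rule("r1", "tcp", "10.1.1.0/24", "any", "25", "deny"),
    rule("r2", "tcp", "10.1.0.0/16", "192.168.1.0/24", "25", "allow"),
    rule("r3", "tcp", "10.1.1.0/24", "192.168.1.0/24", "25", "allow"),
    rule("r4", "udp", "any", "any", "any", "deny"),
    rule("r5", "tcp", "any", "192.168.1.0/24", "80", "allow"),
    rule("r6", "tcp", "10.1.1.0/24", "any", "80", "deny"),
]

if __name__ == "__main__":
    segs = segment(RULES)
    for r, row in zip(RULES, grid(RULES, segs)):  # grid representation
        print(f"{r.name:>3} " + " ".join(f"{c:>5}" for c in row))
    print("groups:", correlation_groups(conflicting_segments(RULES, segs)),
          "redundant:", [RULES[i].name for i in redundant_rules(RULES, segs)])
```

On this policy the six rules split into eleven disjoint segments, two of which are conflicting: the tcp/25 space reachable from 10.1.1.0/24 to 192.168.1.0/24, covered by r1, r2 and r3, and the tcp/80 space where r5 and r6 overlap. The two conflicting segments share no rule, so they form two correlation groups that can be resolved independently, which is the search-space reduction the framework relies on. The grid shows directly that r3 is only ever matched inside the segment that r1 already decides, so it is reported as redundant.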
IMPLEMENTATION AND EVALUATION
Our framework is realized as a proof-of-concept prototype
called Firewall Anomaly Management Environment. Fig. 9
shows a high-level architecture of FAME with two levels.
The upper level is the visualization layer, which visualizes
the results of policy anomaly analysis to system administrators.
Two visualization interfaces, policy conflict viewer
and policy redundancy viewer, are designed to manage
policy conflicts and redundancies, respectively. The lower
level of the architecture provides underlying functionalities
addressed in our policy anomaly management
framework and relevant resources including rule information,
strategy repository, network asset information, and
There exist a number of algorithms and tools designed to
assist system administrators in managing and analyzing
firewall policies. Lumeta and Fang allow user
queries for the purpose of analysis and management of
firewall policies. Essentially, they introduced lightweight
firewall testing tools but could not provide a comprehensive
examination of policy misconfigurations. Gouda et al.
devised a firewall decision diagram (FDD) to support
consistent, complete, and compact firewall policy generation.
Bellovin et al. introduced a distributed firewall model
that supports centralized policy specification. Several other
approaches presenting policy analysis tools with the goal of
detecting policy anomalies are closely related to our work.
Al-Shaer and Hamed designed a tool called Firewall
Policy Advisor to detect pairwise anomalies in firewall rules.
Yuan et al. presented FIREMAN, a toolkit to check for
misconfigurations in firewall policies through static analysis.
As we discussed previously, our tool, FAME, overcomes the
limitations of those tools by conducting a complete anomaly
detection and providing more accurate anomaly diagnosis
information. In particular, the key distinction of FAME is its
capability to perform an effective conflict resolution, which
has been ruled out in other firewall policy analysis tools.
In this paper, we have proposed a novel anomaly management
framework that facilitates systematic detection and
resolution of firewall policy anomalies. A rule-based
segmentation mechanism and a grid-based representation
technique were introduced to achieve the goal of effective
and efficient anomaly analysis. In addition, we have
described a proof-of-concept implementation of our anomaly
management environment called FAME and demonstrated
that our proposed anomaly analysis methodology is
practical and helpful for system administrators to enable
assurable network management.
Our future work includes usability studies to evaluate
functionalities and system requirements of our policy
visualization approach with subject matter experts. Also,
we would like to extend our anomaly analysis approach to
handle distributed firewalls. Moreover, we would explore
how our anomaly management framework and visualization
approach can be applied to other types of access