Firewall Anomaly Detection & Resolution


Nov 10, 2012


CSE 548 Advanced Computer Network Security

Firewall Anomaly Detection & Resolution

Mayank Verma

Prashant Kommireddi


Group Number: 13

Motivation & Goals

[Figure: campus network diagram showing the INTERNET, BrickYard, CSE Dept, GoldWater Center, EE Dept, Computer Commons (General) and an Evil Attacker, with the subnets 149.169.10.0/24, 149.169.200.0/24, 149.169.201.0/24, 149.169.255.0/24 and 129.169.0.0/16]

Motivation & Goals


Firewalls with different configurations within an organization result in configuration anomalies.

Security holes in firewalls, i.e. making the internal network vulnerable to attack.

Leaking unwarranted traffic to and from the internal network.

Blocking genuine traffic to and from the internal network.

Decreased packet filtering performance through increased latency, resulting in degraded Quality of Service (QoS).

Goal:

Our project concentrates on detecting and removing the anomalies that result in the problems discussed above.


Some Definitions

1. A firewall is a network element that controls the traversal of packets across the boundaries of a secured network based on a specific security policy.

2. A firewall security policy is a list of ordered filtering rules that define the actions performed on packets that satisfy specific conditions.

3. A rule is composed of a set of filtering fields (also called network fields) such as protocol type, source IP address, destination IP address, source port and destination port, as well as an action field.

4. A firewall policy anomaly is defined as the existence of two or more filtering rules that may match the same packet, or the existence of a rule that can never match any packet on the network paths that cross the firewall.



Rule format: <order><protocol><src ip><src port><dest ip><dest port><action>

Types of anomalies

Shadowing anomaly: A rule is shadowed when a previous rule matches all the packets that match this rule, such that the shadowed rule will never be activated.

Correlation anomaly: Two rules are correlated if they have different filtering actions, and the first rule in order matches some packets that match the second rule and the second rule matches some packets that match the first rule.

Generalization anomaly: A rule is a generalization of a preceding rule if they have different actions, and if the first rule can match all the packets that match the second rule.

Redundancy anomaly: A redundant rule performs the same action on the same packets as another rule, such that if the redundant rule is removed, the security policy will not be affected.

Irrelevance anomaly: A filtering rule in a firewall is irrelevant if this rule cannot match any traffic that might flow through this firewall.
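As an added example (not part of the deck or its tool), here is a pairwise checker in Python that applies the definitions above to rules written in the deck's <order><protocol><src ip><src port><dest ip><dest port><action> format. It assumes the deck's per-octet '*' and 'any' wildcards, compares each rule against every later rule, and follows the usual formalization of these definitions in which a later rule fully covered by an earlier one with the same action is reported as redundancy rather than shadowing; the rule set at the bottom is constructed for the example.

```python
from itertools import combinations

def atom_rel(a, b):
    # Relation of one field value in rule a to the same field in rule b.
    if a == b: return "eq"
    if b in ("*", "any"): return "sub"
    if a in ("*", "any"): return "sup"
    return "disjoint"

def combine(rels):
    # Fold per-field relations into one relation between two match sets.
    if "disjoint" in rels: return "disjoint"
    if rels <= {"eq", "sub"}: return "sub" if "sub" in rels else "eq"
    if rels <= {"eq", "sup"}: return "sup"
    return "overlap"   # narrower in some fields, wider in others

def parse_rule(line):
    # Deck's format: <order> <proto> <src ip> <src port> <dst ip> <dst port> <action>
    f = line.split()
    return {"order": int(f[0]), "fields": f[1:6], "action": f[6]}

def rule_rel(x, y):
    # Relation of rule x's match set to rule y's; IPs compared octet by octet.
    rels = set()
    for a, b in zip(x["fields"], y["fields"]):
        rels.add(combine({atom_rel(p, q) for p, q in zip(a.split("."), b.split("."))}))
    return combine(rels)

def classify(earlier, later):
    # Anomaly between an earlier rule and a later one, per the deck's definitions.
    rel = rule_rel(later, earlier)
    if rel == "disjoint": return None
    same = earlier["action"] == later["action"]
    if rel in ("sub", "eq"): return "redundancy" if same else "shadowing"
    if rel == "sup": return "redundancy" if same else "generalization"
    return None if same else "correlation"

def find_anomalies(lines):
    rules = [parse_rule(l) for l in lines]
    pairs = [(a, b, classify(a, b)) for a, b in combinations(rules, 2)]
    return [(a["order"], b["order"], k) for a, b, k in pairs if k]

POLICY = [  # constructed rule set modelled on the deck's table, not its rows
    "1 tcp 10.10.10.10 any 149.169.176.* 80 deny",
    "2 tcp *.*.*.* any 129.219.10.* 80 accept",
    "3 tcp 10.10.10.10 any 149.169.176.30 80 accept",
    "4 tcp 20.20.20.20 any 129.219.*.* 80 deny",
    "5 tcp 10.10.*.* any 129.219.10.* 80 accept",
    "6 tcp *.*.*.* any 149.169.176.* 80 accept",
]
```

Running find_anomalies(POLICY) reports rule 3 shadowed by rule 1, rule 6 generalizing rule 1, rules 2 and 4 correlated, and rules 5 and 3 redundant to rules 2 and 6 respectively; irrelevance is not checked, since it depends on the firewall's position in the topology rather than on the rule pair alone.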

Project Description

Order  Protocol  SRC ip        SRC port  DST ip           DST port  Action
1      tcp       10.10.10.10   any       149.169.176.*    80        deny
2      tcp       *.*.*.*       any       129.219.10.*     80        accept
3      tcp       10.10.10.10   any       149.169.176.30   80        deny
4      tcp       10.10.10.*    any       149.169.176.*    21        deny
5      tcp       20.20.20.20   any       129.219.*.*      80        deny
6      tcp       10.10.*.*     any       129.219.10.*     80        accept
7      tcp       10.10.*.*     any       149.169.176.30   21        accept
8      udp       *.*.*.*       any       *.*.*.*          53        deny
9      udp       *.*.*.*       any       129.219.*.*      53        deny
10     tcp       10.10.10.*    any       149.169.176.30   53        accept

Project Description Cont.

[Figure: policy tree built from the rule table above, branching on DST ip, DST port, SRC ip, SRC port, protocol and action, with the anomalous rule pairs marked]

1-3: Shadow

2-5: Correlation

4-7: Generalization

2-6: Redundant

8-9: Irrelevant

Anomaly resolution

Shadowing anomaly: This error is removed by reordering or removing the shadowed rule.

Correlation anomaly: To resolve this conflict, we choose the proper order that complies with the security policy requirements.

Generalization anomaly: Remove the generalization rule, or define more specific rules for the specific network.

Redundancy anomaly: To avoid redundant rules, a superset rule following a subset rule should have an opposite filtering action.

Irrelevance anomaly: Simply remove the rule.


Technical Details

We will be implementing using:

Java NetBeans 5.5.1 (Front-end)

JDK 1.5.0

XML (for storing results)


Gantt Chart

[Gantt chart from 9/4/2007 to 11/13/2007 covering: Topic Search; Problem Understanding; Research Problem Statement (Related Work); Solution Brainstorming; Implementation; Project Proposal; Interim Report Writing; Interim Project Presentation Preparation; Interim Project Presentation; Final Report; Final Project Presentation Preparation; Final Report Presentation; Presentation Preparation; Deliverables; Wiki Page Update; Testing and Performance Evaluation]
Risks and Benefits


Novel aspects of this project:

Detecting firewall anomalies for large organizations.

Proposing a solution for firewall anomaly correction.

Potential risks/challenges:

Anomalies resulting after anomaly resolution.

Determining effects/conflicts resulting from hardware.

Potential applications & benefits:

Large or small organizations with a centralized or distributed firewall system.

Remove firewall loopholes.

Prevent attacks resulting from firewall anomalies.

Improve QoS and remove latency in packet filtering.





Tasks Accomplished by Now

Researched the problem statement and related work.

Came up with an innovative solution for resolving firewall anomalies for centralized and distributed systems.

Created a front-end to the application using the NetBeans IDE.

DELIVERABLES & MILESTONES

Till 11/14/2007:

An implementation of a firewall anomaly detection tool.

A research paper addressing firewall anomaly issues, the proposed solution and performance results.
