first step towards automatic correction of firewall
play

First Step Towards Automatic Correction of Firewall Policy Faults - PowerPoint PPT Presentation

Aug 23, 2023 •220 likes •531 views

First Step Towards Automatic Correction of Firewall Policy Faults Fei Chen Alex X. Liu JeeHyun Hwang Tao Xie Computer Science and Engineering Computer Science Michigan State University North Carolina State University What do we do here?

  1. First Step Towards Automatic Correction of Firewall Policy Faults Fei Chen Alex X. Liu JeeHyun Hwang Tao Xie Computer Science and Engineering Computer Science Michigan State University North Carolina State University

  2. What do we do here? � Most firewall policies are poorly configured and contain faults. [Wool 2004 & 2010] ─ A coworker may mess up your firewall rules ─ Any modification may introduce firewall faults. � We invent methods for fixing firewall policies automatically. ─ We first model 5 types of faults. ─ For each type of faults, we develop an algorithm to fix them. ─ Given a faulty firewall policy, we propose a systematic method to fix the faults automatically using the 5 algorithms. 2/29

  3. Roadmap � Background ─ Firewalls ─ Firewall Policies ─ Firewall Policy Faults � Technical Challenges � Fault model of firewall policies ─ Five types of faults � Problem formalization � Our solution � Experimental results 3/29

  4. Background – Firewalls � A firewall checks all outgoing and incoming packets � The firewall policy decides whether to accept or discard a packet Private Network Outgoing Packets Internet Incoming Packets Firewall 4/29

  5. Background – Firewall Policies � A firewall policy is usually specified as a sequence of rules � Each rule consists of a predicate and a decision. ─ A predicate typically includes five fields: source IP, destination IP, source port, destination port, protocol type ─ Typical decisions are accept and discard. Firewall Policy Src IP Dst IP Src Port Dst Port Protocol Decision r 1 1.2.3.* 192.168.1.1 * 25 TCP Accept r 2 1.2.3.9 192.168.1.1 * 25 * Discard r 3 * * * * * Discard Packet Src IP Dst IP Src Port Dst Port Protocol Payload 1.2.3.5 192.168.1.1 78 25 TCP � Conflict Resolution: first-match 5/29

  6. Background – Firewall Policy Faults � Most firewall policies are poorly configured and contain faults. [Wool 2004 & 2010] � It is dangerous to have faults in a firewall policy. A policy fault ─ either allows malicious traffic to sneak into the private network ─ or blocks legitimate traffic and disrupts normal business processes � A faulty policy evaluates some packets to unexpected decisions. ─ Such packets are called misclassified packets of a faulty firewall policy � Manually locating and correcting firewall faults are impractical. ─ A firewall may consist of thousands of rules � Automatically correcting firewall faults is an important problem. 6/29

  7. Roadmap � Background ─ Firewalls ─ Firewall Policies ─ Firewall Policy Faults � Technical Challenges � Fault model of firewall policies ─ Five types of faults � Problem formalization � Our solution � Experimental results 7/29

  8. Three Key Technical Challenges � It is difficult to determine the number of policy faults and the type of each fault. ─ A set of misclassified packets can be caused by different types of faults and different number of faults. � It is difficult to correct a firewall fault. ─ A firewall policy may consists of a large number of rules. ─ Each rule has a predicate over multi-dimensional fields. � It is difficult to correct a fault without introducing other faults ─ Due to the first match, correcting faults in a firewall rule affects the functionally of all the subsequent rules. 8/29

  9. Roadmap � Background ─ Firewalls ─ Firewall Policies ─ Firewall Policy Faults � Technical Challenges � Fault model of firewall policies ─ Five types of faults � Problem formalization � Our solution � Experimental results 9/29

  10. Fault Model of Firewall Policies (1/2) � We propose a fault model that includes five types of faults (1) Wrong order: the order of firewall rules is wrong. Src IP Dst IP Src Port Dst Port Protocol Decision r 1 1.2.3.* 192.168.1.1 * 25 TCP Accept r 2 1.2.3.9 192.168.1.1 * 25 * Discard Correction technique: Order Fixing (2) Missing rules: some rules are missed in the firewall policy. Src IP Dst IP Src Port Dst Port Protocol Decision r 1 1.2.3.* 192.168.1.1 * 25 TCP Accept r * r 2 1.2.3.9 192.168.1.1 * 25 * Discard Correction technique: Rule Addition (3) Wrong predicates: the predicates of some rules are wrong. Src IP Dst IP Src Port Dst Port Protocol Decision r 1 1.2.3.* 192.168.1.1 * 25 TCP Accept Correction technique: Predicate Fixing 10/29

  11. Fault Model of Firewall Policies (2/2) (4) Wrong decisions: the decisions of some rules are wrong. Src IP Dst IP Src Port Dst Port Protocol Decision r 1 1.2.3.* 192.168.1.1 * 25 TCP Accept r 2 1.2.3.9 192.168.1.1 * 25 * Discard Correction technique: Decision Fixing (5) Wrong extra rules: some rules are not needed in the policy. Src IP Dst IP Src Port Dst Port Protocol Decision r 1 1.2.3.* 192.168.1.1 * 25 TCP Accept r 2 1.2.3.9 192.168.1.1 * 25 * Discard r 3 * * * * * Discard Correction technique: Rule Deletion Each operation of these five techniques is called a modification . 11/29

  12. Roadmap � Background ─ Firewalls ─ Firewall Policies ─ Firewall Policy Faults � Technical Challenges � Fault model of firewall policies ─ Five types of faults � Problem formalization � Our solution � Experimental results 12/29

  13. Detection of Faulty Firewall Policies � A faulty firewall policy is detected when ─ administrators find that the policy allows some malicious packets or blocks some legitimate packets. Faulty Firewall Policy Malicious Packets × Legitimate Packets Administrator � These packets cannot provide enough information about the faults ─ The number of these observed packets is typically small � Bruteforce testing every possible packets needs 2 104 � How to generate test packets for faulty firewall policies? 13/29

  14. Generating Test Packets for Faulty Policies � We employ the automated packet generation techniques in [Hwang et al. 2008] to generate test packets � Administrators identify passed/failed tests automatically or manually According to security requirements for the firewall policy, ─ If the decision of a packet is correct, administrators classify it as a passed test. ─ Otherwise, administrators classify it as a failed test. Faulty Firewall Packet Policy Generation Classify Packets Passed Failed Packets Packets 14/29

  15. Problem Statement � Input: (1) A faulty firewall policy FW (2) A set of passed tests PT, |PT| ≥ 0 (3) A set of failed tests FT, |FT|>0 � Output: A sequence of modifications <M 1 , …, M m >, where M j (1 ≤ j ≤ m) denotes one modifition, satisfies the following two conditions: (1) After applying <M 1 , …, M m > to FW, all tests in PT and FT become passed tests. (2) No other sequence that satisfies the first condition has the smaller number of modifications than m. � This is a global optimization problem and hard to solve because ─ a policy may consist of a large number of rules, and ─ different combinations of modifications can be made. 15/29

  16. Roadmap � Background ─ Firewalls ─ Firewall Policies ─ Firewall Policy Faults � Technical Challenges � Fault model of firewall policies ─ Five types of faults � Problem formalization � Our solution � Experimental results 16/29

  17. Automatic Correction of Firewall Policy Faults � We propose a greedy algorithm to address this problem. ─ For each step, we correct one fault in the policy such that |PT| increases. ─ To determine which technique should be used, we try the five correction techniques and then find the one that maximizes |PT|. Faulty Firewall Passed Failed Policy Packets Packets Order Rule Predicate Decision Rule Fixing Addition Fixing Fixing Deletion No |Failed Tests|=0 ? Yes Fixed Firewall Policy 17/29

  18. Running Example r 1 : F 1 ∈ [1, 5] ∧ F 2 ∈ [1, 10] → a r 2 : F 1 ∈ [1, 6] ∧ F 2 ∈ [3, 10] → a r 3 : F 1 ∈ [6,10] ∧ F 2 ∈ [1, 3] → d r 4 : F 1 ∈ [7,10] ∧ F 2 ∈ [4, 8] → a r 5 : F 1 ∈ [1,10] ∧ F 2 ∈ [1, 10] → d A faulty firewall policy p 1 : (3, 2) → a p 6 : (6, 3) → d p 2 : (5, 7) → a p 7 : (7, 9) → a p 3 : (6, 7) → a p 8 : (8, 5) → d p 4 : (7, 2) → d p 5 : (8,10) → d A set of failed tests A set of passed tests 18/29

  19. Order Fixing (1/2) � Swapping every two rules is computationally expensive. ─ There are (n-1)(n-2)/2 pairs of rules that can be swapped � We use all-match firewall decision diagrams (all-match FDDs) [Liu et al. 2008] as the core data structure. ─ Any firewall policy can be converted to an equivalent all-match FDD. r 1 : F 1 ∈ [1, 5] ∧ F 2 ∈ [1, 10] → a r 2 : F 1 ∈ [1, 6] ∧ F 2 ∈ [3, 10] → a r 3 : F 1 ∈ [6,10] ∧ F 2 ∈ [1, 3] → d r 4 : F 1 ∈ [7,10] ∧ F 2 ∈ [4, 8] → a r 5 : F 1 ∈ [1,10] ∧ F 2 ∈ [1, 10] → d F 1 [7, 10] [1, 5] [6, 6] F 2 F 2 F 2 [1, 2] [1,3] [9,10] [3, 10] [1,2] [4,10] [3,3] [4,8] 1,5 1,2,5 3,5 2,3,5 2,5 3,5 4,5 5 19/29

  20. Order Fixing (2/2) � All-match FDD has the following nice property. Swapping two rules is equivalent to swapping the sequence numbers of the two rules in the terminal nodes of all-match FDD ⇒ <r 1 , r 3 , r 2 , r 4 , r 5 > <r 1 , r 2 , r 3 , r 4 , r 5 > F 1 [7, 10] [1, 5] [6, 6] F 2 F 2 F 2 [1, 2] [4,10] [1,3] [9,10] [3, 10] [1,2] [3,3] [4,8] 3,2,5 1,5 1,2,5 3,5 2,3,5 2,5 3,5 4,5 5 � For the running example, this technique can find that swapping r 2 and r 3 can increase |PT| by 1 ─ change the failed test (6, 3) � d to a passed test 20/29

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Sophos XG Firewall IP Partners ICT Systems &amp; Services www.ippartners.gr XG Firewall

Sophos XG Firewall IP Partners ICT Systems &amp; Services www.ippartners.gr XG Firewall

Sophos XG Firewall IP Partners ICT Systems &amp; Services www.ippartners.gr XG Firewall Overview Todays top firewall problems What IT managers say about their existing firewall Firewall Satisfaction Survey (Spiceworks 2017) Top

548 views • 52 slides
Firewall Configuration 1. As a first step, check to see if the Splunk universal forwarder is

Firewall Configuration 1. As a first step, check to see if the Splunk universal forwarder is

Firewall Configuration 1. As a first step, check to see if the Splunk universal forwarder is sending its internal logs to the Splunk indexer. This takes place by default with all Splunk forwarder installations, and will prevent you from going

364 views • 9 slides
Step Response Analysis. Frequency Response, Relation Between Model Descriptions Automatic

Step Response Analysis. Frequency Response, Relation Between Model Descriptions Automatic

Step Response Analysis. Frequency Response, Relation Between Model Descriptions Automatic Control, Basic Course, Lecture 3 Gustav Nilsson 17 November 2016 Lund University, Department of Automatic Control Content 1. Step Response Analysis 2.

617 views • 57 slides
Firewall and IDS/IPS What is a firewall? firewall = wall to protect against fire propagation

Firewall and IDS/IPS What is a firewall? firewall = wall to protect against fire propagation

Firewall and IDS/IPS What is a firewall? firewall = wall to protect against fire propagation controlled connection between networks at different security levels = boundary protection ( L1 &gt; L2 ) network at network at security

1.07k views • 67 slides
Automatic Classifiers as Scientific Instruments: One Step Further Away from Ground-Truth Jacob

Automatic Classifiers as Scientific Instruments: One Step Further Away from Ground-Truth Jacob

Automatic Classifiers as Scientific Instruments: One Step Further Away from Ground-Truth Jacob Whitehill and Anand Ramakrishnan Worcester Polytechnic Institute (WPI), Massachusetts, USA ICML2019 Machine learning to advance basic

398 views • 13 slides
Firewalls in FreeBSD and OpenBSD What is firewall? firewall is a method of protecting hosts

Firewalls in FreeBSD and OpenBSD What is firewall? firewall is a method of protecting hosts

Firewalls in FreeBSD and OpenBSD What is firewall? firewall is a method of protecting hosts and networks connected to other hosts and networks against attacks from the outside and from the inside. a firewall is a network security system

440 views • 30 slides
Neural Network Approach for Photon-counting Detection The First Step: PPE Correction Ruibin

Neural Network Approach for Photon-counting Detection The First Step: PPE Correction Ruibin

Neural Network Approach for Photon-counting Detection The First Step: PPE Correction Ruibin Feng, Ph.D. Ge Wang, Ph.D. David Rundle Biomedical Imaging Center, Biomedical Imaging Center, JairiNovus Technologies Ltd. CBIS/BME, RPI

552 views • 26 slides
Lane ESD Technology Services Core Firewall Overview Districts Behind Firewall Blachly

Lane ESD Technology Services Core Firewall Overview Districts Behind Firewall Blachly

Lane ESD Technology Services Core Firewall Overview Districts Behind Firewall Blachly Creswell Crow-Applegate-Lorane Fern Ridge Junction City Lowell Mapleton Screened, but exempt from policies Marcola

539 views • 15 slides
Firewall vs. Scrambling 2 1 Review of Firewall argument Review of Hayden-Preskill 4 3

Firewall vs. Scrambling 2 1 Review of Firewall argument Review of Hayden-Preskill 4 3

Firewall vs. Scrambling 2 1 Review of Firewall argument Review of Hayden-Preskill 4 3 State-independent interior operators Interior operator from HP recovery 6 5 Resolution of the puzzle Effect of infalling observer 7 Discussions Beni

1.61k views • 106 slides
FIREMAN: A Toolkit for FIREwall Modeling and ANalysis Michael Lin All about firewalls A

FIREMAN: A Toolkit for FIREwall Modeling and ANalysis Michael Lin All about firewalls A

FIREMAN: A Toolkit for FIREwall Modeling and ANalysis Michael Lin All about firewalls A firewall is only as good as its configuration Big deal, it should be easy to configure a firewall, right? Basically... no. A Quantitative

507 views • 14 slides
AUTOMATIC EXCHANGE OF INFORMATION Practical Examples for Trust Practitioners in Switzerland STEP

AUTOMATIC EXCHANGE OF INFORMATION Practical Examples for Trust Practitioners in Switzerland STEP

AUTOMATIC EXCHANGE OF INFORMATION Practical Examples for Trust Practitioners in Switzerland STEP Lausanne, 6 March 2018 David Violi Head Regulatory &amp; Compliance Financial Services Western Switzerland Director, Attorney-at-law Agenda

487 views • 24 slides
Blind restoration of atmospherically degraded images by automatic best step-edge detection Ormi

Blind restoration of atmospherically degraded images by automatic best step-edge detection Ormi

Blind restoration of atmospherically degraded images by automatic best step-edge detection Ormi Shacham, Oren Haik, Yitzhak Yitzhaky Ben-Gurion University, Department of Electro-Optics Engineering, Israel Pattern Recognition Letters, Volume 28

197 views • 19 slides
A new automatic spelling correction model aimed at improving parsability Rob van der Goot and

A new automatic spelling correction model aimed at improving parsability Rob van der Goot and

A new automatic spelling correction model aimed at improving parsability Rob van der Goot and Gertjan van Noord Old approach IV/OOV Generate candidates Rank candidates New approach IV/OOV Generate candidates Rank

299 views • 16 slides
Eight Truths about Correction from the Book of Proverbs 3 1. The right attitude to correction

Eight Truths about Correction from the Book of Proverbs 3 1. The right attitude to correction

10/15/2020 1 W ISDOM : L IVING S UCCESSFULLY IN A T REACHEROUS W ORLD Accepting Correction 2 1 10/15/2020 Eight Truths about Correction from the Book of Proverbs 3 1. The right attitude to correction begins with the acknowledgement of

659 views • 18 slides
Automatic Enrolment GUIDANCE FOR CHURCH EMPLOYERS Joel Ryan Church of England Pensions Board

Automatic Enrolment GUIDANCE FOR CHURCH EMPLOYERS Joel Ryan Church of England Pensions Board

Automatic Enrolment GUIDANCE FOR CHURCH EMPLOYERS Joel Ryan Church of England Pensions Board joel.ryan@churchofengland.org Agenda 1 . Recap on Automatic Enrolment 2. Step-by-step guide 3. Check your staging date 4. Check who you need to

417 views • 19 slides
Firewalls 1 Outline What are firewalls? Types of Firewalls Building a simple

Firewalls 1 Outline What are firewalls? Types of Firewalls Building a simple

Firewalls 1 Outline What are firewalls? Types of Firewalls Building a simple firewall using Netfilter Iptables firewall in Linux Stateful Firewall Application Firewall Evading Firewalls 2 Firewalls

811 views • 55 slides
Optional Life and Optional AD&amp;D Insurance Oregon Educators Benefit Board Standard Insurance

Optional Life and Optional AD&amp;D Insurance Oregon Educators Benefit Board Standard Insurance

Optional Life and Optional AD&amp;D Insurance Oregon Educators Benefit Board Standard Insurance Company Optional Life Insurance Life insurance helps protect your loved ones from financial hardship should you pass away. What is it for?

407 views • 7 slides
Coding and decoding in classes of structures Alexandra A. Soskova 1 Sofia University WDCM 2020,

Coding and decoding in classes of structures Alexandra A. Soskova 1 Sofia University WDCM 2020,

Coding and decoding in classes of structures Alexandra A. Soskova 1 Sofia University WDCM 2020, Novosibirsk, Russia 1 Supported by Bulgarian National Science Fund DN 02/16 /19.12.2016, FNI, SU 80-10-128/16.04.2020 and NSF grant DMS 1600625/2016

877 views • 33 slides
Credits This material is based upon work supported by the National Science Foundation Learn Math

Credits This material is based upon work supported by the National Science Foundation Learn Math

Credits This material is based upon work supported by the National Science Foundation Learn Math and Achieve Victory under: KCP Technologies Award ID: 0918735 UMass Amherst Award ID: 0918653 through Data Analysis Grant period: September 1,

654 views • 6 slides
The EC/OpenAIRE FP7 Post-Grant Open Access Pilot What is this FP7 Post-Grant Pilot? The EC

The EC/OpenAIRE FP7 Post-Grant Open Access Pilot What is this FP7 Post-Grant Pilot? The EC

Pablo de Castro Open Access Project Officer LIBER Ligue des bibliothques europennes de recherche Open-Access-Tage Zrich, Sep 8 nd , 2015 The EC/OpenAIRE FP7 Post-Grant Open Access Pilot What is this FP7 Post-Grant Pilot? The EC

347 views • 14 slides
Network Stack as a Service in the Cloud Zhixiong Niu 1 , Hong Xu 1 , Dongsu Han 2 , Peng Cheng 3 ,

Network Stack as a Service in the Cloud Zhixiong Niu 1 , Hong Xu 1 , Dongsu Han 2 , Peng Cheng 3 ,

Network Stack as a Service in the Cloud Zhixiong Niu 1 , Hong Xu 1 , Dongsu Han 2 , Peng Cheng 3 , Yongqiang Xiong 3 , Guo Chen 3 , Keith Winstein 4 1 City University of Hong Kong 2 KAIST 3 Microsoft Research Asia 4 Stanford University Imagine

890 views • 50 slides
Questions around the environmental footprint of housing Philippe Thalmann EPFL Input for the

Questions around the environmental footprint of housing Philippe Thalmann EPFL Input for the

Philippe Thalmann Questions around the environmental footprint of housing Philippe Thalmann EPFL Input for the SDSN Switzerland and NRP 73 Sustainable economy ' workshop: 'Sustainable construction &amp; housing ' Philippe Thalmann

360 views • 23 slides
Breaking down the communication barrier: : How to talk lk about Scope 3 effectively Carbon

Breaking down the communication barrier: : How to talk lk about Scope 3 effectively Carbon

Breaking down the communication barrier: : How to talk lk about Scope 3 effectively Carbon Credentials 19/09/2019 www.carboncredentials.com www.carboncredentials.com www.carboncredentials.com Speakers Chair Sam Ca Sa Carson Emma Wats

1.02k views • 35 slides
LIFTING THE VEIL FROM GODS WORD HI HIDDE DDEN N IN IN THE HE UN UNAPPE PEALING ALING

LIFTING THE VEIL FROM GODS WORD HI HIDDE DDEN N IN IN THE HE UN UNAPPE PEALING ALING

II Timothy 3:16-17 LIFTING THE VEIL FROM GODS WORD HI HIDDE DDEN N IN IN THE HE UN UNAPPE PEALING ALING Every Scripture (II Timothy 3:16) If you were to write the Bible, would you have made it more appealing to

198 views • 4 slides

More recommend