Firewall Policy Anomalies- Detection and Resolution

Transcription

1 Firewall Policy Anomalies- Detection and Resolution Jitha C K #1, Sreekesh Namboodiri *2 #1 MTech student(cse),mes College of Engineering,Kuttippuram,India #2 Assistant Professor(CSE),MES College of Engineering,Kuttippuram,India Abstract Firewalls have an important role in network security. However, managing firewall policies is an extremely complex task because the large number of interacting rules in single or distributed firewalls significantly increases the possibility of policy misconfiguration and network vulnerabilities. Moreover, due to low-level representation of firewall rules, the semantic of firewall policies become very incomprehensible, which makes inspecting of firewall policy s properties a difficult and errorprone task. In existing approach they can only detect the firewall policy anomaly can t resolving these policy, and also policy conflict detection time was also increased. Therefore in our proposed, we represent an innovative policy anomaly management framework for firewalls, adopting a rule-based segmentation technique to identify policy anomalies and derive effective anomaly resolutions. In particular, we articulate a firewall rule, providing an intuitive cognitive sense about policy anomaly. After detecting the policy conflict we need to resolve these conflicts. We can resolve the conflict based on the some risk assessment value. Based on these risk value conflict rule can be effectively resolved. After resolving these conflicts, we need to re-order the rule. We also perform firewall log analysis.it would generate a set of primitive rules with repeated and rare outcomes. This is used to add more security in frequent log. Keywords Anomaly, FIREMAN, Firewall, Firewall policy, Segmentation. I. INTRODUCTION Network security is essential to the development of internet and has attracted much attention in research and industrial communities. With the increase of network attack threats, firewalls are considered effective network barriers and have become important elements not only in enterprise networks but also in small-size and home networks. A firewall is a program or a hardware device to protect a network or a computer system by filtering out unwanted network traffic. The filtering decision is based on a set of ordered filtering rules written based on predefined security policy requirements. Firewalls can be deployed to secure one network from another. However, firewalls can be significantly ineffective in protecting networks if policies are not managed correctly and efficiently. It is very crucial to have policy management techniques and tools that users can use to examine, refine and verify the correctness of written firewall filtering rules in order to increase the effectiveness of firewall security. It is true that humans are well adapted to capture data essences and patterns when presented in a way that is visually appealing. This truth promotes visualization on data, on which the analysis is very hard or ineffective to carry out because of its huge volume and complexity. The amount of data that can be processed and analyzed has never been greater, and continues to grow rapidly. As the number of filtering rules increases largely and the policy becomes much more complex, firewall policy visualization is an indispensable solution to policy management. Firewall policy visualization helps users understand their policies easily and grasp complicated rule patterns and behaviors efficiently. In this paper, we present a useful tool in visualizing firewall policies and distinct a structure for firewall policy management that provide conflict detection and resolution techniques by identifying rules involved in conflicts and resolve the conflicts based on risk assessment values. Our proposed conflict resolution method acts as a flexible conflict resolution technique with respect to risk assessment. Our main contribution in this work aims to ultimately resolve the conflicts associated with specified action constraints by rule reordering and perform firewall log analysis that help to add more security in frequent log. II. RELATED WORK Firewall is the de facto core technology of today s network security and defense. However, the management of firewall rules has been proven to be complex, error-prone, costly and inefficient for many large-networked organizations. These firewall rules are mostly custom-designed and hand-written thus in constant need for tuning and validation, due to the dynamic nature of the traffic characteristics, ever-changing network environment and its market demands. Firewalls are the most widely deployed security mechanism to ensure the security of private networks in most businesses and institutions. The effectiveness of security protection provided by a firewall mainly depends on the quality of policy configured in the firewall. Unfortunately, designing and managing firewall policies are often error prone due to the complex nature of firewall configurations as well as the lack of systematic analysis mechanisms and tools. Therefore, effective mechanisms and tools for policy management are crucial to the success of firewalls. Existing policy analysis tools, such as Firewall Policy Advisor[4] and FIREMAN[3], with the goal of detecting policy anomalies have been introduced. Firewall Policy Advisor only has the capability of detecting pairwise anomalies in firewall rules. FIREMAN can detect anomalies among multiple rules by analyzing the relationships between one rule and the collections of packet spaces derived from all ISSN: Page 2371

2 preceding rules. However, FIREMAN also has limitations in detecting anomalies. For each firewall rule, FIREMAN only examines all preceding rules but ignores all subsequent rules when performing anomaly analysis. In addition, each analysis result from FIREMAN can only show that there is a misconfiguration between one rule and its preceding rules, but cannot accurately indicate all rules involved in an anomaly[3]. III. PROPOSED SYSTEM In existing approach they can only detect the firewall policy anomaly and can not resolve these policy anomaly, and also policy conflict detection time was also increased. Therefore in proposed, represent an innovative policy anomaly management framework for firewalls, adopting a rule-based segmentation technique[1] to identify policy anomalies and derive effective anomaly resolutions and perform firewall log analysis. IV. FIREWALL POLICIES AND ANOMALIES A firewall policy rule is defined as a set of criteria and an action to perform when a packet matches the criteria. The criteria of a rule consist of the elements direction, protocol, source IP, source port, destination IP and destination port. Therefore a complete rule may be defined by the ordered tuple <direction, protocol, source IP, source port, destination IP, destination port, action>. Each attribute can be defined as a range of values, which can be represented and analyzed as sets. The relation between two rules essentially mean the relation between the set of packets they match. Thus the action field does not come into play when considering the relation between two rules. Firewall policy anomaly is defined as the existence of two or more filtering rules that may match the same packet. The existence of a rule that can never match any packet on the network paths that cross the firewall also cause anomaly. Till date, five types of anomalies are discovered,shadowing Anomalies, Correlation Anomalies, Generalization Anomalies, Redundancy Anomalies, and Irrelevance Anomalies [2][5] Shadowing anomaly Two rules are said to have shadowing anomaly,whenever the rule which comes first in rule set matches all the packets and the second rule which is positioned after the first rule in rule set does not get chance to match any packet because the previous rule has matched all the packets. It is a very critical problem since the rule coming later to the previous rule will never get activated. Hence the traffic to be blocked will be allowed or the traffic to be permitted can be blocked. 4.2 Correlation anomaly Two rules are said to have correlation anomaly if both of them matches some common packets that is the rule one matches some packets, which are also matched by the rule second. The problem here is that the action performed by both the rules is different. Hence in order to get the proper action such correlated rules must be detected and should be specified with proper action to be performed. 4.3 Generalization anomaly Two rules which are in order one of them is said to be in generalization of another if the first rules matches all the packets which can be also matched by the second rule but the action performed is different in both the rules. In this case if the order is reversed then the corresponding action will also be changed. The rule, which comes later in the rule list, is shadowed by the previous rule and also it has no effect on incoming packets. The super set rule is called General rule and the subset rule is called Specific rule. If such generalization relation exists between two rules then the super set rule should be placed after the subset rule in the rule list. 4.4 Redundancy anomaly Two rules are said to be redundant if both of them matches some packets and the action performed is also the same. So there is no effect on the firewall policy if one of redundant rules will be removed from the rule set. It is very necessary to search and remove the redundant rules from the rule set because they increase the search time, space required to store the rule set and thus decrease the efficiency of the firewall. The firewall administrator should detect and remove such redundant rules to increase the performance of the firewall. 4.5 Irrelevance anomaly Any rule is said to be irrelevant if for a given time interval it does not matches any of the packets either incoming or outgoing. Thus if any type of the packets do not match a rule then it is irrelevant i.e. there is no need to put that rule in the rule set. V. POLICY ANOMALY DISCOVERY In order to precisely identify policy anomalies we adopts a rule-based segmentation technique[1]. Based on this technique, a network packet space defined by a firewall policy can be divided into a set of disjoint packet space segments. Each segment associated with a unique set of firewall rules accurately indicates an overlap relation among those rules. To enable an effective anomaly resolution, complete and accurate anomaly diagnosis information should be represented in an intuitive way. So we use a grid representation of anomalies[1]. It is a matrix-based visualization of policy anomalies, in which space segments are displayed along the horizontal axis of the matrix, rules are shown along the vertical axis, and the intersection of a segment and a rule is a grid that displays a rule s subspace covered by the segment. Algorithm 1[1] given below is the segment generation for a network packet space of a set of rules R ISSN: Page 2372

3 Algorithm 1: Segment Generation for a Network Packet Space of a Set of Rule R: Partition (R) Input: A set of rules, R Output: A set of packet space segments, S. 1. for each r ϵ R do 2. sr PacketSpace(r); 3. for each s ϵ S do 4. /* sr is a subset of s */ 5. if sr Ϲ s then 6. S.Append ( s \ sr ) 7. s sr; 8. break; 9. /* sr is a superset of s */ 10. elseif sr Ͻ s then 11. sr sr \ s; 12. /* sr partially matches s */ 13. elseif sr s Ф then 14. S.Append ( s \ sr ) 15. sr sr s; 16. sr sr \ s; 17. S.Append ( sr ); 18. return S; VI ANOMALY MANAGEMENT FRAMEWORK The overall flow of our proposed anomaly management is depicted in fig 2 and 3. Fig. 2 End user aspect in proposed system Proposed system divides the task of detecting and resolving the conflict firewall policy and firewall log analysis into framework, which are enumerated as follows: 1. Rule Generation: The administrator generates a rule by giving rule name and various fields.here we calculate the threshold value. Depending upon the threshold value, the action may be allow or deny. Fig.1 Administrator aspect in proposed system 2. Conflicted Rule Updating There are various types of firewall policy anomalies. If there is any conflicted rule occurred in that means it will automatically updated. The conflicts can be resolved by conflict resolution mechanism depending upon the value occurred in the risk assessment. It is shown in fig 3. Once we identify the conflicts in a firewall policy, the task of risk assessment for conflicts is performed on firewall policy. On the basis of vulnerability assessment within the protected network, the risk (security) level is determined. When the value of risk assessment is maximum, then the imagined action should deny or block the data packets against the consideration for the security of network perimeters. In contrast when the value of risk assessment is minimum, then the imagined action be supposed to permits the data to flow through the firewall. ISSN: Page 2373

4 Fig.5 Firewall log analysis design Fig. 3 Representation of Conflicts can be Resolved Based on Risk Value 3. File Transformation : The file which should be going to transfer is chosen. Afterwards, the file is first encrypted and sends to the rule engine. During the transformation the encrypted file only selected to broadcast the data. The file should be encrypted with regard to one of the firewall policy, and then it is selected for the transferring process. 4. Rule Engine: Conflict resolution strategy obtains the most ideal solution only when all the action constraints for each conflicting segments is fulfilled by reordering the anomaly rules, shown in fig 4. In conflict resolution, Reordering of conflict occurred rules which meet the expectations of all action constraints then this sort be the best resolution. VII. Experimental Results This anomaly management framework provides a user friendly tool for purifying and protecting the firewall policy from anomalies. The administrator can use this framework for firewall policy generation and it was able to detect and resolve anomalies in rules written by expert network administrators. The end user can transfer file based on the risk value using the firewall rules.this framework can perform firewall log analysis that can be used to add more security in frequent log. We evaluate the time taken to resolve and reorder the policy conflicts and make a comparison with existing technique. Our proposed framework resolves the policy conflicts for firewall in short duration of time and proves to be useful for the deployment in firewall technology. Resolving and rule reordering time for conflict policy compared with existing and proposed approach is shown in fig 6 and 7. Fig. 6 Table Representation of time taken for Conflict segment resolution Fig. 4 Representation of Rule Reordering 5. Firewall Log Analysis: It would generate a set of primitive rules with repeated and rare outcomes. This is used to add more security in frequent log. Design of firewall log analysis is shown in fig 5. Fig 7. Network Firewall Perfomance ISSN: Page 2374

5 VIII. CONCLUSIONS Firewall security, like any other technology, requires proper management to provide the proper security service. Thus, just having a firewall on the boundary of a network may not necessarily make the network any secure. One reason of this is the complexity of managing firewall rules and the potential network vulnerability due to rule conflicts. Our proposed anomaly management framework facilitates systematic detection and resolution of firewall policy anomalies and firewall log analysis. This policy managing tool is practical and helpful for system administrators to enable an assurable network management. Our future work includes to extend our anomaly analysis approach to handle distributed firewalls. REFERENCES [1]Hongxin Hu, Gail-Joon Ahn, and Ketan Kulkarni, Detecting and resolving firewall policy anomalies, IEEE Transactions on Dependable and Secure Computing, 9(3): , [2] Rupali Chaurei, An Implementaion of Anomaly Detection Mechanism for Centralized and Distributed Firewalls, International Journal of Computer Applications, 7(4), September [3] L. Yuan, H. Chen, J. Mai, C. Chuah, Z. Su, P. Mohapatra, and C.Davis, Fireman: A Toolkit for Firewall Modeling and Analysis, Proc. IEEE Symp. Security and Privacy, p. 15, 2006 [4] E. Al-Shaer and H. Hamedl, Firewall policy advisor for anomaly detection and rule editing, In Proceedings of Data and Application Security (LNCS4127), March [5] M. Abedin, S. Nessa, L. Khan, and B. Thuraisingham, Detection and resolution of anomalies in firewall policy rule, Data and Applications Security XX, pages 15-29, ISSN: Page 2375