Diverse Firewall Design

Firewalls are the mainstay of enterprise security and the most widely adopted technology for protecting private networks. An error in a firewall policy either creates security holes that will allow malicious traffic to sneak into a private network or blocks legitimate traffic and disrupts normal business processes, which in turn could lead to irreparable, if not tragic, consequences. It has been observed that most firewall policies on the Internet are poorly designed and have many errors. Therefore, how to design firewall policies correctly is an important issue. In this paper, we propose the method of diverse firewall design, which consists of three phases: a design phase, a comparison phase, and a resolution phase. In the design phase, the same requirement specification of a firewall policy is given to multiple teams who proceed independently to design different versions of the firewall policy. In the comparison phase, the resulting multiple versions are compared with each other to detect all functional discrepancies between them. In the resolution phase, all discrepancies are resolved and a firewall that is agreed upon by all teams is generated.     

防火墙在传输网络中的吞吐量与管理问题及解决方案

讨论防火墙在大型传输网络(Transit Network )应用中的管理和吞吐量问题：一是手工方式配置分布在各个接入点的多个防火墙,无法适应开放的、动态的网络环境;二是大量的过滤规则导致防火墙吞吐量下降.针对大量防火墙的管理问题,该文提出了一种访问控制政策的自动分配与动态配置模型,将全局过滤规则自动地分发到相应的防火墙;同时利用入侵监测系统和搜索引擎的结果,自动定位防火墙、动态配置过滤规则,实时地过滤不良站点,终止攻击行为.针对单个防火墙的吞吐量问题,提出了一种基于散列表的规则匹配算法,该算法可以将时间复杂度从O(N)降低到O(1),从而大大提高防火墙的吞吐量.     

Optimization of parallel firewalls filtering rules

As filtering policies are getting larger and more complex, packet filtering at firewalls needs to keep low delays. New firewall architectures are needed to enforce security and meet the increasing demand for high-speed networks. Two main architectures exist for parallelization, data-parallel and function-parallel firewalls. In the first, packets are distributed across a set of identical firewalls that implement the entire policy. In the second, each firewall implements a subset of the policy with a fewer number of rules, but the packets have to be duplicated and processed by all the firewalls. This paper proposes a new architecture function-parallel with pre-processing that combines the advantages of both architectures. The proposed architecture has the advantage of not duplicating the data, so that the processing time can be significantly reduced. Moreover, our architecture enables stateful inspection of packets, which is necessary to prevent multiple types of attacks. The performances of this architecture have been proven to be scalable for large security policies.

     

面向大规模网络的基于政策的访问控制框架

研究防火墙(或过滤路由器)应用于传输网络中的管理问题与吞吐量问题.一方面,手工配置分布在各个接入点的大量防火墙,无法满足开放的、动态的网络环境的安全管理需求;另一方面,大量过滤规则的顺序查找导致了防火墙吞吐量下降.针对一个典型的传输网络和它的安全政策需求,提出了一种基于政策的访问控制框架(PACF),该框架基于3个层次的访问控制政策的抽象:组织访问控制政策(OACP)、全局访问控制政策(GACP)和本地访问控制政策(LACP).根据OACP,GACP从入侵监测系统和搜索引擎产生,作为LACP自动地、动态地分配到各防火墙中,由防火墙实施LACP.描述了GACP的分配算法和LACP的实施算法,提出了一种基于散列表的过滤规则查找算法.PACF能够大量减轻管理员的安全管理工作,在描述的安全政策需求下,基于散列表的规则查找算法能够将传统顺序查找算法的时间复杂度从O(N)降低到O(1),从而提高了防火墙的吞吐量.     

Practical firewall policy inspection using anomaly detection and its visualization

Due to the increasing cyber threats, firewall has become the one of the core elements in network security. The effectiveness of firewall security is dependent on providing policy management techniques. For this reason, it is highly required to have an automatic tool that is real applicable to running firewalls and it should help administrators use in easy. This paper represents a first step toward a practically applicable tool called Firewall Policy Checker for firewall policy inspection based on four anomaly types. It also focuses on detecting dangerous services such as telnet, ftp and so on which many administrators set as time goes and detecting illegal servers. In addition, this tool supports a large number of rules with the high speed using efficient N-ary tree module. The experimental results using real organizations’ rules are introduced. Finally, this paper illustrates an easy 3D visualization even for non experts.     

防火墙的动态访问控制机制

防火墙的静态过滤规则对安全的管理是基于IP地址而非基于用户,这在实际应用中是很不方便的。针对这种情况,文章提出了一个防火墙的动态访问控制机制,它可以在验证用户身份的基础上,实施基于用户的灵活的动态安全策略。该机制利用HTTP重定向技术实现透明的WEB认证,采用事件驱动方式、BitMap和Hash表算法等保证系统具有良好的性能。目前该机制的原型已经在Linux下实现,并应用在防火墙上,实践表明该机制具有安全策略灵活且可管理,使用简单,大用户量下扩展性好等优点。     

A novel three-tiered visualization approach for firewall rule validation

Firewall is one of the most critical elements of the current Internet, which can protect the entire network against attacks and threats. While configuring the firewalls, rule configuration has to conform to, or say be consistent with, the demands of the network security policies such that the network security would not be flawed. For the security consistency, firewall rule editing, ordering, and distribution must be done very carefully on each of the cooperative firewalls, especially in a large-scale and multifirewall-equipped network. Nevertheless, a network operator is prone to incorrectly configure the firewalls because there are typically thousands or hundreds of filtering/admission rules (i.e., rules in the Access Control List file, or ACL for short), which could be set up in a firewall; not mentioning these rules among firewalls affect mutually and can make the matter worse. Under this situation, the network operator would hardly know his/her misconfiguration until the network functions beyond the expectation. For this reason, our work is to build a visualized validation system for facilitating the check of security consistency between the rule configuration of firewalls and the demands of network security policies. To do so, the developed validation system utilizes a three-tiered visualization hierarchy along with different compound viewpoints to provide users with a complete picture of firewalls and relationships among them for error debugging and anomaly removal. In addition, in this paper, we also enumerate the source of security inconsistency while setting ACLs and make use of it as a basis of the design of our visualization model. Currently, part of the firewall configuration of our campus network has been used as our system's input to demonstrate our system's implementation.     

A quantitative study of firewall configuration errors

The protection that firewalls provide is only as good as the policy they are configured to implement. Analysis of real configuration data show that corporate firewalls are often enforcing rule sets that violate well established security guidelines. Firewalls are the cornerstone of corporate intranet security. Once a company acquires a firewall, a systems administrator must configure and manage it according to a security policy that meets the company's needs. Configuration is a crucial task, probably the most important factor in the security a firewall provides.     

Formal firewall conformance testing: an application of test and proof techniques

Firewalls are an important means to secure critical ICT infrastructures. As configurable off‐the‐shelf products, the effectiveness of a firewall crucially depends on both the correctness of the implementation itself as well as the correct configuration. While testing the implementation can be done once by the manufacturer, the configuration needs to be tested for each application individually. This is particularly challenging as the configuration, implementing a firewall policy, is inherently complex, hard to understand, administrated by different stakeholders and thus difficult to validate. This paper presents a formal model of both stateless and stateful firewalls (packet filters), including NAT , to which a specification‐based conformance test case generation approach is applied. Furthermore, a verified optimisation technique for this approach is presented: starting from a formal model for stateless firewalls, a collection of semantics‐preserving policy transformation rules and an algorithm that optimizes the specification with respect of the number of test cases required for path coverage of the model are derived. We extend an existing approach that integrates verification and testing, that is, tests and proofs to support conformance testing of network policies. The presented approach is supported by a test framework that allows to test actual firewalls using the test cases generated on the basis of the formal model. Finally, a report on several larger case studies is presented. Copyright © 2014 John Wiley & Sons, Ltd.     

Detection of firewall configuration errors with updatable tree

The fundamental goals of security policy are to allow uninterrupted access to the network resources for authenticated users and to deny access to unauthenticated users. For this purpose, firewalls are frequently deployed in every size network. However, bad configurations may cause serious security breaches and network vulnerabilities. In particular, conflicted filtering rules lead to block legitimate traffic and to accept unwanted packets. This fact troubles administrators who have to insert and delete filtering rules in a huge configuration file. We propose in this paper a quick method for managing a firewall configuration file. We represent the set of filtering rules by a firewall anomaly tree (FAT). Then, an administrator can update the FAT by inserting and deleting some filtering rules. The FAT modification automatically reveals emerged anomalies and helps the administrator to find the adequate position for a new added filtering rule. All the algorithms presented in the paper have been implemented, and computer experiments show the usefulness of updating the FAT data structure in order to quickly detect anomalies when dealing with a huge firewall configuration file.     

New enhancements to the SOCKS communication network security protocol: Schemes and performance evaluation

In this paper we propose two new enhancements to the SOCKS protocol in the areas of IP multicasting and UDP tunneling. Most network firewalls deployed at the entrance to a private network block multicast traffic. This is because of potential security threats inherent with IP multicast. Multicasting is the backbone of many Internet technologies like voice and video conferencing, real time gaming, multimedia streaming, and online stock quotes, among others. There is a need to be able to safely and securely allow multicast streams to enter into and leave a protected enterprise network. Securing multicast streams is challenging. It poses many architectural issues. The SOCKS protocol is typically implemented in a network firewall as an application-layer gateway. Our first enhancement in the area of IP multicast to the SOCKS protocol is to enable the application of security and access control policies and safely allow multicast traffic to enter into the boundaries of a protected enterprise network. The second enhancement we propose is to allow the establishment of a tunnel between two protected networks that have SOCKS based firewalls to transport UDP datagrams.     

Automated policy generation for testing access control software

Access control systems (ACS) are a critical component of modern information technology systems and require rigorous testing. If the ACS has defects, then the deployment is not secure and is a threat to system security. Firewalls are an important example of an ACS, and formally verifying firewall systems has recently attracted attention. We present an automated software-testing tool, PG, for the production of firewall policies for use in firewall policy enforcement testing. PG utilizes a number of heuristic techniques to improve space coverage over traditional systems based on randomly generated firewall policies. An empirical study is presented demonstrating that PG generates firewall policies with superior coverage compared to traditional policy-generation techniques. The extension of PG beyond firewall systems to other ACS situations is outlined.     

一种分布式防火墙规则冲突的检测算法

为解决分布式防火墙中因规则冲突而导致策略异常问题,提出了一种基于XML的DFW策略异常的发现算法;该算法在分布式防火墙系统中,对于处在不同防火墙策略中的每条规则,设计一棵单根结点的树来表示分布式防火墙策略,即策略树(Policy Tree),然后通过集合全部的策略树,完成防火墙之间策略异常的发现过程;通过对算法的模拟运行,发现该算法在速度性能和可伸缩性方面较其他算法有很大的改进。     

Application of evolutionary algorithm in performance optimization of embedded network firewall

With the development of the network, the problem of network security is becoming increasingly serious. The importance of a firewall as the "first portal" to network security is obvious. In order to cope with a complex network environment, the firewall must formulate a large number of targeted rules to help it implement network security policies. Based on the characteristics of the cloud environment, this paper makes in-depth research on network security protection technology, and studies the network firewall system. The system implements unified configuration of firewall policy rules on the cloud management end and delivers them to the physical server where the virtual machine is located. Aiming at the characteristics of virtual machines sharing network resources through kernel bridges, a network threat model for virtual machines in a cloud environment is proposed. Through analysis of network security threats, a packet filtering firewall scheme based on kernel bridges is determined. Various conflict relationships between rules are defined, and a conflict detection algorithm is designed. Based on this, a rule order adjustment algorithm that does not destroy the original semantics of the rule table is proposed. Starting from the matching probability of the rules, simple rules are separated from the default rules according to the firewall logs, the relationships between these rules and the original rules are analyzed, and the rules are merged into new rules to evaluate the impact of these rules on the performance of the firewall. New rules are added to the firewall rule base to achieve linear firewall optimization. It can be seen from the experimental results that the optimization strategy proposed in this paper can effectively reduce the average number of matching rules and improve the performance of the firewall.     

Improving cloud network security using the Tree-Rule firewall

This study proposes a new model of firewall called the ‘Tree-Rule Firewall’, which offers various benefits and is applicable for large networks such as ‘cloud’ networks. The recently available firewalls (i.e., Listed-Rule firewalls) have their limitations in performing the tasks and are inapplicable for working on some networks with huge firewall rule sizes. The Listed-Rule firewall is mathematically tested in this paper to prove that the firewall potentially causes conflict rules and redundant rules and hence leads to problematic network security systems and slow functional speed. To overcome these problems, we show the design and development of Tree-Rule firewall that does not create conflict rules and redundant rules. In a Tree-Rule firewall, the rule positioning is based on a tree structure instead of traditional rule listing. To manage firewall rules, we implement a Tree-Rule firewall on the Linux platform and test it on a regular network and under a cloud environment respectively to show its performance. It is demonstrated that the Tree-Rule firewall offers better network security and functional speed than the Listed-Rule firewall. Compared to the Listed-Rule firewall, rules of the Tree-Rule firewall are easier to be created, especially on a large network such as a cloud network.     

基于区块链的域间路由策略符合性验证方法

域间路由系统自治域(ASes)间具有不同的商业关系和路由策略.违反自治域间出站策略协定的路由传播可能引发路由泄露,进而导致网络中断、流量窃听、链路过载等严重后果.路由策略符合性验证对于保证域间路由系统安全性和稳定性至关重要.但自治域对本地路由策略自主配置与隐私保护的双重需求增加了验证路由策略符合性的难度,使其一直是域间路由安全领域尚未妥善解决的难点问题.提出一种基于区块链的域间路由策略符合性验证方法.该方法以区块链和密码学技术作为信任背书,使自治域能够以安全和隐私的方式发布、交互、验证和执行路由策略期望,通过生成对应路由更新的路由证明,保证路由传播过程的真实性,从而以多方协同的方式完成路由策略符合性验证.通过实现原型系统并基于真实路由数据开展实验与分析,结果表明该方法可以在不泄露自治域商业关系和本地路由策略的前提下针对路由传播出站策略符合性进行可追溯的验证,以合理的开销有效抑制策略违规路由传播,在局部部署情况下也具有显著的策略违规路由抑制能力.     

On the use of open-source firewalls in ICS/SCADA systems

ABSTRACT

Firewalls are one of the most widely used security devices to protect a communications network. They help secure it by blocking unwanted traffic from entering or leaving the protected network. Several commercial vendors have extended their firewall capabilities to support SCADA protocols or designed SCADA-specific firewalls. Although open-source firewalls are used successfully in IT networks, their use in SCADA networks has not been properly investigated. In this research we investigate the major open-source firewalls for their use in SCADA networks and identify Linux iptables’ potential as an effective SCADA firewall. Iptables is a powerful open-source firewall solution available as part of most Linux distributions in use today. In general, use of iptables as a network-level firewall for SCADA systems has been limited to basic port and host filtering, without further inspection of control messages. We propose and demonstrate a novel methodology to use iptables as an effective firewall for SCADA systems. This is achieved by utilizing advanced iptables features that allow for dynamic inspection of packet data. It is noteworthy to mention that the proposed solution does not require any modification to the netfilter/iptables framework, making it possible to turn a Linux system into an effective SCADA firewall. The approach has been tested by defining filtering rules for the Modbus TCP protocol and validating its ability to defend against various attacks on the protocol.     

一种防火墙规则冲突检测算法

在入侵检测系统和状态检测防火墙等应用中,规则冲突检测及冲突解析算法是影响安全性及服务质量的关键。首先对防火墙过滤规则之间的关系进行了建模和分类。然后在过滤规则关系分类的基础上提出了一种冲突检测算法。该算法能够自动检测、发现规则冲突和潜在的问题,并且能够对防火墙过滤规则进行无冲突的插入、删除和修改。实现该算法的工具软件能够显著简化防火墙策略的管理和消除防火墙的规则冲突。