"For each step, administrators can choose their preferred technique for correcting a fault in [a firewall] policy. If administrators do not want to supervise the process, our greedy algorithm can automatically produce the fixed policy," stated researchers from Michigan State and North Carolina State Universities. "With each step of the greedy algorithm, we try every correction technique and choose one technique that can maximize the number of passed tests (or minimize the number of failed tests). We then repeat this step until there are no failed tests."
The researchers say their model looked to address five key firewall faults: Wrong order, missing rules, wrong decisions, wrong predicates, and wrong extra rules. After testing faulty firewall policies generated from 40 real-life firewall policies that the groups collected from universities, ISPs, and network device manufacturers, they found that "for three types of faults, wrong order, wrong decisions, and wrong extra rules, our approach can effectively correct misclassified packets. For two other types of faults, missing rules and wrong predicates, our approach does not achieve satisfactory results, deserving further study."
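As an added example (not the researchers' code), a small Python sketch of the greedy loop described above: it assumes a first-match policy with a default discard, a test suite of packets paired with the decisions the administrator intends, and only the three correction techniques the study reports as effective (reorder two rules, flip a decision, delete a rule). With a missing rule the loop stalls, which is the case the study says still deserves further work.

```python
from itertools import combinations
# Assumed representation (not the paper's): ordered (predicate, decision) rules,
# first match wins, default "discard"; predicate = {field: set of values}.

def evaluate(policy, packet):
    """Decision of the first rule whose predicate matches the packet."""
    for predicate, decision in policy:
        if all(packet[f] in vals for f, vals in predicate.items()):
            return decision
    return "discard"

def failed_tests(policy, tests):
    """Number of test packets the policy misclassifies."""
    return sum(1 for pkt, want in tests if evaluate(policy, pkt) != want)

def candidates(policy):
    """Every one-step correction via the three techniques the study found
    effective: reorder, flip a decision, delete a (wrong extra) rule."""
    for i, j in combinations(range(len(policy)), 2):
        p = list(policy); p[i], p[j] = p[j], p[i]
        yield f"swap {i},{j}", p
    for i, (pred, dec) in enumerate(policy):
        p = list(policy); p[i] = (pred, "discard" if dec == "accept" else "accept")
        yield f"flip {i}", p
    for i in range(len(policy)):
        yield f"remove {i}", policy[:i] + policy[i + 1:]

def greedy_fix(policy, tests, max_steps=20):
    """Apply the correction that minimises failed tests; repeat until none fail
    or no technique improves (where a missing rule or wrong predicate stalls)."""
    steps = []
    while failed_tests(policy, tests) and len(steps) < max_steps:
        label, best = min(candidates(policy), key=lambda c: failed_tests(c[1], tests),
                          default=("", policy))
        if failed_tests(best, tests) >= failed_tests(policy, tests):
            break
        policy, steps = best, steps + [label]
    return policy, steps

# Constructed faulty policy: blocked-host rule sits below the web rule (wrong
# order) and the admin SSH rule discards instead of accepting (wrong decision).
FAULTY = [({"dport": {80}}, "accept"),
          ({"src": {"10.0.0.5"}}, "discard"),
          ({"src": {"192.168.1.1"}, "dport": {22}}, "discard")]
# Constructed test packets paired with the decision the administrator intends.
TESTS = [({"src": "10.0.0.5", "dport": 80}, "discard"),
         ({"src": "10.0.0.9", "dport": 80}, "accept"),
         ({"src": "192.168.1.1", "dport": 22}, "accept"),
         ({"src": "10.0.0.9", "dport": 22}, "discard"),
         ({"src": "10.0.0.5", "dport": 22}, "discard")]
```

Running `greedy_fix(FAULTY, TESTS)` takes two steps, first swapping the two mis-ordered rules and then flipping the SSH rule's decision, after which every test passes.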
Researchers Fei Chen and Alex Liu of Michigan State and JeeHyun Hwang and Tao Xie of North Carolina State are expected to present their research at next week's Usenix Large Installation System Administration symposium.
"A firewall determines whether to accept or discard a packet that passes through it based on its policy. However, most real-life firewalls have been plagued with policy faults, which either allow malicious traffic or block legitimate traffic. Due to the complexity of firewall policies, manually locating the faults of a firewall policy and further correcting them are difficult. Automatically correcting the faults of a firewall policy is an important and challenging problem," the researchers stated.
The researchers said those challenges include the difficulty of determining the number of policy faults and the type of each fault in a firewall. That's because a set of misclassified packets can be caused by different types of faults and different numbers of faults. Correcting a firewall fault is also difficult: a firewall policy may consist of thousands of rules, and locating a fault among that many rules and then correcting it by checking the field of each dimension are difficult tasks. Finally, it is hard to correct a fault without introducing other faults.
"Our proposed approach cannot guarantee to correct all faults in a firewall policy because it is practically impossible unless the formal representation of the policy is available. However, in practice, most administrators do not have such formal representations of their firewall policies. To correct a faulty firewall policy without its formal representation, administrators need to examine the decisions of all packets and manually correct each of misclassified packets; doing so is practically impossible," the researchers state. "Our work serves as a good starting point towards policy-fault fixing."
Follow Michael Cooney on Twitter: nwwlayer8