Researchers tout unique automated firewall fault fixer

Automated policy tool can ease admin burden of managing firewalls

Researchers will next week detail a tool they say will automate changes and significantly reduce the administrative upkeep of firewalls.

The tool applies what is known as a greedy algorithm, which addresses problems in a step-by-step manner.

"For each step, administrators can choose their preferred technique for correcting a fault in [a firewall] policy. If administrators do not want to supervise the process, our greedy algorithm can automatically produce the fixed policy," stated researchers from Michigan State and North Carolina State Universities respectively. "With each step of the greedy algorithm, we try every correction technique and choose one technique that can maximize the number of passed tests (or minimize the number of failed tests). We then repeat this step until there are no failed tests."

Research project aims to simplify large-scale network control

The researchers say their model looked to address five key firewall faults: Wrong order, missing rules, wrong decisions, wrong predicates, and wrong extra rules. After testing faulty firewall policies generated from 40 real-life firewall policies that the groups collected from universities, ISPs, and network device manufacturers, they found that "for three types of faults, wrong order, wrong decisions, and wrong extra rules, our approach can effectively correct misclassified packets. For two other types of faults, missing rules and wrong predicates, our approach does not achieve satisfactory results, deserving further study."
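To make the greedy loop quoted above concrete, and to show how the three fault types the researchers report correcting well (wrong order, wrong decisions, wrong extra rules) map onto single-step correction techniques, here is a small Python model. It is an added example written for this article, not the researchers' tool, and it makes several simplifying assumptions: a rule is a set of inclusive per-field ranges plus a decision, the policy uses first-match semantics with a default of discard, the "tests" are packets paired with the decision the administrator expects, and the only techniques tried are swapping two adjacent rules (wrong order), deleting a rule (wrong extra rule) and flipping a rule's decision (wrong decision). The faulty policy and the test packets are constructed for the example.

```python
from copy import deepcopy

ACCEPT, DISCARD = "accept", "discard"


def matches(rule, packet):
    """A rule matches when every field value lies in the rule's inclusive range."""
    return all(lo <= packet[field] <= hi for field, (lo, hi) in rule["pred"].items())


def decide(policy, packet, default=DISCARD):
    """First-match semantics: the first matching rule decides, else the default."""
    for rule in policy:
        if matches(rule, packet):
            return rule["dec"]
    return default


def failed_tests(policy, tests):
    """Return the (packet, expected) pairs the policy misclassifies."""
    return [(pkt, exp) for pkt, exp in tests if decide(policy, pkt) != exp]


def candidates(policy):
    """Yield (description, policy') for every single-step correction technique.

    Swaps address wrong order, deletions address wrong extra rules, and
    decision flips address wrong decisions. Missing rules and wrong predicates,
    which the researchers report as harder, are deliberately not attempted.
    """
    n = len(policy)
    for i in range(n - 1):                     # wrong order: swap adjacent rules
        p = deepcopy(policy)
        p[i], p[i + 1] = p[i + 1], p[i]
        yield (f"swap rules {i} and {i + 1}", p)
    for i in range(n):                         # wrong extra rule: delete a rule
        p = deepcopy(policy)
        del p[i]
        yield (f"delete rule {i}", p)
    for i in range(n):                         # wrong decision: flip accept/discard
        p = deepcopy(policy)
        p[i]["dec"] = DISCARD if p[i]["dec"] == ACCEPT else ACCEPT
        yield (f"flip decision of rule {i}", p)


def greedy_fix(policy, tests, max_steps=50):
    """Each step tries every technique and keeps the one that minimises failed
    tests; repeat until no test fails or no technique strictly improves."""
    steps = []
    current = deepcopy(policy)
    best_failed = len(failed_tests(current, tests))
    while best_failed > 0 and len(steps) < max_steps:
        choice = None
        for desc, cand in candidates(current):
            failed = len(failed_tests(cand, tests))
            if failed < best_failed:
                best_failed, choice = failed, (desc, cand)
        if choice is None:   # nothing helps: likely a missing rule or wrong predicate
            break
        steps.append(choice[0])
        current = choice[1]
    return current, steps, best_failed


# Constructed faulty policy: the two SSH rules are in the wrong order, the web
# rule carries the wrong decision, and the HTTPS rule is an extra rule.
FAULTY_POLICY = [
    {"pred": {"src": (0, 255), "dport": (22, 22)}, "dec": DISCARD},
    {"pred": {"src": (1, 10), "dport": (22, 22)}, "dec": ACCEPT},    # admin hosts
    {"pred": {"src": (0, 255), "dport": (80, 80)}, "dec": DISCARD},  # should accept
    {"pred": {"src": (0, 255), "dport": (443, 443)}, "dec": ACCEPT}, # extra rule
]

# Constructed tests: packets with the decision the administrator intends.
TESTS = [
    ({"src": 5, "dport": 22}, ACCEPT),
    ({"src": 50, "dport": 22}, DISCARD),
    ({"src": 50, "dport": 80}, ACCEPT),
    ({"src": 7, "dport": 80}, ACCEPT),
    ({"src": 50, "dport": 443}, DISCARD),
    ({"src": 5, "dport": 443}, DISCARD),
    ({"src": 50, "dport": 25}, DISCARD),
]

# A policy that can only pass its tests by adding a rule: greedy should give up.
MISSING_RULE_POLICY = [
    {"pred": {"src": (0, 255), "dport": (80, 80)}, "dec": ACCEPT},
]
MISSING_RULE_TESTS = [
    ({"src": 50, "dport": 80}, ACCEPT),
    ({"src": 50, "dport": 25}, ACCEPT),
]

if __name__ == "__main__":
    fixed, steps, remaining = greedy_fix(FAULTY_POLICY, TESTS)
    print("steps taken:", steps, "remaining failures:", remaining)
    _, steps, remaining = greedy_fix(MISSING_RULE_POLICY, MISSING_RULE_TESTS)
    print("missing-rule case:", steps, "remaining failures:", remaining)
```

Two points a practitioner should notice. The loop only accepts a technique that strictly reduces the number of failed tests, which is what prevents it from cycling (a swap followed by the same swap back) and what makes it stop, with failures still remaining, on the missing-rule policy. And the answer is only as good as the test suite: the fixed policy passes every packet in `TESTS`, but nothing here proves it matches the administrator's intent on packets no test covers, which is the point the researchers make about lacking a formal representation.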

Researchers Fei Chen and Alex Liu of Michigan State and JeeHyun Hwang and Tao Xie of North Carolina State are expected to present their research at next week's Usenix Large Installation System Administration symposium.

"A firewall determines whether to accept or discard a packet that passes through it based on its policy. However, most real-life firewalls have been plagued with policy faults, which either allow malicious traffic or block legitimate traffic. Due to the complexity of firewall policies, manually locating the faults of a firewall policy and further correcting them are difficult. Automatically correcting the faults of a firewall policy is an important and challenging problem," the researchers stated.

The researchers said those challenges include the difficulty of determining the number of policy faults and the type of each fault in a firewall. That's because a set of misclassified packets can be caused by different types of faults and by different numbers of faults. Correcting a firewall fault is also difficult: a firewall policy may consist of thousands of rules, and locating a fault among a large number of rules and then correcting it by checking the field of each dimension are difficult tasks. Finally, it is hard to correct a fault without introducing other faults.

"Our proposed approach cannot guarantee to correct all faults in a firewall policy because it is practically impossible unless the formal representation of the policy is available. However, in practice, most administrators do not have such formal representations of their firewall policies. To correct a faulty firewall policy without its formal representation, administrators need to examine the decisions of all packets and manually correct each of the misclassified packets; doing so is practically impossible," the researchers state. "Our work serves as a good starting point towards policy-fault fixing."

Follow Michael Cooney on Twitter: nwwlayer8  



Copyright © 2010 IDG Communications, Inc.
