Efficiency Of Rule Reordering Algorithm Computer Science Essay


02 Nov 2017


Abstract – With global Internet connectivity, network security has gained significant attention in industrial communities. Firewalls are the front-line defense of secure networks against malicious attacks and unauthorized traffic, filtering out unwanted network traffic coming from or going to the secured network. A firewall policy dictates how the firewall should handle network traffic for specific IP addresses, protocols and applications. Although deploying firewall technology is an important step toward securing our networks, managing firewall policies is a challenging task due to the complexity and interdependency of policy rules. The effectiveness of firewall security depends on efficient management of firewall policies. System administrators are often faced with the more challenging problem of resolving anomalies, in particular policy conflicts, because of the complex nature of policy anomalies. To address this issue, we present a novel firewall anomaly management framework based on a rule reordering algorithm. Our proposed algorithm not only detects anomalies accurately, but also resolves policy conflicts more effectively. The new framework will enhance firewall security significantly and accomplish effective policy conflict resolution as compared with the existing universal steganalytic algorithms.

Keywords – firewall policy, rule reordering, policy conflicts, anomaly management.

INTRODUCTION

Network security is essential to the development of the Internet and has attracted much attention in research and industrial communities. With the increase of network attack threats, firewalls are considered effective network barriers and have become important elements not only in enterprise networks but also in small and home networks. A firewall is a program or a hardware device that protects a network or a computer system by filtering out unwanted network traffic. The filtering decision is based on a set of ordered filtering rules written according to predefined security policy requirements.

Firewalls can be deployed to secure one network from another. However, firewalls can be significantly ineffective in protecting networks if policies are not managed correctly and efficiently. It is crucial to have policy management techniques and tools that users can use to examine, refine and verify the correctness of written firewall filtering rules in order to increase the effectiveness of firewall security.

The amount of data that can be processed and analyzed has never been greater, and continues to grow rapidly. As the number of filtering rules grows and the policy becomes much more complex, firewall policy visualization is an indispensable aid to policy management. Firewall policy visualization helps users understand their policies easily and grasp complicated rule patterns and behaviors efficiently. The complexity of managing a firewall rule policy might limit the effectiveness of firewall security.

When the filtering rules are defined, serious attention has to be given to rule relations and interactions in order to determine the proper rule ordering and guarantee a correct security policy. As the number of filtering rules increases, the difficulty of writing a new rule or modifying an existing one also increases. In this case it is very likely to introduce conflicting rules, such as rules having the same filtering part but different actions, one general rule shadowing another specific related rule, or correlated rules whose relative ordering determines different actions for the same packets. In addition, a typical large-scale enterprise network might involve hundreds of rules that might be written by different administrators at various times. This significantly increases the potential for anomalies (conflicts) in the firewall rules and makes the network more vulnerable.

Therefore, the effectiveness of firewall security depends on providing policy management techniques that enable network administrators to analyze, purify and verify the correctness of written legacy firewall rules. In this paper, we define a framework for firewall policy management that provides a practical method to identify which rules are involved in a conflict situation and also provides a policy conflict resolution technique. The proposed model is simple and visually comprehensible. We use this model to develop anomaly discovery and resolution based on a rule reordering algorithm that reports any anomaly that exists among the filtering rules.

The rest of the paper is structured as follows. In section 2 we review the related work in the existing literature on the issues of managing firewall policies in a network. Section 3 describes our proposed framework for policy conflict resolution by exploiting a rule reordering algorithm. The implementation and experimental results of our proposed work are presented in section 4. Finally, section 5 sums up the proposed work with conclusions and future perspectives.

RELATED REVIEW

This section gives basic definitions and describes the expressiveness of the underlying anomalies in firewall policies in the context of works related to firewall policy management.

Firewalls are a fact of life for companies that are connected to the Internet. However, firewalls are not simple appliances that can be activated "out of the box". Once a company acquires a firewall to protect its intranet, a security/systems administrator has to configure and manage the firewall to realize an appropriate security policy for the particular needs of the company. To address the lack of firewall security management tools, the authors of [14] presented Firmato, a firewall management toolkit, with the following distinguishing properties and components: (1) an entity-relationship model containing, in a unified form, global knowledge of the security policy and of the network topology; (2) a model definition language, used as an interface to define an instance of the entity-relationship model; (3) a model compiler, translating the global knowledge of the model into firewall-specific configuration files; and (4) a graphical firewall rule illustrator. This toolkit attains significant improvement toward streamlining the process of configuring and managing firewalls, especially in complex, multi-firewall installations. Similarly, the authors of [8] and [1] developed firewall analysis tools (Fang and Lumeta) to perform customized queries on a set of filtering rules and extract the related rules in the policy. These two firewall analysis tools also support configuring and managing firewalls in very complex environments, as does [14].

A typical large-scale enterprise network might involve hundreds of rules that might be written by different administrators at various times. This significantly increases the potential for anomalies in the firewall policy, jeopardizing the security of the protected network [7]. Managing rule relations is necessary for analyzing the firewall policy and designing management techniques such as anomaly discovery and policy editing. Research in policy conflict analysis has been actively growing for many years. However, most of the work in this area addresses general management policies rather than firewall-specific policies. For example, the authors of [9] classify possible policy conflicts in role-based management frameworks, and develop techniques to discover them.

Firewalls are essential for organizations that are connected to the Internet. However, it is not enough to simply have a firewall; it must also be configured properly. Firewall configurations are often written in a low-level language which is very hard to understand. For instance, the order of the rules is often very important. Thus, it is often quite difficult to find out which connections and services are actually allowed by the configuration.

The scholars in [11] presented an expert system that helps administrators analyze firewall rules. The tool is designed to be interactive: the administrator can ask questions about the network traffic permitted, and the tool answers, for instance, by listing which ports are allowed on a given host. No network traffic is generated; the analysis is based solely on the configuration files and topology information given by the user. The rules can use the following fields from the IP protocol header: next-level protocol (e.g., TCP or UDP), source and destination IP addresses, type of service, and precedence. This expert system presents an elegant framework for adding new rules and making complex queries. In addition to performing relatively simple operations on the rule list, it aims, for instance, at finding rules which are never matched. Another technique, proposed in [3], presented an algorithm for the automatic discovery of firewall policy anomalies. This technique has two goals. The first is the automatic discovery of firewall policy anomalies, to reveal rule conflicts and potential problems in legacy firewalls. The second is to achieve anomaly-free policy editing for rule insertion, removal and modification. This is implemented in a user-friendly tool called "Firewall Policy Advisor". The Firewall Policy Advisor significantly simplifies the management of any generic firewall policy written as filtering rules, while minimizing network vulnerability due to firewall rule misconfiguration.

A firewall policy consists of a sequence of rules that define the actions performed on packets that satisfy certain conditions. The rules are specified in the form <condition, action>. A condition in a rule is composed of a set of fields that identify a certain type of packet matched by this rule. Several related works have categorized different types of firewall policy anomalies [12] [4]. The typical firewall anomalies are shadowing, generalization, correlation and redundancy. A rule is shadowed by one or a set of preceding rules that match all the packets which also match the shadowed rule, while performing a different action. In this case, all the packets that one rule intends to deny can be accepted by a previous rule. Thus, the shadowed rule never takes effect. A rule is a generalization of one or a set of previous rules if a subset of the packets matched by this rule is also matched by the preceding rule, but with a different action. A rule is correlated with other rules if it intersects with them but defines a different action. In this case, the packets matched by the intersection of those rules may be permitted by one rule but denied by the others. A rule is redundant if there is another identical or more general rule available that has the same effect.

On the other hand, a few related works [10] [2] present a resolution for the correlation conflict problem only. In [10] a geometric model is used to represent 2-tuple filtering rules. Because these models were designed particularly to optimize packet classification in high-speed networks, they are too complex to use for firewall policy rule analysis such as anomaly detection, translation and editing. Both [10] and [2] provide algorithms for detecting and resolving conflicts among general packet filters. However, they only detect the correlation anomaly, because it causes ambiguity in packet classifiers.

An alternative approach proposed in [15] uses a Relational Algebra (RA) technique and the Raining 2DBox Model for finding anomalies within the rule set. It can find all the hidden anomalies when considering more than two rules together. Anomalies are represented in a two-dimensional box that contains relations mapped from rules in the order given in the rule set. A rectangle is used to represent the relation of a rule and its specified action within each box. If no action is specified in the rectangle, it can be any action (accept or deny). This model simulates packets that fall from the top to the bottom like rain. For example, when part of a relation in the box is not wet, that part is shadowed; the shadowed rules are then discovered and removed to reduce the size of the rule set.

To solve conflicts such as shadowing of rules and redundancy, the scholars in [5] presented a new algorithm, called the range algorithm, intended to find the best case for solving conflict and shadowing problems. It also produces a resulting rule set that is free of inconsistency and identifies the rules that cause inconsistency. The advantages of this approach are the following. First of all, the transformation process verifies that the resulting rules are completely independent of each other. Otherwise, each redundant or shadowed rule is considered useless during the process and is removed from the configuration. On the other hand, the discovery process provides evidence of the error to the administration console. This way, the security officer can check whether the security policy is consistent, in order to verify the correctness of the process. More traditional anomaly detection approaches have been proposed in [6] [13], but they only prove inconsistency and are limited to detecting pairwise redundancy.

PROPOSED METHODOLOGY

In this section we propose a novel anomaly management framework for firewalls based on Dynamic Rule Reordering algorithm. Furthermore, this section also describes the role and importance of resolving the anomalies in firewall policies. The overall flow of our proposed anomaly management is depicted in fig 1.

3.1 FIREWALL POLICY ANOMALY DISCOVERY

The ordering of filtering rules in a firewall policy is crucial in determining the security policy. If filtering rules are completely disjoint, the ordering of the rules is insignificant. However, it is very common to have filtering rules that are inter-related. In this case, if the relative rule ordering is not carefully assigned, some rules may always be screened by other rules, producing an incorrect security policy. Moreover, when a security policy contains a large number of filtering rules, the possibility of writing conflicting or redundant rules is relatively high.

A firewall policy anomaly is defined as the existence of two or more different filtering rules that match the same packet. A firewall policy consists of a sequence of rules that define the actions performed on packets that satisfy certain conditions. The rules are specified in the form of <condition, action>. A condition in a rule is composed of a set of fields to identify a certain type of packets matched by this rule. We define a number of possible firewall policy anomalies as enumerated below. These include errors for definite conflicts that cause some rules to be always suppressed by other rules, or warnings for potential conflicts that may be implied in related rules.

Shadowing anomaly: Consider two rules Rx and Ry. A rule is shadowed when a previous rule matches all the packets that match this rule, such that the shadowed rule will never be activated. Rule Ry is shadowed by rule Rx if Ry follows Rx in the order, Ry is a subset match of Rx, and the actions of Rx and Ry are different. Shadowing is a critical error in the policy, as the shadowed rule never takes effect. This might cause permitted traffic to be blocked and vice versa. It is important to discover shadowed rules and alert the administrator, who might correct this error by reordering or removing the shadowed rule.

Correlation anomaly: Two rules are correlated if the first rule in order matches some packets that match the second rule and the second rule matches some packets that match the first rule. Rule Rx and rule Ry have a correlation anomaly if Rx and Ry are correlated, and the actions of Rx and Ry are different. Therefore, in order to resolve this conflict, we point out the correlation between the rules and prompt the user to choose the proper order that complies with the security policy requirements.

Generalization anomaly: A rule is a generalization of another rule if this general rule can match all the packets that match a specific rule that precedes it. Rule Ry is a generalization of rule Rx if Ry follows Rx in the order, and Ry is a superset match of Rx, and the actions of Ry and Rx are different. Generalization is considered only an anomaly warning because the specific rule makes an exception of the general rule, and thus it is important to highlight its action to the administrator for confirmation.

Redundancy anomaly: A redundant rule performs the same action on the same packets as another rule such that if the redundant rule is removed, the security policy will not be affected. Rule Ry is redundant to rule Rx if Rx precedes Ry in the order, and Ry is a subset or exact match of Rx, and the actions of Rx and Ry are similar. If Rx precedes Ry in the order, and Rx is a subset match of Ry, and the actions of Rx and Ry are similar, then Rule Rx is redundant to rule Ry provided that Rx is not involved in any generalization or correlation anomalies with other rules preceding Ry. Redundancy is considered an error. A redundant rule may not contribute in making the filtering decision, however, it adds to the size of the filtering rule table, and might increase the search time and space requirements. It is important to discover redundant rules so that the administrator may modify its filtering action or remove it altogether.
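The four pairwise anomaly definitions above, as an added Python example that is not the paper's code: each rule field is an inclusive range, relation() classifies how the later rule's packets relate to the earlier rule's, classify() applies the definitions, and find_anomalies() implements the redundancy proviso literally over all rules preceding Ry. The policy R1..R6 is constructed for illustration.

```python
from collections import namedtuple
from ipaddress import ip_network

# Constructed example, not code from the paper: every rule field is an
# inclusive (lo, hi) integer range, so "any" is the full range of that field.
ANY_ADDR, TCP = (0, 2**32 - 1), (6, 6)
Rule = namedtuple("Rule", "name proto src dst dport action")  # action: accept/deny

def net(cidr):
    """CIDR block -> inclusive integer address range."""
    n = ip_network(cidr)
    return (int(n.network_address), int(n.broadcast_address))

def relation(rx, ry):
    """How Ry's packets relate to Rx's: disjoint, exact, subset, superset, correlated."""
    pairs = list(zip(rx[1:5], ry[1:5]))  # (proto, src, dst, dport) of each rule
    if any(a[1] < b[0] or b[1] < a[0] for a, b in pairs):
        return "disjoint"
    ry_in_rx = all(a[0] <= b[0] and b[1] <= a[1] for a, b in pairs)
    rx_in_ry = all(b[0] <= a[0] and a[1] <= b[1] for a, b in pairs)
    if ry_in_rx and rx_in_ry:
        return "exact"
    if ry_in_rx:
        return "subset"      # Ry matches a subset of Rx's packets
    if rx_in_ry:
        return "superset"    # Ry matches a superset of Rx's packets
    return "correlated"

def classify(rx, ry):
    """Pairwise anomaly for Rx preceding Ry in the policy order, or None."""
    rel, same = relation(rx, ry), rx.action == ry.action
    if rel == "disjoint":
        return None
    if rel in ("subset", "exact"):
        return "redundancy" if same else "shadowing"
    if rel == "superset":
        return "redundancy" if same else "generalization"
    return None if same else "correlation"

def find_anomalies(policy):
    """(earlier rule, later rule, anomaly) for every anomalous pair in order."""
    found = []
    for i, rx in enumerate(policy):
        for j in range(i + 1, len(policy)):
            ry = policy[j]
            kind = classify(rx, ry)
            if kind == "redundancy" and relation(rx, ry) == "superset":
                # Rx precedes the more general Ry: Rx is removable only if it
                # has no generalization/correlation anomaly with any other rule
                # preceding Ry (the proviso in the redundancy definition).
                if any(classify(*((rz, rx) if k < i else (rx, rz)))
                       in ("generalization", "correlation")
                       for k, rz in enumerate(policy[:j]) if k != i):
                    continue
            if kind:
                found.append((rx.name, ry.name, kind))
    return found

# Constructed policy: R1 is a specific exception to R2, R3 overlaps R2 with the
# opposite action, R4 repeats R2's match with the opposite action, R6 repeats R5.
POLICY = [
    Rule("R1", TCP, net("140.192.37.20/32"), ANY_ADDR, (80, 80), "deny"),
    Rule("R2", TCP, net("140.192.37.0/24"), ANY_ADDR, (80, 80), "accept"),
    Rule("R3", TCP, ANY_ADDR, net("161.120.33.40/32"), (80, 80), "deny"),
    Rule("R4", TCP, net("140.192.37.0/24"), ANY_ADDR, (80, 80), "deny"),
    Rule("R5", TCP, net("10.0.0.0/24"), ANY_ADDR, (22, 22), "accept"),
    Rule("R6", TCP, net("10.0.0.5/32"), ANY_ADDR, (22, 22), "accept"),
]
```

Note that R1 is not reported as redundant to R4 even though R4 is a more general rule with the same action, because R1 is already in a generalization anomaly with R2, which precedes R4.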

3.2 POLICY ANOMALIES RESOLVING AND RULE REORDERING

To resolve all the aforementioned conflicts in a firewall, we propose a novel anomaly management framework composed of two core functions: anomaly detection and anomaly resolution. For conflict detection and resolution, conflicting segments are identified first. Each conflicting segment is associated with a policy conflict and a set of conflicting rules. The correlation relationships among conflicting segments are also identified, and conflict correlation groups (CG) are derived. Policy conflicts belonging to different conflict correlation groups can be resolved separately. In this way, the correlation process reduces the search space for resolving conflicts.

Fig 1: Proposed Anomaly Management framework

In our proposed conflict resolution mechanism, an action constraint is assigned to each conflicting segment. An action constraint for a conflicting segment defines the desired action (Allow or Deny) that the firewall policy should take when any packet within the conflicting segment arrives at the firewall. Once conflicts in a firewall policy are discovered and conflict correlation groups are identified, a risk assessment for the conflicts is performed. Risk (security) levels are determined based on the vulnerability assessment of the protected network. If the risk level is very high, the expected action should deny packets, to protect the network perimeter. On the contrary, if the risk level is quite low, the expected action should allow packets to pass through the firewall so that the availability and usage of network services are not affected.

The ideal solution for conflict resolution is that all action constraints for conflicting segments can be satisfied by reordering the conflicting rules. In other words, if we can find an order of the conflicting rules that satisfies all action constraints, that order is the optimal solution for the conflict resolution.

To discover a near-optimal conflict resolution for policy conflicts we utilize a rule reordering algorithm, which is a combination of a permutation algorithm, a greedy algorithm and our proposed Dynamic Rule Reordering.

3.3 MEASURING THE EFFECTIVENESS OF OUR PROPOSED RULE REORDERING

A naive way to find an optimal solution is to exhaustively search all permutations of the correlated conflicting rules. We then compute a resolving score for each permutation by counting how many action constraints it satisfies, and select the permutation with the maximum resolving score as the best solution for the conflict resolution. However, a key limitation of the permutation algorithm is its computational complexity, which is O(n!). Even though the search space can be significantly reduced by applying our correlation scheme, the number of correlated conflicting rules may still be large, making the permutation algorithm inapplicable.

A greedy algorithm makes the locally optimal choice at each stage. For all conflicting rules in a correlation group, the greedy conflict resolution algorithm first calculates a resolving score for each conflicting rule individually. Then, the rule with the greatest resolving score is selected to resolve the conflicts. A position range with the best conflict resolution is identified for the selected rule, and moving the selected rule to the new position achieves a locally optimal conflict resolution. In the greedy algorithm, a critical step is calculating the resolving score for each conflicting rule within a conflict correlation group.

To address the issues mentioned above in the greedy and permutation algorithms, we propose a novel rule reordering algorithm, named Dynamic Rule Reordering, that effectively reorders the conflicting rules for optimal conflict resolution. Our proposed algorithm makes the locally optimal choice at each stage with the hope of finding the global optimum.
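The resolving score and the two baseline search strategies of this section (exhaustive permutation and greedy), as an added Python example that is not the paper's code. Segments s1..s4, their action constraints and each rule's segment coverage are constructed; the greedy step is our own simplification (rank rules by the constraints their own action would satisfy, then insert each at the position that maximises the overall score).

```python
from itertools import permutations

# Constructed example, not the paper's code. A conflicting segment is a set of
# packets matched by several rules; its action constraint is the action the
# policy should take for packets in that segment. Each rule lists the segments
# it matches. Constraints and coverage below are made up for illustration.
CONSTRAINTS = {"s1": "allow", "s2": "deny", "s3": "allow", "s4": "allow"}
RULES = [  # (name, action, segments matched), in the policy's current order
    ("A", "deny", {"s1", "s2"}),
    ("B", "allow", {"s2", "s3"}),
    ("C", "deny", {"s3", "s4"}),
    ("D", "allow", {"s1", "s4"}),
]

def effective_actions(order):
    """First-match semantics: a segment takes the action of the first rule
    in `order` that matches it."""
    taken = {}
    for _name, action, segs in order:
        for s in segs:
            taken.setdefault(s, action)
    return taken

def resolving_score(order, constraints=CONSTRAINTS):
    """Number of action constraints satisfied by this rule order."""
    taken = effective_actions(order)
    return sum(1 for s, want in constraints.items() if taken.get(s) == want)

def permutation_resolve(rules, constraints=CONSTRAINTS):
    """Exhaustive search over all n! orders: guaranteed optimum, O(n!) time."""
    best = max(permutations(rules), key=lambda o: resolving_score(o, constraints))
    return [r[0] for r in best], resolving_score(best, constraints)

def greedy_resolve(rules, constraints=CONSTRAINTS):
    """Greedy: rank rules by their individual score (constraints their own
    action would satisfy), then insert each at the position that maximises
    the overall score so far. A simplification of the paper's greedy step."""
    def own_score(rule):
        return sum(1 for s in rule[2] if constraints.get(s) == rule[1])
    ranked = sorted(rules, key=own_score, reverse=True)  # stable: ties keep order
    order = []
    for rule in ranked:
        candidates = [order[:i] + [rule] + order[i:] for i in range(len(order) + 1)]
        order = max(candidates, key=lambda o: resolving_score(o, constraints))
    return [r[0] for r in order], resolving_score(order, constraints)
```

On this input the current order A, B, C, D satisfies only two of the four constraints, while both searches find the single order D, A, B, C that satisfies all of them; in general the greedy result can fall short of the permutation optimum.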

IV. EXPERIMENTAL RESULTS AND DISCUSSIONS

This section demonstrates how our proposed anomaly management framework works in terms of anomaly detection and resolution. For evaluation, we perform experiments with a firewall policy. First, we generate the firewall policy.

Fig 2: Generated firewall policy

Then we identify the conflicting policies among the available policies, as shown in fig 2.

Notice that different anomalies exist in the firewall policy, including shadowing of rules, generalization, correlated rules and redundant rules. The ratio of conflicting rules in the firewall policy, broken down by anomaly type, is illustrated in fig 3.

Fig 3: Conflict ratio in firewall policy

Then we evaluate the conflict resolution time of our proposed approach, which is reflected by the number of resolved conflicts (i.e., satisfied action constraints). We compare the results of applying our proposed approach with the results of applying the existing mechanism for conflict resolution. The resolution time for the conflicting policy under the existing and proposed approaches is shown in fig 4.

Fig 4: Resolution time for conflict policy compared with existing vs proposed

When conflicts in a policy are resolved, the risk value of the resolved policy should be reduced and the availability of the protected network should be improved compared with the situation prior to conflict resolution. From fig 4 it is seen that the conflict resolution time taken by the existing approach is much higher than that of our proposed framework. Our proposed approach achieves significant efficiency in resolving policy conflicts.

Fig 5: Rule reordering

In order to resolve conflicts effectively and efficiently, our conflict resolution mechanism adopts a combination algorithm incorporating features from the permutation and greedy algorithms and Dynamic Rule Reordering. When the number of conflicting rules is small, the permutation or greedy algorithm is used to resolve the conflicts. Otherwise, our proposed Dynamic Rule Reordering algorithm is applied.

CONCLUSION

A framework for the semantic detection and resolution of firewall anomalies is proposed in this paper. To detect anomalies proficiently we introduced the dynamic rule reordering segmentation mechanism. The experimental results show that the proposed techniques detect anomalies more quickly than the existing technique. They also show that different types of anomalies exist in the firewall policy. This work concentrates fully on the risk value to determine the anomaly in the firewall. In future, we will extend our work with a usability study to determine the anomaly.
