DETOX: Detection of Inconsistencies in the Security Policy Implemented in a Real Firewall
Abstract
Ensuring the consistency of the rules that implement a network security policy in a firewall is a complex and demanding task. In particular, when this task is not performed properly, network vulnerabilities can arise. In this paper, we present the DETOX tool, software that detects inconsistencies among the rules that constitute a firewall. First, we validate the tool's implementation by reproducing and extending results presented in the literature. After this validation, we perform a real-life case study, analysing the firewall configuration currently in use at a university. During this investigation, the tool discovered several previously unknown inconsistencies.
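The kind of inconsistency the abstract refers to, shown with an added example that is not the DETOX tool's code and is not from the paper: under first-match semantics, a rule wholly covered by an earlier rule can never fire, so it is either shadowed (the earlier rule takes a different action) or redundant (the same action). The `Rule` model, the `covers` and `find_inconsistencies` functions and the sample rule set are assumptions of this example, not the university configuration analysed in the paper.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    action: str     # "accept" or "drop"
    proto: str      # "tcp", "udp" or "any"
    src: str        # source CIDR
    dst: str        # destination CIDR
    dport: tuple    # inclusive destination port range (low, high)


def covers(outer, inner):
    """True if every packet matched by `inner` is also matched by `outer`."""
    proto_ok = outer.proto == "any" or outer.proto == inner.proto
    src_ok = ip_network(inner.src).subnet_of(ip_network(outer.src))
    dst_ok = ip_network(inner.dst).subnet_of(ip_network(outer.dst))
    port_ok = outer.dport[0] <= inner.dport[0] and inner.dport[1] <= outer.dport[1]
    return proto_ok and src_ok and dst_ok and port_ok


def find_inconsistencies(rules):
    """Return (kind, rule, covering_rule) for every rule that can never fire.

    First-match semantics: the first earlier rule covering a later one is the
    rule that actually handles its traffic. A different action means the later
    rule is shadowed (probably a policy error); the same action means it is
    redundant (harmless, but dead configuration that hides intent).
    """
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                kind = "shadowed" if earlier.action != later.action else "redundant"
                findings.append((kind, later.name, earlier.name))
                break  # only the first covering rule matters
    return findings


# Constructed sample rule set (an assumption of this example).
SAMPLE_RULES = [
    Rule("r1", "accept", "tcp", "10.0.0.0/8",  "192.168.1.10/32", (80, 80)),
    Rule("r2", "drop",   "tcp", "10.1.0.0/16", "192.168.1.10/32", (80, 80)),   # shadowed by r1
    Rule("r3", "drop",   "any", "0.0.0.0/0",   "192.168.1.0/24",  (0, 65535)),
    Rule("r4", "accept", "udp", "10.2.0.0/16", "192.168.1.53/32", (53, 53)),   # shadowed by r3
    Rule("r5", "drop",   "tcp", "10.3.0.0/16", "192.168.1.20/32", (22, 22)),   # redundant with r3
]

if __name__ == "__main__":
    for kind, rule, by in find_inconsistencies(SAMPLE_RULES):
        print(f"{rule} is {kind} by {by}")
```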
