230 research outputs found
Misconfiguration in Firewalls and Network Access Controls: Literature Review
Firewalls and network access controls play important roles in security control and protection. Those firewalls may create an incorrect sense or state of protection if they are improperly configured. One of the major configuration problems in firewalls is related to misconfiguration in the access control roles added to the firewall that will control network traffic. In this paper, we evaluated recent research trends and open challenges related to firewalls and access controls in general and misconfiguration problems in particular. With the recent advances in next-generation (NG) firewalls, firewall roles can be auto-generated based on networks and threats. Nonetheless, and due to the large number of roles in any medium to large networks, roles’ misconfiguration may occur for several reasons and will impact the performance of the firewall and overall network and protection efficiency
Handling Stateful Firewall Anomalies
Part 4: Access ControlInternational audienceA security policy consists of a set of rules designed to protect an information system. To ensure this protection, the rules must be deployed on security components in a consistent and non-redundant manner. Unfortunately, an empirical approach is often adopted by network administrators, to the detriment of theoretical validation. While the literature on the analysis of configurations of first generation (stateless) firewalls is now rich, this is not the case for second and third generation firewalls, also known as stateful firewalls. In this paper, we address this limitation, and provide solutions to analyze and handle stateful firewall anomalies and misconfiguration
Directed Security Policies: A Stateful Network Implementation
Large systems are commonly internetworked. A security policy describes the
communication relationship between the networked entities. The security policy
defines rules, for example that A can connect to B, which results in a directed
graph. However, this policy is often implemented in the network, for example by
firewalls, such that A can establish a connection to B and all packets
belonging to established connections are allowed. This stateful implementation
is usually required for the network's functionality, but it introduces the
backflow from B to A, which might contradict the security policy. We derive
compliance criteria for a policy and its stateful implementation. In
particular, we provide a criterion to verify the lack of side effects in linear
time. Algorithms to automatically construct a stateful implementation of
security policy rules are presented, which narrows the gap between
formalization and real-world implementation. The solution scales to large
networks, which is confirmed by a large real-world case study. Its correctness
is guaranteed by the Isabelle/HOL theorem prover.Comment: In Proceedings ESSS 2014, arXiv:1405.055
Modelling and Analysis of Network Security Policies
Nowadays, computers and network communications have a pervasive presence in all our daily activities. Their correct configuration in terms of security is becoming more and more complex due to the growing number and variety of services present in a network.
Generally, the security configuration of a computer network is dictated by specifying the policies of the security controls (e.g. firewall, VPN gateway)
in the network. This implies that the specification of the network security policies is a crucial step to avoid errors in network configuration (e.g., blocking
legitimate traffic, permitting unwanted traffic or sending insecure data).
In the literature, an anomaly is an incorrect policy specification that an administrator may introduce in the network. In this thesis, we indicate as policy anomaly any conflict (e.g. two triggered policy rules enforcing contradictory actions), error (e.g. a policy cannot be enforced because it requires a cryptographic algorithm not supported by the security controls) or sub-optimization (e.g. redundant policies) that may arise in the policy specification phase.
Security administrators, thus, have to face the hard job of correctly specifying the policies, which requires a high level of competence. Several studies have
confirmed, in fact, that many security breaches and breakdowns are attributable to administrators’ responsibilities.
Several approaches have been proposed to analyze the presence of anomalies among policy rules, in order to enforce a correct security configuration. However, we have identified two limitations of such approaches. On one hand, current literature identifies only the anomalies among policies of a single security technology (i.e., IPsec, TLS), while a network is generally configured with many technologies. On the other hand, existing approaches work on a single policy type, also named domain (i.e., filtering, communication protection). Unfortunately, the complexity of real systems is not self-contained and each
network security control may affect the behavior of other controls in the same network.
The objective of this PhD work was to investigate novel approaches for modelling security policies and their anomalies, and formal techniques of anomaly analysis. We present in this dissertation our contributions to the current policy analysis state of the art and the achieved results.
A first contribution was the definition of a new class of policy anomalies, i.e. the inter-technology anomalies, which arises in a set of policies of multiple
security technologies. We provided also a formal model able to detect these new types of anomalies. One of the results achieved by applying the inter-technology analysis to the communication protection policies was to categorize twelve new types of anomalies. The second result of this activity was derived from an empirical assessment that proved the practical significance of detecting such new anomalies.
The second contribution of this thesis was the definition of a newly-defined type of policy analysis, named inter-domain analysis, which identifies any
anomaly that may arise among different policy domains. We improved the state of the art by proposing a possible model to detect the inter-domain
anomalies, which is a generalization of the aforementioned inter-technology model. In particular, we defined the Unified Model for Policy Analysis (UMPA)
to perform the inter-domain analysis by extending the analysis model applied for a single policy domain to comprehensive analysis of anomalies among many
policy domains. The result of this last part of our dissertation was to improve the effectiveness of the analysis process. Thanks to the inter-domain analysis,
indeed, administrators can detect in a simple and customizable way a greater set of anomalies than the sets they could detect by running individually any
other model
A model for the analysis of security policies in service function chains
Two emerging architectural paradigms, i.e., Software Defined Networking (SDN)
and Network Function Virtualization (NFV), enable the deployment and management
of Service Function Chains (SFCs). A SFC is an ordered sequence of abstract
Service Functions (SFs), e.g., firewalls, VPN-gateways,traffic monitors, that
packets have to traverse in the route from source to destination. While this
appealing solution offers significant advantages in terms of flexibility, it
also introduces new challenges such as the correct configuration and ordering
of SFs in the chain to satisfy overall security requirements. This paper
presents a formal model conceived to enable the verification of correct policy
enforcements in SFCs. Software tools based on the model can then be designed to
cope with unwanted network behaviors (e.g., security flaws) deriving from
incorrect interactions of SFs in the same SFC
Misconfiguration Analysis of Network Access Control Policies
Network access control (NAC) systems have a very important role in network security. However,
NAC policy configuration is an extremely complicated and error-prone task due to the semantic
complexity of NAC policies and the large number of rules that could exist. This significantly
increases the possibility of policy misconfigurations and network vulnerabilities. NAC policy
misconfigurations jeopardize network security and can result in a severe consequence such as
reachability and denial of service problems. In this thesis, we choose to study and analyze the NAC
policy configuration of two significant network security devices, namely, firewall and IDS/IPS.
In the first part of the thesis, a visualization technique is proposed to visualize firewall rules and
policies to efficiently enhance the understanding and inspection of firewall configuration. This is
implemented in a tool called PolicyVis. Our tool helps the user to answer general questions such as
‘‘Does this policy satisfy my connection/security requirements’’. If not, the user can detect all
misconfigurations in the firewall policy.
In the second part of the thesis, we study various policy misconfigurations of Snort, a very popular
IDS/IPS. We focus on the misconfigurations of the flowbits option which is one of the most important
features to offers a stateful signature-based NIDS. We particularly concentrate on a class of flowbits
misconfiguration that makes Snort susceptible to false negatives. We propose a method to detect the
flowbits misconfiguration, suggest practical solutions with controllable false positives to fix the
misconfiguration and formally prove that the solutions are complete and sound
Consistent SDNs through Network State Fuzzing
The conventional wisdom is that a software-defined network (SDN) operates under the premise that the logically centralized control plane has an accurate representation of the actual data plane state. Nevertheless, bugs, misconfigurations, faults or attacks can introduce inconsistencies that undermine correct operation. Previous work in this area, however, lacks a holistic methodology to tackle this problem and thus, addresses only certain parts of the problem. Yet, the consistency of the overall system is only as good as its least consistent part. Motivated by an analogy of network consistency checking with program testing, we propose to add active probe-based network state fuzzing to our consistency check repertoire. Hereby, our system, PAZZ, combines production traffic with active probes to continuously test if the actual forwarding path and decision elements (on the data plane) correspond to the expected ones (on the control plane). Our insight is that active traffic covers the inconsistency cases beyond the ones identified by passive traffic. PAZZ prototype was built and evaluated on topologies of varying scale and complexity. Our results show that PAZZ requires minimal network resources to detect persistent data plane faults through fuzzing and localize them quickly
A stateful mechanism for the tree-rule firewall
© 2014 IEEE. In this paper, we propose a novel connection tracking mechanism for Tree-rule firewall which essentially organizes firewall rules in a designated Tree structure. A new firewall model based on the proposed connection tracking mechanism is then developed and extended from the basic model of Net filter's Conn Track module, which has been used by many early generation commercial and open source firewalls including IPTABLES, the most popular firewall. To reduce the consumption of memory space and processing time, our proposed model uses one node per connection instead of using two nodes as appeared in Net filter model. This can reduce memory space and processing time. In addition, we introduce an extended hash table with more hashing bits in our firewall model in order to accommodate more concurrent connections. Moreover, our model also applies sophisticated techniques (such as using static information nodes, and avoiding timer objects and memory management tasks) to improve its processing speed. Finally, we implement this model on Linux Cent OS 6.3 and evaluate its speed. The experimental results show that our model performs more efficiently in comparison with the Net filter/IPTABLES
- …