# A HEURISTIC POLYNOMIAL ALGORITHM FOR LOCAL INCONSISTENCY DIAGNOSIS IN FIREWALL RULE SETS

### S. Pozo, R. Ceballos, R. M. Gasca

#### Abstract

Firewall ACLs can contain inconsistencies. An ACL is inconsistent when two or more of its rules match the same flow of traffic but specify different actions, so that the decision taken on that flow depends on the order in which the rules are evaluated. Inconsistent rules should be reported to the system administrator so that they can be removed. Minimal diagnosis and characterization of inconsistencies is a combinatorial problem. Although many algorithms have been proposed to solve it, all of the reviewed ones work on the full ACL without approximate heuristics; they give minimal and complete results, but this makes the problem intractable for large, real-life ACLs. In this paper we take a different approach. First, we analyze in depth the problem of inconsistency diagnosis in firewall ACLs, and propose to split the process into several parts that can be solved sequentially: inconsistency detection, identification of the inconsistent rules, and inconsistency characterization. We present polynomial heuristic algorithms for the first two parts of the problem: detection and identification (diagnosis) of inconsistent rules. The algorithms return several independent clusters of inconsistent rules that can then be characterized against a fault taxonomy. These clusters contain all inconsistent rules of the ACL (the algorithms are complete), but the algorithms do not necessarily return the minimum number of clusters. The main advantage of the proposed heuristic diagnosis process is that optimal characterization can now be applied to several smaller problems (the output of the diagnosis process) rather than to the whole ACL, which reduces the effective computational complexity at the cost of not obtaining a minimal diagnosis. Experimental results with real ACLs are given.
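To make the three notions in the abstract concrete (an inconsistency is order-dependent behaviour; detection asks whether any exists; identification groups the rules involved into independent clusters that can later be characterized separately), the following Python script is an added illustration and is not the paper's algorithm or code. It uses a naive O(n²) pairwise overlap test over a constructed toy ACL in an assumed `<proto> <src-cidr> <dst-cidr> <lo>-<hi> <action>` syntax, and a union-find pass to turn the "inconsistent with" relation into connected components; the paper's heuristics, its rule model and its fault taxonomy are not reproduced here.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import Dict, List, Optional, Set, Tuple

# Constructed example, not the algorithm from the paper: pairwise detection of
# inconsistent rule pairs in an ACL and grouping of the rules involved into
# independent clusters (O(n^2) pair checks plus near-linear union-find).


@dataclass(frozen=True)
class Rule:
    rid: int
    proto: str                 # "tcp", "udp" or "any"
    src: IPv4Network
    dst: IPv4Network
    dport: Tuple[int, int]     # inclusive destination port range
    action: str                # "allow" or "deny"


def parse_rule(rid: int, line: str) -> Rule:
    """Parse the assumed toy syntax '<proto> <src-cidr> <dst-cidr> <lo>-<hi> <action>'."""
    proto, src, dst, ports, action = line.split()
    lo, hi = (int(p) for p in ports.split("-"))
    return Rule(rid, proto, ip_network(src), ip_network(dst), (lo, hi), action)


def overlaps(a: Rule, b: Rule) -> bool:
    """True if at least one packet matches both rules (their selector boxes intersect)."""
    proto_ok = a.proto == "any" or b.proto == "any" or a.proto == b.proto
    ports_ok = a.dport[0] <= b.dport[1] and b.dport[0] <= a.dport[1]
    return proto_ok and ports_ok and a.src.overlaps(b.src) and a.dst.overlaps(b.dst)


def first_match(rules: List[Rule], proto: str, src: str, dst: str, dport: int) -> Optional[str]:
    """First-match semantics: the decision for a packet is the action of the first rule it matches."""
    for r in rules:
        if ((r.proto == "any" or r.proto == proto)
                and ip_address(src) in r.src and ip_address(dst) in r.dst
                and r.dport[0] <= dport <= r.dport[1]):
            return r.action
    return None  # no rule matched; a real firewall would apply its default policy


def inconsistent_pairs(rules: List[Rule]) -> List[Tuple[int, int]]:
    """Detection: pairs of rules that can match a common flow but disagree on the action."""
    pairs = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            if a.action != b.action and overlaps(a, b):
                pairs.append((a.rid, b.rid))
    return pairs


def inconsistency_clusters(rules: List[Rule]) -> List[List[int]]:
    """Identification: connected components of the 'inconsistent with' graph.

    Clusters are independent of each other, so characterization (shadowing,
    redundancy, correlation, ...) can later be run on each cluster on its own.
    """
    parent: Dict[int, int] = {r.rid: r.rid for r in rules}

    def find(x: int) -> int:
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    involved: Set[int] = set()
    for a, b in inconsistent_pairs(rules):
        parent[find(a)] = find(b)           # union
        involved.update((a, b))
    groups: Dict[int, List[int]] = {}
    for rid in sorted(involved):
        groups.setdefault(find(rid), []).append(rid)
    return sorted(groups.values())


# Constructed sample ACL (not from the paper); first-match order, rule ids 1..6.
ACL_TEXT = """\
tcp 10.0.0.0/8      192.168.1.10/32 80-80   allow
tcp 10.0.1.0/24     192.168.1.10/32 80-80   deny
udp 10.0.0.0/8      192.168.2.0/24  53-53   allow
any 10.0.0.0/16     192.168.2.0/24  1-1024  deny
tcp 172.16.0.0/12   192.168.3.0/24  443-443 allow
tcp 10.0.0.0/8      192.168.1.0/24  1-1024  deny
"""
ACL = [parse_rule(i + 1, ln) for i, ln in enumerate(ACL_TEXT.splitlines()) if ln.strip()]


if __name__ == "__main__":
    print("inconsistent pairs:", inconsistent_pairs(ACL))
    print("clusters:", inconsistency_clusters(ACL))
    # The same packet gets a different decision when rules 1 and 2 swap places.
    pkt = ("tcp", "10.0.1.5", "192.168.1.10", 80)
    print(first_match(ACL, *pkt), first_match([ACL[1], ACL[0]] + ACL[2:], *pkt))
```

On the sample ACL the script reports the pairs (1,2), (1,6) and (3,4) and the clusters [1, 2, 6] and [3, 4]; rules 2 and 6 both deny and are therefore not inconsistent with each other, but they land in one cluster because each conflicts with rule 1. Swapping rules 1 and 2 flips the decision for a TCP packet from 10.0.1.5 to 192.168.1.10:80 from allow to deny, which is exactly the order dependence the abstract defines as an inconsistency. Note that the pairwise check finds every inconsistent pair but says nothing about which rule in a pair is the faulty one; that is the characterization step the paper leaves for later stages.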

#### Paper Citation

#### in Harvard Style

Pozo S., Ceballos R. and Gasca R. M. (2008). **A HEURISTIC POLYNOMIAL ALGORITHM FOR LOCAL INCONSISTENCY DIAGNOSIS IN FIREWALL RULE SETS**. In *Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2008)*, ISBN 978-989-8111-59-3, pages 430-441. DOI: 10.5220/0001921504300441

#### in Bibtex Style

```bibtex
@conference{secrypt08,
  author={S. Pozo and R. Ceballos and R. M. Gasca},
  title={A HEURISTIC POLYNOMIAL ALGORITHM FOR LOCAL INCONSISTENCY DIAGNOSIS IN FIREWALL RULE SETS},
  booktitle={Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2008)},
  year={2008},
  pages={430-441},
  publisher={SciTePress},
  organization={INSTICC},
  doi={10.5220/0001921504300441},
  isbn={978-989-8111-59-3},
}
```

#### in EndNote Style

```text
TY  - CONF
JO  - Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2008)
TI  - A HEURISTIC POLYNOMIAL ALGORITHM FOR LOCAL INCONSISTENCY DIAGNOSIS IN FIREWALL RULE SETS
SN  - 978-989-8111-59-3
AU  - Pozo S.
AU  - Ceballos R.
AU  - Gasca R. M.
PY  - 2008
SP  - 430
EP  - 441
DO  - 10.5220/0001921504300441
```