Policy Anomaly Detection for Distributed IPv6 Firewalls

Claas Lorenz, Bettina Schnor

2015

Abstract

In the design of a security architecture, firewalls play a central role in securing computer networks. With the migration from IPv4 to IPv6, capable firewalls and network infrastructures have to be set up. The semantic differences between IPv4 and IPv6 make misconfigurations possible that may cause lower performance or even security problems. For example, a cycle in a firewall configuration allows an attacker to craft network packets that may result in a Denial of Service. This paper investigates model checking techniques for automated policy anomaly detection. It shows that, with a few adaptations, existing approaches can be extended to support the IPv6 protocol with its specifics such as the tremendously larger address space and extension headers. The performance is evaluated empirically by measurements with our prototype implementation ad6.
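To make the two anomaly classes named in the abstract concrete, the following is an added illustration, not code from the paper or from the ad6 prototype: a toy checker over a constructed ip6tables-style ruleset. Rule semantics are reduced to IPv6 prefixes, protocol and a destination port range (extension headers are deliberately not modelled), shadowing and redundancy follow the usual definition of a later rule being fully covered by an earlier one in the same chain, and a cycle is a loop in the graph of jumps between user-defined chains. The rule set, chain names and anomaly labels are all assumptions made for this example.

```python
"""Toy IPv6 firewall policy anomaly checker (added example, not the ad6 tool)."""
from dataclasses import dataclass
import ipaddress

TERMINAL_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN"}


@dataclass(frozen=True)
class Rule:
    chain: str      # chain the rule lives in
    src: str        # IPv6 source prefix, e.g. "2001:db8::/32"
    dst: str        # IPv6 destination prefix
    proto: str      # "tcp", "udp", "icmpv6" or "any"
    dport: tuple    # (lo, hi) destination port range, (0, 65535) for any
    target: str     # terminal target or name of a user-defined chain


def _net(prefix: str) -> ipaddress.IPv6Network:
    return ipaddress.IPv6Network(prefix, strict=False)


def covers(a: Rule, b: Rule) -> bool:
    """True if every packet matched by b is also matched by a."""
    return (_net(b.src).subnet_of(_net(a.src))
            and _net(b.dst).subnet_of(_net(a.dst))
            and (a.proto == "any" or a.proto == b.proto)
            and a.dport[0] <= b.dport[0] and b.dport[1] <= a.dport[1])


def find_shadowing(rules):
    """Return (kind, i, j): rule j is fully covered by the earlier rule i in
    the same chain. Same target -> 'redundant', different target -> 'shadowed'."""
    anomalies = []
    for j, rj in enumerate(rules):
        for i in range(j):
            ri = rules[i]
            if ri.chain == rj.chain and covers(ri, rj):
                kind = "redundant" if ri.target == rj.target else "shadowed"
                anomalies.append((kind, i, j))
                break  # first covering rule is enough to report j
    return anomalies


def find_chain_cycles(rules):
    """Depth-first search over the chain-jump graph; returns each cycle as a
    list of chain names starting and ending at the same chain."""
    graph = {}
    for r in rules:
        graph.setdefault(r.chain, set())
        if r.target not in TERMINAL_TARGETS:
            graph[r.chain].add(r.target)
            graph.setdefault(r.target, set())
    cycles, colour = [], {}

    def dfs(node, path):
        colour[node] = "grey"          # on the current DFS path
        path.append(node)
        for nxt in sorted(graph[node]):
            if colour.get(nxt) == "grey":
                cycles.append(path[path.index(nxt):] + [nxt])
            elif nxt not in colour:
                dfs(nxt, path)
        path.pop()
        colour[node] = "black"         # fully explored

    for chain in sorted(graph):
        if chain not in colour:
            dfs(chain, [])
    return cycles


# Constructed sample policy (assumption for this example, not a real deployment).
SAMPLE_RULES = [
    Rule("INPUT", "::/0", "2001:db8:1::/48", "tcp", (22, 22), "mgmt"),
    Rule("INPUT", "2001:db8::/32", "::/0", "tcp", (80, 80), "ACCEPT"),
    Rule("INPUT", "2001:db8:aaaa::/48", "::/0", "tcp", (80, 80), "DROP"),  # shadowed by rule 1
    Rule("INPUT", "fe80::/10", "::/0", "icmpv6", (0, 65535), "ACCEPT"),
    Rule("INPUT", "fe80::/10", "::/0", "icmpv6", (0, 65535), "ACCEPT"),    # redundant with rule 3
    Rule("mgmt", "2001:db8:1:1::/64", "::/0", "tcp", (22, 22), "audit"),
    Rule("audit", "::/0", "::/0", "any", (0, 65535), "mgmt"),              # mgmt -> audit -> mgmt
]

if __name__ == "__main__":
    for kind, i, j in find_shadowing(SAMPLE_RULES):
        print(f"{kind}: rule {j} is covered by rule {i}")
    for cycle in find_chain_cycles(SAMPLE_RULES):
        print("cycle:", " -> ".join(cycle))
```

The shadowed DROP rule is the security-relevant case: traffic from 2001:db8:aaaa::/48 that the operator believes is blocked is accepted by the broader /32 rule above it. Redundant rules only cost performance. Note that the example treats ::/0 as the wildcard, so the covering test is pure prefix containment; a realistic IPv6 model additionally has to handle extension-header chains and, in a distributed setting, the order in which several firewalls see the same packet, which is where the cycle anomaly becomes dangerous.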

Paper Citation


in Harvard Style

Lorenz C. and Schnor B. (2015). Policy Anomaly Detection for Distributed IPv6 Firewalls. In Proceedings of the 12th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2015) ISBN 978-989-758-117-5, pages 210-219. DOI: 10.5220/0005517402100219


in Bibtex Style

@conference{secrypt15,
author={Claas Lorenz and Bettina Schnor},
title={Policy Anomaly Detection for Distributed IPv6 Firewalls},
booktitle={Proceedings of the 12th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2015)},
year={2015},
pages={210-219},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0005517402100219},
isbn={978-989-758-117-5},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 12th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2015)
TI - Policy Anomaly Detection for Distributed IPv6 Firewalls
SN - 978-989-758-117-5
AU - Lorenz C.
AU - Schnor B.
PY - 2015
SP - 210
EP - 219
DO - 10.5220/0005517402100219