Segment Generation Approach for Firewall Policy Anomaly Resolution


S. Madhavi et al, / (IJCSIT) International Journal of Computer Science and Information Technologies, Vol. 5 (1), 2014, 6-11

Segment Generation Approach for Firewall Policy Anomaly Resolution

Dr. S. Madhavi, G. Raghu
Department of CSE, PVP Siddhartha Institute of Technology, Vijayawada, Krishna Dist, Andhra Pradesh.

Abstract— Firewall policy anomalies are situations where predefined and applied policy settings fail to be imposed during packet filtering because of heavy loads experienced by the firewall. Prior approaches to handling these anomalies suffered from rule mismanagement and inaccurate results. We therefore build on an earlier anomaly management framework for firewalls based on a rule-based segmentation technique that facilitates not just accurate anomaly detection but also effective anomaly resolution. A grid-based visualization technique is introduced to represent policy anomaly diagnosis information in an intuitive and effective way. As a performance optimization parameter, we extend the anomaly management framework with access control policies (ACP). This ACP-based extension of the framework turns a security enforcement device such as a firewall into a bastion-host-like machine, leading to better management of the host, and a practical implementation validates our claim.

Keywords— Wireless Networks, Packet Classification, Denial-of-Service, Selective Blocking, Access Control Policies.

I. INTRODUCTION

Firewall Policy Management (FPM) is one of the most intensive and expensive aspects of managing almost any network infrastructure, and it requires a high level of expertise from network administrators to get the right customized configuration for each organization's unique needs. A single glitch in FPM and network applications lose communications, transactions are not saved or processed, and application consoles quickly go out of control.
A firewall holds thousands of rules; in more complex environments where security is an issue and customization is routine, firewalls may hold ten times that many. These firewall management complexities hold across all major systems regardless of vendor, such as Cisco, Juniper, CheckPoint, Fortinet, IBM/ISS Linux, or Nortel. On average it takes about three hours of testing and analysis to implement a single rule change, which signifies the magnitude of the management burden. One rule may be involved in multiple policy anomalies. In these situations, resolving an anomaly in isolation may delay the handling of other anomalies or become the cause of them. It is very difficult to deal with all these conflicting rules only by reordering them. Hence, it is necessary to detect the dependency relationships among packet space segments in order to resolve policy anomalies efficiently.

www.ijcsit.com

Each conflicting segment indicates a policy conflict as well as the set of conflicting rules involved in the conflict. Once conflicts are identified, the system administrator resolves them manually by changing the conflicting rules, which is a tedious task and even impractical because of the complicated nature of policy conflicts. An effective method to resolve a policy conflict is to determine automatically, without human involvement, which rule should take precedence when a network packet is matched by the set of rules involved in the conflict.

An automated firewall anomaly management framework [5] is based on a rule-based packet segmentation technique that facilitates effective anomaly detection and resolution. Using this technique, the network packet space defined by a firewall policy can be divided into a set of disjoint packet space segments. Each packet segment is associated with a unique set of firewall rules defined for the various protocols and accurately indicates the problematic packets (either conflicting or redundant) under those rules.
It involves a conflict resolution method with several effective resolution strategies for the various network protocols, chosen with respect to the risk assessment of the protected networks and the intention of the policy definition. In this technique an action constraint is assigned to each conflicting segment. The action constraint of a conflicting segment defines the desired action (either Allow or Deny) that the firewall policy should take when any packet within that segment arrives at the firewall. To resolve a conflict, the action constraint has to be satisfied by the action taken for each packet within the conflicting segment.

II. RELATED WORK

A firewall policy consists of a sequence of rules that define the actions performed on packets that satisfy certain conditions. The rules are specified in the form (condition, action). A condition in a rule is composed of a set of fields for identifying the matching packets. Table 1 [5] gives an example of a firewall policy, which includes firewall rules r1 to r5. Note that the symbol "*" used in firewall rules denotes a whole domain range. For instance, a single "*" appearing in the IP address field represents the IP address range from 0.0.0.0 to 255.255.255.255. For demonstration, consider the following firewall policy table.

TABLE 1. An Example Firewall Policy

Several related works have categorized different types of firewall policy anomalies [1], [2], [5]. On the basis of these classifications, the typically encountered firewall policy anomalies are:

1. Shadowing. A rule is shadowed by one or a set of preceding rules that match all the packets which also match the shadowed rule, while taking an entirely different action. In this situation, all the packets that the shadowed rule intends to deny (accept) are accepted (denied) by the preceding rules; therefore the shadowed rule will never take effect. In Table 1, rule r4 is shadowed by rule r3 because r3 allows every TCP packet coming from any port of the nodes at 10.1.1.* to port 25 of the nodes at 192.168.1.*, and rule r4 denies all these packets, which it could only do if it came before rule r3.

2. Generalization. A rule is a generalization of one or a set of previous rules if a subset of the packets matched by this rule is also matched by the preceding rule(s) but with a different action. For example, in Table 1 rule r5 is a generalization of rule r4. The two rules mean that all the packets coming from 10.1.1.* are allowed, except that the TCP packets coming from 10.1.1.* to port 25 of 192.168.1.* are denied. Generalization might not be an erroneous condition.

3. Correlation. One rule is correlated with other rules if it intersects with them but defines an entirely different action. In this situation, the packets matched by the intersection of those rules may be accepted by one rule but denied by the others. In Table 1, rule r2 is correlated with rule r5, and all UDP packets arriving from any port of the nodes at 10.1.1.* to port 53 of the nodes at 172.32.1.* match these rules in their intersection. Since rule r5 comes after rule r2, rule r2 denies every packet within the intersection of these rules.
If their positions were swapped, the same packets would be accepted.

4. Redundancy. A rule is redundant if there is another rule, the same or more general, that has the same effect. For example, in Table 1 rule r1 is redundant with respect to rule r2, since all UDP packets coming from any port of the nodes at 10.1.2.* to port 53 of the nodes at 172.32.1.* that match r1 also match r2, resulting in the same action twice.

Anomaly detection algorithms and corresponding tools were introduced previously in [1], [2] as well. However, existing conflict classification and detection approaches only treat a policy conflict as an inconsistent relation between one rule and other rules, leading to redundant, inconsistent results and high processing time, which are addressed through our approach.

Compared to the prior approaches of [1], [2], [3] and their prototypes, such as Firewall Policy Advisor [1] and FIREMAN [2], a more effective redundancy elimination mechanism is used in this framework; in the experimental results, the redundancy discovery mechanism achieved approximately 70 percent improvement over the prior approaches of [1], [2]. Also, the outcomes of the prior policy analysis tools [1], [2] are lists of possible anomalies, which give system administrators a view of the origin of policy anomalies. Using the information visualization technique of [4] and the rule-based packet segmentation technique, they developed a visualization-based firewall anomaly management environment (FAME). A simulation with real-life firewall policies highlights the efficiency of the system with respect to automated network anomaly conflict resolution.

III. PROPOSED SCHEME

Prior anomaly detection methods could not accurately point out the anomalous portions caused by a set of overlapping rules, causing redundancy and high processing times and making them inadequate for high-end dynamic network environments.
In order to identify policy anomalies precisely and enable more effective anomaly resolution, an earlier technique based on rule-based segmentation is used. It adopts a binary decision diagram (BDD)-based data structure to represent rules and perform operations such as set operations, and it transforms a list of rules into a set of disjoint network packet spaces to resolve the overlapping conflicts that arise from the similarity of the various network protocols and their payloads. The segment generation algorithm [5] for network packets, which is at the core of this framework, is specified here in the form of a conflict reordering flowchart.

Fig. 1. Strategy-based conflict resolution.
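Since the flowchart itself is not reproduced in this transcription, the following added example (not code from the paper or from FAME) implements the disjoint segment generation described above over a constructed policy consistent with the paper's description of rules r1 to r5, classifies each overlapping segment as conflicting or redundant, and detects the shadowed rule; it generalizes the per-rule descriptions in the text to a whole policy. The exact address ranges (for instance 10.1.0.0/16 for r2) and the choice of four header fields are assumptions.

```python
import ipaddress
from itertools import product
# Constructed policy consistent with the paper's description of rules r1-r5 (Table 1
# is not reproduced); fields: proto, source, destination, destination port.
POLICY = [
    ("r1", "deny",  "udp", "10.1.2.0/24", "172.32.1.0/24",  "53"),
    ("r2", "deny",  "udp", "10.1.0.0/16", "172.32.1.0/24",  "53"),
    ("r3", "allow", "tcp", "10.1.1.0/24", "192.168.1.0/24", "25"),
    ("r4", "deny",  "tcp", "10.1.1.0/24", "192.168.1.0/24", "25"),
    ("r5", "allow", "*",   "10.1.1.0/24", "*",              "*"),
]
PROTO = {"tcp": 6, "udp": 17}

def field_range(kind, value):
    """One rule field as an inclusive integer interval; '*' is the whole domain."""
    if value == "*":
        return {"proto": (0, 255), "ip": (0, 2**32 - 1), "port": (0, 65535)}[kind]
    if kind == "proto":
        return (PROTO[value], PROTO[value])
    if kind == "ip":
        net = ipaddress.ip_network(value)
        return (int(net.network_address), int(net.broadcast_address))
    return (int(value), int(value))

def rule_space(rule):
    """Packet space of a rule: one interval per field (a hyper-rectangle)."""
    _, _, proto, src, dst, dport = rule
    return (field_range("proto", proto), field_range("ip", src),
            field_range("ip", dst), field_range("port", dport))

def atoms(intervals):
    """Cut a field's domain at every rule boundary into elementary intervals."""
    points = sorted({p for lo, hi in intervals for p in (lo, hi + 1)})
    return [(a, b - 1) for a, b in zip(points, points[1:])]

def generate_segments(policy):
    """Disjoint segments keyed by the rules they match: every packet in a cell
    (product of elementary intervals) matches exactly the same rules."""
    spaces = {r[0]: rule_space(r) for r in policy}
    per_field = [atoms([s[i] for s in spaces.values()]) for i in range(4)]
    segments = {}
    for cell in product(*per_field):
        matched = frozenset(name for name, sp in spaces.items() if all(
            lo <= a and b <= hi for (a, b), (lo, hi) in zip(cell, sp)))
        if matched:  # cells matching no rule fall through to the default action
            segments.setdefault(matched, []).append(cell)
    return segments

def classify(policy, segments):
    """Label overlapping segments conflicting/redundant and name the first-match winner."""
    action = {r[0]: r[1] for r in policy}
    order = [r[0] for r in policy]
    report = {}
    for rules in segments:
        if len(rules) > 1:
            kind = "conflicting" if len({action[r] for r in rules}) > 1 else "redundant"
            winner = min(rules, key=order.index)
            report[tuple(sorted(rules))] = (kind, winner, action[winner])
    return report

def shadowed_rules(policy, segments):
    """Rules that never take effect: an earlier, opposite-action rule wins everywhere."""
    action = {r[0]: r[1] for r in policy}
    order = [r[0] for r in policy]
    return [r for r in order if any(r in s for s in segments) and all(
        action[min(s, key=order.index)] != action[r] for s in segments if r in s)]
```

On this policy the three overlapping segments come out as the paper describes them: r3/r4/r5 conflicting with r3 winning (so r4 is shadowed), r2/r5 conflicting with r2 denying, and r1/r2 redundant.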

Algorithm 1 [5] shows the pseudo-code for generating packet space segments for a set of firewall rules R. The algorithm works by adding the network packet space s derived from a rule r to a packet space set S. A pair of network packet spaces must satisfy one of the following relations: subset (line 5), superset (line 10), partial match (line 13), or disjoint (line 17). Therefore [5], one can use set operations to separate the overlapping spaces into disjoint spaces and classify whether a packet can be allowed or not. The strategy-based conflict resolution [5] adapted in FAME is represented by the event flows.

An access control policy signifies a framework that represents authorizations, actions, and their effect in a networked system. Access control systems can be changed by a policy, which has a set of objects and the corresponding substitutions. We define a finite set of objects such that each object in it has a type, and for each type t the subset of objects of that type t. If V is the set of variables that are acted upon by an action event, then a substitution σ is a function on V that respects types. The set of atomic propositions P is defined as the set of predicates instantiated with the objects, thus

P = { w(v)σ | w ∈ Pred, v ∈ V* and σ is a substitution }

The system state is an evaluation of the atomic propositions in P. A state s can be defined as a function of P influencing the outcome of events. We use s[p m] to denote the state that is like s except that it maps the event proposition p to the value m.

A variety of access control policies are implemented. The "Start" and "Stop" options start and stop the updating of packets in the table.

a. Lookup(ipAddress, hostname)
   // finds the host name of the ipAddress present in the table
   if (ipAddress is not empty)
       get the host name;            // resolves the name of the ipAddress
       retrieve it by finding the suspicious host;

b. Find Local Process(port, processid)
   // finds which process id uses which port to receive / send packets
   if (port is not empty) {
       args[] = { "netstat -aon | find \"" + port + "\"" };
       if (file does not exist)
           create a new file;
   }

c. Service Control(action, service name)
   // to view / start / stop any service
   if (opt == 1 || opt == 0)
       action = (opt == 1 ? "start" : "stop");   // 1/0 - start/stop the service
   else
       print statement;
   if (service name is not empty) {
       request to create a new file;
       if (file does not exist)
           create a new file;
   }

d. Block access(hostname, host)
   // the hosts file is the file in which the blocked host is recorded
   if (host file does not exist)
       create a new host file;
   if (hostname == null)
       return;
   temphosts = path of the temphost;
   if (temphosts exists()) {
       temphosts.delete();
       create a new temphost file;
   }
   if (file && hosts exist) {
       read the host file;
       boolean done = false;
       while (line != null) {
           if (line starts with "#" && !done) {
               done = true;
               add the hostname to hosts;
           }
           else
               write the line to the output;
       }
       enter the hostname into hosts;
   }
   else
       print there is an error;

e. Allow access(hostname, temphost, host)
   // gives access back to a website that has been blocked
   get the file of blocked hosts;
   if (file exists) {
       read the file;
       boolean done = false;
       while (line != null) {
           append this line to the web access details;
       }
   }
   if (hostname == null)
       return;
   if (host file exists) {
       boolean done = false;
       while (line != null) {
           if (line equals hostname)
               output in a new line;
           else
               write in a new line;
       }
       delete the host file;
       rename hostfile to thostfile;
       delete thostfile;
   }
   host = path of hosts;
   temphost = path of temphost;
   if (temphosts exists) {
       delete the temphost;
       append newfile to temphost;
   }
   if (file and host exist) {
       boolean done = false;
       while (line != null) {
           if (line contains only the local hostname) {
               done = true;
               output in a new line;
           }
           else
               write in the new line;
       }
       delete the host;
       rename temphost to host;
   }
   else
       print there is an error in the output;

The following are the screens for blocking a website and giving access to the blocked website.

a. Initially, we take the site "www.w3schools.com", which we will block.
b. Now we block the site by using the ACP Block Access option.
c. From the next screen, we can see that the website is blocked.
d. Now we unblock the site by using ACP Allow Access.
e. Now we can see from the following screen that the blocked website is given access.

The class diagram describes the attributes and the operations performed on those attributes. The system interacts with the login panel and consists of an anomaly detector, user details, and traffic status. In turn, these interact with alerts.
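As an added illustration of the Block access and Allow access procedures above (not the paper's code), the following keeps the hosts-file edit idempotent, leaves every other entry (including the local-hostname lines) untouched, and replaces the file atomically instead of deleting it before the rename as the pseudo-code does. Mapping a blocked name to 127.0.0.1 and tagging the entries the ACP writes with a marker comment are assumptions, not stated on the page.

```python
import os
import tempfile

# Assumptions (not stated on the page): a blocked host is pinned to 127.0.0.1,
# and every line the ACP writes carries a marker so Allow access removes only
# entries the ACP itself created, never an administrator's own hosts entries.
SINK_ADDRESS = "127.0.0.1"
MARKER = "# acp-blocked"

def is_acp_entry(line, hostname):
    """True for a hosts line of the form '<addr> <hostname> # acp-blocked'."""
    fields = line.split()
    return line.rstrip().endswith(MARKER) and len(fields) >= 2 and fields[1] == hostname

def block_host(hosts_text, hostname):
    """Return the hosts-file text with hostname blocked; a second call is a no-op."""
    lines = hosts_text.splitlines()
    if any(is_acp_entry(line, hostname) for line in lines):
        return hosts_text
    lines.append(f"{SINK_ADDRESS} {hostname} {MARKER}")
    return "\n".join(lines) + "\n"

def allow_host(hosts_text, hostname):
    """Return the hosts-file text with the ACP block for hostname removed."""
    kept = [line for line in hosts_text.splitlines() if not is_acp_entry(line, hostname)]
    return "\n".join(kept) + "\n"

def update_hosts_file(path, transform, hostname):
    """Apply block_host or allow_host to the file at path.  The new content goes
    to a temp file in the same directory and is swapped in with os.replace, so a
    crash part-way never leaves the hosts file missing or half-written."""
    with open(path, encoding="utf-8") as f:
        new_text = transform(f.read(), hostname)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write(new_text)
    os.replace(tmp, path)  # atomic on POSIX and on Windows NTFS
    return new_text
```

Calling update_hosts_file with a path to a copy of the hosts file, block_host and the site name from the screens above reproduces the Block access step; the same call with allow_host reproduces Allow access.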

Fig. 2. Class diagram.

The sequence diagram is used to show the interactions between objects in sequential order. The sequence of actions performed is identification, implementation and classification, and it also includes the visualization tool.

Fig. 3. Sequence diagram.

The activity diagram represents the business process and is also a graphical representation of the executed set of system activities.

Fig. 4. Activity diagram.

IV. PERFORMANCE

Firewall policy rules provide network traffic access control because they define which packets are permitted and which are denied. A firewall access policy (FPA) consists of a set of rules. Each packet is analyzed and its elements are compared against the elements in the rules of the policy in sequential order. The first rule that matches determines the action initiated for the packet, and any processing specified in that rule's configured options is applied. The conflict resolution method, which understands the several risk assessment strategies deployed in protected networks and the intention of the policy definitions, is at the core of our framework. Besides monitoring and resolving anomalies, with this optimization parameter the system administrators can control services and user operations and manage processes. The visual statistics of the operations are represented here.

Fig. 5. FAME Network Statistics.

These results signify the packet denial capability of the FAME framework, which effectively identifies and almost immediately blocks redundant and incoherent protocol-packet pairs, thus justifying the 70% duplicate elimination claim. Furthermore, the implementation of user access control policies on a network host, specified earlier under firewall rule priority (point 5), transforms a normal host into a bastion-host-like environment

which can be used in high-end systems like servers. This transformation yields benefits like batch user manipulation, custom remote host blocking of outbound traffic, etc. The grid-based visual representation further aids network administrators by providing information in an intuitive way, enabling efficient automated firewall policy anomaly management.

As a performance optimization, we integrate the access control policies (ACP) into the existing firewall. By observing the following screens we can see the difference between the existing system and the enhancement to it. From the following screen, we can see that the ACP are integrated on the left side of the screen. By comparing these two outputs, our enhancement gives the administrator better control over the user actions and also controls the service operations.

V. CONCLUSION

In this paper, an automated firewall policy anomaly management environment (FAME) framework is used that can perform systematic detection and resolution of the firewall policy anomalies that arise during high network traffic scenarios. FAME's rule-based segmentation mechanism and visual grid-based representation technique achieve the goal of effective and efficient anomaly analysis, and the results validate our claim. We implemented user access control policies on a network host, which transforms a normal host into a bastion-host-like environment that can be used in high-end systems such as servers. The FAME results suggest that it is a practical and helpful system for system administrators to ensure a secured network environment. Although it can also be integrated into intrusion detection systems, centralized rule management schemes [6] can be regarded as future research with the potential to aid high-end systems like servers.

REFERENCES

[1] E. Al-Shaer and H. Hamed, "Discovery of Policy Anomalies in Distributed Firewalls," Proc. IEEE INFOCOM '04, vol. 4, pp. 2605-2616, 2004.
[2] L. Yuan, H. Chen, J. Mai, C. Chuah, Z. Su, P. Mohapatra, and C. Davis, "Fireman: A Toolkit for Firewall Modeling and Analysis," Proc. IEEE Symp. Security and Privacy, p. 15, 2006.
[3] E. Lupu and M. Sloman, "Conflicts in Policy-Based Distributed Systems Management," IEEE Trans. Software Eng., vol. 25, no. 6, pp. 852-869, Nov./Dec. 1999.
[4] I. Herman, G. Melançon, and M. Marshall, "Graph Visualization and Navigation in Information Visualization: A Survey," IEEE Trans. Visualization and Computer Graphics, vol. 6, no. 1, pp. 24-43, Jan.-Mar. 2000.
[5] Hongxin Hu, Gail-Joon Ahn, and Ketan Kulkarni, "Detecting and Resolving Firewall Policy Anomalies," IEEE Transactions on Dependable and Secure Computing, vol. 9, no. 3, May/June.
