Firewall Query Engine and Firewall Comparison Engine

Mohamed Gouda, Alex X. Liu
Computer Science Department, The University of Texas at Austin



Problem

The interplay of firewall rules in large enterprises is extremely complex:
• Rules for an enterprise can number in the thousands.
• Rules are written by different people at different times for different reasons.
• An enterprise may have hundreds of interconnected firewalls.

As a result of this complexity:
• Unearthing security holes and troubleshooting errors can be difficult or impossible.
• Changes in one rule can cause cascade failures and severely impact the network.
• Large enterprises have extensive, time-consuming procedures required to implement any changes in rule sets.


Solution 1: Firewall Query Engine

• Answers queries regarding firewall behavior
• Simulates how a rule set will operate
• Allows rapid and accurate troubleshooting
• Queries can be auto-generated using vulnerability databases

Diagram: Firewall Query Engine. Inputs: vulnerability database, firewall rule set, business requirements. Outputs: all malicious traffic passed, all legitimate traffic blocked.


Solution 2: Firewall Comparison Engine

• Input into the engine is two different rule sets:
  • Rule set before changes
  • Rule set after the changes
• Output is a delta file that shows the different results (i.e., the impacts and risks of the changes)
• Speeds up the process of change management and version control
• Avoids the unintended impacts and risks of changes

Diagram: Firewall Comparison Engine. Inputs: rule set before changes, rule set after changes. Output: complete list of impacts/risks.


Technology overview

Patent applications have been filed on engines.

Algorithms are mathematically proven to provide complete and accurate results.

Both engines will be implemented with a software tool that is compatible with data structures used in the major firewalls (Cisco, Checkpoint, Juniper).


Benefits

Improves and verifies security and effectiveness of enterprise firewalls

Able to efficiently troubleshoot problems

Able to streamline approval and increase certainty when implementing changes in firewall rules


Features

• Accurate simulation of the operation of a rule set
• Accurate comparison of different rule sets
• These engines can be used to solve many other firewall management problems:
  • Troubleshooting over hundreds of interconnected firewalls: "Which part of the network can be attacked by Slammer worms?" "Who blocked communication between server A and B?"
  • Continuous monitoring of firewalls
  • Security risk assessment: "How secure is my network?"


Performance of Firewall Query Engine


Performance of Firewall Comparison Engine


Technology differentiation

• The engines are the first in the literature
• Applies formal methods to known network security problems


Availability

Prototype software has been developed and tested on over 3,000 rules (in simulation).

Commercial implementation will require user interface and data integration with existing firewall products.


Solution 3: Firewall Generation Engine

Firewall Generation Engine
• Automatically generates rules that are error-free and compact
• Uses a decision tree data structure for inputs
• User input only requires answering yes/no questions
• Vastly simplifies updating the rule set


Solution 4: Firewall Cleaning Engine

Firewall Cleaning Engine
• Eliminates redundant rules
• Can improve network latency

Diagram: Firewall Cleaning Engine. Input: rule set. Output: equivalent rule set with no redundant rules.
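As an added illustration of Solutions 1, 2 and 4 (example code written for this page, not the authors' patented engines, which use their own provably complete algorithms): a toy first-match firewall over a tiny constructed packet space, where querying, comparing and cleaning are each done by exhaustive simulation of every packet. The hosts, ports and rule set are made up; real rule sets need a symbolic representation rather than enumeration.

```python
"""Added example, not the authors' engines: a toy first-match firewall checked by exhaustive
simulation over a small packet space, giving a query engine, a comparison engine and a cleaner."""
from itertools import product

# Packet = (src, dst, proto, dport); toy space of 4 hosts, protocols 0=tcp/1=udp, ports 0..7.
SPACE = list(product(range(4), range(4), range(2), range(8)))

def matches(rule, pkt):
    """Rule fields: None = wildcard, int = exact value, (lo, hi) = inclusive range; last item is the action."""
    for field, val in zip(rule[:-1], pkt):
        if field is None:
            continue
        lo, hi = field if isinstance(field, tuple) else (field, field)
        if not lo <= val <= hi:
            return False
    return True

def decide(rules, pkt, default="deny"):
    """First-match semantics with an implicit default deny, as in ordered ACLs."""
    return next((r[-1] for r in rules if matches(r, pkt)), default)

def query(rules, predicate, action):
    """Query engine: every packet satisfying the predicate that the rule set gives `action`."""
    return [p for p in SPACE if predicate(p) and decide(rules, p) == action]

def compare(old, new):
    """Comparison engine: the delta, i.e. each packet whose decision changed, with both decisions."""
    return [(p, decide(old, p), decide(new, p)) for p in SPACE if decide(old, p) != decide(new, p)]

def clean(rules):
    """Cleaning engine: drop each rule whose removal changes no decision (it is redundant)."""
    kept = list(rules)
    i = 0
    while i < len(kept):
        trial = kept[:i] + kept[i + 1:]
        if all(decide(trial, p) == decide(rules, p) for p in SPACE):
            kept = trial  # equivalent rule set without rule i
        else:
            i += 1
    return kept

# Constructed rule set (src, dst, proto, dport, action); host 2 is a server, host 0 an admin box.
OLD = [
    (None, 2, 1, 7, "deny"),          # block udp/7 to the server from everyone
    (0, None, None, None, "accept"),  # the admin box may send anything
    (None, 2, 0, 7, "accept"),        # anyone may reach tcp/7 on the server
    (1, 2, 0, 7, "accept"),           # redundant: already covered by the rule above
]
NEW = OLD[1:]  # proposed change: the udp/7 block is dropped
```

`query(NEW, lambda p: p[2] == 1 and p[3] == 7, "accept")` answers "who can reach udp/7 after the change", `compare(OLD, NEW)` shows that dropping the deny opens exactly one flow (the admin box to the server) because the default deny still covers the rest, and `clean(OLD)` removes the fourth rule.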


Case study

To validate the effectiveness of our design methods:
• Took a real-life firewall (of 87 rules) and redesigned it using the structured firewall design method
• Compared the two firewalls, and found 84 discrepancies
• Discussed these discrepancies with the firewall administrator
• He confirmed: in 82 discrepancies, his decisions were wrong.


Case study (continued)

Out of the 82 discrepancies in his version:
• 72 were caused by incorrect ordering of rules.
• 10 were caused by missing rules.

The two discrepancies where our decisions were wrong were caused by a wrong assumption about the requirements.