Design of Tool to Detect Anomalies in Firewall Rules

The role of a firewall is to accept or discard packets by examining them against a sequence of rules. Often these rules conflict with one another and create anomalies, so managing firewall rules is a complex task. The effectiveness of any firewall depends on the quality of its policy configuration and rule set. This paper describes an algorithm, implemented in a tool, that automatically identifies anomalies in a rule set and places each new rule in its appropriate position. The presented approach helps to improve the efficiency of the firewall and to maintain the correct order of the firewall rule set so that anomalies are avoided.


Introduction
A firewall is the security guard that lies between a system and the internet. It is the most essential tool when a user is connected to a network and communicating with other remote devices or network devices. In order to implement the security policy of the network, the firewall checks every incoming or outgoing packet and decides whether to accept or discard it, based on the set of rules defined by the network administrator. The security of the system depends highly on these rules, because if they are not configured appropriately, undesired traffic may enter or desired traffic may be blocked. Each rule in a firewall is of the form [3]:
<predicate> → <decision>
The <predicate> of a rule is a Boolean expression over some packet fields together with the physical network interface on which the packet arrives. The <decision> of a rule is either to accept or to discard the packet. If rules are defined manually, the probability of anomalies in the rule set is higher. Managing a firewall policy is a challenging task and often leads to conflicting policy rules, because the defined rules are complex and interdependent, and this complexity of managing firewall policy limits the effectiveness of the security provided by firewalls [2]. The situation becomes worse as the number of filtering rules increases. As the number of rules grows, as is usual in a large-scale enterprise network, the difficulty of writing new rules and of modifying existing ones also increases. A newly added rule may shadow an existing rule, that is, it may hide the effect of that rule, thus creating anomalies in the rule set that significantly affect the security of the network.
The rest of the paper is structured as follows. The next section discusses the representation of firewall rules and the types of anomalies in a rule set. The main emphasis of section 3 is on the design and implementation details of the algorithm for anomaly discovery. Section 4 supports the discussion with experimental results demonstrating the effectiveness of the algorithm, and finally section 5 concludes the paper with future enhancements.

Firewall Rule Representation
The syntax of a firewall rule can be represented as an ordered tuple containing fixed fields, as shown below:
<Order><Protocol><Source_IP><Source_Port><Destination_IP><Destination_Port><Action>
Here Order is the position at which the rule is stored in the firewall rule set, and Action is either Accept or Reject. For example, Rule 1, placed at position 1, accepts TCP packets sent from IP address 140.14.2.* from any port to any destination at destination port 75, while Rule 2 at position 6 does not allow communication between are completely disjoint and will not lead to any kind of anomaly. A shadowing anomaly arises when one rule matches all the incoming packets and another rule never gets a chance to match them. E.g. Rule 1 matches all the packets and does not pass them on to Rule 4; Rule 1 is therefore shadowing Rule 4, and Rule 4 is never activated. In the presented rule set, a shadowing anomaly also occurs between Rule 6 and Rule 8. The pair Rule 1 and Rule 4 is inclusively matching, while the pair Rule 6 and Rule 8 is an exact match. Rule 9 and Rule 11 are correlated, as both take different actions for the same packet: Rule 11 denies all packets from a particular source to a destination at all ports, while Rule 9 contradicts this by allowing the communication at destination port 53. This is a correlation anomaly, where an incoming packet is matched by two different rules and the two rules have different actions. A rule is said to be redundant if a similar rule exists in the rule set that matches the same packets and performs the same action. If Rule 10 is removed, the rule set is not affected, because Rule 12 performs the same action on the same packets. Redundant rules take additional space and degrade the performance of the firewall. Apart from these, some other anomalies have also been defined. A generalization anomaly occurs for rules in order that take different actions, where the later rule is a superset of the earlier one.
If the order of the rules is reversed, the action changes and the superset rule shadows the other rule, as with Rule 2 and Rule 5. The superset rule is known as the general rule [7]. If, over a desired interval of time, a rule does not match any packet, this is known as an irrelevance anomaly. Anomalies generally occur while rules are being updated [8], when the positions of the rules get disturbed.
Manually, it is very difficult to detect anomalies, and also to resolve them, because a firewall may have thousands of rules. The irrelevance anomaly is still not detected, because of the time constraints among the rules [4]. The security policy of any firewall depends entirely on its defined rule set. The protection level is increased by defining strong rules; hundreds or even thousands of rules are defined to make an effective firewall system. Appropriate positioning of rules in such a large rule set is the biggest challenge for the network administrator and directly affects the security of the network. Generally the rules are custom designed and hand written; if they are not defined and maintained carefully, they will allow unwanted traffic to enter the network or deny passage to required packets. Manual definition and maintenance of rules is complex, error prone, costly and inefficient, and becomes more so as the rule set grows. As more rules are added, the chances of anomalies also increase and rule management becomes difficult. This can lead to erroneous rules within the rule set that stop the network from performing according to its intended service. When such errors occur, anomalies are created which have to be detected and removed from the firewall rule set.

Rule Relation
The anomaly detection algorithm requires rules to be compared. Because each rule is an ordered tuple, set relations are used for rule comparison. As far as this work is concerned, the relationship between two rules can be disjoint, exactly matching, inclusively matching or correlated [1]. Two rules are fully disjoint if they have at least one parameter in the rule representation whose values do not overlap. Rule 3 and Rule 7 are completely disjoint, as both are meant for entirely different destinations. A rule r1 is said to be inclusively matching with r2 if r1 is a subset of r2, or if there is at least one parameter for which the value in r1 is a subset of the value in r2 and the rest of the parameters are the same. Rules have an exact match if an already existing rule is added to the rule set as a new rule.

Methods/Statistical Analysis
The algorithm has been divided into two modules: anomaly detection and anomaly resolution. The resulting new rule set is anomaly free.

Anomaly Detection
All anomalies are related to the corresponding rule relations. Table 1 defines the anomalies in terms of rule relations.
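As an added example (not the paper's own tool or code), the following Python classifies the rule relations defined in the Rule Relation section and derives the anomalies of Table 1 from them, using the rule tuple <Order><Protocol><Source_IP><Source_Port><Destination_IP><Destination_Port><Action>. The sample rule set is constructed here and is not the paper's table; the field encodings ("*" for any, "a.b.c.*" for a /24, "lo-hi" port ranges) are assumptions.

```python
import ipaddress
FIELDS = ("proto", "src", "sport", "dst", "dport")
def _net(s):  # "*" = any host, "140.14.2.*" = that /24, otherwise a host address or CIDR
    return ipaddress.ip_network("0.0.0.0/0" if s == "*" else s[:-2] + ".0/24" if s.endswith(".*") else s)
def _ports(s):  # "*" = all ports, "80" or "1024-65535" = inclusive range
    lo, _, hi = ("0-65535" if s == "*" else s).partition("-")
    return (int(lo), int(hi or lo))
def rule(order, proto, src, sport, dst, dport, action):
    """Tuple <Order><Protocol><Source_IP><Source_Port><Destination_IP><Destination_Port><Action>."""
    return {"order": order, "proto": {"tcp", "udp"} if proto == "*" else {proto}, "src": _net(src),
            "sport": _ports(sport), "dst": _net(dst), "dport": _ports(dport), "action": action}
def _field_rel(a, b):
    """One field: eq, sub (a inside b), sup (b inside a), dis (no overlap) or part (partial)."""
    if a == b:
        return "eq"
    if isinstance(a, set):                       # protocol sets
        return "sub" if a < b else "sup" if a > b else "dis"
    if isinstance(a, tuple):                     # port ranges
        if a[1] < b[0] or b[1] < a[0]:
            return "dis"
        inside = lambda x, y: y[0] <= x[0] and x[1] <= y[1]
        return "sub" if inside(a, b) else "sup" if inside(b, a) else "part"
    return "sub" if a.subnet_of(b) else "sup" if b.subnet_of(a) else "dis"   # IP networks
def relation(r1, r2):
    """Set relation of r1 to r2: disjoint, exact, subset, superset or correlated."""
    rels = [_field_rel(r1[f], r2[f]) for f in FIELDS]
    if "dis" in rels:
        return "disjoint"
    if all(x == "eq" for x in rels):
        return "exact"
    if all(x in ("eq", "sub") for x in rels):
        return "subset"
    return "superset" if all(x in ("eq", "sup") for x in rels) else "correlated"
def anomaly(rx, ry):
    """Anomaly between an earlier rule rx and a later rule ry (None if they coexist cleanly)."""
    rel, same = relation(ry, rx), rx["action"] == ry["action"]
    if rel in ("exact", "subset"):      # every packet ry could match is already decided by rx
        return "redundancy" if same else "shadowing"
    if rel == "superset":               # ry is the more general rule, placed after the specific one
        return "redundancy" if same else "generalization"
    return "correlation" if rel == "correlated" and not same else None
def detect(rules):
    """Compare each rule with every later rule; return (earlier_order, later_order, anomaly)."""
    rules = sorted(rules, key=lambda r: r["order"])
    return [(rx["order"], ry["order"], a) for i, rx in enumerate(rules)
            for ry in rules[i + 1:] if (a := anomaly(rx, ry))]
# Constructed sample rule set (not the paper's table), built to exercise each anomaly type.
SAMPLE = [rule(1, "tcp", "140.14.2.*", "*", "192.168.5.*", "75", "accept"),
          rule(2, "tcp", "140.14.2.5", "*", "192.168.5.*", "75", "reject"),   # shadowed by rule 1
          rule(3, "udp", "10.0.1.0/24", "*", "192.168.1.10", "53", "accept"),
          rule(4, "udp", "10.0.1.0/24", "*", "192.168.1.10", "53", "accept"), # redundant with rule 3
          rule(5, "tcp", "10.0.2.0/24", "*", "*", "80", "accept"),
          rule(6, "tcp", "*", "*", "172.16.0.0/16", "*", "reject"),           # correlated with rule 5
          rule(7, "tcp", "*", "*", "*", "80", "reject")]                      # generalizes rule 5
```

Running detect(SAMPLE) reports one shadowing, one redundancy, one correlation and one generalization pair; a disjoint pair such as rules 1 and 3 produces nothing.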

Anomaly Resolution
After an anomaly is detected between two rules, one of the rules has to be discarded. The decision must be made in such a way that it does not lead to any further anomaly [5]. Table 2 presents the resolution to be applied when two rules have an anomaly of one of the types classified in the previous section.

Rule Insertion
From an existing rule set, a completely new rule set is built by comparing each rule with all the other existing rules [6]. If any inconsistency is detected, it is resolved and the new or modified rules are added to the new rule set. Using the states of the diagram in Figure 1 for detection and the solutions in Table 2, the rule set presented in section 2.1 can be represented in the form of a policy tree (Figure 2(a) and (b)), which places the rules in their appropriate anomaly-free positions.

Findings
The concept of anomaly detection and resolution has been incorporated into a user-friendly tool. The tool has been designed to serve two categories of users: Regular and Admin. It contains options for file encryption/decryption, rule engine design, rule generation and updating of conflicting rules. It can be used as a rule advisor for identifying conflicting rules and shadowing, redundancy and correlation anomalies. As a rule editor it provides facilities for rule insertion, modification and deletion. When a new rule is inserted, the tool automatically finds its correct position in the rule set. A snapshot of the designed tool is shown in Figure 3.

Conclusion and Future Scope
A tool has been designed to automate the detection of anomalies in a firewall rule set, a process which, if done manually, is time consuming, requires expertise and may sometimes introduce other types of anomaly. The tool also incorporates anomaly resolution and provides an interface for updating conflicting rules. The work can be improved by evaluating the efficiency of the tool on large rule sets.