Management of stateful firewall misconfiguration

Joaquin Garcia-Alfaro; Frédéric Cuppens; Nora Cuppens-Boulahia; Salvador Martinez; Jordi Cabot

doi:10.1016/j.cose.2013.01.004

Management of stateful firewall misconfiguration

Joaquin Garcia-Alfaro, Frédéric Cuppens, Nora Cuppens-Boulahia, Salvador Martinez, Jordi Cabot

Research output: Contribution to journal › Article › peer-review

Abstract

Firewall configurations are evolving into dynamic policies that depend on protocol states. As a result, stateful configurations tend to be much more error prone. Some errors occur on configurations that only contain stateful rules. Others may affect those holding both stateful and stateless rules. Such situations lead to configurations in which actions on certain packets are conducted by the firewall, while other related actions are not. We address automatic solutions to handle these problems. Permitted states and transitions of connection-oriented protocols (in essence, on any layer) are encoded as automata. Flawed rules are identified and potential modifications are provided in order to get consistent configurations. We validate the feasibility of our proposal based on a proof of concept prototype that automatically parses existing firewall configuration files and handles the discovery of flawed rules according to our approach.

Original language	English
Pages (from-to)	64-85
Number of pages	22
Journal	Computers and Security
Volume	39
Issue number	PARTA
DOIs	https://doi.org/10.1016/j.cose.2013.01.004
Publication status	Published - 21 Mar 2013
Externally published	Yes

Keywords

Access control
Anomalies
Firewalls
Iptables
Misconfiguration
Model-driven engineering
Netfilter
Network security
Stateful rules
Stateless rules

Access to Document

10.1016/j.cose.2013.01.004

Cite this

@article{a54719f326074ed78edcc51888d686e8,

title = "Management of stateful firewall misconfiguration",

abstract = "Firewall configurations are evolving into dynamic policies that depend on protocol states. As a result, stateful configurations tend to be much more error prone. Some errors occur on configurations that only contain stateful rules. Others may affect those holding both stateful and stateless rules. Such situations lead to configurations in which actions on certain packets are conducted by the firewall, while other related actions are not. We address automatic solutions to handle these problems. Permitted states and transitions of connection-oriented protocols (in essence, on any layer) are encoded as automata. Flawed rules are identified and potential modifications are provided in order to get consistent configurations. We validate the feasibility of our proposal based on a proof of concept prototype that automatically parses existing firewall configuration files and handles the discovery of flawed rules according to our approach.",

keywords = "Access control, Anomalies, Firewalls, Iptables, Misconfiguration, Model-driven engineering, Netfilter, Network security, Stateful rules, Stateless rules",

author = "Joaquin Garcia-Alfaro and Fr{\'e}d{\'e}ric Cuppens and Nora Cuppens-Boulahia and Salvador Martinez and Jordi Cabot",

year = "2013",

month = mar,

day = "21",

doi = "10.1016/j.cose.2013.01.004",

language = "English",

volume = "39",

pages = "64--85",

journal = "Computers and Security",

issn = "0167-4048",

number = "PARTA",

}

TY - JOUR

T1 - Management of stateful firewall misconfiguration

AU - Garcia-Alfaro, Joaquin

AU - Cuppens, Frédéric

AU - Cuppens-Boulahia, Nora

AU - Martinez, Salvador

AU - Cabot, Jordi

PY - 2013/3/21

Y1 - 2013/3/21

N2 - Firewall configurations are evolving into dynamic policies that depend on protocol states. As a result, stateful configurations tend to be much more error prone. Some errors occur on configurations that only contain stateful rules. Others may affect those holding both stateful and stateless rules. Such situations lead to configurations in which actions on certain packets are conducted by the firewall, while other related actions are not. We address automatic solutions to handle these problems. Permitted states and transitions of connection-oriented protocols (in essence, on any layer) are encoded as automata. Flawed rules are identified and potential modifications are provided in order to get consistent configurations. We validate the feasibility of our proposal based on a proof of concept prototype that automatically parses existing firewall configuration files and handles the discovery of flawed rules according to our approach.

AB - Firewall configurations are evolving into dynamic policies that depend on protocol states. As a result, stateful configurations tend to be much more error prone. Some errors occur on configurations that only contain stateful rules. Others may affect those holding both stateful and stateless rules. Such situations lead to configurations in which actions on certain packets are conducted by the firewall, while other related actions are not. We address automatic solutions to handle these problems. Permitted states and transitions of connection-oriented protocols (in essence, on any layer) are encoded as automata. Flawed rules are identified and potential modifications are provided in order to get consistent configurations. We validate the feasibility of our proposal based on a proof of concept prototype that automatically parses existing firewall configuration files and handles the discovery of flawed rules according to our approach.

KW - Access control

KW - Anomalies

KW - Firewalls

KW - Iptables

KW - Misconfiguration

KW - Model-driven engineering

KW - Netfilter

KW - Network security

KW - Stateful rules

KW - Stateless rules

U2 - 10.1016/j.cose.2013.01.004

DO - 10.1016/j.cose.2013.01.004

M3 - Article

AN - SCOPUS:84888300449

SN - 0167-4048

VL - 39

SP - 64

EP - 85

JO - Computers and Security

JF - Computers and Security

IS - PARTA

ER -

Management of stateful firewall misconfiguration

Abstract

Keywords

Access to Document

Fingerprint

Cite this