Design and Configuration of Firewall Architecture Under Risk, Usability and Cost Constraints

  • Chapter
  • In: Automated Firewall Analytics

Abstract

Firewalls are the most widely deployed security devices in computer networks. Nevertheless, designing and configuring distributed firewalls, which includes determining both the access control rules and the placement of devices in the network, remains a significantly complex task, as it requires balancing connectivity requirements against the inherent risk and cost. Formal approaches that allow the distributed firewall configuration space to be explored systematically are needed to optimize decision support under multiple design constraints. The objective of this chapter is to automatically synthesize the implementation of a distributed filtering architecture and configuration that minimizes security risk while satisfying connectivity requirements, usability requirements and budget constraints. Our automatic synthesis generates not only the complete rule configuration for each firewall needed to satisfy the risk and connectivity constraints, but also the optimal firewall placement in the network that minimizes spurious traffic. We define fine-grained risk, usability and cost metrics that can be tuned to match business requirements, and formalize the configuration synthesis as an optimization problem. We then show that distributed firewall synthesis is an NP-hard problem and provide heuristic approximation algorithms. We implemented our approach in a tool called FireBlanket, which was rigorously evaluated under different network sizes, topologies and budget requirements. Our evaluation shows that the results obtained by FireBlanket are close to the theoretical lower bound and that performance scales with the network size.

Copyright information

© 2014 Springer International Publishing Switzerland

Cite this chapter

Al-Shaer, E. (2014). Design and Configuration of Firewall Architecture Under Risk, Usability and Cost Constraints. In: Automated Firewall Analytics. Springer, Cham. https://doi.org/10.1007/978-3-319-10371-6_4

  • DOI: https://doi.org/10.1007/978-3-319-10371-6_4

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-10370-9

  • Online ISBN: 978-3-319-10371-6
