DOI: 10.1145/1029133.1029143
Article

Automatic analysis of firewall and network intrusion detection system configurations

Published: 29 October 2004

ABSTRACT

Given a network that deploys multiple firewalls and network intrusion detection systems (NIDSs), ensuring that these security components are correctly configured is a challenging problem. Although models have been developed to reason independently about the effectiveness of firewalls and NIDSs, there is no common framework to analyze their interaction. This paper presents an integrated, constraint-based approach for modeling and reasoning about these configurations. Our approach considers the dependencies among the two types of components, and can reason automatically about their combined behavior. We have developed a tool for the specification and verification of networks that include multiple firewalls and NIDSs, based on this approach. This tool can also be used to automatically generate NIDS configurations that are optimal relative to a given cost function.
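The dependency the abstract refers to is that a NIDS sensor only ever sees the traffic the firewalls in front of it admit, so the signatures a sensor needs depend on the firewall policy, and the cheapest adequate NIDS configuration depends on both. The following Python is an added illustration of that idea, not the authors' tool or their constraint model: the three-zone topology, the firewall rule sets, the sensor positions, the attack catalogue and the per-sensor costs are all constructed for this example, and an exhaustive search over the small configuration space stands in for a constraint solver.

```python
"""Toy joint model of firewall filtering and NIDS visibility (added example).

Constructed topology, a single path with a firewall at each hop and a sensor
on the link behind each firewall:

    internet --[fw]--> dmz --[fw]--> internal
"""
from itertools import product

# Zones in order along the constructed linear topology.
ZONES = ["internet", "dmz", "internal"]

# Ordered rule sets per directed hop, first match wins, default deny.
# Each tuple is (proto, dport or "any", action).  Constructed values.
FIREWALLS = {
    ("internet", "dmz"): [("tcp", 80, "allow"), ("tcp", 25, "allow")],
    ("dmz", "internal"): [("tcp", 25, "allow"), ("tcp", 1433, "allow")],
}

# Sensor name -> the link it taps; the sensor sits behind that hop's firewall.
SENSORS = {"nids_dmz": ("internet", "dmz"), "nids_int": ("dmz", "internal")}

# Constructed attack catalogue: name -> (source zone, target zone, proto, dport).
ATTACKS = {
    "http_overflow": ("internet", "dmz", "tcp", 80),
    "smtp_relay": ("internet", "internal", "tcp", 25),
    "telnet_brute": ("internet", "dmz", "tcp", 23),
    "mssql_worm": ("internet", "internal", "tcp", 1433),
    "http_to_internal": ("internet", "internal", "tcp", 80),
}

# Hypothetical cost of enabling one signature on one sensor.
COST = {"nids_dmz": 3, "nids_int": 1}


def path(src, dst):
    """Directed hops crossed by traffic from src to dst on the linear topology."""
    i, j = ZONES.index(src), ZONES.index(dst)
    step = 1 if j > i else -1
    return [(ZONES[k], ZONES[k + step]) for k in range(i, j, step)]


def admitted(rules, proto, dport):
    """First-match evaluation of one ordered rule set; no match means deny."""
    for r_proto, r_port, action in rules:
        if r_proto == proto and r_port in (dport, "any"):
            return action == "allow"
    return False


def first_blocking_hop(firewalls, hops, proto, dport):
    """The first hop whose firewall drops the flow, or None if it reaches dst."""
    for hop in hops:
        if not admitted(firewalls.get(hop, []), proto, dport):
            return hop
    return None


def observing_sensors(sensors, traversed):
    """Sensors tapping any traversed link (either direction)."""
    return {n for n, (a, b) in sensors.items()
            if (a, b) in traversed or (b, a) in traversed}


def analyze(firewalls, sensors, attacks):
    """Classify each attack as blocked, observable, or a blind spot (reaches
    its target but no sensor on its path sees it), and list who sees it."""
    report = {}
    for name, (src, dst, proto, dport) in attacks.items():
        hops = path(src, dst)
        blocked_at = first_blocking_hop(firewalls, hops, proto, dport)
        # A sensor behind the dropping firewall never sees the flow; earlier ones do.
        traversed = hops if blocked_at is None else hops[:hops.index(blocked_at)]
        seen_by = observing_sensors(sensors, traversed)
        status = ("blocked" if blocked_at is not None
                  else "observable" if seen_by else "blind_spot")
        report[name] = {"status": status, "blocked_at": blocked_at,
                        "sensors": sorted(seen_by)}
    return report


def cheapest_nids_config(firewalls, sensors, attacks, cost):
    """Cheapest set of (sensor, signature) pairs such that every attack that
    reaches its target is matched on at least one sensor that sees it.
    Exhaustive search over the candidate pairs; fine at toy size."""
    report = analyze(firewalls, sensors, attacks)
    must_cover = {a: r["sensors"] for a, r in report.items()
                  if r["status"] == "observable"}
    candidates = [(s, a) for a in must_cover for s in must_cover[a]]
    best = None
    for bits in product([0, 1], repeat=len(candidates)):
        chosen = {c for c, b in zip(candidates, bits) if b}
        if all(any((s, a) in chosen for s in must_cover[a]) for a in must_cover):
            total = sum(cost[s] for s, _ in chosen)
            if best is None or total < best[0]:
                best = (total, chosen)
    return best


if __name__ == "__main__":
    for name, r in analyze(FIREWALLS, SENSORS, ATTACKS).items():
        print(f"{name:18} {r['status']:11} blocked_at={r['blocked_at']} "
              f"sensors={r['sensors']}")
    print("cheapest NIDS config:", cheapest_nids_config(FIREWALLS, SENSORS, ATTACKS, COST))
```

Running it shows the three outcomes the joint view makes visible: the telnet and MSSQL attacks are dropped by the first firewall and need no signature anywhere; the HTTP attack aimed at the internal zone passes the first firewall, is dropped by the second, and is still seen by the DMZ sensor; and the cheapest adequate configuration enables the HTTP signature only on the DMZ sensor and the SMTP signature only on the cheaper internal sensor. Removing the DMZ sensor turns the HTTP overflow into a blind spot, which is the class of misconfiguration that analysing firewalls and NIDSs separately cannot surface.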


Published in

FMSE '04: Proceedings of the 2004 ACM workshop on Formal methods in security engineering
October 2004, 102 pages
ISBN: 1581139713
DOI: 10.1145/1029133

      Copyright © 2004 ACM


Publisher: Association for Computing Machinery, New York, NY, United States

