ABSTRACT
Firewalls and network intrusion detection systems (NIDSs) are widely used to secure computer networks. Given a network that deploys multiple firewalls and NIDSs, ensuring that these security components are correctly configured is a challenging problem. Although models have been developed to reason independently about the effectiveness of firewalls and NIDSs, there is no common framework to analyze their interaction. This paper presents an integrated, constraint-based approach for modeling and reasoning about these configurations. Our approach considers the dependencies between the two types of components, and can reason automatically about their combined behavior. Based on this approach, we have developed a tool for the specification and verification of networks that include multiple firewalls and NIDSs. This tool can also be used to automatically generate NIDS configurations that are optimal relative to a given cost function.
Automatic analysis of firewall and network intrusion detection system configurations
Formal Methods in Security Engineering Workshop (FMSE 04)