On the Safety and Efficiency of Firewall Policy Deployment. Charles C. Zhang, Marianna Winslett, and Carl A. Gunter. IEEE Security and Privacy 2007
Abstract
Firewall policy management is challenging and error-prone. While ample research has led to tools for policy specification, correctness analysis, and optimization, few researchers have paid attention to firewall policy deployment: the process where a management tool edits a firewall's configuration to make it run the policies specified in the tool. In this paper, we provide the first formal definition and theoretical analysis of safety in firewall policy deployment. We show that naive deployment approaches can easily create a temporary security hole by permitting illegal traffic, or interrupt service by rejecting legal traffic during the deployment. We define safe and most-efficient deployments, and introduce the shuffling theorem as a formal basis for constructing deployment algorithms and proving their safety. We present efficient algorithms for constructing most-efficient deployments in popular policy editing languages. We show that in certain widely-installed policy editing languages, a safe deployment is not always possible. We also show how to leverage existing diff algorithms to guarantee a safe, most-efficient, and monotonic deployment in other editing languages.
Annotations
Management tools have four goals when deploying firewall policies:
- correctness
- confidentiality
- safety
- speed
To speed up deployment of firewall rules in terms of network communication cost and CLI (command line interface) processing, the number of editing commands needs to be reduced. However, an unsafe deployment can occur: the new firewall policy takes anywhere from a couple of seconds to tens of minutes to be uploaded and installed, which can leave holes open in the meantime.
Two types of deployment:
- Type 1: Type 1 editing supports delete and append commands. It is inefficient for adding a rule to the beginning, since everything has to be deleted and then re-appended.
- Type 2: allows insert, edit, etc.
The authors propose a series of algorithms that determine a safe pattern for changing/updating rules on firewalls of both types, to avoid opening up security holes during deployment.
The approach combines a diff algorithm that determines the most-efficient deployment with a follow-up algorithm called SanitizeIt that makes the deployment safe.
For practical policy changes these algorithms are good; for impractical changes (such as changing a large firewall rule-set completely), they become rather time consuming due to the O(n) nature of the algorithm.
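An added illustration (not code from the paper or from these notes) of why command order matters under Type 1 editing: it replays delete/append deployments against a first-match policy and flags intermediate states that accept traffic both policies deny or reject traffic both policies allow. The rule format, the command tuples, the implicit default deny and the sample policies are assumptions made for this example.

```python
# Added illustration: rule format, command tuples and sample policies are constructed.
DENY, ALLOW = "deny", "allow"

def decide(policy, port):
    """First-match lookup; an implicit default deny is assumed."""
    for action, lo, hi in policy:
        if lo <= port <= hi:
            return action
    return DENY

def apply_cmd(policy, cmd):
    """Type 1 editing: ('app', rule) appends, ('del', i) deletes rule i (1-based)."""
    op, arg = cmd
    if op == "app":
        return policy + [arg]
    if op == "del" and 1 <= arg <= len(policy):
        return policy[:arg - 1] + policy[arg:]
    raise ValueError(f"bad command {cmd!r}")

def audit(initial, target, commands, ports=range(1, 1025)):
    """Replay a deployment and list (step, holes, outages) for unsafe steps.

    Only ports on which initial and target agree are checked: allowing one that
    both deny is a hole, denying one that both allow is a service interruption.
    """
    fixed = {p: decide(initial, p) for p in ports
             if decide(initial, p) == decide(target, p)}
    policy, findings = list(initial), []
    for step, cmd in enumerate(commands, 1):
        policy = apply_cmd(policy, cmd)
        bad = [p for p, want in fixed.items() if decide(policy, p) != want]
        holes = sum(1 for p in bad if fixed[p] == DENY)
        if bad:
            findings.append((step, holes, len(bad) - holes))
    return findings, policy

TELNET, SMB, LOW = (DENY, 23, 23), (DENY, 135, 139), (ALLOW, 1, 1023)
INITIAL = [TELNET, LOW]
TARGET = [TELNET, SMB, LOW]          # new rule goes in the middle

WIPE_AND_RELOAD = [("del", 1), ("del", 1)] + [("app", r) for r in TARGET]
APPEND_THEN_TRIM = [("app", r) for r in TARGET] + [("del", 1), ("del", 1)]
REORDERED = [("app", SMB), ("app", LOW), ("del", 2)]

if __name__ == "__main__":
    for name in ("WIPE_AND_RELOAD", "APPEND_THEN_TRIM", "REORDERED"):
        findings, final = audit(INITIAL, TARGET, globals()[name])
        print(name, "reaches target:", final == TARGET, "unsafe steps:", findings)
```

In this constructed case both naive orders reach the target policy yet pass through unsafe intermediate states, while the three-command ordering never deviates on traffic the two policies agree on.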
Related Work
--
AndrewBlaich - 27 Jun 2007