Firewall Query Engine and Firewall Comparison Engine
Mohamed Gouda, Alex X. Liu
Computer Science Department, The University of Texas at Austin
Problem
- The interplay of firewall rules in large enterprises is extremely complex.
  - Rules for an enterprise can number in the thousands.
  - Rules are written by different people at different times for different reasons.
  - An enterprise may have hundreds of interconnected firewalls.
- As a result of this complexity:
  - Unearthing security holes and troubleshooting errors can be difficult or impossible.
  - Changes in one rule can cause cascade failures and severely impact the network.
  - Large enterprises have extensive, time-consuming procedures required to implement any changes in rule sets.
Solution 1: Firewall Query Engine
- Answers queries regarding firewall behavior
- Simulates how a rule set will operate
- Allows rapid and accurate troubleshooting
- Queries can be auto-generated using vulnerability databases
[Diagram labels: Firewall Query Engine; Vulnerability database; Firewall rule set; Business requirements; all malicious traffic passed; all legitimate traffic blocked]
Solution 2: Firewall Comparison Engine
- Input into the engine is 2 different rule sets:
  - Rule set before changes
  - Rule set after the changes
- Output is a delta file that shows different results (i.e., impacts and risks of the changes)
- Speeds up the process of change management and version control
- Avoids the unintended impacts and risks of changes
[Diagram labels: Firewall Comparison Engine; Rule set before changes; Rule set after changes; Complete list of impacts/risks]
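A small illustration of the delta a comparison engine reports, added here and not the authors' algorithm or code. It assumes a toy packet of two integer fields (source, port), first-match rule semantics, and hypothetical function names; it splits each field at every rule boundary so that one test packet per region gives a complete answer.

```python
from itertools import product

# A rule is (src_lo, src_hi, port_lo, port_hi, decision); ranges are inclusive.
# First matching rule wins; each rule set ends with a catch-all rule.
SRC_MAX, PORT_MAX = 255, 65535   # constructed toy field domains

def decide(rules, src, port):
    for s_lo, s_hi, p_lo, p_hi, decision in rules:
        if s_lo <= src <= s_hi and p_lo <= port <= p_hi:
            return decision
    raise ValueError("rule set has no catch-all rule")

def cuts(rule_sets, lo_idx, hi_idx, domain_max):
    """Elementary intervals: split the field at every rule boundary so each
    rule covers all or none of an interval."""
    starts = {0}
    for rules in rule_sets:
        for r in rules:
            starts.add(r[lo_idx])
            if r[hi_idx] < domain_max:
                starts.add(r[hi_idx] + 1)
    starts = sorted(starts)
    ends = [s - 1 for s in starts[1:]] + [domain_max]
    return list(zip(starts, ends))

def compare(before, after):
    """Return every region where the two rule sets disagree, as
    ((src_lo, src_hi), (port_lo, port_hi), before_decision, after_decision)."""
    sets = (before, after)
    delta = []
    for s, p in product(cuts(sets, 0, 1, SRC_MAX), cuts(sets, 2, 3, PORT_MAX)):
        d1, d2 = decide(before, s[0], p[0]), decide(after, s[0], p[0])
        if d1 != d2:
            delta.append((s, p, d1, d2))
    return delta

# Constructed rule sets: the "after" version only swaps the first two rules.
BEFORE = [
    (10, 20, 1434, 1434, "discard"),   # block port 1434 from hosts 10-20
    (0, 255, 1024, 65535, "accept"),   # allow high ports
    (0, 255, 0, 65535, "discard"),     # catch-all
]
AFTER = [BEFORE[1], BEFORE[0], BEFORE[2]]

if __name__ == "__main__":
    for region in compare(BEFORE, AFTER):
        print(region)
```

Reordering two rules without editing either one is enough to open port 1434 for hosts 10-20, which is the kind of change a delta report is meant to surface before deployment.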
Technology overview
- Patent applications have been filed on the engines.
- Algorithms are mathematically proven to provide complete and accurate results.
- Both engines will be implemented with a software tool that is compatible with data structures used in the major firewalls (Cisco, Check Point, Juniper).
Benefits
- Improves and verifies security and effectiveness of enterprise firewalls
- Able to efficiently troubleshoot problems
- Able to streamline approval and increase certainty when implementing changes in firewall rules
Features
- Accurate simulation of operation of rule set
- Accurate comparison of different rule sets
- These engines can be used to solve many other firewall management problems:
  - Troubleshooting over hundreds of interconnected firewalls:
    - “Which part of the network can be attacked by slammer worms?”
    - “Who blocked communication between server A and B?”
  - Continuous monitoring of firewalls
  - Security risk assessment: “How secure is my network?”
Performance of Firewall Query Engine
Performance of Firewall Comparison Engine
Technology differentiation
- The engines are the first of their kind in the literature
- They apply formal methods to known network security problems
Availability
- Prototype software has been developed and tested on over 3,000 rules (in simulation).
- Commercial implementation will require a user interface and data integration with existing firewall products.
Solution 3: Firewall Generation Engine
- Automatically generates rules that are error-free and compact
- Uses decision tree data structure for inputs
- User input only requires answering yes/no questions
- Vastly simplifies updating rule set
Solution 4: Firewall Cleaning Engine
- Eliminates redundant rules
- Can improve network latency
[Diagram labels: Firewall Cleaning Engine; Rule set; Equivalent rule set with no redundant rules]
Case study
- To validate the effectiveness of our design methods, we:
  - Took a real-life firewall (of 87 rules) and redesigned it using the structured firewall design method
  - Compared the two firewalls, and found 84 discrepancies
  - Discussed these discrepancies with the firewall administrator
- He confirmed: in 82 discrepancies, his decisions were wrong.
Case study (continued)
- Out of the 82 discrepancies in his version:
  - 72 were caused by incorrect ordering of rules.
  - 10 were caused by missing rules.
- The two discrepancies where our decisions were wrong were caused by wrong assumptions about the requirements.