Presentation is loading. Please wait.

Presentation is loading. Please wait.

Applying Visualization to the Management of Firewall Rulesets Shaun P. Morrissey 7 October 2009 Thesis Committee: Prof. Grinstein, Advisor Prof. Levkowitz.

Similar presentations


Presentation on theme: "Applying Visualization to the Management of Firewall Rulesets Shaun P. Morrissey 7 October 2009 Thesis Committee: Prof. Grinstein, Advisor Prof. Levkowitz."— Presentation transcript:

1 Applying Visualization to the Management of Firewall Rulesets Shaun P. Morrissey 7 October 2009 Thesis Committee: Prof. Grinstein, Advisor Prof. Levkowitz Prof. Daniels

2 2 Outline n Context –What is a firewall? n Proxy versus firewall –What is a firewall rule? n Method –Calculation of the acceptance volume –Visual Approaches n Data – Issues & Solutions n Visual Results n Discussion & Directions –What works –What needs to be done

3 3 Do we care about firewall rulesets? n (Google, 16 June 2005, ~1745 EDT) n Results 1 - 10 of about 55,600 for "firewall setup". (0.39 seconds) n Results 1 - 10 of about 62,100 for "firewall management". (0.04 seconds) n Results 1 - 10 of about 18,100 for "firewall administration". (0.15 seconds) n n (Google, 26 April 2006, ~0935 EDT) n Results 1 - 20 of about 185,000 for "firewall setup". (0.25 seconds) n Results 1 - 20 of about 207,000 for "firewall management". (0.25 seconds) n Results 1 - 20 of about 81,600 for "firewall administration". (0.28 seconds) n n (Google, 12 July 2009, ~1457 EDT n Results 1 - 10 of about 1,710,000 for “firewall setup.” (0.37 seconds) n Results 1 - 10 of about 17,800,000 for “firewall management.” (0.22 seconds) n Results 1 - 10 of about 8,230,000 for “firewall administration.” (0.13 seconds).

4 4 Do they need help? n Network Managers need methods to quickly and efficiently analyze policy environment and impact of proposed changes on operational environment. –Industry analysts Gartner & IDC – 80% of unplanned outages are a result of changes in IT policies or configurations n Policy artifacts, the rulesets, are large, complex, difficult to comprehend –Errors in interpretation, modification, and development –Demand for capable personnel exceed supply –Diagnostic capabilities desperately needed

5 5 What is a firewall? n Implementation tool to achieve security policy goal n Border or Perimeter Device –Generally two or more interfaces –Not limited to a single device n Packet-based decision –Packet decision - pass/deny/drop –Local action - alarm/log/record n Decision basis - Proxy vs firewall distinction –Content awareness - proxy –Packet header plus state –Packet header values (research bound)

6 6 Basic Firewall Concept Exterior Network (Internet connection) Interior Network Hosts* Firewall

7 7 Basic Firewall Concept Implementation Exterior Network (Internet connection) Interior Network Hosts* Router X X Bastion Host

8 8 Screened Subnet (DMZ) Exterior Network (Internet connection) Interior Network Hosts* Perimeter Network Router Bastion Host(s) (exterior /access) (interior /choke)

9 9 Control of HTTP queries Exterior Network (Internet connection) Interior Network Hosts* Perimeter Network Router Bastion Host(s) (exterior /access) (interior /choke) http query http queries X X X

10 10 Outline n Context –What is a firewall? n Proxy versus firewall –What is a firewall rule? n Method –Calculation of the acceptance volume –Visual Approaches n Data – Issues & Solutions n Visual Results n Discussion & Directions –What works –What needs to be done

11 11 Firewall Rules: Intended Semantics n Source –Host –Group of hosts –Collection of hosts or groups n Destination –Host –Group of hosts –Collection of hosts or groups n Service –HTTP, SSL, SMTP, etc n Action –Accept/Deny

12 12 Packet Header Decision Fields

13 13 Service n Often listed with the same name as a protocol, –HTTP for web –SSL for secure connections –SSH for secure user connection n Technically defined by protocol and port combinations –HTTP - TCP with destination port 80

14 14 What is a firewall rule? n Firewall rules generally abstracted to a 5-tuple filter and an action –The components n Source address (IPv4, IPv6) n Source port (0 - 65535) n Destination address n Destination port n Protocol n Action: Binary, Accept or Deny –Addresses are often combinations of ranges and individuals –Ports are often ranges –Protocol maps to a single number –Other fields do appear, not considering them at this time. n Packet tests are order-dependent (sequential)

15 15 Example: Al-Shaer & Hamed, 2003 Rule # ProtocolSource Address Source Port Destination Address Destination Port Action 1tcp140.192.37.20any*.*.*.*80deny 2tcp140.192.37.*any*.*.*.*80accept 3tcp*.*.*.*any140.192.37.4080accept 4tcp140.192.37.30any*.*.*.*21deny 5tcp140.192.37.*any*.*.*.*21accept 6tcp*.*.*.*any140.192.37.4021accept 7tcp*.*.*.*any*.*.*.*anydeny 8udp140.192.37.*any*.*.*.*53accept 9udp*.*.*.*any140.192.37.*53accept 10udp*.*.*.*any*.*.*.*anydeny

16 16 So what are the problems? n Size complexity –Rulesets grow over time n Interaction Complexity –Field definition overlap –Deliberate use of order-dependence to achieve compactness n A Rule is not the Result! –List of rules –Total effect of file n Organizational issues lead to comprehension concerns –Administrators change –Policy Changes –Documentation lost

17 17 Pages 1 and 2, of 114.

18 18 Challenges n Dataset –Two distinct technical issues n Size complexity n Interaction complexity –Confidentiality issue at every front n Examples provided, permission to use denied n Training community structurally unresponsive n Internal ruleset storage/representation –Direct rule visualization n Interval (non-atomic) data field entries n Closure property violation under logical operations n Decomposition proofs provide some answers –Acceptance set visualization n 5-dimensional space: 5-cubes n Embedded subsets not convex n Extension of solid modeling with logical operations effective n Visualization of moderate dimensional data (<10D)

19 19 Research Objective n Create interactive visual representations of firewall rulesets that: –Enhance the speed & correctness of comprehension of ruleset impact or function –Enhance detection of configuration errors –Support modification without the introduction of unacceptable side effects. n Required –Calculate the acceptance volume –Display it –Enable editing in response

20 20 Related work? n First, NOTHING directly on point n Point visualizations of 5-tuples –Intrusion Detection –Network traffic –Static and time-dependent, partial and complete –But no range visualizations, not applicable n Data structures for firewall decision-making –Time & space efficient structures –Representations not unique –But none visualized

21 21 What’s out there? And the research literature on firewall visualization was simply “None” until 2007.

22 PolicyVis – Tran et al., 2007 22

23 23 Outline n Context –What is a firewall? n Proxy versus firewall –What is a firewall rule? n Method –Calculation of the acceptance volume –Visual Approaches n Data – Issues & Solutions n Visual Results n Discussion & Directions –What works –What needs to be done

24 Calculate the Acceptance Volume n Basic Guttman Algorithm n Implementation Choice: Constructive Solid Geometry –Integer lattice –5 dimensions – Penteracts –Axis-aligned – intervals only n Modifications –Add provenance –Add created voids –Convex solid decomposition 24

25 25 Outline n Context –What is a firewall? n Proxy versus firewall –What is a firewall rule? n Method –Calculation of the acceptance volume –Visual Approaches n Data – Issues & Solutions n Visual Results n Discussion & Directions –What works –What needs to be done

26 Guttman Algorithm n Convert order dependent ruleset to static set n Original formulation was recursive –Replaced by iteration from end n Requires two boolean operations –Union for accept predicates –Set Difference or subtraction for deny-rule predicates 26 Clear List Index = last Deny or Accept? UnionSubtract Index-1 Done Deny Accept

27 Restricted Constructive Solid Geometry n Treat intervals in five dimensions as a solid –Axis-aligned, intervals only –No rotations –Penteracts specified by 10 values, upper and lower limits n Integer Lattice –CSG packages use “regularized” operations to remove single values –Single values needed for our work (Protocol #) –Do it yourself, don’t adapt packages 27

28 Boolean operations on solids 28 n Work is done on an integer lattice of all non-negative values n Critical operations are: –Set Union A ∪ B –Set Difference A – B = A ∩ ~B n Goals include: –Always maintaining convex solid decompositions –~(~B) = B –Making use of A – B = A – (A ∩ B) to limit need to handle general case of ~B –Maintaining connection to rules that generated volumes –Creating solution approach that works in each dimension so that it can be extended to 5-D with confidence

29 Issue with existing CSG codes n Existing Constructive Solid Geometry packages –Do not appear to go above 3-D –Carry sophistication to manage arbitrary object orientation n Our blocks are simple, axis-aligned –Use logic that eliminates single values in a given dimension n In solids with real dimensions, skin overlaps have no volume, and are eliminated n In our case “degenerate” solids, one value as both upper and lower limit, are real conditions that must be retained. 29

30 Penteract Constructive Solid Geometry (3D analogue) 30 Top face of rule A box (red) has been opened to expose A ∩ B

31 Use Convex Solid Decomposition n Simple Data Structure –Only penteracts required n Calculation Complexity –371,293 types of penteract overlap –CSD allows one dimension at a time, five pairs of cuts, 13 cases –Cost: longer list n Convex penteract can be visualized easily –Parallel Set Enclosure n Rule A: red volumes n Rule B: green volumes n B ∩ A : blue volume n 1-D cuts

32 371,293 Cases? (13^5) of course! n Thirteen(13) cases exist for possible overlaps between the intervals in each of five dimensions –Actually, 25 cases can be enumerated, but 10 are aphysical and two do not overlap n In the following discussion, we use T as the target space, and A for the volume being “added”. –T will in fact be only one component of a list of existing blocks –The overall algorithm will need to be executed against each relevant block in the acceptance volume –The overall algorithm will need to account for A intersecting with more than one component of the T’s n The following analysis assumes initially that the dimensions are not degenerate. –The resulting algorithm will then be checked to see if is robust to handling degenerate cases. 32

33 Where does 13, 15 or 25 come from? n Consider an interval in a dimension of T, defined by upper and lower limits TL and TH. n There are five distinct regions where each of the boundaries of A (AL and AH, respectively) can fall –Two exterior regions –One interior region –Coincidence with two boundary values 33 TLTH 12345

34 Analysis of One Dimension n 25 possible cases, in general n Impose AL ≤ AH, 10 cases removed n Require intersection to exist –AH ∈ 1, A is below T, no intersection –AL ∈ 5, A is above T, no intersection n 25 – 10 – 2 = 13 –Argument provides enumeration of cases to be handled –13 cases times five dimensions is plausibly correct –Yields 1,198-line Java method –Alternative is (13^5) = 371,293 cases 34

35 Overlap cases for one dimension AH ∈ 1 2345 AL ∈ 1 No intersect action 2 X 3 XX 4 XXX 5 XXXX No intersect 35 Impose AL ≤ AH

36 Resulting Convex Solid Decomposition(3D) 36 Red volumes – rule A Green volumes – rule B Blue volume – rule A and rule B

37 Set operations as disposition rules for convex solid decomposition lists OperationA – BA ∩ BB – A UnionKeep IntersectionDiscardKeepDiscard Set DifferenceKeepDiscard Void DifferenceKeepRe-label & KeepDiscard All of the operations are dispositions for three lists Only one CSD generation method required for intersecting penteract Operations become wrapper around use of that method Class PenteractSliceDice

38 Created Voids and Provenance n Created Void –Modify Guttman A-B –Normal: discard B ∩ A –Created Void: retain B ∩ A, label with joint provenance –Creates visualizable artifact n Add provenance of rules –List of rules for each penteract –Connected to editor 38  Rule A: red volumes  Rule B: green volumes  B ∩ A : blue volume  1-D cuts

39 Thirteen cases, enumeration of actions 39 1) Create working copies of T, wT, and A, wA. 2) Pick a dimension. 3) Select the case of the thirteen that applies. 4) Create a copy of wT, wTd, and of wA, wAd, (or two of one of them, etc). 5) Shift the boundary of wTd so it is the excess beyond the common volume. 6) Shift the boundary of wT so it is reduced to the common volume. 7) Shift the boundary of wAd so it is the excess beyond the common volume. 8) Shift the boundary of wA so it is reduced to the common volume. 9) Send wTd and wAd to their respective output lists. 10) Repeat starting at step 2 until all five dimensions are done.

40 Handle multiple intersections n Remaining issue: Added penteract intersects with more than one in target list n Add queues for pieces, put penteracts back into queues if further work needed 40

41 41 Outline n Context –What is a firewall? n Proxy versus firewall –What is a firewall rule? n Method –Calculation of the acceptance volume –Visual Approaches n Data – Issues & Solutions n Visual Results n Discussion & Directions –What works –What needs to be done

42 Visual Approaches n Parallel Coordinates –Inselberg lossless multidimensional visualization for points –Use parallel set enclosures for display of penteracts –Ease of representation was one motivation for use of CSD n Flow Picture –Loose pipe or pipeline metaphor –Extended polyhedral representation in 3-space –Implemented in Java OpenGL for speed, interaction (Keyes) n Discussion will focus on design, not software implementation –Use visual completion for improved capture-anomaly containment visualization 42

43 PC Screen Shot 43

44 Flow Picture Mockup 44

45 Flow Picture endpoints 45

46 46 Outline n Context –What is a firewall? n Proxy versus firewall –What is a firewall rule? n Method –Calculation of the acceptance volume –Visual Approaches n Data – Issues & Solutions n Visual Results n Discussion & Directions –What works –What needs to be done

47 Data Sources n Requests for operational data sets not favorably received –One permitted use case, port 32760 exclusion n Alternative approach - visualize taxonomy of interactions n Al-Shaer & Hamed (2003) –Firewall Policy Adviser – defined full range of interactions and created a complete example n Yuan, et al. (2006) –FIREMAN (A Toolkit for FIREwall Modeling and Analysis) – defined similar structures with one addition and created examples –Some examples only artifacts of CIDR notation n These examples give us a “complete” set of issues to look at. 47

48 48 Example: Al-Shaer & Hamed, 2003 Rule # ProtocolSource Address Source Port Destination Address Destination Port Action 1tcp140.192.37.20any*.*.*.*80deny 2tcp140.192.37.*any*.*.*.*80accept 3tcp*.*.*.*any140.192.37.4080accept 4tcp140.192.37.30any*.*.*.*21deny 5tcp140.192.37.*any*.*.*.*21accept 6tcp*.*.*.*any140.192.37.4021accept 7tcp*.*.*.*any*.*.*.*anydeny 8udp140.192.37.*any*.*.*.*53accept 9udp*.*.*.*any140.192.37.*53accept 10udp*.*.*.*any*.*.*.*anydeny n Al-Shaer, E.S. and Hamed, H.H. 2003a. Firewall Policy Advisor for anomaly discovery and rule editing, IFIP/IEEE Eighth International Symposium on Integrated Network Management, 2003, 24-28 March 2003, pp. 17 – 30.

49 Yuan, et al. (2006) Yuan, L., Chen, H., Mai, J., Chuah, C-N, Su, Z., and Mohapatra, P., 2006. FIREMAN: a toolkit for firewall modeling and analysis, IEEE Symposium on Security and Privacy, 2006, 21-24 May 2006, pp. 213-227. 49

50 Anomalies versus Predicate Overlaps 50 Note: in this case, there is the additional requirement that there is no correlation or generalization anomaly involving R i and any rule between it and R j

51 Anomalies, by ruleset 51 Anomaly Pairs from Al-Shaer and Hamed (2003) Yuan 2006 Script 1 Anomalies

52 52 Outline n Context –What is a firewall? n Proxy versus firewall –What is a firewall rule? n Method –Calculation of the acceptance volume –Visual Approaches n Data – Issues & Solutions n Visual Results n Discussion & Directions –What works –What needs to be done

53 Denial of 32760 in Parallel Coordinates 53

54 Denial of 32760 in Flow Picture 54

55 Selection action in PC view 55

56 Editor Frame with penteract selection 56

57 Generalization Anomaly ASH 1) and 2) 57

58 Generalization Anomaly ASH 1) and 2) 58

59 Illustration: SA split for Modified ASH 2) 59

60 Generalization, ASH 2) and 8) 60

61 Generalization, ASH 2) and 8) 61

62 Generalization Anomaly, Yuan 4) and 7) 62

63 Generalization Anomaly, Yuan 4) and 7) 63

64 Correlation Anomaly, ASH 1) and 3) 64

65 Correlation Anomaly, ASH 1) and 3) 65

66 Correlation Anomaly of Yuan 2) and 6) 66

67 Shadow Anomaly of Yuan 2) and 4) 67

68 Shadow Anomaly of Yuan 1), 3), and 5) 68

69 Shadow Anomaly of Yuan 1), 3), and 5) 69

70 Redundancy Anomaly of ASH 6) and 7) 70

71 Redundancy Anomaly of ASH 6) and 7) 71

72 72

73 Complete Ruleset, Al-Shaer & Hamed 73

74 Complete Ruleset, Al-Shaer & Hamed 74

75 75 Outline n Context –What is a firewall? n Proxy versus firewall –What is a firewall rule? n Method –Calculation of the acceptance volume –Visual Approaches n Data – Issues & Solutions n Visual Results n Discussion & Directions –What works, and doesn’t –What needs to be done

76 What Works? n Containment is the issue for many anomalies –Shown better by the polyhedral representation –Effect likely due to assembly of sub-boxes into a single box in the viewer’s mind –Suggests use of predicate for accept rules, and created voids n Created voids produce visual artifacts that –Provide awareness of why packets are denied –Supports editing to address that issue n Application of visualization directly to configuration space shows promise 76

77 What doesn’t work at present? n Accept rules preceding deny rules, for any anomaly type –Create no object in the calculation –Present no visual artifact –“state change” of denied to accepted is not captured n Deny-Deny overlaps have same problem –Response complicated by use of deny-all rules in subspaces 77

78 78 Outline n Context –What is a firewall? n Proxy versus firewall –What is a firewall rule? n Method –Calculation of the acceptance volume –Visual Approaches n Data – Issues & Solutions n Visual Results n Discussion & Directions –What works –What needs to be done

79 What needs to be done (local)? n Theoretical Developments –Extend modified-Guttman to encompass deny rules more effectively n Simplest extension, “denied void” complicated by deny all rules for space and subspaces – leads to potentially massive expansion of CSD –Examine display of accept predicates and created voids n Reduces visual complexity by eliminating sliced accepts n Uncertain at this time as to correctness n May require that turning off created voids be disabled n May require careful linked management of voids/accepts –Define “relatedness” measures for support of visual controls 79

80 What needs to be done (local)? n Software Modifications –Zoom controls n May need to be specialized to two dimensional subspaces n Enterprise defaults for destination space –Rule-based selection lists n Display penteracts touched by rules –Consider predicate display in flow picture n Modify color to prevent confusion of displays n Supported by existing OpenGL software package 80

81 Global Directions n Firewalls –Sub-field needs a few good datasets to extend this work –Models for more sophisticated firewall rules n State-dependence n NAT rules n Security configuration comprehension –The entire computer security domain needs to have visual metaphors created and implemented. –Feasibility for display –Methods of interaction 81

82 Contributions n Created graphics pipeline for firewall configuration –Not traffic or just the rules n Showed benefit of maintaining provenance n Defined concept to extend compilation process for rulesets –Created voids capture certain historical aspects of acceptance volume calculation n Showed extension of history capture needed (denied void?) n Showed feasibility of configuration visualization n Showed potential for improved comprehension from polyhedral representations using projection to two- dimensional space over lossless representations for interval data 82

83 BACKUPS 83

84 84 DAG Firewall Representations Hazelhurst 2000, Yuan 2006Oriented Binary Decision Diagrams Gouda 2004, Liu 2004Firewall Decision Diagrams Tarsa 2006, Fulp 2005N-ary Tries Baboescu 2005Aggregate Bit Vectors Singh 2003Hypercuts, k-dimensional decision trees Thorup 2003Dynamic Stabbing Eppstein 2001Multidimensional binary search trees Gupta 2001HiCuts, multidimensional cutting Qiu 2001backtracking search and set pruning tries Srinivasan 1999Tuple space search Suri 1999Combined two-dimensional filters Lakshman 1998Multidimensional range matching Srinivasan 1998Grid of tries and cross-producting

85 85 All the pieces, unconnected Firewall Analysis -> DAGs - Correctness (e.g., OBDD) - Packet Classification Acceptance space - Compilation - Description Computational Geometry DAG Visualization Lossless High Dimension Visualization


Download ppt "Applying Visualization to the Management of Firewall Rulesets Shaun P. Morrissey 7 October 2009 Thesis Committee: Prof. Grinstein, Advisor Prof. Levkowitz."

Similar presentations


Ads by Google