Applying Visualization to the Management of Firewall Rulesets Shaun P. Morrissey 7 October 2009 Thesis Committee: Prof. Grinstein, Advisor Prof. Levkowitz.


1 Applying Visualization to the Management of Firewall Rulesets
Shaun P. Morrissey, 7 October 2009
Thesis Committee: Prof. Grinstein (Advisor), Prof. Levkowitz, Prof. Daniels

2 Outline
- Context
  - Proxies and firewalls?
  - What is a firewall rule?
- Background
- Method
  - Calculation of the acceptance volume
  - Visual approaches
- Data: issues & solutions
- Visual results
- Discussion & directions
  - What works
  - What needs to be done

3 Do we care about firewall rulesets?
(Google, 16 June 2005, ~1745 EDT)
- Results of about 55,600 for "firewall setup". (0.39 seconds)
- Results of about 62,100 for "firewall management". (0.04 seconds)
- Results of about 18,100 for "firewall administration". (0.15 seconds)
(Google, 26 April 2006, ~0935 EDT)
- Results of about 185,000 for "firewall setup". (0.25 seconds)
- Results of about 207,000 for "firewall management". (0.25 seconds)
- Results of about 81,600 for "firewall administration". (0.28 seconds)
(Google, 12 July 2009, ~1457 EDT)
- Results of about 1,710,000 for "firewall setup". (0.37 seconds)
- Results of about 17,800,000 for "firewall management". (0.22 seconds)
- Results of about 8,230,000 for "firewall administration". (0.13 seconds)

4 Do they need help?
- Network managers need methods to quickly and efficiently analyze the policy environment and the impact of proposed changes on the operational environment.
  - Industry analysts Gartner & IDC: 80% of unplanned outages are a result of changes in IT policies or configurations
- Policy artifacts, the rulesets, are large, complex, and difficult to comprehend
  - Errors in interpretation, modification, and development
  - Demand for capable personnel exceeds supply
  - Diagnostic capabilities desperately needed

5 What is a firewall?
- Implementation tool to achieve a security policy goal
- Border or perimeter device
  - Generally two or more interfaces
  - Not limited to a single device
- Packet-based decision
  - Packet decision: pass/deny/drop
  - Local action: alarm/log/record
- Decision basis: proxy vs. firewall distinction
  - Content awareness: proxy
  - Packet header plus state
  - Packet header values (research bound)

6 Basic Firewall Concept (diagram: Exterior Network (Internet connection) | Firewall | Interior Network Hosts*)

7 Basic Firewall Concept: Implementation (diagram: Exterior Network (Internet connection) | Router | Bastion Host | Interior Network Hosts*; blocked paths marked X)

8 Screened Subnet (DMZ) (diagram: Exterior Network (Internet connection) | Router (exterior/access) | Perimeter Network with Bastion Host(s) | Router (interior/choke) | Interior Network Hosts*)

9 Control of HTTP queries (diagram: the screened-subnet layout of slide 8, with http queries from the interior hosts and the exterior network marked; blocked paths marked X)

11 Firewall Rules: Intended Semantics
- Source
  - Host
  - Group of hosts
  - Collection of hosts or groups
- Destination
  - Host
  - Group of hosts
  - Collection of hosts or groups
- Service
  - HTTP, SSL, SMTP, etc.
- Action
  - Accept/Deny

12 Packet Header Decision Fields

13 Service
- Often listed with the same name as a protocol
  - HTTP for web
  - SSL for secure connections
  - SSH for secure user connection
- Technically defined by protocol and port combinations
  - HTTP: TCP with destination port 80

14 What is a firewall rule?
- Firewall rules are generally abstracted to a 5-tuple filter and an action
  - The components
    - Source address (IPv4, IPv6)
    - Source port ( )
    - Destination address
    - Destination port
    - Protocol
    - Action: binary, Accept or Deny
  - Addresses are often combinations of ranges and individuals
  - Ports are often ranges
  - Protocol often maps to a single number
  - Other fields do appear; they are not considered at this time.
- Packet tests are order-dependent (sequential)

15 Example: Al-Shaer & Hamed, 2003 (the specific source and destination addresses did not survive extraction; cells marked (lost) were present on the slide)

Rule #  Protocol  Source Address  Source Port  Destination Address  Destination Port  Action
1       tcp       (lost)          any          *.*.*.*              80                deny
2       tcp       (lost).*        any          *.*.*.*              80                accept
3       tcp       *.*.*.*         any          (lost)               (lost)            accept
4       tcp       (lost)          any          *.*.*.*              21                deny
5       tcp       (lost).*        any          *.*.*.*              21                accept
6       tcp       *.*.*.*         any          (lost)               (lost)            accept
7       tcp       *.*.*.*         any          *.*.*.*              any               deny
8       udp       (lost).*        any          *.*.*.*              53                accept
9       udp       *.*.*.*         any          (lost).*             53                accept
10      udp       *.*.*.*         any          *.*.*.*              any               deny

16 Acceptance Space and Volume
- Acceptance space
  - The set of all possible packet values is a non-negative integer lattice in five dimensions
  - The lattice is large (2^32 for two of the dimensions) but finite
    - References to tractability herein are responsiveness concerns, not issues of computability
- Acceptance volume
  - Subset of the acceptance space allowed by the ruleset
  - Product of the correct combination of the predicates of the rules
  - Not equivalent to the list of accept-rule predicates, due to sequential processing and predicate overlap

18 So what are the problems?
- Size complexity
  - Rulesets grow over time
- Interaction complexity
  - Field definition overlap
  - Deliberate use of order-dependence to achieve compactness
- A rule is not the result!
  - List of rules
  - Total effect of the file
- Organizational issues lead to comprehension concerns
  - Administrators change
  - Policy changes
  - Documentation lost

19 Pages 1 and 2, of 114.

20 Challenges
- Dataset
  - Two distinct technical issues
    - Size complexity
    - Interaction complexity
  - Confidentiality issue at every front
    - Examples provided, permission to use denied
    - Training community structurally unresponsive
- Internal ruleset storage/representation
  - Direct rule visualization
    - Interval (non-atomic) data field entries
    - Closure property violation under logical operations
    - Decomposition proofs provide some answers
  - Acceptance set visualization
    - 5-dimensional space: 5-cubes
    - Embedded subsets not convex
    - Extension of solid modeling with logical operations effective
- Visualization of moderate-dimensional data (<10D)

21 Research Objective
- Create interactive visual representations of firewall rulesets that:
  - Enhance the speed & correctness of comprehension of ruleset impact or function
  - Enhance detection of configuration errors
  - Support modification without the introduction of unacceptable side effects
- Required
  - Calculate the acceptance volume
  - Display it
  - Enable editing in response

22 Related work?
- First, NOTHING directly on point
- Point visualizations of 5-tuples
  - Intrusion detection
  - Network traffic
  - Static and time-dependent, partial and complete
  - But no range visualizations, not applicable
- Data structures for firewall decision-making
  - Time- & space-efficient structures
  - Representations not unique
  - But none visualized

23 What’s out there? And the research literature on firewall visualization was simply “None” until 2007.

PolicyVis – Tran et al.,

26 Calculate the Acceptance Volume
- Basic Guttman algorithm
- Implementation choice: constructive solid geometry
  - Integer lattice
  - 5 dimensions: penteracts
  - Axis-aligned, intervals only
- Modifications
  - Convex solid decomposition
  - Add provenance
  - Add created voids

27 Guttman Algorithm
- Convert an order-dependent ruleset to a static set
- Original formulation was recursive
  - Replaced by iteration from the end
- Requires two boolean operations
  - Union for accept predicates
  - Set difference (subtraction) for deny-rule predicates
(flowchart: Clear list → Index = last → Deny or Accept? → Deny: Subtract / Accept: Union → Index − 1 → repeat until Done)

28 Restricted Constructive Solid Geometry
- Treat intervals in five dimensions as a solid
  - Axis-aligned, intervals only
  - No rotations
  - Penteracts specified by 10 values, upper and lower limits
- Existing constructive solid geometry packages
  - Do not appear to go above 3-D
  - Carry sophistication to manage arbitrary object orientation
  - Use logic that eliminates single values in a given dimension
    - In solids with real dimensions, skin overlaps have no volume and are eliminated
    - In our case "degenerate" solids, one value as both upper and lower limit, are real conditions that must be retained
    - Single values needed for our work (protocol #)
- Do it yourself, don't adapt packages

29 Boolean operations on solids
- Work is done on an integer lattice of all non-negative values
- Critical operations are:
  - Set union A ∪ B
  - Set difference A − B = A ∩ ~B
- Goals include:
  - Always maintaining convex solid decompositions
  - ~(~B) = B
  - Making use of A − B = A − (A ∩ B) to limit the need to handle the general case of ~B
  - Maintaining the connection to the rules that generated the volumes
  - Creating a solution approach that works in each dimension so that it can be extended to 5-D with confidence

30 Penteract Constructive Solid Geometry (3D analogue) (figure: the top face of the rule A box (red) has been opened to expose A ∩ B)

31 Use Convex Solid Decomposition
- Simple data structure
  - Only penteracts required
- Calculation complexity
  - 371,293 types of penteract overlap
  - CSD allows one dimension at a time, five pairs of cuts, 13 cases
  - Cost: longer list
- A convex penteract can be visualized easily
  - Parallel set enclosure
(figure: rule A: red volumes; rule B: green volumes; B ∩ A: blue volume; 1-D cuts)

32 371,293 Cases? (13^5) of course!
- Thirteen (13) cases exist for possible overlaps between the intervals in each of five dimensions
  - Actually, 25 cases can be enumerated, but 10 are aphysical and two do not overlap
- In the following discussion, we use T as the target space and A for the volume being "added"
  - T will in fact be only one component of a list of existing blocks
  - The overall algorithm will need to be executed against each relevant block in the acceptance volume
  - The overall algorithm will need to account for A intersecting with more than one component of the T's
- The following analysis assumes initially that the dimensions are not degenerate
  - The resulting algorithm was checked to see if it is robust to handling degenerate cases

33 Where does 13, 15 or 25 come from?
- Consider an interval in a dimension of T, defined by upper and lower limits TL and TH
- There are five distinct regions where each of the boundaries of A (AL and AH, respectively) can fall
  - Two exterior regions
  - One interior region
  - Coincidence with the two boundary values
(figure: regions 1 2 3 4 5 along the axis, with TL and TH at the boundaries of regions 2 and 4)

34 Analysis of One Dimension
- 25 possible cases, in general
- Impose AL ≤ AH: 10 cases removed
- Require the intersection to exist
  - AH ∈ 1: A is below T, no intersection
  - AL ∈ 5: A is above T, no intersection
- 25 − 10 − 2 = 13
  - The argument provides an enumeration of the cases to be handled
  - 13 cases times five dimensions is plausibly correct
  - Yields a 1,198-line Java method
  - The alternative is 13^5 = 371,293 cases

35 Overlap cases for one dimension (impose AL ≤ AH)

AH ∈ \ AL ∈   1              2    3    4    5              Action
1             no intersect
2             X
3             X              X
4             X              X    X
5             X              X    X    X    no intersect

36 Resulting Convex Solid Decomposition (3D) (figure: red volumes: rule A; green volumes: rule B; blue volume: rule A and rule B)

37 Thirteen cases, enumeration of actions
1) Create working copies of T, wT, and A, wA.
2) Pick a dimension.
3) Select the case of the thirteen that applies.
4) Create a copy of wT, wTd, and of wA, wAd (or two of one of them, etc.).
5) Shift the boundary of wTd so it is the excess beyond the common volume.
6) Shift the boundary of wT so it is reduced to the common volume.
7) Shift the boundary of wAd so it is the excess beyond the common volume.
8) Shift the boundary of wA so it is reduced to the common volume.
9) Send wTd and wAd to their respective output lists.
10) Repeat starting at step 2 until all five dimensions are done.

38 Set operations as disposition rules for convex solid decomposition lists

Operation        A − B   A ∩ B            B − A
Union            Keep    Keep             Keep
Intersection     Discard Keep             Discard
Set Difference   Keep    Discard          Discard
Void Difference  Keep    Re-label & Keep  Discard

- All of the set operations are dispositions for three lists
- Only one CSD generation method is required for intersecting penteracts
- Operations become a wrapper around use of that method
- Class PenteractSliceDice

39 Created Voids and Provenance
- Created void
  - Modify Guttman A − B
  - Normal: discard B ∩ A
  - Created void: retain B ∩ A, label with joint provenance
  - Creates a visualizable artifact
- Add provenance of rules
  - List of rules for each penteract
  - Connected to the editor
(figure: rule A: red volumes; rule B: green volumes; B ∩ A: blue volume; 1-D cuts)

40 Handle multiple intersections
- Remaining issue: an added penteract intersects with more than one in the target list
- Add queues for pieces; put penteracts back into the queues if further work is needed
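The Guttman iteration from the last rule, the one-dimension-at-a-time slice-and-dice cut, created voids with provenance, cutting against every existing penteract an added one touches, and the 13-case count from the preceding slides, as an added Python example (it is not the thesis's Java implementation). The ruleset is constructed in the shape of the Al-Shaer & Hamed example with TEST-NET placeholder addresses, since the example table on this page lost its addresses; degenerate single-value intervals (protocol, host addresses) are exercised on purpose.

```python
"""Modified Guttman compilation of an ordered 5-tuple ruleset into a static acceptance
volume held as a convex solid decomposition (CSD) of disjoint axis-aligned penteracts."""
import ipaddress
import math
from typing import List, Set, Tuple

Interval = Tuple[int, int]           # inclusive (low, high); low == high is a legal degenerate interval
Box = Tuple[Interval, ...]           # one interval per dimension: proto, src, sport, dst, dport
Piece = Tuple[Box, Tuple[int, ...]]  # a penteract plus the ids of the rules that shaped it

ANY_ADDR, ANY_PORT, TCP, UDP = (0, 2**32 - 1), (0, 65535), 6, 17

def ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))

def cidr(text: str) -> Interval:
    net = ipaddress.IPv4Network(text)
    return (int(net.network_address), int(net.broadcast_address))

def region(x: int, tl: int, th: int) -> int:
    """Which of the five regions of target interval [TL, TH] a boundary of A falls in."""
    return 1 if x < tl else 2 if x == tl else 3 if x < th else 4 if x == th else 5

def overlap_cases(tl: int, th: int, span: int) -> Set[Tuple[int, int]]:
    """Every (region(AL), region(AH)) that occurs for an A with AL <= AH that actually
    intersects [TL, TH]; the counting argument on the slides says there are 13."""
    return {(region(al, tl, th), region(ah, tl, th))
            for al in range(span) for ah in range(al, span) if ah >= tl and al <= th}

def intersects(t: Box, a: Box) -> bool:
    return all(al <= th and tl <= ah for (tl, th), (al, ah) in zip(t, a))

def volume(box: Box) -> int:
    return math.prod(hi - lo + 1 for lo, hi in box)

def slice_dice(t: Box, a: Box) -> Tuple[List[Box], Box]:
    """Cut target T against A one dimension at a time (assumes they intersect).
    Returns (pieces of T outside A, the common volume T ∩ A). The pieces are
    disjoint, at most two per dimension, so no 13^5 case table is needed."""
    work, outside = list(t), []
    for d, (al, ah) in enumerate(a):
        tl, th = work[d]
        if tl < al:                       # excess of T below the common interval
            low = list(work); low[d] = (tl, al - 1); outside.append(tuple(low))
        if th > ah:                       # excess of T above the common interval
            high = list(work); high[d] = (ah + 1, th); outside.append(tuple(high))
        work[d] = (max(tl, al), min(th, ah))   # shrink T to the common interval
    return outside, tuple(work)

def acceptance_volume(rules) -> Tuple[List[Piece], List[Piece]]:
    """Guttman iteration, last rule first: accept = union, deny = set difference."""
    accepted: List[Piece] = []
    voids: List[Piece] = []
    for rid, box, action in reversed(rules):
        if action == "accept":
            # Union as A - (A ∩ existing): keep only the part of A not already
            # covered, cutting it against every existing piece it touches.
            new = [box]
            for tbox, _ in accepted:
                new = [p for n in new for p in (slice_dice(n, tbox)[0] if intersects(n, tbox) else [n])]
            accepted.extend((b, (rid,)) for b in new)
        else:
            kept: List[Piece] = []
            for tbox, prov in accepted:
                if not intersects(tbox, box):
                    kept.append((tbox, prov)); continue
                outside, common = slice_dice(tbox, box)
                kept.extend((b, prov) for b in outside)
                voids.append((common, prov + (rid,)))   # created void, joint provenance
            accepted = kept
    return accepted, voids

def is_accepted(packet: Tuple[int, ...], accepted: List[Piece]) -> bool:
    return any(all(lo <= v <= hi for v, (lo, hi) in zip(packet, box)) for box, _ in accepted)

# Constructed ruleset in the shape of the Al-Shaer & Hamed example; the addresses
# are TEST-NET placeholders, not the ones used in that paper.
RULES = [
    (1, ((TCP, TCP), (ip("192.0.2.20"),) * 2, ANY_PORT, ANY_ADDR, (80, 80)), "deny"),
    (2, ((TCP, TCP), cidr("192.0.2.0/24"), ANY_PORT, ANY_ADDR, (80, 80)), "accept"),
    (3, ((TCP, TCP), ANY_ADDR, ANY_PORT, (ip("198.51.100.40"),) * 2, (80, 80)), "accept"),
    (4, ((TCP, TCP), ANY_ADDR, ANY_PORT, ANY_ADDR, ANY_PORT), "deny"),
]
```

Compiling RULES yields six disjoint accepted penteracts and three created voids; the voids carry provenance (3, 1), (2, 1) and (2, 1), which is exactly the generalization anomaly between rule 1 and rule 2 made visible.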

42 Visual Approaches
- Parallel coordinates
  - Inselberg lossless multidimensional visualization for points
  - Use parallel set enclosures for display of penteracts
  - Ease of representation was one motivation for use of CSD
- Flow picture
  - Loose pipe or pipeline metaphor
  - Extended polyhedral representation in 3-space
  - Implemented in Java OpenGL for speed and interaction (Keyes)
- Discussion will focus on design, not software implementation
  - Use visual completion for improved capture-anomaly containment visualization

PC Screen Shot 43

Flow Picture Mockup 44

Flow Picture endpoints 45

47 Data Sources
- Requests for operational data sets not favorably received
  - One permitted use case: port exclusion
- Alternative approach: visualize a taxonomy of interactions
- Al-Shaer & Hamed (2003)
  - Firewall Policy Advisor: defined the full range of interactions and created a complete example
- Yuan et al. (2006)
  - FIREMAN (A Toolkit for FIREwall Modeling and Analysis): defined similar structures with one addition and created examples
  - Some examples are only artifacts of CIDR notation
- These examples give us a "complete" set of issues to look at

48 Example: Al-Shaer & Hamed, 2003 (the ruleset table from slide 15, repeated)
- Al-Shaer, E.S. and Hamed, H.H. 2003a. Firewall Policy Advisor for anomaly discovery and rule editing. IFIP/IEEE Eighth International Symposium on Integrated Network Management, March 2003, pp. 17–30.

49 Yuan et al. (2006)
- Yuan, L., Chen, H., Mai, J., Chuah, C-N., Su, Z., and Mohapatra, P. FIREMAN: a toolkit for firewall modeling and analysis. IEEE Symposium on Security and Privacy, May 2006, pp.

50 Anomalies versus Predicate Overlaps (table not recovered)
Note: in this case, there is the additional requirement that there is no correlation or generalization anomaly involving R_i and any rule between it and R_j.

51 Anomalies, by ruleset (tables: anomaly pairs from Al-Shaer and Hamed (2003); Yuan 2006 Script 1 anomalies)

Denial of in Parallel Coordinates 53

Denial of in Flow Picture 54

Selection action in PC view 55

Editor Frame with penteract selection 56

Generalization Anomaly ASH 1) and 2) 57

Generalization Anomaly ASH 1) and 2) 58

Illustration: SA split for Modified ASH 2) 59

Generalization, ASH 2) and 8) 60

Generalization, ASH 2) and 8) 61

Generalization Anomaly, Yuan 4) and 7) 62

Generalization Anomaly, Yuan 4) and 7) 63

Correlation Anomaly, ASH 1) and 3) 64

Correlation Anomaly, ASH 1) and 3) 65

Correlation Anomaly of Yuan 2) and 6) 66

Shadow Anomaly of Yuan 2) and 4) 67

Shadow Anomaly of Yuan 1), 3), and 5) 68

Shadow Anomaly of Yuan 1), 3), and 5) 69

Redundancy Anomaly of ASH 6) and 7) 70

Redundancy Anomaly of ASH 6) and 7) 71

Complete Ruleset, Al-Shaer & Hamed 72

Complete Ruleset, Al-Shaer & Hamed 73

75 What Works?
- Containment is the issue for many anomalies
  - Shown better by the polyhedral representation
  - Effect likely due to assembly of sub-boxes into a single box in the viewer's mind
  - Suggests use of the predicate for accept rules, and created voids
- Created voids produce visual artifacts that
  - Provide awareness of why packets are denied
  - Support editing to address that issue
- Application of visualization directly to configuration space shows promise

76 What doesn't work at present?
- Accept rules preceding deny rules, for any anomaly type
  - Create no object in the calculation
  - Present no visual artifact
  - The "state change" from denied to accepted is not captured
- Deny-deny overlaps have the same problem
  - Response complicated by the use of deny-all rules in subspaces
- Scaling to large rulesets unclear
  - The number of penteracts in the CSD depends on the order of dimensions in processing
  - If analogous to the ordered binary decision diagram representation, the optimal-order issue is likely NP-complete

78 What needs to be done (local)?
- Theoretical developments
  - Extend modified-Guttman to encompass deny rules more effectively
    - Simplest extension, the "denied void", is complicated by deny-all rules for the space and subspaces; leads to potentially massive expansion of the CSD
  - Examine display of accept predicates and created voids
    - Reduces visual complexity by eliminating sliced accepts
    - Uncertain at this time as to correctness
    - May require that turning off created voids be disabled
    - May require careful linked management of voids/accepts
  - Define "relatedness" measures for support of visual controls

79 What needs to be done (local)?
- Software modifications
  - Zoom controls
    - May need to be specialized to two-dimensional subspaces
    - Enterprise defaults for destination space
  - Rule-based selection lists
    - Display penteracts touched by rules (reference in provenance)
  - Consider predicate display in the flow picture
    - Modify color to prevent confusion of displays
    - Supported by the existing OpenGL software package

80 Global Directions
- Firewalls
  - The sub-field needs a few good datasets to extend this work
  - Models for more sophisticated firewall rules
    - State-dependence
    - NAT rules
- Security configuration comprehension
  - The entire computer security domain needs to have visual metaphors created and implemented
  - Feasibility for display
  - Methods of interaction

81 Contributions
- Created a graphics pipeline for firewall configuration
  - Not traffic, or just the rules
- Showed the benefit of maintaining provenance
- Defined a concept to extend the compilation process for rulesets
  - Created voids capture certain historical aspects of the acceptance volume calculation
  - Showed that an extension of history capture is needed (denied void?)
- Showed feasibility of configuration visualization
- Showed potential for improved comprehension from polyhedral representations using projection to two-dimensional space over lossless representations for interval data
- Demonstrated the need for addressing occlusion for interval data

BACKUPS 82

83 DAG Firewall Representations
- Hazelhurst 2000, Yuan 2006: Oriented Binary Decision Diagrams
- Gouda 2004, Liu 2004: Firewall Decision Diagrams
- Tarsa 2006, Fulp 2005: N-ary Tries
- Baboescu 2005: Aggregate Bit Vectors
- Singh 2003: HyperCuts, k-dimensional decision trees
- Thorup 2003: Dynamic Stabbing
- Eppstein 2001: Multidimensional binary search trees
- Gupta 2001: HiCuts, multidimensional cutting
- Qiu 2001: Backtracking search and set pruning tries
- Srinivasan 1999: Tuple space search
- Suri 1999: Combined two-dimensional filters
- Lakshman 1998: Multidimensional range matching
- Srinivasan 1998: Grid of tries and cross-producting

84 All the pieces, unconnected (diagram: Firewall Analysis -> DAGs: Correctness (e.g., OBDD), Packet Classification; Acceptance space: Compilation, Description; Computational Geometry; DAG Visualization; Lossless High Dimension Visualization)