Please use this identifier to cite or link to this item:
http://hdl.handle.net/123456789/15391
| Title: | Security Analysis of Firewall Rule Sets in Computer Networks |
| Authors: | Khaled Alghathbar; Muhammad Khurram Khan; Abdullah AlKelabi |
| Keywords: | Security Analysis, Firewall Rule set. |
| Issue Date: | 2010 |
| Publisher: | IEEE |
| Abstract: | Firewalls are the screening gates for the internet/intranet traffic in computer networks. However, deploying a firewall is simply not enough, since it needs to be configured by the system administrator according to the needs of the organization. There are many reasons why it is hard for the administrator to configure the firewall properly. Specifying a firewall rule set is complicated and error-prone. Once the firewall rules are defined, the firewall should be tested to determine whether it actually implements the firewall policy. In this paper, one of the approaches to firewall rule set analysis, i.e., the problems with the structure of the firewall rule set, is addressed. The structure of a sample firewall rule set is analyzed to detect and resolve conflicts using two structural analysis methodologies, i.e., Policy Tree and Relational Algebra. Then the results obtained from the test using an automated tool, PolicyVisor, which is based on the policy tree methodology, are analyzed. The analysis finds that even a set of only six rules has a number of anomalies. Moreover, it is hard for a human to find such anomalies manually in a larger rule set, and failure to find such anomalies leads to a change in the firewall policy. |
| URI: | http://hdl.handle.net/123456789/15391 |
| Appears in Collections: | College of Computer and Information Sciences |