Aggregating and Deploying Network Access Control Policies

The existence of errors or inconsistencies in the configuration of security components, such as filtering routers and/or firewalls, may lead to weak access control policies -- potentially easy to be evaded by unauthorized parties. We present in this …

Authors: Joaquin Garcia-Alfaro, Frederic Cuppens, Nora Cuppens-Boulahia

Joaquín G. Alfaro (Universitat Oberta de Catalunya, Rambla Poble Nou 156, 08018 Barcelona, Spain; joaquin.garcia-alfaro@acm.org), Frédéric Cuppens and Nora Cuppens-Boulahia (GET/ENST-Bretagne, 2 rue de la Châtaigneraie, 35576 Cesson-Sévigné, France; {frederic.cuppens,nora.cuppens}@enst-bretagne.fr)

Abstract. The existence of errors or inconsistencies in the configuration of security components, such as filtering routers and/or firewalls, may lead to weak access control policies, potentially easy to evade by unauthorized parties. We present in this paper a proposal to create, manage, and deploy consistent policies in those components in an efficient way. To do so, we combine two main approaches. The first is the use of an aggregation mechanism that yields consistent configurations or signals inconsistencies. Through this mechanism we can fold the existing policies of a given system and create a consistent, global set of access control rules that is easy to maintain and manage using a single syntax. The second is the use of a refinement mechanism that guarantees the proper deployment of such a global set of rules into the system while keeping it free of inconsistencies.

1 Introduction

In order to defend the resources of an information system against unauthorized actions, the administrator of that system must define a security policy, i.e. a set of rules stating what is permitted and what is prohibited during normal operation. Once the complete set of prohibitions and permissions is specified, the administrator must decide which security mechanisms to use in order to enforce it. This enforcement consists in distributing the security rules expressed in the policy over different security components, such as filtering routers and firewalls.
This implies cohesion of the security functions supplied by these components. Indeed, security rules deployed over different components must be consistent: they must take the same decisions under equivalent conditions, and must not repeat the same actions more than once.

A first solution to ensure these requirements is to apply a formal security model to express network security policies. In [11], for example, an access control language based on XML syntax and supported by the access control model Or-BAC [1] is proposed for specifying access control meta-rules, which are then refined into different firewall configuration rules through XSLT transformations. In [14], another top-down proposal based on the RBAC model [17] is suggested for the same purpose. However, although the use of formal models ensures cohesion, completeness and optimization as built-in properties, in most cases administrators are reluctant to define a whole security policy from scratch; they expect to recycle existing configurations previously deployed over a given system.

A second solution to guarantee consistent and non-redundant firewall configurations consists in analyzing and fixing rules already deployed. In [13], for example, a taxonomy of conflicts in security policies is presented, and two main categories are proposed: (1) intra-firewall anomalies, which refer to those conflicts that might exist within the local set of rules of a given firewall; (2) inter-firewall anomalies, which refer to those conflicts that might exist between the configuration rules of different firewalls that match the same traffic. The authors of [13] propose, moreover, an audit mechanism to discover and warn about these anomalies.
In [2, 3], we pointed out some limitations of [13], and presented an alternative set of anomalies and audit algorithms that detect, report, and eliminate the intra- and inter-component inconsistencies existing in distributed security setups, where both firewalls and NIDSs are in charge of the network security policy.

The main drawback of the first solution, i.e. refinement processes such as [11, 14], is the need to formally write a global security policy from scratch, together with a deep knowledge of a given formal model. This may explain why this solution is not yet widely used, and why most of the time policies are simply deployed based on the expertise and flair of security administrators. The main drawback of the second solution, i.e. audit processes such as [13, 2] for analyzing local and distributed security setups, is the lack of knowledge about the deployed policy from a global point of view, which is very helpful for maintenance and troubleshooting tasks.

In this paper we propose to combine both solutions to better guarantee the requirements specified for a given network access control policy. Our procedure consists of two main steps. In the first step, the complete set of local policies already deployed over each firewall of a given system is aggregated, and a global security policy is derived. In a second step, it is then possible to update, analyze, and redeploy such a global security policy into several local policies, still free of anomalies. We need, moreover, a preliminary step for retrieving all those details of the system's topology which may be necessary during the aggregation and deployment processes (cf. Section 2). The use of automatic network tools, such as [18], may allow us to generate this information automatically, and to properly manage any change within the system.
The rest of this paper is organized as follows. We first present in Section 2 the formalism we use to specify filtering rules, and the network model we use to represent the topology of the system. We describe in Section 3 our mechanisms to aggregate and deploy firewall configuration rules, and prove the correctness of such mechanisms. We present some related work in Section 4, and close the paper in Section 5 with some conclusions and future work.

2 Rules, Topology and Anomalies

We recall in this section some of the definitions previously introduced in [2, 3]. We first define a filtering rule in the form $R_i : \{cnd_i\} \rightarrow decision_i$, where $i$ is the relative position of the rule within the set of rules, $decision_i$ is a boolean expression in $\{accept, deny\}$, and $\{cnd_i\}$ is a conjunctive set of condition attributes (protocol, source, destination, and so on), such that $\{cnd_i\} = A_1 \wedge A_2 \wedge \dots \wedge A_p$, where $p$ is the number of condition attributes of a given filtering rule.

We now define a set of functions to determine which firewalls of the system are crossed by a given packet, knowing its source and destination. Let $F$ be a set of firewalls and let $Z$ be a set of zones. We assume that the zones in $Z$ are pairwise disjoint, i.e. if $z_i \in Z$ and $z_j \in Z$ with $i \neq j$, then $z_i \cap z_j = \emptyset$. We define the predicates $connected(f_1, f_2)$ (true whenever there exists at least one interface connecting firewall $f_1$ to firewall $f_2$) and $adjacent(f, z)$ (true whenever zone $z$ is interfaced to firewall $f$). We then define a set of paths, $P$, as follows. If $f \in F$ then $[f] \in P$ is an atomic path. Similarly, if $[p.f_1] \in P$ (where "." is a concatenation functor) and $f_2 \in F$, such that $f_2 \notin p$ and $connected(f_1, f_2)$, then $[p.f_1.f_2] \in P$.
Let us now define the functions $first$, $last$, and $tail$ from $P$ to $F$, such that if $p$ is a path then $first(p)$ is the first firewall in the path, $last(p)$ is the last firewall in the path, and $tail(f, p)$ is the rest of the firewalls in the path after firewall $f$. We also define the order functor between paths $p_1 \leq p_2$, which holds when path $p_1$ is shorter than $p_2$ and all the firewalls within $p_1$ are also within $p_2$. We define the function $route$ such that $p \in route(z_1, z_2)$ iff path $p$ connects zone $z_1$ to zone $z_2$, i.e. $p \in route(z_1, z_2)$ iff $adjacent(first(p), z_1)$ and $adjacent(last(p), z_2)$; and the minimal route (or $MR$ for short), such that $p \in MR(z_1, z_2)$ iff the following conditions hold: (1) $p \in route(z_1, z_2)$; (2) there does not exist $p' \in route(z_1, z_2)$ such that $p' < p$.

Let us finally close this section with an overview of the complete set of anomalies defined in our previous work [2, 3].

Intra-firewall anomalies

• Shadowing: A configuration rule $R_i$ is shadowed in a set of configuration rules $R$ when the rule never applies because all the packets that $R_i$ may match are previously matched by another rule, or combination of rules, with higher priority.
• Redundancy: A configuration rule $R_i$ is redundant in a set of configuration rules $R$ when the following conditions hold: (1) $R_i$ is not shadowed by any other rule or set of rules; (2) when removing $R_i$ from $R$, the security policy does not change.

Inter-firewall anomalies

• Irrelevance: A configuration rule $R_i$ is irrelevant in a set of configuration rules $R$ if one of the following conditions holds: (1) both source and destination address are within the same zone; (2) the firewall is not within the minimal route that connects the source zone to the destination zone.
• Full/Partial-redundancy: A redundancy anomaly (see footnote 1) occurs between two firewalls when the firewall closest to the destination zone blocks (completely or partially) traffic that is already blocked by the first firewall.
• Full/Partial-shadowing: A shadowing anomaly occurs between two firewalls when the one closest to the destination zone does not block traffic that is already blocked by the first firewall.
• Full/Partial-misconnection: A misconnection anomaly occurs between two firewalls when the firewall closest to the source zone allows all the traffic, or just a part of it, that is denied by the second one.

Footnote 1: Although this kind of redundancy is sometimes expressly introduced by network administrators (e.g., to guarantee that the forbidden traffic will not reach the destination), it is important to report it since, if such a rule is applied, we may conclude that at least one of the redundant components is working wrongly.

3 Proposed Mechanisms

The objective of our proposal is the following. From a set $F$ of firewalls initially deployed over a set $Z$ of zones, and provided that neither intra- nor inter-firewall anomalies apply to such a setup, we aim to derive a single global security policy setup $R$, also free of anomalies. This set of rules $R$ can then be maintained and updated as a whole (see footnote 2), as well as redeployed over the system through a further refinement process. We present in the following the main processes of our proposal.

3.1 Aggregation of Policies

Our aggregation mechanism works as follows. During an initial step (not covered in this paper) it gathers all those details of the system's topology which may be necessary during the rest of the stages.
The use of network tools, such as [18], allows us to properly manage this information: the set $F$ of firewalls, the set of configuration rules $f[rules]$ of each firewall $f \in F$, the set $Z$ of zones of the system, and the other topological details defined in Section 2. An analysis of intra-firewall anomalies is then performed within the first stage of the aggregation process, in order to discover and fix any possible anomaly within the local configuration of each firewall $f \in F$. In the next step, an analysis of inter-firewall anomalies is performed at the same time as the aggregation of policies into $R$. If an anomaly within the initial setup is discovered, an aggregation error warns the officer and the process quits. Conversely, if no inter-firewall anomalies are found, a global set of rules $R$ is generated and returned as the result of the whole aggregation process.

We present in Algorithm 1 our proposed aggregation process. The input is a set $F$ of firewalls whose configurations we want to fold into a global set of rules $R$. For reasons of clarity, we assume in our algorithm that one can access the elements of a set as a linked list through the operator $element_i$. We also assume one can add new values to the list as with any other normal variable ($element_i \leftarrow value$), as well as remove and initialize elements through the addition of an empty set ($element_i \leftarrow \emptyset$). The internal order of elements in the linked list, moreover, preserves the relative ordering of elements.

The aggregation process consists of two main phases. During the first phase (cf. lines 2 and 3 of Algorithm 1), and through an iterative call to the auxiliary function policy-rewriting (cf. Algorithm 4), it analyzes the complete set $F$ of firewalls in order to discover and remove any possible intra-firewall anomaly.
Thus, after this first stage, no useless rule may remain in the local configuration of any firewall $f \in F$. We refer to Section 3.2 for a more detailed description of this function.

Footnote 2: These operations are not covered in the paper.

Algorithm 1: aggregation(F)
 1  /* Phase 1 */
 2  foreach f1 ∈ F do
 3      policy-rewriting(f1[rules]);
 4  /* Phase 2 */
 5  R ← ∅;
 6  i ← ∅;
 7  foreach f1 ∈ F do
 8      foreach r1 ∈ f1[rules] do
 9          Zs ← {z ∈ Z | z ∩ source(r1) ≠ ∅};
10          Zd ← {z ∈ Z | z ∩ destination(r1) ≠ ∅};
11          foreach z1 ∈ Zs do
12              foreach z2 ∈ Zd do
13                  if (z1 = z2) or (f1 ∉ MR(z1, z2)) then
14                      aggregationError();
15                      return ∅;
16                  else if (r1[decision] = "accept") then
17                      foreach f2 ∈ MR(z1, z2) do
18                          f2rd ← ∅;
19                          f2rd ← {r2 ∈ f2 | r1 ∽ r2 ∧
20                                  r2[decision] = "deny"};
21                          if (¬empty(f2rd)) then
22                              aggregationError();
23                              return ∅;
24                          else
25                              f2ra ← ∅;
26                              f2ra ← {r2 ∈ f2 | r1 ∽ r2 ∧
27                                      r2[decision] = "accept"};
28                              foreach r2 ∈ f2ra do
29                                  Ri ← Ri ∪ r2;
30                                  Ri[source] ← z1;
31                                  Ri[destination] ← z2;
32                                  i ← (i + 1);
33                                  r2 ← ∅;
34                  else if (f1 = first(MR(z1, z2))) then
35                      f3r ← ∅;
36                      foreach f3 ∈ tail(f1, MR(z1, z2)) do
37                          f3r ← {r3 ∈ f3 | r1 ∽ r3} ∪ f3r;
38                      if (¬empty(f3r)) then
39                          aggregationError();
40                          return ∅;
41                      else
42                          Ri ← Ri ∪ r1;
43                          Ri[source] ← z1;
44                          Ri[destination] ← z2;
45                          i ← (i + 1);
46                          r1 ← ∅;
47                  else
48                      aggregationError();
49                      return ∅;
50  policy-rewriting(R);
51  return R;

During the second phase (cf. lines 5–51 of Algorithm 1), the aggregation of firewall configurations is performed as follows.
For each permission configured in a firewall $f \in F$, the process folds the whole chain of permissions (see footnote 3) within the components on the minimal route from the source zone to the destination zone; for each prohibition, it directly keeps the rule, assuming that it belongs to the firewall closest to the source and that no further prohibitions are placed on the minimal route from the source zone to the destination zone. Moreover, while the aggregation of policies is being performed, an analysis of inter-firewall anomalies is also applied in parallel. Then, if any inter-firewall anomaly is detected during the aggregation of rules $R \leftarrow aggregation(F)$, an error message is raised and the process quits.

Let us for example assume that during the aggregation process, a filtering rule $r_i \in f_i[rules]$ presents an inter-firewall irrelevance, i.e., $r_i$ is a rule that applies to a source zone $z_1$ and a destination zone $z_2$ (such that $s = z_1 \cap source(r_i) \neq \emptyset$ and $d = z_2 \cap destination(r_i) \neq \emptyset$) and either $z_1$ and $z_2$ are the same zone, or firewall $f_i$ is not in the path $[f_1, f_2, \dots, f_k] \in MR(z_1, z_2)$. In this case, we can observe that during the folding process specified by Algorithm 1, the statement of line 13, i.e., $(z_1 = z_2)$ or $(f_i \notin MR(z_1, z_2))$, becomes true and, then, the aggregation process finishes with an error and returns an empty set of rules (cf. statements of lines 14 and 15).

Similarly, let us assume that $r_i \in f_i[rules]$ presents an inter-firewall redundancy, i.e., $r_i$ is a prohibition that applies to a source zone $z_1$ and a destination zone $z_2$ (such that $s = z_1 \cap source(r_i) \neq \emptyset$, $d = z_2 \cap destination(r_i) \neq \emptyset$, and $[f_1, f_2, \dots, f_k] \in MR(z_1, z_2)$) and firewall $f_i$ is not the first component in $MR(z_1, z_2)$.
In this case, we can observe that during the folding process specified by Algorithm 1, the statement of line 34, i.e., $f_i = first(MR(z_1, z_2))$, becomes false and, then, the aggregation process finishes with an error and returns an empty set of rules.

Let us now assume that $r_i \in f_i[rules]$ presents an inter-firewall shadowing, i.e., $r_i$ is a permission that applies to a source zone $z_1$ and a destination zone $z_2$ such that there exists an equivalent prohibition $r_j$ that belongs to a firewall $f_j$ which, in turn, is closer to the source zone $z_1$ in $MR(z_1, z_2)$. In this case, we can observe that during the folding process specified by Algorithm 1, the statement of line 38 detects that, after a prohibition in the first firewall of $MR(z_1, z_2)$, i.e., $f_j = first(MR(z_1, z_2))$, there is at least one permission $r_i$ that correlates the same attributes. Then, the aggregation process finishes with an error and returns an empty set of rules.

Let us finally assume that $r_i \in f_i[rules]$ presents an inter-firewall misconnection, i.e., $r_i$ is a prohibition that applies to a source zone $z_1$ and a destination zone $z_2$ such that there exists at least one permission $r_j$ that belongs to a firewall $f_j$ closer to the source zone $z_1$ in $MR(z_1, z_2)$. In this case, we can observe that during the folding process specified by Algorithm 1, the statement of line 21 detects this anomaly and, then, the process finishes with an error and returns an empty set of rules.

Footnote 3: The operator "∽" is used within Algorithm 1 to denote that two rules $r_i$ and $r_j$ are correlated, i.e. every attribute in $r_i$ has a non-empty intersection with the corresponding attribute in $r_j$.
It is then straightforward to conclude that, when no inter-firewall anomaly applies to any firewall $f \in F$, our aggregation process returns a global set of filtering rules $R$ containing the union of all the filtering rules previously deployed over $F$. It is still necessary to post-process $R$, in order to remove the redundancy among the permissions, i.e. accept rules, gathered during the aggregation process. To do so, the aggregation process calls at the end of the second phase (cf. line 50 of Algorithm 1) the auxiliary function policy-rewriting (cf. Algorithm 4). We offer in the following a more detailed description of this function.

3.2 Policy Rewriting

We recall in this section our audit process to discover and remove rules that never apply or are redundant in local firewall policies [9, 10]. The process is based on the analysis of relationships between the configuration rules of a local policy. Through a rewriting of rules, it derives from an initial set $R$ an equivalent one, $Tr(R)$, completely free of dependencies between attributes, i.e. without either redundant or shadowed rules. The whole process is split into three main functions (cf. Algorithms 2, 3 and 4).

The first function, exclusion (cf. Algorithm 2), is an auxiliary process which performs the exclusion of attributes between two rules. It receives as input two rules, $A$ and $B$, and returns a third rule, $C$, whose set of condition attributes is the exclusion of the conditions of $A$ from $B$. We represent the attributes of each rule in the form $Rule[cnd]$ (see footnote 4) as a boolean expression over $p$ possible attributes (such as source, destination, protocol, ports, and so on). Similarly, we represent the decision of the rule in the form $Rule[decision]$ as a boolean variable whose values are in $\{accept, deny\}$.
Moreover, we use two extra elements for each rule, in the form $Rule[shadowing]$ and $Rule[redundancy]$, as two boolean variables in $\{true, false\}$ that record the reason why a rule may disappear during the process.

The second function, testRedundancy (cf. Algorithm 3), is a boolean function in $\{true, false\}$ which, in turn, applies the transformation exclusion (cf. Algorithm 2) over a set of configuration rules to check whether the first rule is redundant, i.e. applies the same policy as the rest of the rules.

Footnote 4: We use the notation $A_i$ and $B_i$ as an abbreviation of $A[cnd][i]$ and $B[cnd][i]$ in the statements of lines 6–12.

Finally, the third function, policy-rewriting (cf. Algorithm 4), performs the whole process of detecting and removing the complete set of intra-firewall anomalies. It receives as input a set $R$ of rules, and performs the audit process in two different phases.

Algorithm 2: exclusion(B, A)
 1  C[cnd] ← ∅;
 2  C[decision] ← B[decision];
 3  C[shadowing] ← false;
 4  C[redundancy] ← false;
 5  forall the elements of A[cnd] and B[cnd] do
 6      if ((A1 ∩ B1) ≠ ∅ and (A2 ∩ B2) ≠ ∅ and ... and (Ap ∩ Bp) ≠ ∅) then
 7          C[cnd] ← C[cnd] ∪
 8              {(B1 − A1) ∧ B2 ∧ ... ∧ Bp,
 9               (A1 ∩ B1) ∧ (B2 − A2) ∧ ... ∧ Bp,
10               (A1 ∩ B1) ∧ (A2 ∩ B2) ∧ (B3 − A3) ∧ ... ∧ Bp,
11               ...
12               (A1 ∩ B1) ∧ ... ∧ (Ap−1 ∩ Bp−1) ∧ (Bp − Ap)};
13      else
14          C[cnd] ← (C[cnd] ∪ B[cnd]);
15  return C;

Algorithm 3: testRedundancy(R, r)
 1  i ← 1;
 2  temp ← r;
 3  while (i ≤ count(R)) do
 4      temp ← exclusion(temp, Ri);
 5      if temp[cnd] = ∅ then
 6          return true;
 7      i ← (i + 1);
 8  return false;

During the first phase, any possible shadowing between rules with different decision values is marked and removed by iteratively applying function exclusion (cf. Algorithm 2).
The resulting set of rules obtained after the execution of the first phase is analyzed again in the second phase. Each rule is first checked, through a call to function testRedundancy (cf. Algorithm 3), against those rules written after it that can apply the same decision to the same traffic. If the redundancy test is true, the rule is marked as redundant and then removed. Otherwise, its attributes are excluded from the rest of the equivalent rules with lower priority in the order. In this way, if any shadowing between rules with the same decision remained undetected during the first phase, it is then marked and removed.

Algorithm 4: policy-rewriting(R)
 1  n ← count(R);
 2  /* Phase 1 */
 3  for i ← 1 to (n − 1) do
 4      for j ← (i + 1) to n do
 5          if Ri[decision] ≠ Rj[decision] then
 6              Rj ← exclusion(Rj, Ri);
 7              if Rj[cnd] = ∅ then
 8                  Rj[shadowing] ← true;
 9  /* Phase 2 */
10  for i ← 1 to (n − 1) do
11      Ra ← {rk ∈ R | n ≥ k > i and
12                     rk[decision] = ri[decision]};
13      if testRedundancy(Ra, Ri) then
14          Ri[cnd] ← ∅;
15          Ri[redundancy] ← true;
16      else
17          for j ← (i + 1) to n do
18              if Ri[decision] = Rj[decision] then
19                  Rj ← exclusion(Rj, Ri);
20                  if (¬Rj[redundancy] and
21                      Rj[cnd] = ∅) then
22                      Rj[shadowing] ← true;

Based on the processes defined in Algorithms 2, 3, and 4, we can prove (see footnote 5) the following theorem:

Theorem 1. Let $R$ be a set of filtering rules and let $Tr(R)$ be the resulting filtering rules obtained by applying Algorithm 4 to $R$. Then the following statements hold: (1) $R$ and $Tr(R)$ are equivalent; (2) ordering the rules in $Tr(R)$ is no longer relevant; (3) $Tr(R)$ is free from both shadowing and redundancy.

3.3 Deployment of Rules

We finally present in Algorithm 5 our proposed refinement mechanism for the deployment of an updated global set of rules.
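Before turning to the deployment algorithm, here is the policy-rewriting process of Section 3.2 (Algorithms 2 to 4) run on a constructed five-rule local policy, as an added example written for this page and not the authors' own code. It assumes that rule conditions are finite sets over three attributes (source, destination, destination port), so that intersection and set difference are exact; two further choices are the example's, not the listings': exclusion carries B's shadowing/redundancy flags over to C where Algorithm 2 resets them to false, and phase 2 skips rules already emptied in phase 1. The function and attribute names and the sample rules are likewise assumptions of the example.

```python
"""Intra-firewall anomaly removal: exclusion, testRedundancy and
policy-rewriting (Algorithms 2-4).  Example code written for this page, not
the authors' own.  A rule condition is a set of conjunctions; a conjunction is
a tuple of attribute sets (source, destination, destination port), so set
difference and intersection are exact."""
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    cnd: set             # set of conjunctions, each a tuple of frozensets
    decision: str        # "accept" or "deny"
    shadowing: bool = False
    redundancy: bool = False

def exclude_conj(b, a):
    """Split conjunction b into the pieces that do not overlap conjunction a
    (the union on lines 7-12 of Algorithm 2); pieces with an empty attribute vanish."""
    if not all(bi & ai for bi, ai in zip(b, a)):
        return [b]                       # no overlap on some attribute: b is kept whole
    pieces = []
    for k in range(len(b)):
        piece = tuple(b[i] & a[i] for i in range(k)) + (b[k] - a[k],) + b[k + 1:]
        if all(piece):
            pieces.append(piece)
    return pieces

def exclusion(B, A):
    """Algorithm 2: rule C = B with the conditions of A excluded.  Unlike the
    listing, B's flags are carried over to C so later checks can read them."""
    cnd = set(B.cnd)
    for a in A.cnd:
        cnd = {piece for b in cnd for piece in exclude_conj(b, a)}
    return Rule(B.name, cnd, B.decision, B.shadowing, B.redundancy)

def is_redundant(Ra, r):
    """Algorithm 3 (testRedundancy): True when the rules in Ra jointly cover r."""
    temp = r
    for other in Ra:
        temp = exclusion(temp, other)
        if not temp.cnd:
            return True
    return False

def policy_rewriting(R):
    """Algorithm 4, in place on the list R (priority order = list order)."""
    n = len(R)
    # Phase 1: shadowing between rules with different decisions
    for i in range(n - 1):
        for j in range(i + 1, n):
            if R[i].decision != R[j].decision:
                R[j] = exclusion(R[j], R[i])
                if not R[j].cnd:
                    R[j].shadowing = True
    # Phase 2: redundancy, then shadowing between rules with the same decision
    for i in range(n - 1):
        if not R[i].cnd:                 # guard added here: rule already emptied in phase 1
            continue
        Ra = [r for r in R[i + 1:] if r.decision == R[i].decision]
        if is_redundant(Ra, R[i]):
            R[i].cnd = set()
            R[i].redundancy = True
        else:
            for j in range(i + 1, n):
                if R[i].decision == R[j].decision:
                    R[j] = exclusion(R[j], R[i])
                    if not R[j].redundancy and not R[j].cnd:
                        R[j].shadowing = True
    return R

def surviving(R):
    """Names of the rules left in Tr(R)."""
    return [r.name for r in R if r.cnd]

def conj(src, dst, ports):
    return (frozenset(src), frozenset(dst), frozenset(ports))

# Constructed local policy, highest priority first.
SAMPLE = [
    Rule("R1", {conj({1, 2}, {10}, {80})}, "accept"),
    Rule("R2", {conj({1, 2, 3}, {10}, {80})}, "deny"),     # partly shadowed by R1
    Rule("R3", {conj({1}, {10}, {80})}, "accept"),         # fully shadowed by R1
    Rule("R4", {conj({5}, {10}, {80})}, "accept"),         # redundant given R5
    Rule("R5", {conj({5}, {10}, {80, 443})}, "accept"),
]

def run():
    """Rewrite a fresh copy of SAMPLE and return the transformed list."""
    return policy_rewriting([Rule(r.name, set(r.cnd), r.decision) for r in SAMPLE])

if __name__ == "__main__":
    for r in run():
        state = "shadowed" if r.shadowing else "redundant" if r.redundancy else r.cnd
        print(r.name, r.decision, state)
```

Running it marks R3 as shadowed (a permission entirely covered by the higher-priority R1), marks R4 as redundant (covered by the later R5 with the same decision) and leaves R2 holding only the source host 3, the part of its condition not already accepted by R1; that last case is the partial shadowing that Algorithm 4 rewrites rather than merely reports, which is what makes the order of Tr(R) irrelevant.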
The deployment strategy defined in the algorithm is the following. Let $F$ be the set of firewalls that partitions the system into the set $Z$ of zones. Let $R$ be the set of configuration rules resulting from the maintenance of a global set of rules obtained from the aggregation process presented in Section 3.1 (cf. Algorithm 1). Let $r \in R$ be a configuration rule that applies to a source zone $z_1$ and a destination zone $z_2$, such that $s = z_1 \cap source(r) \neq \emptyset$ and $d = z_2 \cap destination(r) \neq \emptyset$. Let $r'$ be a rule identical to $r$ except that $source(r') = s$ and $destination(r') = d$. Let us finally assume that $[f_1, f_2, \dots, f_k] \in MR(z_1, z_2)$. Then, any rule $r \in R$ is deployed over the system as follows:

• If $r[decision] = accept$ then deploy a permission $r'$ on every firewall on the minimal route from source $s$ to destination $d$.
• If $r[decision] = deny$ then deploy a single prohibition $r'$ (see footnote 6) on the most-upstream firewall (i.e., the firewall closest to the source) of the minimal route from source $s$ to destination $d$. If such a firewall does not exist, then generate a deployment error message.

Footnote 5: A set of proofs to validate Theorem 1, as well as a complexity analysis of function policy-rewriting (cf. Algorithm 4) and its performance in a research prototype, is provided in [9].
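The second phase of the aggregation process (Algorithm 1) and the deployment strategy just described, as one added example written for this page rather than the authors' implementation. It models the topology of Section 2 (zones, adjacent, connected, route, MR) on a constructed three-zone network with two firewalls, folds a constructed setup into a global rule list, raises the aggregation error for a setup that places a prohibition behind the first firewall of the minimal route, and redeploys the folded rules with the placement of Algorithm 5. Assumptions of the example: rule attributes are finite sets of host ids and protocol strings, the intra-firewall rewriting of phase 1 has already been applied, there is a single minimal route per zone pair, dropping exact duplicates stands in for the final policy-rewriting(R) call, and folded rules are restricted to the zone intersection (the $r'$ of this section) rather than widened to the whole zone as the listing writes it.

```python
"""Topology (Section 2), aggregation (Algorithm 1, phase 2) and deployment
(Algorithm 5) on a constructed three-zone network.  Example code written for
this page, not the authors' implementation; phase 1 is assumed already done."""
from itertools import product

# Constructed topology:  A --[f1]-- B --[f2]-- C
ZONES = {"A": frozenset(range(1, 11)), "B": frozenset(range(11, 21)),
         "C": frozenset(range(21, 31))}
ADJACENT = {"f1": {"A", "B"}, "f2": {"B", "C"}}   # adjacent(f, z)
CONNECTED = {frozenset({"f1", "f2"})}             # connected(f1, f2)

class AnomalyError(Exception):
    """Raised where the paper calls aggregationError() or deploymentError()."""

def routes(z1, z2):
    """route(z1, z2): paths whose first firewall touches z1 and last touches z2."""
    out = []
    def walk(path):
        if z2 in ADJACENT[path[-1]]:
            out.append(tuple(path))
        for f in ADJACENT:       # extend with a connected firewall not yet on the path
            if f not in path and frozenset({path[-1], f}) in CONNECTED:
                walk(path + [f])
    for f in ADJACENT:
        if z1 in ADJACENT[f]:
            walk([f])
    return out

def minimal_routes(z1, z2):
    """MR(z1, z2): routes that do not strictly contain another route's firewalls."""
    rs = routes(z1, z2)
    return [p for p in rs if not any(set(q) < set(p) for q in rs)]

def correlated(r1, r2):   # r1 ~ r2 (footnote 3): every attribute pair intersects
    return all(r1[a] & r2[a] for a in ("src", "dst", "proto"))

def restrict(r, z1, z2):  # r' of Section 3.3: source/destination cut down to z1/z2
    return dict(r, src=r["src"] & ZONES[z1], dst=r["dst"] & ZONES[z2])

def zones_of(hosts):
    return [z for z in ZONES if ZONES[z] & hosts]

def aggregate(setup):
    """Fold {firewall: [rules]} into one global list R; raise on any inter-firewall anomaly."""
    fws = {f: list(rs) for f, rs in setup.items()}
    R = []
    for f1 in fws:
        for r1 in list(fws[f1]):
            if r1 not in fws[f1]:    # already folded through another firewall
                continue
            consumed = []
            for z1, z2 in product(zones_of(r1["src"]), zones_of(r1["dst"])):
                mr = [p for p in minimal_routes(z1, z2) if f1 in p]
                if z1 == z2 or not mr:
                    raise AnomalyError(f"irrelevance: {f1} is not on MR({z1},{z2})")
                path = mr[0]         # assumption: a single minimal route per zone pair
                if r1["decision"] == "accept":
                    if any(correlated(r1, r2) and r2["decision"] == "deny"
                           for f2 in path for r2 in fws[f2]):
                        raise AnomalyError(f"shadowing/misconnection on {path}")
                    for f2 in path:  # fold the whole chain of permissions
                        for r2 in fws[f2]:
                            if correlated(r1, r2) and r2["decision"] == "accept":
                                R.append(restrict(r2, z1, z2))
                                consumed.append((f2, r2))
                elif f1 == path[0]:
                    if any(correlated(r1, r3) for f3 in path[1:] for r3 in fws[f3]):
                        raise AnomalyError(f"shadowing/redundancy after {f1} on {path}")
                    R.append(restrict(r1, z1, z2))
                    consumed.append((f1, r1))
                else:
                    raise AnomalyError(f"redundancy: prohibition on {f1} is not first({path})")
            for f, r in consumed:    # the r2 <- {} / r1 <- {} steps of Algorithm 1
                if r in fws[f]:
                    fws[f].remove(r)
    return [r for k, r in enumerate(R) if r not in R[:k]]  # stands in for policy-rewriting(R)

def deploy(R):
    """Algorithm 5: permissions on every firewall of MR, prohibitions on first(MR) only."""
    fws = {f: [] for f in ADJACENT}
    for r in R:
        for z1, z2 in product(zones_of(r["src"]), zones_of(r["dst"])):
            mr = minimal_routes(z1, z2)
            if not mr:
                raise AnomalyError(f"deployment error: no route from {z1} to {z2}")
            for f in (mr[0] if r["decision"] == "accept" else mr[0][:1]):
                fws[f].append(restrict(r, z1, z2))
    return fws

def rule(src, dst, proto, decision):
    return {"src": frozenset(src), "dst": frozenset(dst), "proto": frozenset(proto),
            "decision": decision}

# Constructed setups: one consistent, one with a prohibition behind the first firewall.
WEB = rule(ZONES["A"], ZONES["C"], {"tcp/80"}, "accept")
NO_SSH = rule(ZONES["A"], ZONES["B"], {"tcp/22"}, "deny")
GOOD = {"f1": [WEB, NO_SSH], "f2": [dict(WEB)]}
BAD = {"f1": [WEB], "f2": [dict(WEB), rule(ZONES["A"], ZONES["C"], {"tcp/22"}, "deny")]}

def anomaly(setup):
    """The aggregation error message for setup, or None when it folds cleanly."""
    try:
        aggregate(setup)
    except AnomalyError as e:
        return str(e)
    return None
```

For GOOD, the two copies of the web permission on f1 and f2 fold into a single global rule and the SSH prohibition is kept once, since f1 is first(MR(A, B)); deploying that global list puts the permission back on both firewalls and the prohibition only on f1, reproducing the original setup. For BAD, the prohibition on f2 sits behind f1 on MR(A, C), so aggregation stops with the redundancy error instead of silently folding it.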
Algorithm 5: deployment(R, Z)
 1  policy-rewriting(R);
 2  foreach r1 ∈ R do
 3      Zs ← {z ∈ Z | z ∩ source(r1) ≠ ∅};
 4      Zd ← {z ∈ Z | z ∩ destination(r1) ≠ ∅};
 5      foreach z1 ∈ Zs do
 6          foreach z2 ∈ Zd do
 7              if r1[decision] = "accept" then
 8                  foreach f1 ∈ MR(z1, z2) do
 9                      r'1 ← r1;
10                      r'1[source] ← z1;
11                      r'1[destination] ← z2;
12                      f1[rules] ← f1[rules] ∪ r'1;
13              else if r1[decision] = "deny" then
14                  f1 ← first(MR(z1, z2));
15                  if (¬empty(f1)) then
16                      r'1 ← r1;
17                      r'1[source] ← z1;
18                      r'1[destination] ← z2;
19                      f1[rules] ← f1[rules] ∪ r'1;
20                  else
21                      deploymentError();
22                      exit();

It is now straightforward to prove that the deployment of a given set of rules $R$ through Algorithm 5 is free of both intra- and inter-firewall anomalies (cf. Section 2). On the one hand, during the earliest stage of Algorithm 5, the complete set of rules in $R$ is analyzed and, if necessary, fixed with our policy-rewriting process (cf. Section 3.2, Algorithm 4). Then, by Theorem 1, we can guarantee that neither shadowed nor redundant rules exist in $R$. Moreover, it also allows us to guarantee that the order between rules in $R$ is not relevant. On the other hand, the deployment strategy defined above allows us to guarantee that the resulting setup is free of inter-firewall anomalies. First, since each permission $r_a$ in $R$ opens a flow of permissions over all the firewalls within the minimal routes from the source to the destination pointed to by $r_a$, and since no other rule $r'$ in $R$ can match the same traffic that $r_a$ matches, we can guarantee that neither inter-firewall shadowing nor inter-firewall misconnection can appear in the resulting setup.

Footnote 6: This decision is a choice for avoiding inter-firewall redundancy in the resulting setup.
Second, since each prohibition $r_d$ in $R$ is deployed just once, in the firewall closest to the source pointed to by $r_d$, and since no other rule $r'$ in $R$ can match the same traffic that $r_d$ matches, we can guarantee that no inter-firewall redundancy can appear in the resulting setup.

4 Related Work

A first solution to deploy access control policies free of errors is to apply a refinement mechanism. Following such a top-down mechanism, one can deploy a global security policy into the configurations of several components [11, 6, 14]. In [11], for example, a formal approach based on the Or-BAC model [1] is presented for this purpose. There, a set of filtering rules, whose syntax is specific to a given firewall, may be generated using a transformation process. The authors of [6], on the other hand, use the concept of roles to define network capabilities and refinement of policies. Indeed, they propose the use of an inheritance mechanism through a hierarchy of entities to automatically generate permissions. However, their work does not fix, from our point of view, clear semantics, and their concept of role becomes ambiguous, as we pointed out in [11]. Another work based on policy refinement is the RBNS model [14]. However, although the authors claim that their work is based on the RBAC model [17], it seems that they only keep from this model the concept of role. Indeed, the specification of network entities and of role and permission assignments is not rigorous and does not fit any reality [11].

The use of these refinement proposals [11, 6, 14] ensures cohesion, completeness and optimization as built-in properties. However, it is not always enough to ensure that the firewall configuration is completely free of errors and, often, administrators are reluctant to follow such a proposal.
For this reason, we extended in this paper the approach presented in [11], offering administrators the possibility of aggregating existing configurations before moving to such a refinement approach.

Support tools, on the other hand, are intended to directly assist administrators in their task of writing firewall configurations from scratch. Firewall Builder [15], for example, provides a user interface to specify a network access control policy, which is then automatically translated into various firewall configuration languages such as NetFilter [19], IpFilter [16] or Cisco PIX [8]. It also provides higher portability. For instance, if in a given network infrastructure IpFilter is replaced by NetFilter, it will not be necessary to completely reconfigure NetFilter: Firewall Builder will automatically generate the rules necessary to configure this firewall.

However, we observed some problems when using Firewall Builder. First, we noticed that it might generate incorrect rules. In the case of NetFilter, for example, we experienced the generation of rules associated with the FORWARD chain when they should have been associated with the OUTPUT and INPUT chains. Second, we noticed the generation of redundant rules, although such redundancy was not specified within the policy. Third, it includes a mechanism called shadowing to detect redundancy in the policy. However, this shadowing mechanism only detects simple redundancy that corresponds to trivial equality or inclusion between zones. More complex redundancies (such as the anomalies defined in Section 2) are unfortunately not detected.

Some other proposals, such as [13, 20, 2, 3], provide means to directly manage the discovery of anomalies from a bottom-up approach. For instance, the authors of [13] propose a set of algorithms to detect policy anomalies in both single- and multi-firewall configuration setups.
In addition to the discovery process, the approach in [13] also attempts an optimal insertion of arbitrary rules into an existing configuration, through a tree-based representation of the filtering criteria. Nonetheless, we consider their approach incomplete. Their discovery approach is not complete since, given a single- or multiple-component security policy, their detection algorithms are based on the analysis of relationships between rules two by two. This way, errors due to the union of rules are not explicitly considered (as our approach presented in [2, 3] does). Although in [4] the authors pointed out this problem, claiming that they break down the initial set of rules into an equivalent set of rules free of overlaps between rules, no specific algorithms have been provided for solving it. From our point of view, the proposal presented in [20] best addresses such a problem, although it also presents some limitations. For instance, we can easily find situations where the proposal presented in [20] reports partial redundancies instead of a single full redundancy. Moreover, neither [13] nor [20] address, as we do in this paper by extending the approach presented in [2, 11], a folding process for combining both analysis and refinement strategies.

5 Conclusions

The existence of errors or anomalies in the configuration of network security components, such as filtering routers or firewalls, is very likely to degrade the security policy of a system [12]. This is a serious problem which must be solved since, if not handled correctly, it can allow unauthorized parties to gain control of such a system. We introduced in Section 1 two main strategies to set firewall configurations free of errors.
The first approach is to apply a formal security model, such as the formal model we presented in [11], to express the security policy of the access control for the network, and to generate the specific syntax for each given firewall from this formal policy, for instance by using XSLT transformations from the formal policy to generate specific Netfilter configuration rules [19]. A second approach is to apply an analysis process to existing configurations, in order to detect configuration errors and to properly eliminate them. In [2, 3], for instance, we presented an audit process based on this second strategy to set a distributed security scenario free of misconfiguration.

We presented in Section 3 how to combine both approaches in order to better guarantee the requirements specified for a given network access control policy. Thus, from an initial bottom-up approach, we can analyze existing configurations already deployed into a given system, in order to detect and correct potential anomalies or configuration errors. Once those setups are verified, we offer the administrator a folding mechanism to aggregate the different configurations into a global security policy, in order to finally express, using a sole formal model, the security policy as a whole. The security officer can then perform maintenance tasks over such a single point and then unfold the changes into the existing security components of the system.

As work in progress, we are currently evaluating the implementation of the strategy presented in this paper by combining both the refinement process presented in [11] and the audit mechanism presented in [2, 3] (both of them implemented through a scripting language as a web service [7]).
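The refinement step, generating firewall-specific syntax from an abstract rule, is where the chain error observed with Firewall Builder in Section 4 creeps in: a rule for traffic addressed to the firewall host itself never traverses the Netfilter FORWARD chain, so emitting it there leaves that traffic unfiltered without any warning. The following Python is an added example for this page, not the XSLT transformation of [11] nor Firewall Builder's generator; the abstract rule type, the firewall addresses and the policy are constructed, and the only assumption about Netfilter is the standard chain traversal (INPUT for packets to the host, OUTPUT for packets from it, FORWARD for routed packets). A rule whose destination prefix covers both the firewall and other hosts is split across INPUT and FORWARD.

```python
import ipaddress
from typing import List, NamedTuple, Tuple


class FormalRule(NamedTuple):
    # Constructed abstract rule, standing in for the formal policy; it is not
    # the Or-BAC notation of [11] nor the output of any cited tool.
    action: str               # "accept" or "deny"
    proto: str                # "tcp" or "udp"
    src: str                  # IPv4 CIDR
    dst: str                  # IPv4 CIDR
    dport: Tuple[int, int]    # inclusive destination port range


def chains_for(rule: FormalRule, fw_addrs: List[str]) -> List[str]:
    """Netfilter chains that can see the traffic matched by `rule`.

    Packets addressed to the firewall itself traverse INPUT, packets it emits
    traverse OUTPUT, and only packets between two other hosts traverse FORWARD.
    Putting everything in FORWARD silently leaves host-bound traffic unfiltered.
    """
    fw = [ipaddress.ip_address(a) for a in fw_addrs]
    src, dst = ipaddress.ip_network(rule.src), ipaddress.ip_network(rule.dst)
    fw_in_src = sum(a in src for a in fw)
    fw_in_dst = sum(a in dst for a in fw)
    chains = []
    if fw_in_dst:
        chains.append("INPUT")
    if fw_in_src:
        chains.append("OUTPUT")
    # some non-firewall address on both sides: routed traffic exists
    if src.num_addresses > fw_in_src and dst.num_addresses > fw_in_dst:
        chains.append("FORWARD")
    return chains


def to_iptables(rule: FormalRule, fw_addrs: List[str]) -> List[str]:
    """Refine one formal rule into iptables commands, one per relevant chain."""
    target = {"accept": "ACCEPT", "deny": "DROP"}[rule.action]
    lo, hi = rule.dport
    return [
        f"iptables -A {chain} -p {rule.proto} -s {rule.src} -d {rule.dst} "
        f"--dport {lo}:{hi} -j {target}"
        for chain in chains_for(rule, fw_addrs)
    ]


# Constructed firewall with an inside and an outside address.
FIREWALL = ["192.168.1.1", "203.0.113.1"]

# Constructed formal policy.
WEB    = FormalRule("accept", "tcp", "10.0.0.0/24",    "192.168.1.10/32",  (80, 80))
SSH_FW = FormalRule("accept", "tcp", "10.0.0.0/24",    "192.168.1.1/32",   (22, 22))
DNS_FW = FormalRule("accept", "udp", "192.168.1.1/32", "198.51.100.53/32", (53, 53))
TELNET = FormalRule("deny",   "tcp", "10.0.0.0/24",    "192.168.1.0/24",   (23, 23))

if __name__ == "__main__":
    for r in (WEB, SSH_FW, DNS_FW, TELNET):
        for cmd in to_iptables(r, FIREWALL):
            print(cmd)
```

The chain decision depends on the firewall's own addresses, which is exactly the information a generic policy-to-syntax translation must be given; the refinement of [11] carries it in the formal model, and a deployment check that compares the chains chosen against these rules is a cheap way to catch the class of error reported above.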
Although our first research prototype demonstrates the effectiveness of our approach, more evaluations should be done to study the real impact of our proposal for the maintenance and deployment of complex production scenarios. We plan to address these evaluations and discuss the results in a forthcoming paper.

On the other hand, and as future work, we are currently studying how to extend our approach to the case where the security architecture includes not only firewalls but also IDS/IPS and IPSec devices. Though there is a real similarity between the parameters of those devices' rules (as we partially show in [2, 3] for the analysis of anomalies), more investigation has to be done in order to extend the approach presented in this paper. In parallel to this work, we are also considering extending our approach to the management of stateful policies.

Acknowledgements

This work was supported by funding from the French ministry of research, under the ACI DESIRS project; the Spanish Government (CICYT) projects TIC2003-02041 and SEG2004-04352-C04-04; and the Catalan Government (DURSI) grants 2006FIC00229 and 2006BE00569.

References

[1] Abou el Kalam, A., Baida, R. E., Balbiani, P., Benferhat, S., Cuppens, F., Deswarte, Y., Miège, A., Saurel, C., and Trouessin, G. Organization Based Access Control. In IEEE 4th Intl. Workshop on Policies for Distributed Systems and Networks, pages 120-131, Lake Como, Italy, 2003.
[2] Alfaro, J. G., Cuppens, F., and Cuppens-Boulahia, N. Analysis of Policy Anomalies on Distributed Network Security Setups. In 11th European Symposium On Research In Computer Security (Esorics 2006), pages 496-511, Hamburg, Germany, 2006.
[3] Alfaro, J. G., Cuppens, F., and Cuppens-Boulahia, N. Towards Filtering and Alerting Rule Rewriting on Single-Component Policies. In Intl. Conference on Computer Safety, Reliability, and Security (Safecomp 2006), pages 182-194, Gdansk, Poland, 2006.
[4] Al-Shaer, E. S., Hamed, H. H., and Masum, H. Conflict Classification and Analysis of Distributed Firewall Policies. IEEE Journal on Selected Areas in Communications, 23(10):2069-2084, 2005.
[5] Al-Shaer, E. S., Hamed, H. H., and Masum, H. Modeling and Verification of IPSec and VPN Security Policies. In 13th IEEE International Conference on Network Protocols (ICNP'05), pages 259-278, 2005.
[6] Bartal, Y., Mayer, A., Nissim, K., and Wool, A. Firmato: A novel firewall management toolkit. In IEEE Symposium on Security and Privacy, pages 17-31, Oakland, California, 1999.
[7] Castagnetto, J. et al. Professional PHP Programming. Wrox Press Inc, 1999. ISBN 1-86100-296-3.
[8] Chapman, D. and Fox, A. Cisco Secure PIX Firewalls. Cisco Press, 2001.
[9] Cuppens, F., Cuppens-Boulahia, N., and Alfaro, J. G. Detection and Removal of Firewall Misconfiguration. In Intl. Conference on Communication, Network and Information Security (CNIS05), pages 154-162, 2005.
[10] Cuppens, F., Cuppens-Boulahia, N., and Alfaro, J. G. Misconfiguration Management of Network Security Components. In 7th Intl. Symposium on System and Information Security, Sao Paulo, Brazil, 2005.
[11] Cuppens, F., Cuppens-Boulahia, N., Sans, T., and Miège, A. A formal approach to specify and deploy a network security policy. In 2nd Workshop on Formal Aspects in Security and Trust, pages 203-218, 2004.
[12] Geer, D. Just How Secure Are Security Products? IEEE Computer, 37(6):14-16, June 2004.
[13] Hamed, H. H. and Al-Shaer, E. S. Taxonomy of conflicts in network security policies. IEEE Communications Magazine, 44(3):134-141, 2006.
[14] Hassan, A. and Hudec, L. Role Based Network Security Model: A Forward Step towards Firewall Management. In Workshop On Security of Information Technologies, Algiers, 2003.
[15] Kurland, V. Firewall Builder. In 11th DFN-CERT Workshop, Hamburg, Germany, 2004.
[16] Reed, D. IP Filter. [Online]. Available from: http://www.ja.net/CERT/Software/ip-filter/ip-filter.html
[17] Sandhu, R., Coyne, E. J., Feinstein, H. L., and Youman, C. E. Role-Based Access Control Models. IEEE Computer, 29(2):38-47, 1996.
[18] Skybox Security, Inc. Security Risk Management and Network Change Management Solution from Skybox Security.
[19] Welte, H., Kadlecsik, J., Josefsson, M., McHardy, P., et al. The netfilter project: firewalling, nat and packet mangling for linux 2.4.x and 2.6.x. [Online]. Available from: http://www.netfilter.org/
[20] Yuan, L., Mai, J., Su, Z., Chen, H., Chuah, C., and Mohapatra, P. FIREMAN: a toolkit for FIREwall Modeling and ANalysis. In IEEE Symposium on Security and Privacy, pages 199-213, 2006.