Resolution Method Of Firewall Policy Anomalies Computer Science Essay


The advent of emerging computing technologies such as service-oriented architecture and cloud computing has enabled us to perform business services more efficiently and effectively. However, we still suffer from unintended security leakages caused by unauthorized actions in business services. Firewalls are the most widely deployed security mechanism for ensuring the security of private networks in most businesses and institutions. The effectiveness of the protection provided by a firewall depends mainly on the quality of the policy configured in it. Unfortunately, designing and managing firewall policies is often error prone due to the complex nature of firewall configurations as well as the lack of systematic analysis mechanisms and tools. In this paper, we present an innovative policy anomaly management framework for firewalls, adopting a rule-based segmentation technique to identify policy anomalies and derive effective anomaly resolutions. In particular, we articulate a grid-based representation technique that provides an intuitive cognitive sense of policy anomalies. We also discuss a proof-of-concept implementation of a visualization-based firewall policy analysis tool called Firewall Anomaly Management Environment (FAME). In addition, we demonstrate through rigorous experiments how efficiently our approach can discover and resolve anomalies in firewall policies.

Keywords: firewall policy anomaly management, access control, visualization tool.


As one of the essential elements in network and information system security, firewalls have been widely deployed to defend against suspicious traffic and unauthorized access to Internet-based enterprises. Sitting on the border between a private network and the public Internet, a firewall examines all incoming and outgoing packets based on security rules.

To implement a security policy in a firewall, system administrators define a set of filtering rules that are derived from the organizational network security requirements. Firewall policy management is a challenging task due to the complexity and interdependency of policy rules.

On the other hand, due to the complex nature of policy anomalies, system administrators are often faced with an even more challenging problem in resolving anomalies, in particular policy conflicts. An intuitive means for a system administrator to resolve policy conflicts is to remove all conflicts by modifying the conflicting rules. However, changing the conflicting rules is significantly difficult, even impossible, in practice for several reasons. First, the number of conflicts in a firewall is potentially large, since a firewall policy may consist of thousands of rules, which are often logically entangled with each other. Second, policy conflicts are often very complicated: one rule may conflict with multiple other rules, and one conflict may be associated with several rules. Besides, firewall policies deployed on a network are often maintained by more than one administrator, and an enterprise firewall may contain legacy rules that were designed by different administrators.

There exist a number of algorithms and tools designed to assist system administrators in managing and analyzing firewall policies. Lumeta and Fang allow user queries for the purpose of analysis and management of firewall policies. Essentially, they introduced lightweight firewall testing tools but could not provide a comprehensive examination of policy misconfigurations. Gouda et al. devised a firewall decision diagram (FDD) to support consistent, complete, and compact firewall policy generation. Bellovin et al. introduced a distributed firewall model that supports centralized policy specification. Several other approaches presenting policy analysis tools with the goal of detecting policy anomalies are closely related to our work. Al-Shaer and Hamed designed a tool called Firewall Policy Advisor to detect pairwise anomalies in firewall rules. Yuan et al. presented FIREMAN, a toolkit to check for misconfigurations in firewall policies through static analysis. As discussed previously, our tool, FAME, overcomes the limitations of those tools by conducting a complete anomaly detection and providing more accurate anomaly diagnosis information. In particular, the key distinction of FAME is its capability to perform an effective conflict resolution, which has been ruled out in other firewall policy analysis tools.

Proposed system

We propose a novel anomaly management framework for firewalls based on a rule-based segmentation technique that facilitates not only more accurate anomaly detection but also effective anomaly resolution. Based on this technique, the network packet space defined by a firewall policy can be divided into a set of disjoint packet space segments. Each segment is associated with a unique set of firewall rules and accurately indicates an overlap relation (either conflicting or redundant) among those rules. We also introduce a flexible conflict resolution method that enables fine-grained conflict resolution with the help of several effective resolution strategies, chosen with respect to the risk assessment of the protected networks and the intention of the policy definition. Besides, a more effective redundancy elimination mechanism is provided in our framework.

System Description

FAME was implemented in Java. Based on our policy anomaly management framework, it consists of six components: segmentation module, correlation module, risk assessment module, action constraint generation module, rule reordering module, and property assignment module.

Fig 1. Architecture of FAME

Our framework is realized as a proof-of-concept prototype called Firewall Anomaly Management Environment. The figure above shows the high-level architecture of FAME, which has two levels. The upper level is the visualization layer, which presents the results of policy anomaly analysis to system administrators. Two visualization interfaces, the policy conflict viewer and the policy redundancy viewer, are designed to manage policy conflicts and redundancies, respectively. The lower level of the architecture provides the underlying functionalities addressed in our policy anomaly management framework and the relevant resources, including rule information, the strategy repository, network asset information, and vulnerability information.

IV. Modules

We present a novel anomaly management framework for firewalls based on a rule-based segmentation technique that facilitates not only more accurate anomaly detection but also effective anomaly resolution. Based on this technique, the network packet space defined by a firewall policy can be divided into a set of disjoint packet space segments. Each segment is associated with a unique set of firewall rules and accurately indicates an overlap relation (either conflicting or redundant) among those rules. We also introduce a flexible conflict resolution method that enables fine-grained conflict resolution with the help of several effective resolution strategies, chosen with respect to the risk assessment of the protected networks and the intention of the policy definition. Besides, a more effective redundancy elimination mechanism is provided in our framework.

A. Segmentation Module

The segmentation module takes firewall policies as input and identifies the packet space segments by partitioning the packet space into disjoint subspaces. FAME utilizes Ordered Binary Decision Diagrams to represent firewall rules and to perform the various set operations, such as unions (∪), intersections (∩), and set differences (\), required by the segmentation algorithm. FAME further identifies the different kinds of segments and the corresponding correlation groups.

B. Correlation Module

Resolving one anomaly in isolation may have an unexpected impact on other anomalies. The major benefit of generating correlation groups for the anomaly analysis is that anomalies can be examined within each group independently, because all correlation groups are independent of each other. In particular, the search space for reordering conflicting rules during conflict resolution can be significantly reduced, and the efficiency of resolving conflicts greatly improved.
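The following added example (not code from the paper or from FAME, which uses OBDDs internally) shows the segmentation and correlation steps of the two modules above on a constructed policy. Rules are modelled as boxes over two integer fields (a source-address octet and a destination port) rather than the five fields of a real rule; the algorithm is written for any number of interval fields. Each rule is folded into the current set of segments by intersection and set difference, so the result is a set of pairwise disjoint segments, each tagged with the rules that cover it. Segments covered by rules with different actions are conflicting, segments covered by several rules with the same action are non-conflicting overlapping (redundancy candidates), and rules that share any segment are placed in the same correlation group via union-find.

```python
"""Rule-based segmentation of a firewall packet space (added example, not FAME code)."""
from dataclasses import dataclass
from itertools import permutations
from typing import Dict, FrozenSet, List, Optional, Tuple

# A region of packet space is a box: one inclusive (lo, hi) interval per field.
# Field order used here (an assumption for the example): (source octet, destination port).
Box = Tuple[Tuple[int, int], ...]


@dataclass(frozen=True)
class Rule:
    rid: str
    action: str  # "allow" or "deny"
    box: Box


@dataclass(frozen=True)
class Segment:
    box: Box
    rules: FrozenSet[str]  # ids of every rule whose condition covers this box


def intersect(a: Box, b: Box) -> Optional[Box]:
    """Box intersection; None when the boxes are disjoint in some field."""
    out = []
    for (alo, ahi), (blo, bhi) in zip(a, b):
        lo, hi = max(alo, blo), min(ahi, bhi)
        if lo > hi:
            return None
        out.append((lo, hi))
    return tuple(out)


def subtract(a: Box, b: Box) -> List[Box]:
    """a \\ b as a list of pairwise disjoint boxes (empty when b covers a)."""
    inter = intersect(a, b)
    if inter is None:
        return [a]
    pieces: List[Box] = []
    rest = list(a)
    for i, ((lo, hi), (ilo, ihi)) in enumerate(zip(a, inter)):
        # Slice off the part of `rest` below and above the intersection in field i,
        # then narrow `rest` to the intersection in that field and continue.
        if lo < ilo:
            pieces.append(tuple(rest[:i] + [(lo, ilo - 1)] + rest[i + 1:]))
        if ihi < hi:
            pieces.append(tuple(rest[:i] + [(ihi + 1, hi)] + rest[i + 1:]))
        rest[i] = (ilo, ihi)
    return pieces


def segment_policy(rules: List[Rule]) -> List[Segment]:
    """Fold each rule into the existing disjoint segments."""
    segments: List[Segment] = []
    for r in rules:
        updated: List[Segment] = []
        uncovered = [r.box]  # parts of r not yet claimed by any segment
        for s in segments:
            inter = intersect(s.box, r.box)
            if inter is None:
                updated.append(s)
                continue
            updated.append(Segment(inter, s.rules | {r.rid}))  # shared part
            for piece in subtract(s.box, r.box):                # rest of s unchanged
                updated.append(Segment(piece, s.rules))
            uncovered = [p for u in uncovered for p in subtract(u, inter)]
        for u in uncovered:
            updated.append(Segment(u, frozenset({r.rid})))
        segments = updated
    return segments


def classify(seg: Segment, by_id: Dict[str, Rule]) -> str:
    if len(seg.rules) == 1:
        return "non-overlapping"
    actions = {by_id[rid].action for rid in seg.rules}
    return "conflicting" if len(actions) > 1 else "non-conflicting overlapping"


def correlation_groups(segments: List[Segment]) -> List[Tuple[str, ...]]:
    """Union-find over rules: rules sharing a segment end up in one group."""
    parent: Dict[str, str] = {}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for s in segments:
        ids = sorted(s.rules)
        for rid in ids:
            parent.setdefault(rid, rid)
        for rid in ids[1:]:
            parent[find(rid)] = find(ids[0])
    groups: Dict[str, List[str]] = {}
    for rid in parent:
        groups.setdefault(find(rid), []).append(rid)
    return sorted(tuple(sorted(g)) for g in groups.values())


def analyze(rules: List[Rule]) -> Dict[str, object]:
    by_id = {r.rid: r for r in rules}
    segs = segment_policy(rules)
    counts: Dict[str, int] = {}
    for s in segs:
        counts[classify(s, by_id)] = counts.get(classify(s, by_id), 0) + 1
    return {"segments": segs, "counts": counts, "groups": correlation_groups(segs)}


# Constructed sample policy (not from the paper): r1/r2 and r1/r3 conflict,
# r4 is shadowed by r5 with the same action, r6 overlaps nothing.
SAMPLE_RULES = [
    Rule("r1", "deny", ((10, 20), (80, 80))),
    Rule("r2", "allow", ((15, 30), (80, 80))),
    Rule("r3", "allow", ((10, 12), (80, 80))),
    Rule("r4", "deny", ((100, 110), (22, 22))),
    Rule("r5", "deny", ((100, 120), (20, 25))),
    Rule("r6", "allow", ((200, 200), (443, 443))),
]

if __name__ == "__main__":
    result = analyze(SAMPLE_RULES)
    for s in result["segments"]:
        print(sorted(s.rules), s.box)
    print(result["counts"], result["groups"])
```

Because the segments are disjoint, each conflict can be read off directly from a segment's rule set instead of from pairwise rule comparisons, and the groups show which rules can be reordered independently of the rest of the policy.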

C. Risk Assessment Module

In the risk assessment module, Nessus is utilized as a vulnerability scanner to identify the vulnerabilities within a conflicting segment. The network address space of each conflicting segment is fed into Nessus to obtain the vulnerability information for that address space. Nessus produces the vulnerability information in the "nbe" format. A risk calculator retrieves vulnerability information, such as the CVSS base score and the asset importance value, to calculate the risk level of each conflicting segment.

D. Action Constraint Generation Module

To generate action constraints for conflicting segments, we propose a strategy-based conflict resolution method, which generates action constraints with the help of effective resolution strategies while requiring minimal interaction with system administrators. Once conflicts in a firewall policy are discovered and conflict correlation groups are identified, the risk assessment for the conflicts is performed. The basic idea of automated strategy selection is that the risk level of a conflicting segment directly determines the expected action to be taken for the network packets in that segment. The method incorporates both automated and manual strategy selection.

E. Rule Reordering Module

The ideal solution for conflict resolution is that all action constraints for conflicting segments can be satisfied by reordering the conflicting rules. In other words, if we can find an order of the conflicting rules that satisfies all action constraints, this order is the optimal solution for the conflict resolution. In this scenario, four rules intersect with each other in different conflicting segments.
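As an added example (not code from the paper or from FAME) of the action constraint and rule reordering steps above, the block below takes one correlation group of four mutually intersecting rules, derives each conflicting segment's action constraint from an assumed risk threshold (risk at or above the threshold means the segment's packets are expected to be denied; the paper does not give its strategy in this form), and then searches for a first-match ordering of the group's rules under which every conflicting segment receives its expected action. The segments, risk scores and threshold are constructed for the example; the search is exhaustive, which is affordable precisely because a correlation group is much smaller than the whole policy.

```python
"""Strategy-based action constraints and rule reordering (added example, not FAME code)."""
from dataclasses import dataclass
from itertools import permutations
from typing import Dict, FrozenSet, List, Optional, Sequence


@dataclass(frozen=True)
class ConflictSegment:
    name: str
    rules: FrozenSet[str]   # ids of the conflicting rules covering the segment
    risk: float             # risk level from the risk assessment module


def expected_action(seg: ConflictSegment, threshold: float) -> str:
    """Assumed automated strategy: risky segments are denied, others allowed."""
    return "deny" if seg.risk >= threshold else "allow"


def action_constraints(segments: Sequence[ConflictSegment], threshold: float) -> Dict[str, str]:
    return {seg.name: expected_action(seg, threshold) for seg in segments}


def first_match_action(order: Sequence[str], seg: ConflictSegment, actions: Dict[str, str]) -> Optional[str]:
    """Action a packet in `seg` receives under first-match semantics for `order`."""
    for rid in order:
        if rid in seg.rules:
            return actions[rid]
    return None


def satisfies(order: Sequence[str], segments: Sequence[ConflictSegment],
              actions: Dict[str, str], constraints: Dict[str, str]) -> bool:
    return all(first_match_action(order, seg, actions) == constraints[seg.name] for seg in segments)


def find_order(group_rules: Sequence[str], segments: Sequence[ConflictSegment],
               actions: Dict[str, str], constraints: Dict[str, str]) -> Optional[List[str]]:
    """Return a rule order meeting every constraint, or None if none exists."""
    # A constraint no covering rule can produce makes the group unsatisfiable outright.
    for seg in segments:
        if constraints[seg.name] not in {actions[rid] for rid in seg.rules}:
            return None
    for order in permutations(sorted(group_rules)):
        if satisfies(order, segments, actions, constraints):
            return list(order)
    return None


# Constructed group of four rules that pairwise intersect in four conflicting segments.
ACTIONS = {"r1": "deny", "r2": "allow", "r3": "allow", "r4": "deny"}
GROUP = ["r1", "r2", "r3", "r4"]
RISK_THRESHOLD = 5.0  # assumed value for the example
SEGMENTS = [
    ConflictSegment("s1", frozenset({"r1", "r2"}), risk=2.0),   # expect allow -> r2 before r1
    ConflictSegment("s2", frozenset({"r1", "r3"}), risk=7.5),   # expect deny  -> r1 before r3
    ConflictSegment("s3", frozenset({"r2", "r4"}), risk=9.0),   # expect deny  -> r4 before r2
    ConflictSegment("s4", frozenset({"r3", "r4"}), risk=6.0),   # expect deny  -> r4 before r3
]
# Same segments, but s4 is now low risk: the constraints form a cycle
# (r2<r1, r1<r3, r3<r4, r4<r2) and no order can satisfy them.
SEGMENTS_CYCLIC = SEGMENTS[:3] + [ConflictSegment("s4", frozenset({"r3", "r4"}), risk=1.0)]


def resolve(segments: Sequence[ConflictSegment]) -> Optional[List[str]]:
    constraints = action_constraints(segments, RISK_THRESHOLD)
    return find_order(GROUP, segments, ACTIONS, constraints)


if __name__ == "__main__":
    print("satisfiable group:", resolve(SEGMENTS))
    print("cyclic group:", resolve(SEGMENTS_CYCLIC))
```

When `find_order` returns None the group is one of the cases the paper hands to the property assignment module instead; the unsatisfied segments are exactly those reported as unresolved conflicts.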

F. Property Assignment Module

There are three processes that perform the property assignments for all rule subspaces within the segments of a firewall policy, corresponding to the different categories of policy segments:

1. Property assignment for the rule subspace covered by a non-overlapping segment.

2. Property assignment for rule subspaces covered by a conflicting segment.

3. Property assignment for rule subspaces covered by a non-conflicting overlapping segment.

The three property assignment processes are performed in sequence; the referenced figure shows the result of applying our property assignment approach to a firewall policy with eight rules.


To facilitate the correct interpretation of analysis results, a concise and intuitive representation method is necessary. For the purposes of brevity and understandability, we employ a two-dimensional geometric representation for each packet space derived from firewall rules. Note that a firewall rule typically utilizes five fields to define the rule condition; thus, a complete representation of packet space would be multidimensional. The figure gives the two-dimensional geometric representation of the packet spaces derived from the example policy shown in Table 1. We utilize colored rectangles to denote two kinds of packet spaces: allowed space (white) and denied space (gray). In this example, there are two allowed spaces representing rules r3 and r5, and three denied spaces depicting rules r1, r2, and r4. Two spaces overlap when the packets matching the two corresponding rules intersect. For example, r5 overlaps with r2, r3, and r4. An overlapping relation may involve multiple rules. In order to clearly represent all distinct packet spaces derived from a set of overlapping rules, we adopt the rule-based segmentation technique addressed in Algorithm to divide an entire packet space into a set of pairwise disjoint segments.

Fig 2 phpMyAdmin Database

Fig 2 Main Page

Fig 3 Rule Engine Design

Fig 4 Login Form

Fig Login Form Generation

Fig 6 XML Code Generation

Fig 7 Encryption

Fig 8 Data Transferred to Rule Engine

Fig 9 Rule Engine Design

Fig 10 Filter Design

G. Result

Our experimental results show that around 92 percent of conflicts can be resolved by using our FAME tool. There may still be requirements for a complete conflict resolution, especially for firewalls protecting crucial networks. We believe our FAME tool can help achieve this challenging goal. First, FAME provides a grid-based visualization technique that accurately represents conflict diagnostic information and the detailed information about unresolved conflicts, which is very useful even for manual conflict resolution. Second, FAME resolves conflicts in each conflict correlation group independently, which means a system administrator can focus on analyzing and resolving the conflicts belonging to one conflict correlation group at a time.


We have proposed a novel anomaly management framework that facilitates systematic detection and resolution of firewall policy anomalies. A rule-based segmentation mechanism and a grid-based representation technique were introduced to achieve the goal of effective and efficient anomaly analysis. In addition, we have described a proof-of-concept implementation of our anomaly management environment called FAME and demonstrated that our proposed anomaly analysis methodology is practical and helps system administrators to enable an assurable network management.


It is my immense pleasure to express my deep sense of gratitude and indebtedness to my highly respected and esteemed guide Mr. P. Krishna Kumar, M.E., M.B.A., (Ph.D), Assistant Professor. His invaluable guidance, inspiration, constant encouragement, sincere criticism and sympathetic attitude made this paper possible.