Automated Method for Constructing of Network Traffic Filtering Rules

Evgeny Abramov, Denis Mordvin, Oleg Makarevich
College of Information Security, Taganrog Institute of Technology – Southern Federal University
ul. Chekhova, 2, 347928, Taganrog, Russia
Phone: +7 8634 371905

ABSTRACT
This article is devoted to the topical issues of constructing and assessing the quality of network traffic filtering rules. The main problems of constructing rules are considered and an automated method for constructing them is proposed. The presented method defines the LAN model, the method of developing access control rules between the nodes in the model, and the methods and algorithms for calculating and optimizing the filtering rules for the given levels of access.

Categories and Subject Descriptors C.2.0.f [Communication/Networking and Information Technology]: General - Security and protection (e.g., firewalls).

General Terms Algorithms, Security, Verification.

Keywords firewall misconfiguration, filter rules optimization, filtering efficiency, computer simulation.

1. INTRODUCTION
Traffic filtering rules are a key step in access control between network nodes. Features of the network topology and the routing rules define connectivity in the network and thus impose restrictions on accessibility, but only firewall rules allow access between the nodes in the network to be distinguished with a guarantee. Constructing the filtering rules for a small network segment with a single filtering device is not a difficult task. But even for such a simple configuration the rules may contradict each other as they become more complicated, leading to errors in accessibility or to failures of the filtering devices. For large networks with a complex topology and a large number of filtering

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. SIN’10, Sept. 7–11, 2010, Taganrog, Rostov-on-Don, Russian Federation. Copyright 2010 ACM 978-1-4503-0234-0/10/09...$10.00.

devices and dynamic routing/NAT, the construction of rules becomes a real challenge. In [1] 37 firewalls in the local networks of various companies were examined, and configuration errors and vulnerabilities were found in all of them; one firewall was reported to have a large number of vulnerabilities. Another authoritative source [2] discusses many real firewall configuration errors. The widespread distribution of network worms shows that many firewalls are vulnerable due to configuration errors, because "a properly configured firewall could easily block them" [1].

2. THE MAIN PROBLEMS OF FILTER RULES DEVELOPMENT
The fundamental problems faced by administrators in the process of filtering rules development are listed below:

- The number of nodes in the network. The number of filtering rules directly depends on the number of nodes between which access is distinguished. Often access has to be limited not to the entire node but to some of the services operating on it, which increases the number of rules further.
- The number of filtering devices. It must be clear which rules should be installed on each filter, and the dependencies between rules in a chain of filters between sources and targets must be taken into account.
- Matching of routing in the network. Routing allows multiple paths between sources and targets, so serial and parallel chains of filters between the nodes must be taken into account.
- Efficient allocation of rules between the filters in the network.
- Differences in the syntax and in the principles of forming filter rules for different filtering devices.
- Verification of network access against the given predetermined rules.

Thus, there may be contradictions between the rules in the constructed set of filtering rules, as well as possible failures of rules, which reduces security and network performance in general. Several techniques for the automated checking of filter rule sets have been developed. These methods involve manual development of the rules by the administrator, entering them into the system and checking them [3-8]. The result of processing is a set of recommendations, with which the administrator must adjust the existing rules and repeat the whole process. Such methods are labor-intensive and slow. But most importantly, they do not verify that the accessibility in the network given by the rules complies with the security policy; the checks in those methods are aimed at common errors. In this article we develop a method that automates the entire process: building the rules, error checking, optimizing the rules and distributing them over the network, and verifying compliance with the accessibility requirements.

Traffic filtering rules are closely related to permissions on the network. On the one hand, filtering rules must comply with the required access control in the network; on the other hand, the developed filtering rules define the actual access control. The actual access control must match the required one, so methods and means for monitoring this requirement are necessary. The main principle of the proposed method is that a user-defined access control in the network determines the required set of filter rules. To provide the required access control, in this paper we propose to use:



- Access rule lists for constructing restrictions on access to the network.
- A reachability matrix between the nodes in the network, to display the access distinctions in the network and to verify the calculated filter rules (see Figure 1).



Figure 1 – Reachability matrix (rows: source nodes; columns: target nodes; 1 = reachable, 0 = not reachable)

        S4  S2  S5  H5  H6  H7  H8  S3  H9  H10
  S1     1   0   0   0   0   0   0   1   1   1
  S8     1   0   0   0   0   0   0   1   1   1
  H1     1   0   0   0   0   0   0   1   1   1
  H2     1   0   0   0   0   0   0   1   1   1
  S7     1   0   0   0   0   0   0   1   1   1
  H3     1   0   0   1   0   0   0   1   0   1
  H4     1   0   1   1   0   0   0   1   0   1

Calculating access and filtering rules by hand for a real LAN is a very laborious task. The task of assessing the quality of the rules and monitoring their compliance with the requirements is even more demanding.

In this paper we propose using computer simulation to solve this problem. The simulation network model presented in this paper can be used for the following tasks:

- definition of access control in the network;
- calculation of the filtering rules for a given set of filters in the network;
- calculation of the optimal number of filters and their distribution.

The problem of calculating the optimal number and distribution of firewalls in the network will be discussed in subsequent articles.

3. CONFIGURING THE MODEL

3.1 Configuring the LAN Model
The first step in the proposed method is the configuration of the required LAN model. To do this, the subnets, network hosts, switching equipment, firewalls, connectivity between nodes, routing rules and address translation rules must be specified.

Subnets are set at the first stage of network model configuration. They actually exist on the LAN, and for each subnet the address space and the node through which it is linked by default to the other subnets must be specified. At this point subnets cannot intersect with each other or be nested into each other, because that does not match actual practice. Such subnets will be further referred to as basic, as opposed to the additional subnets described below.

Network hosts in the model imitate the workstations and servers that actually exist in the network, with one or more network addresses. Each host in the model must belong to a subnet. A host must be linked with one or more nodes in the network, which may include other hosts, switching equipment or filters. For each subnet and host in the model an internal identifier is assigned, which will be used in constructing the rule matrix and the access control. The model allows an address range and/or a name to be specified for subnets and hosts, which makes the derived access rules easier to read, especially if the security policy for the network operates on host names rather than on their addresses.

Switching equipment. The proposed model has two types of switching equipment: switches and routers. Switches in this model are designed to combine the hosts within a subnet, and routers are designed to join subnets. Switches calculate their forwarding tables automatically from the network configuration in the model, which allows them to redirect requests between the nodes properly. Routers are guided by the routing rules specified during the configuration phase. Thus, the switching equipment determines the connectivity between the nodes in the model.

Object connectivity. In addition to the switching equipment, connectivity is determined by a given set of connections between objects in the network. The model does not limit the number of connections for a single object. To create a link between objects it is only necessary to specify the pair of nodes to be linked. Communication between objects is not carried out directly but through a model of a network adapter, for which the network address and an internal identifier uniquely identifying the adapter must be specified (the ID is set automatically). If a given node has no free adapter, an adapter will be created automatically when a new connection is created.

3.2 Identification of Additional Subnets Required for Access Control

Firewalls can be installed anywhere in the network model. When developing access control rules for the network using a given set of firewalls, the model can immediately display the points between which access cannot be distinguished because of the absence of a firewall. If access control is being developed for a network without installed firewalls and the model has to determine their required locations, then it is not necessary to set firewalls. A combined calculation is available, when some of the firewalls are hard-coded in the model and some are to be calculated.

Both nodes and entire subnets can act as access subjects and objects for access control. At the previous stage the basic subnets described above were established in the model. The developed model offers the opportunity to define additional subnets within the basic subnets and to combine basic subnets. For these subnets some limitations must be identified.

Figure 2 - The network model for calculation of filter rules without access control. (Labels recovered from the figure: subnets S1 10.20.1.0/24, S7 10.20.1.4/31, S8 10.20.1.0/30, S4 10.10.0.0/22, S2 10.10.1.0/24, S5 10.10.1.2/31, S3 10.10.2.0/24; hosts H1 10.20.1.3, H2 10.20.1.2, H3 10.20.1.4, H4 10.20.1.5, H5 10.10.1.2, H6 10.10.1.3, H7 10.10.1.5, H8 10.10.1.4, H9 10.10.2.2, H10 10.10.2.3; routers R1-R4; firewalls F1, F3, F4, F5.)

An additional subnet is defined either within a basic subnet or so as to include a few basic subnets. The remaining cases have no practical meaning. Additional subnets are defined by a range of network addresses in CIDR notation. Therefore such a subnet will include all nodes from the associated basic network whose addresses are within the range of the additional CIDR subnet. Conversely, nodes with addresses outside the range of the additional subnet cannot enter into it. During visual definition of additional subnets the minimal sufficient subnet address range is selected. For all basic and additional subnets an internal identifier is created, and names can be defined to display in the model.

3.3 Defining the Access Rules Between the Nodes in the Subnet
Network nodes here are hosts and subnets (basic and additional). Access control is usually determined in accordance with the network security policy. At this stage accessibility is defined between the nodes, not between their addresses, in contrast to filtering rules. Access control can be defined visually on the model or simply by recording the rules in a list. The naming of nodes in the network helps to link the model with the security policy, which is usually presented informally. The visual way of defining access rules looks preferable. In this way we need to specify the access subject and the access object in the network, the additional parameters of the rule (protocol, port ranges) and the type of the rule (allow or deny).

3.4 Access Control Rule Format
Rule.s - designation of the access subject (node ID).
Rule.D - designation of the access object (node ID).
Rule.S.p - the port range of the access subject covered by the rule.
Rule.d.p - the port range of the access object covered by the rule.
Rule.pr - target network protocol.
Rule.Act - reaction of the rule.

3.5 Displaying the Required Accessibility from Sources to Targets
It is proposed to use color indication on the model to display access control, for clarity and to simplify the process of defining access control between the nodes in the model. It is impossible to use this technique to display the access distinctions between all nodes simultaneously. There are two options for displaying access:

- display access to a given node from all nodes;
- display access from a given node to all nodes.

4. LIST OF ACCESS CONTROL RULES
The order of rules is important both for lists of filter rules and for lists of accessibility rules. But when the rules are defined in this model the order is not important: the rule order is calculated automatically and clearly displayed to the user, as described below.

4.1 Decomposition of the Total Rule List into Lists of Access Rules for Pairs of Subnets
It is further proposed to split the total list of rules into several lists of rules containing disjoint sets. For this purpose we define the set of top-level subnets and define a list of rules for every possible pair of elements of this set (placements with repetition). The sets of rules in these lists will then be pairwise disjoint.

4.2 Representation of the Lists for Pairs of Subnets as Rule Trees
Reachability rules are added by the user in arbitrary order. On the other hand, the order of the rules is important for calculating the reachability between nodes. The most common pattern used to calculate reachability between nodes is: the rules are considered in list order, and the first satisfied rule determines access. If no rule in the list matches the request, the decision is made in accordance with the default policy; that is, according to this policy either a positive or a negative decision is made for all requests not covered by the rules. To resolve the contradiction between the fundamental importance of the rule order and the assumption that rules are added arbitrarily, automatic ordering of the rules in the list is used. That is, a certain order is maintained whenever a new rule is added or an existing one is deleted.

Principles of sorting rules in the list. The order of the rules is important only for some well-known contradictions between rules. Such contradictions are defined for filtering rules, but some of them are also applicable to a given list of reachability rules. Filtering rule misconfigurations are errors in the design and construction of filtering rules leading to inefficiency of the rules,

or to contradictions between them and vulnerabilities of firewalls. Errors in firewall rules are analyzed in [3]. The groups of errors presented in that paper are summarized in Table 2 below. There are no contradictions in chains of reachability rules, as they are defined in one list and have only logical partitions. For configuration errors associated with efficiency, order is not important. But inter-firewall inconsistencies within a single list of rules are determined precisely by the order in which the rules appear. If rule A is a subset of rule B and these rules define opposite values, we will have either a shadowing or a generalization error, depending on the position of these rules in the list. With correlation errors the result of filtering will depend on the order of these rules. It should be noted that generalization, as opposed to shadowing, is more often not a mistake but a basic principle of listing rules. Using generalizations often significantly reduces the required number of rules in the filter. Generalization may be a mistake if it is implicit, that is, not specifically intended by the developer of the rules. We can define the ordering of reachability rules as follows:

- use only the obvious generalizations;
- use generalization instead of shadowing;
- avoid intersection by ignoring newly added rules that overlap with those already in the list.

Thus, the best structure expressing the specified requirements is a tree. Rule generalization is expressed in terms of parents and children in the tree. The root of the tree is the default access control policy rule. Closer to the root are the rules for larger nodes. Child nodes of the tree are the rules that determine access for a set of objects which is a subset of the set of objects covered by the parent rule. Now we use only the IDs of nodes rather than their addresses. The nesting relationships were identified for the IDs while constructing the network. That is, for each node in the network, given by ID, we know which nodes are nested in it and in which it is nested. Thus, we do not need to calculate CIDR addresses at the stage of constructing the tree. Figure 3 shows a simplified example of a forest of rule trees. In this example the rules are not specified by protocols and ports (as shown in Table 1).

Table 1. Sample of access control rules (from subnet S1 (10.20.1.0/24) to subnet S4 (10.10.1.0/22))

  Source              Target              Action
  S1 - 10.20.1.0/24   S2 - 10.10.1.0/24   deny
  H3 - 10.20.1.4      S2 - 10.10.1.0/24   deny
  H4 - 10.20.1.5      S5 - 10.10.1.2/31   accept
  H3 - 10.20.1.4      H5 - 10.10.1.2      accept
  H3 - 10.20.1.4      H9 - 10.10.2.2      deny
  H4 - 10.20.1.5      H6 - 10.10.1.3      deny
  H4 - 10.20.1.5      H9 - 10.10.2.2      deny

Figure 3 - Presentation of lists of rules in the form of trees: A. Source tree; B. Minimized tree

Figure 4 - The network model for calculation of filter rules with access control. (Labels recovered from the figure: subnets S1 10.20.1.0/24, S7 10.20.1.4/31, S8 10.20.1.0/30, S4 10.10.0.0/22, S2 10.10.1.0/24, S5 10.10.1.2/31, S3 10.10.2.0/24; hosts H1 10.20.1.3, H2 10.20.1.2, H3 10.20.1.4, H4 10.20.1.5, H5 10.10.1.2, H6 10.10.1.3, H7 10.10.1.5, H8 10.10.1.4, H9 10.10.2.2, H10 10.10.2.3; routers R1-R4; firewalls F1, F3, F4, F5.)

Table 2. Summary of filtering rule misconfigurations

  Error type                       Summary
  Policy violations                Determined when the filter rules do not comply with the security policy.
  Shadowing                        Determined when the traffic that one rule is intended to prohibit (allow) is allowed (forbidden) by a previous rule.
  Generalization                   Determined when a subset of the packets satisfying the current rule was excluded by a prior rule.
  Correlation                      Determined when the current rule intersects with previous rules but defines a different reaction.
  Intra-firewall inconsistencies   Defined in cases where the rules in the filter chain between a pair of nodes contradict each other.
  Cross-path                       Defined in cases where the reachability between a pair of nodes differs for different paths in the network.
  Inefficiency                     The effectiveness of the rules is determined by their number: the smaller the required set of rules, the higher the throughput of the filter.
  Redundancy                       Defined in cases where removing the redundant rules from the list does not affect the result of filtering.
  Verbosity                        Determined when a set of rules can be replaced by a smaller set.

The general list of rules was split into several sets of rule lists. These sets are represented as a set of trees and form the so-called forest. To calculate the access between subjects and objects, the corresponding tree has to be traversed in reverse order. That is, first all the nodes of the first subtree are visited in reverse order, left to right, then the second subtree, and so on; the root is visited last. Thus, for the first tree the traversal sequence will be: (H3H5), (H3S2), (H4S5), (S1S2), (S7H9), default policy. Such a traversal guarantees that no rule will be shadowed. But with such a traversal, in the worst case all the nodes of the tree have to be visited to find the appropriate rule.

We can significantly reduce the search for the appropriate node in the tree by using a direct traversal of our ordered tree and the principle by which the tree is ordered. The only peculiarity of such a search is that we need to find the lowest rule in the tree which satisfies the request.

If we introduce a principle of ordering the "brothers" in the tree, it can reduce the complexity of insertion and retrieval in the tree. We can represent all brothers, the children of one parent, as a list. Then we have to introduce a single less-or-greater comparison between these nodes for ordering them.

The advantages of the tree-like representation of the access control rules are:

- there are no contradictions between the access control rules;
- logarithmic complexity of the operation of inserting a new rule into the tree;
- the possibility of constructing an optimized algorithm for determining the reachability for a given query;
- the possibility of optimizing the algorithm for the reachability matrix;
- the possibility of an optimization algorithm to minimize the number of rules ensuring the assigned access control.

The optimal algorithm for constructing a tree is based on the following regularities:

1. If, when adding another rule, shadowing is found, then generalization cannot be found for such a rule, and vice versa.
2. If, when adding another rule, generalization is found, then correlation can also be found, and vice versa.
3. If, when adding another rule, shadowing is found, then correlation cannot be found for such a rule, and vice versa.
4. If, when adding another rule, shadowing is found, then another shadowing cannot be found for such a rule, and vice versa.
5. If, when adding another rule, generalization is found, then other generalizations can also be found, and vice versa.

We can introduce the following rules, based on these regularities, that specify an algorithm for constructing a tree:

- If correlation of the new rule with an existing one is found while comparing, the rule is discarded.
- If shadowing is found while comparing the new rule with an existing one, further search for misconfigurations at the current level of the tree is not needed. The new rule becomes the son of the shadowing rule.
- If generalization is found while comparing the new rule with an existing one, the search for misconfigurations at this level of the tree must continue. Only generalizations or correlations need to be searched for: shadowing cannot be found at the current level of the tree.

5. THE ALGORITHM FOR CONSTRUCTING THE REACHABILITY RULES TREE

1. The default access rule is placed at the root of the tree.
2. A newly added rule is added as a new son of the root of the tree, following the algorithm described above.
3. The inserted rule is compared with its brothers to avoid correlation, generalization or shadowing errors.
4. In the case of correlation, the rule is ignored and the developer is informed of this contradiction.
5. In the case of shadowing between the existing rule and the new one, the new rule becomes a descendant of the shadowing rule. Next, the algorithm is applied recursively to insert the current rule at its new position in the tree, where the shadowing rule becomes the parent node.
6. In the case of generalization, the added rule becomes the new parent node of the generalized nodes.
7. Otherwise, the added rule becomes a direct descendant of the current parent node.

The advantages of using a set of trees (forest) instead of one larger tree are the following:

- we can easily determine the appropriate tree and search a smaller set of rules for each query;
- the insert operation is faster for a smaller tree;
- reachability between different subnets is recalculated independently.

6. CONSTRUCTING THE REQUIRED REACHABILITY MATRIX
Access control rules determine the desired reachability between network nodes in the form of a table. This table shows the reachability between source nodes (horizontal) and target nodes (vertical). We will call such a table the reachability matrix. The reachability matrix is necessary for:

1. displaying the current reachability between nodes during the development of access control rules;
2. verifying the results of the calculation of filter rules.

For each rule tree we compute its own reachability matrix. The required reachability in the network changes with any change in the set of access control rules. Since the rule trees, and thus the reachability matrices, are independent of each other, for any change in a single tree only one matrix has to be recomputed. We use the reverse traversal of the rule tree to fill in the appropriate reachability matrix. This way we do not have to rewrite reachability values in the table, and this order also lets us see the presence of exceptions in the reachability between the nodes in one pass.

7. MINIMIZATION OF THE ACCESS CONTROL TREE
To construct an algorithm minimizing the number of rules, we need to switch from node IDs to their CIDR addresses. We will split "subnet" objects into smaller subnets and add objects into larger subnets that are not identified in the model and have no IDs. The misconfiguration errors associated with inefficiency could be ignored before the trees of access control rules were built. Once the construction of the access control rules has been completed, the algorithms for minimizing the required number of rules are applied. This is because any inefficiency that arises can be corrected by the subsequent modification of the access control rules:

- redundancy removal in the rule tree;
- verbosity removal in the rule tree;
- subtraction and addition operations for rules.

The main principle of rule tree minimization is to apply the operation of redundancy removal and then addition and subtraction sequentially, as long as they give a positive result.

8. BUILDING THE FILTER DISTRIBUTION GRAPH

Figure 5 - Example of the filter distribution graph and predicate calculation

To calculate the required set of filtering rules, for each access control rule it is necessary to define the filters to which it should be applied. It is proposed to construct a graph showing the relationships between the nodes in the network, where hosts are connected to the subnet to which they belong, additional subnets are connected with the basic subnets, and the basic subnets are connected with each other. The IDs of the filters located on the route linking the specified nodes are placed on the edges of the graph. Some nodes are linked by more than one connection and can have several filters on the path between them. Then the filters between these nodes can be written as a logical predicate. Such a predicate expresses the principle of distributing filter rules between filters. The principle of distributing filter rules between multiple filters on the path is:

- if a rule is an "allow" rule, it must be added to each filter;
- if it is a "deny" rule, then:
  - for a serial chain of filters one rule is enough;
  - for parallel chains it is sufficient that the rule has been applied to a single filter from each chain.

Thus, we need to keep "deny" rules in mind to determine the shape of the filter predicate. For filters in a serial chain we can apply the rule to any of the filters; we write such filters in the predicate with OR (|). For filters (or sets of filters) in parallel chains we must apply the rule to each of them; we write such filters in the predicate with AND (&). Figure 5 shows an example of the filter distribution graph. Further, we can define filter predicates between all nodes in the network and provide this information in table form. Examples of filter predicates between pairs of nodes are:

1. S1 to S4: F1 & F5 & R2;
2. H3 to H4: F3 | (F1 & F5) | F4.
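Returning to the minimization operations of Section 7 (redundancy removal, addition, subtraction), the following added example (not the paper's code) applies them to the Table 1 rules written in CIDR form. It works on a flat rule list in which the most specific covering rule decides, instead of on the tree, assumes the list is conflict-free (as the tree construction guarantees), and uses ipaddress.collapse_addresses and address_exclude for the "addition" and "subtraction" of address ranges; the function names and the accept default policy are the example's own assumptions.

```python
"""Rule minimization with CIDR arithmetic (Section 7): redundancy removal,
addition (merging rules whose address ranges collapse exactly into a larger
block) and subtraction (replacing a rule plus an opposite-action exception
nested in it by the rule for the remaining addresses).
Added example, not the paper's code: a flat, conflict-free rule list in which
the most specific covering rule decides; Python's ipaddress does the arithmetic."""
from dataclasses import dataclass
from ipaddress import ip_network, collapse_addresses
from itertools import combinations

@dataclass(frozen=True)
class Rule:
    s: str      # subject CIDR
    d: str      # object CIDR
    act: str    # "accept" or "deny"

def net(cidr):
    return ip_network(cidr)

def covers(outer, inner):
    return net(inner.s).subnet_of(net(outer.s)) and net(inner.d).subnet_of(net(outer.d))

def covering(rules, s, d, exclude=None):
    """Rules covering the query (s, d), most specific first."""
    hits = [r for r in rules if r is not exclude and covers(r, Rule(s, d, ""))]
    return sorted(hits, key=lambda r: net(r.s).prefixlen + net(r.d).prefixlen, reverse=True)

def decision(rules, default, s, d):
    hits = covering(rules, s, d)
    return hits[0].act if hits else default

def remove_redundant(rules, default):
    """Drop rules whose nearest enclosing rule (or the default) gives the same reaction."""
    kept = []
    for r in rules:
        above = covering(rules, r.s, r.d, exclude=r)
        if (above[0].act if above else default) != r.act:
            kept.append(r)
    return kept

def add_rules(rules):
    """Merge rules sharing action and subject (or object) whose other networks
    are disjoint and collapse into fewer CIDR blocks (exact union only)."""
    for dim, other in (("s", "d"), ("d", "s")):
        groups = {}
        for r in rules:
            groups.setdefault((getattr(r, other), r.act), []).append(r)
        merged = []
        for (fixed, act), group in groups.items():
            nets = [net(getattr(r, dim)) for r in group]
            disjoint = all(not a.overlaps(b) for a, b in combinations(nets, 2))
            collapsed = list(collapse_addresses(nets))
            if disjoint and len(collapsed) < len(nets):
                merged += [Rule(**{dim: str(n), other: fixed, "act": act}) for n in collapsed]
            else:
                merged += group
        rules = merged
    return rules

def subtract_rules(rules, default):
    """Replace a rule and one opposite-action rule nested in its object range by
    the rule for the remaining addresses, when that gives fewer rules and the
    rule enclosing the pair already yields the exception's reaction."""
    for parent in rules:
        for child in rules:
            if (child is parent or child.s != parent.s or child.act == parent.act
                    or net(child.d) == net(parent.d) or not net(child.d).subnet_of(net(parent.d))
                    or covering(rules, child.s, child.d, exclude=child)[0] is not parent):
                continue
            above = covering(rules, parent.s, parent.d, exclude=parent)
            rest = list(net(parent.d).address_exclude(net(child.d)))
            if (above[0].act if above else default) == child.act and len(rest) < 2:
                kept = [r for r in rules if r is not parent and r is not child]
                kept += [Rule(parent.s, str(n), parent.act) for n in rest]
                return subtract_rules(kept, default)
    return rules

def minimize(rules, default):
    """The paper's principle: redundancy removal, then addition and subtraction,
    repeated as long as the rule set keeps changing."""
    while True:
        new = subtract_rules(add_rules(remove_redundant(rules, default)), default)
        if set(new) == set(rules):
            return new
        rules = new

# Table 1 rules in CIDR form (addresses from Figure 2); default policy assumed "accept".
TABLE1 = [
    Rule("10.20.1.0/24", "10.10.1.0/24", "deny"),    # S1 -> S2
    Rule("10.20.1.4/32", "10.10.1.0/24", "deny"),    # H3 -> S2
    Rule("10.20.1.5/32", "10.10.1.2/31", "accept"),  # H4 -> S5
    Rule("10.20.1.4/32", "10.10.1.2/32", "accept"),  # H3 -> H5
    Rule("10.20.1.4/32", "10.10.2.2/32", "deny"),    # H3 -> H9
    Rule("10.20.1.5/32", "10.10.1.3/32", "deny"),    # H4 -> H6
    Rule("10.20.1.5/32", "10.10.2.2/32", "deny"),    # H4 -> H9
]
HOSTS = ["10.20.1.3", "10.20.1.2", "10.20.1.4", "10.20.1.5", "10.10.1.2",
         "10.10.1.3", "10.10.1.5", "10.10.1.4", "10.10.2.2", "10.10.2.3"]

if __name__ == "__main__":
    small = minimize(TABLE1, "accept")
    for r in small:
        print(r.s, "->", r.d, r.act)
    same = all(decision(TABLE1, "accept", a, b) == decision(small, "accept", a, b)
               for a in HOSTS for b in HOSTS)
    print(len(TABLE1), "rules ->", len(small), "rules; host-level decisions unchanged:", same)
```

On Table 1 the passes are: H3→S2 deny is redundant under S1→S2 deny; H3→H9 and H4→H9 deny are added into S7→H9 deny (10.20.1.4/31); H4→S5 accept minus its exception H4→H6 deny becomes H4→H5 accept, which then merges with H3→H5 accept into S7→H5 accept. Seven rules shrink to three and every host-to-host decision is unchanged, which is the check a practitioner should run after any such minimization.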

9. REPRESENTATION OF RULE DISTRIBUTION OPTIONS
With the filter predicate table we can easily identify the choice of filters for deny rules and the set of filters to which an allow rule must be applied. An example of such a table is presented in Table 3.

In the end we get a choice of different filters for writing deny rules. Filtering rules can be distributed arbitrarily within the given set of options. However, with a chaotic distribution of rules we can get a situation where one filter has a small number of rules and another has a large number, which may not correspond to the load on the filters, and thus we can get a reduction in network performance. If there is a choice of filters when allocating rules between filters, the given capacity of the filters must be considered. It can be defined as the maximum number of filtering rules that can be installed on the filter without packet loss. If the load on the filters is not specified in the model, we can try to distribute the rules evenly across the filters.
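An added example (not the paper's code) for the predicate construction of Section 8 and the placement options of Section 9: the filters on each path between a pair of nodes are collected as one clause, so serial filters on a path are alternatives (OR) and the parallel paths must all be covered (AND); the minimal sets of filters that hit every clause are the options of Table 3, and the per-filter counts of a chosen placement are the "rules distribution" rows of Table 4. The topology (junction vertices J1 and J2, filters F1, F3, F4, F5, R2) is constructed for illustration and is not the paper's Figure 5; all function names are the example's own.

```python
"""Filter predicates for a source/target pair (Section 8) and the placement
options for deny rules they yield (Section 9, Table 3). Added example, not
the paper's code. The predicate is kept in conjunctive normal form (one clause
per path), which is equivalent to the paper's serial-OR / parallel-AND form."""
from collections import Counter
from itertools import combinations

# Constructed topology (undirected adjacency lists): H3 -F3- J1, then F1 and F5
# in parallel between J1 and J2, then J2 -F4- H4 and J2 -R2- S4. Vertices whose
# names start with F or R are filters; J1/J2 stand for the remaining routing.
GRAPH = {
    "H3": ["F3"], "F3": ["H3", "J1"],
    "J1": ["F3", "F1", "F5"], "F1": ["J1", "J2"], "F5": ["J1", "J2"],
    "J2": ["F1", "F5", "F4", "R2"], "F4": ["J2", "H4"], "H4": ["F4"],
    "R2": ["J2", "S4"], "S4": ["R2"],
}

def is_filter(vertex):
    return vertex[0] in "FR"

def simple_paths(src, dst, graph=GRAPH):
    """Every loop-free path from src to dst (depth-first search)."""
    found = []
    def walk(vertex, path):
        if vertex == dst:
            found.append(path)
            return
        for nxt in graph[vertex]:
            if nxt not in path:
                walk(nxt, path + [nxt])
    walk(src, [src])
    return found

def deny_predicate(src, dst, graph=GRAPH):
    """CNF clauses, one per path: a deny rule blocks the pair iff at least one
    filter on every path carries it (filters on one path -> OR, paths -> AND)."""
    clauses = {frozenset(v for v in p if is_filter(v)) for p in simple_paths(src, dst, graph)}
    return sorted(clauses, key=sorted)

def allow_filters(src, dst, graph=GRAPH):
    """An allow rule has to be written to every filter on any path."""
    return frozenset().union(*deny_predicate(src, dst, graph))

def placement_options(clauses):
    """Minimal filter sets hitting every clause: the deny-rule placement
    options of Table 3 (brute force, fine for a handful of filters)."""
    universe = sorted(frozenset().union(*clauses))
    options = []
    for size in range(1, len(universe) + 1):
        for combo in combinations(universe, size):
            candidate = frozenset(combo)
            if any(candidate >= found for found in options):
                continue                        # a smaller option already suffices
            if all(candidate & clause for clause in clauses):
                options.append(candidate)
    return options

def satisfies(clauses, placed):
    """Does a concrete placement of one deny rule meet its predicate?"""
    return all(placed & clause for clause in clauses)

def filter_load(placements):
    """Rules per filter for one chosen placement of every rule (Table 4 rows)."""
    load = Counter()
    for placed in placements.values():
        load.update(placed)
    return load

if __name__ == "__main__":
    pred = deny_predicate("H3", "H4")
    print("H3 -> H4 clauses:", [sorted(c) for c in pred])
    print("deny options:", [sorted(o) for o in placement_options(pred)])
    print("allow rule goes to:", sorted(allow_filters("H3", "H4")))
    # Option 1 of Table 4: A and E placed on F4, B on R2, C and D on all four filters.
    option1 = {"A": {"F4"}, "B": {"R2"}, "C": {"F3", "F1", "F5", "F4"},
               "D": {"F3", "F1", "F5", "F4"}, "E": {"F4"}}
    load = filter_load(option1)
    print(dict(load), "total", sum(load.values()))
```

For H3→H4 the two paths give the clauses {F3, F1, F4} and {F3, F5, F4}, which is the paper's F3 | (F1 & F5) | F4 written out, and the minimal hitting sets F3, F4 and F1 ∩ F5 are the three options of row A in Table 3. The load for option 1 of Table 4 comes out as F1: 2, F3: 2, F4: 4, F5: 2, R2: 1, total 11, matching that column.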

Table 3. Table of predicates for filtering rule distribution

  Rule  Predicate                  Option 1            Option 2  Option 3
  A     A ∈ F3 ∪ (F1 ∩ F5) ∪ F4    F3                  F1 ∩ F5   F4
  B     B ∈ F3 ∪ R2                F3                  R2
  C     C ∈ F3 ∩ F1 ∩ F5 ∩ F4      F3 ∩ F1 ∩ F5 ∩ F4
  D     D ∈ F3 ∩ F1 ∩ F5 ∩ F4      F3 ∩ F1 ∩ F5 ∩ F4
  E     E ∈ F3 ∪ (F1 ∩ F5) ∪ F4    F3                  F1 ∩ F5   F4

In Table 4 all the possible variants of allocating the rules between the filters are presented.

Table 4. Variants for a set of filter rules

  Rule  Option 1  Option 2  Option 3  Option 4  Option 5  Option 6  Option 7  Option 8  Option 9
  A     F4        F1 ∩ F5   F3        F4        F1 ∩ F5   F3        F4        F1 ∩ F5   F3
  B     R2        R2        R2        R2        R2        R2        R2        R2        R2
  C     F3 ∩ F1 ∩ F5 ∩ F4 in every option
  D     F3 ∩ F1 ∩ F5 ∩ F4 in every option
  E     F4        F4        F4        F1 ∩ F5   F1 ∩ F5   F1 ∩ F5   F3        F3        F3

  Rules distribution (rules per filter and share of the total)
  F1    2 (18%)   3 (25%)   2 (18%)   2 (18%)   4 (31%)   3 (25%)   2 (18%)   2 (17%)   2 (18%)
  F3    2 (18%)   2 (17%)   3 (27%)   4 (36%)   2 (15%)   3 (25%)   3 (27%)   4 (34%)   4 (36%)
  F4    4 (36%)   3 (25%)   3 (27%)   2 (18%)   2 (15%)   2 (17%)   3 (27%)   2 (17%)   2 (18%)
  F5    2 (18%)   3 (25%)   2 (18%)   2 (18%)   4 (31%)   3 (25%)   2 (18%)   2 (17%)   2 (18%)
  R2    1 (9%)    1 (8%)    1 (9%)    1 (9%)    1 (8%)    1 (8%)    1 (9%)    1 (8%)    1 (9%)
  Total 11        12        11        11        13        12        11        12        11

10. FURTHER OPPORTUNITIES
The task of allocating rules between filters is an exhaustive search task. Suppose we have n deny rules and for each of them there are on average m placement options. Then, to identify the best placement, m^n options have to be examined. We propose to use a genetic algorithm to solve this problem in the future. The evaluation function of a filter rule placement will be given in terms of the following quantities:

w_i - the filter's weighting coefficient, which depends on the load on the filter;
C_i - the actual number of rules on the i-th filter;
D_i - the planned number of rules on the i-th filter;
and a threshold (the threshold method).

In the genetic algorithm a population can be represented as a set of non-repeating sets of rules in which a placement decision has been made for each rule. The placement decisions are initially made randomly. Further, crossover and mutation operations are applied to the initial population to minimize the objective function in accordance with the selected genetic algorithm. In the crossover operation the placement option for each rule is chosen to match one of the parents. In the mutation operation the placement option is selected randomly from all possible options for the rule.

11. CONCLUSIONS
We can distinguish the following main results. Permissions can be managed centrally. The implemented method helps to reduce the level of qualification required of the specialists dealing with access control. Access control rules formalize the security policy and operate in its terms (objects), not on addresses. Taking the given performance of the filters into account in the filter rule distribution method can reduce their required number and improve network performance. It becomes possible to monitor the calculated reachability for the calculated filter rules. The consistency of the designed rules is guaranteed, which improves overall network security. Minimizing the number of access rules improves the performance of the filters and of the network.

12. REFERENCES
[1] A. Wool, "A quantitative study of firewall configuration errors", IEEE Computer Society, 2004.
[2] Firewall Wizards security mailing list [electronic resource], http://honor.icsalabs.com/mailman/listinfo/firewall-wizards, free access.
[3] L. Yuan, J. Mai, Z. Su, H. Chen, C. Chuah, and P. Mohapatra, "FIREMAN: a toolkit for firewall modeling and analysis", in Proc. IEEE Symposium on Security and Privacy, pp. 199-213, 2006.
[4] R. Oliveira, S. Lee, H. Kim, "Automatic detection of firewall misconfigurations using firewall and network routing policies", Carnegie Mellon University, 2009.
[5] S. Hazelhurst, "Algorithms for Analysing Firewall and Router Access Lists", University of the Witwatersrand, 1999.
[6] E. S. Al-Shaer, H. H. Hamed, "Design and Implementation of Firewall Policy Advisor Tools", DePaul University, Chicago, 2002.
[7] A. Mayer, A. Wool, E. Ziskind, "Fang: A Firewall Analysis Engine", Bell Laboratories, Lucent Technologies, Murray Hill, New Jersey, 2000.
[8] E. S. Al-Shaer, H. H. Hamed, "Firewall Policy Advisor for anomaly discovery and rule editing", DePaul University, Chicago, 2003.