International Journal of Research in Computer and Communication Technology, Vol 2, Issue 12, December 2013
ISSN (Online) 2278-5841, ISSN (Print) 2320-5156
www.ijrcct.org

Systematic Detection And Resolution Of Firewall Policy Anomalies


1. M. Madhuri, 2. KNVSSK Rajesh

Dept. of CSE, Kakinada Institute of Engineering & Technology, Korangi, Kakinada, E.G. Dt., AP, India.

Abstract:

In this paper the problem of discovering the set of troublesome rules in a large firewall policy is investigated, and consequently eliminating or resolving them, so that all the rules in the policy are consistent and can be reordered to make them effectively and optimally functional. In the existing approach, anomalies in a firewall policy can only be detected, and the conflict detection time also increases. Based on a risk value, conflicting rules can be effectively resolved.

Keywords: Anomaly, FIREMAN, Firewall, Firewall policy, Segmentation.

1. INTRODUCTION:

Network security is essential to the development of the Internet and has attracted much attention in the research and industrial communities. With the increase of network attack threats, firewalls are considered effective network barriers and have become important elements not only in enterprise networks but also in small-size and home networks. A firewall is a program or a hardware device that protects a network or a computer system by filtering out unwanted network traffic. The filtering decision is based on a set of ordered filtering rules written according to predefined security policy requirements. Firewalls can be deployed to secure one network from another. It is crucial to have policy management techniques and tools that users can use to examine, refine and verify the correctness of written firewall filtering rules, in order to increase the effectiveness of firewall security. It is true that humans are well adapted to capturing the essence and patterns of data when it is presented in a visually appealing way.

The amount of data that can be processed and analyzed has never been greater, and continues to grow rapidly. As the number of filtering rules increases and the policy becomes much more complex, firewall policy visualization becomes an indispensable solution for policy management. Firewall policy visualization helps users understand their policies easily and grasp complicated rule patterns and behaviors efficiently.

2. EXISTING SYSTEM:

The firewall is the de facto core technology of today's network security and defense. However, the management of firewall rules has been shown to be complex, error-prone, costly and inefficient for many large networked organizations. These firewall rules are mostly custom-designed and hand-written, and are in constant need of tuning and validation due to the dynamic nature of traffic characteristics, the ever-changing network environment and market demands. Firewalls are the most widely deployed security mechanism for ensuring the security of private networks in most businesses and institutions. Unfortunately, designing and managing firewall policies is often error-prone due to the complex nature of firewall configurations as well as the lack of systematic analysis mechanisms and tools. Therefore, effective mechanisms and tools for policy management are crucial to the success of firewalls.

Existing policy analysis tools, such as Firewall Policy Advisor [4] and FIREMAN [3], have been introduced with the goal of detecting policy anomalies. Firewall Policy Advisor only has the capability of detecting pairwise anomalies in firewall rules. FIREMAN can detect anomalies among multiple rules by analyzing the relationships between one rule and the collection of packet spaces derived from all preceding rules. However, FIREMAN also has limitations in detecting anomalies. For each firewall rule, FIREMAN only examines all preceding rules but ignores all subsequent rules when performing anomaly analysis. In addition, each analysis result from FIREMAN can only show that there is a misconfiguration between one rule and its preceding rules, but cannot accurately indicate all rules involved in an anomaly [3].


DISADVANTAGES OF EXISTING SYSTEM:

a) FIREMAN can detect anomalies among multiple rules by analyzing the relationships between one rule and the collection of packet spaces derived from all preceding rules.
b) For each firewall rule, FIREMAN only examines all preceding rules but ignores all subsequent rules when performing anomaly analysis.

3. PROPOSED SYSTEM:

Existing tools can only detect firewall policy anomalies and cannot resolve them, and the policy conflict detection time also increases. We propose a novel anomaly management framework for firewalls based on a rule-based segmentation technique, to facilitate not only more accurate anomaly detection but also effective anomaly resolution. A Policy Anomaly Discovery algorithm takes a policy and uses a dependency data structure to find and eliminate anomalies, returning a list of validated policy rules. The algorithm has time complexity O(n² log n) and is efficient in the detection of anomalies; 92 percent of conflicts can be resolved. The proposed system resolves conflicts in each conflict correlation group independently.

ADVANTAGES OF PROPOSED SYSTEM:

a) In our framework for conflict detection and resolution, conflicting segments are identified in the first step.
b) Each conflicting segment is associated with a policy conflict and a set of conflicting rules.
c) Also, the correlation relationships among conflicting segments are identified and conflict correlation groups are derived.
d) Policy conflicts belonging to different conflict correlation groups can be resolved separately, so the search space for resolving conflicts is reduced by the correlation process.

4. FIREWALL POLICIES AND ANOMALIES:

A firewall policy rule is defined as a set of criteria and an action to perform when a packet matches the criteria. The criteria of a rule consist of the elements direction, protocol, source IP, source port, destination IP and destination port. Therefore a complete rule may be defined by the ordered tuple <direction, protocol, source IP, source port, destination IP, destination port, action>. Each attribute can be defined as a range of values, which can be represented and analyzed as sets. A firewall policy anomaly is defined as the existence of two or more filtering rules that may match the same packet. To date, five types of anomalies have been identified: Shadowing Anomalies, Correlation Anomalies, Generalization Anomalies, Redundancy Anomalies, and Irrelevance Anomalies.

4.1 Shadowing anomaly:

Two rules are said to have a shadowing anomaly whenever the rule which comes first in the rule set matches all the packets that the second rule, positioned after it in the rule set, would match, so the second rule never gets a chance to match any packet. It is a very critical problem, since the later rule will never be activated. Hence traffic that should be blocked may be allowed, or traffic that should be permitted may be blocked.

4.2 Correlation anomaly:

Two rules are said to have a correlation anomaly if both of them match some common packets, that is, the first rule matches some packets which are also matched by the second rule. The problem here is that the actions performed by the two rules are different. Hence, in order to obtain the proper action, such correlated rules must be detected and the proper action to be performed must be specified.

4.3 Generalization anomaly:

Of two rules in order, one is said to be a generalization of the other if the second rule matches all the packets that can also be matched by the first rule, but the action performed by the two rules is different. In this case, if the order is reversed then the resulting action will also change. The rule which comes later in the rule list is shadowed by the previous rule and has no effect on incoming packets. The superset rule is called the General rule and the subset rule is called the Specific rule.

4.4 Redundancy anomaly:

Two rules are said to be redundant if both of them match the same packets and the action performed is also the same. So there is no effect on the firewall policy if one of the redundant rules is removed from the rule set. It is very necessary to search for and remove redundant rules from the rule set, because they increase the search time and the space required to store the rule set, and thus decrease the efficiency of the firewall. The firewall administrator should detect and remove such redundant rules to increase the performance of the firewall.

4.5 Irrelevance anomaly:

A rule is said to be irrelevant if, for a given time interval, it does not match any of the packets, either incoming or outgoing. Thus if no packets of any type match a rule then it is irrelevant, i.e. there is no need to keep that rule in the rule set.
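As an added example (not code from the paper), the pairwise anomaly classification described in sections 4.1 to 4.4 can be implemented by comparing each pair of rules field by field, following the rule relations of Al-Shaer and Hamed [1]; the Rule class, field names and the sample policy are constructed for this example, and irrelevance (4.5) is left out because it needs traffic data rather than the policy alone.

```python
from dataclasses import dataclass
Range = tuple[int, int]  # inclusive integer range; IPs and ports are modelled as ints

@dataclass
class Rule:
    name: str
    fields: dict[str, Range]  # e.g. {"proto": (6, 6), "dst_port": (80, 80)}
    action: str               # "allow" or "deny"

def field_relation(a: Range, b: Range) -> str:  # how range a relates to range b
    if a[1] < b[0] or b[1] < a[0]:
        return "disjoint"
    if a == b:
        return "equal"
    if b[0] <= a[0] and a[1] <= b[1]:
        return "subset"
    if a[0] <= b[0] and b[1] <= a[1]:
        return "superset"
    return "partial"

def rule_relation(rx: Rule, ry: Rule) -> str:  # how ry's packet space relates to rx's
    rels = {field_relation(ry.fields[f], rx.fields[f]) for f in rx.fields}
    if "disjoint" in rels:
        return "disjoint"
    if rels <= {"equal"}:
        return "equal"
    if rels <= {"equal", "subset"}:
        return "subset"    # rx matches every packet that ry matches
    if rels <= {"equal", "superset"}:
        return "superset"  # ry matches every packet that rx matches, and more
    return "correlated"    # the spaces intersect but neither contains the other

def classify_pair(rx: Rule, ry: Rule) -> str:  # anomaly between rx and the later rule ry
    rel, same = rule_relation(rx, ry), rx.action == ry.action
    if rel == "disjoint":
        return "none"
    if rel in ("subset", "equal"):  # ry never fires: shadowed, or redundant if actions agree
        return "redundancy" if same else "shadowing"
    if rel == "superset":
        return "redundancy" if same else "generalization"
    return "none" if same else "correlation"

def find_anomalies(policy: list[Rule]) -> list[tuple[str, str, str]]:
    # every anomalous (earlier rule, later rule, kind) pair, in policy order
    return [(rx.name, ry.name, classify_pair(rx, ry))
            for i, rx in enumerate(policy) for ry in policy[i + 1:]
            if classify_pair(rx, ry) != "none"]
ANY = (0, 2**32 - 1)  # constructed sample policy; src is an IPv4 address as an integer
POLICY = [
    Rule("R1", {"proto": (6, 6), "src": (167772160, 167772415), "dst_port": (80, 80)}, "deny"),
    Rule("R2", {"proto": (6, 6), "src": (167772170, 167772170), "dst_port": (80, 80)}, "allow"),
    Rule("R3", {"proto": (6, 6), "src": ANY, "dst_port": (80, 80)}, "allow"),
    Rule("R4", {"proto": (6, 6), "src": (167772300, 167772600), "dst_port": (1, 1024)}, "allow"),
]
```

Running find_anomalies(POLICY) reports R2 shadowed by R1, R3 as a generalization of R1, R4 correlated with R1, and R3 redundant with R2.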

5. POLICY ANOMALY DISCOVERY:

In order to precisely identify policy anomalies we adopt a rule-based segmentation technique [1]. Based on this technique, the network packet space defined by a firewall policy can be divided into a set of disjoint packet space segments. Each segment is associated with a unique set of firewall rules and accurately indicates an overlap relation among those rules. To enable effective anomaly resolution, complete and accurate anomaly diagnosis information should be represented in an intuitive way. Algorithm 1 [1], given below, generates the segments of the network packet space for a set of rules R.
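As an added example, not the paper's Algorithm 1 or its authors' code, the following Python partitions a two-field packet space into disjoint segments keyed by the exact set of matching rules, labels each segment as non-overlapping, overlapping or conflicting, and merges conflicting segments that share a rule into the conflict correlation groups of section 3; the rule and field names and the sample policy are constructed for this example.

```python
from itertools import product

# A rule is (name, {field: (lo, hi)}, action) with inclusive integer ranges; all rules
# share the same fields. Constructed sample policy; src is an IPv4 address as an integer.
POLICY = [
    ("R1", {"src": (167772160, 167772415), "dst_port": (80, 80)}, "deny"),
    ("R2", {"src": (167772170, 167772170), "dst_port": (80, 80)}, "allow"),
    ("R3", {"src": (167772160, 167772415), "dst_port": (22, 22)}, "allow"),
    ("R4", {"src": (167772400, 167772600), "dst_port": (1, 1024)}, "allow"),
    ("R5", {"src": (167772700, 167772800), "dst_port": (443, 443)}, "deny"),
    ("R6", {"src": (167772750, 167772750), "dst_port": (443, 443)}, "allow"),
]

def elementary_intervals(ranges):
    """Cut an axis at every range boundary, so each piece lies wholly inside or outside every range."""
    cuts = sorted({b for lo, hi in ranges for b in (lo, hi + 1)})
    return [(cuts[i], cuts[i + 1] - 1) for i in range(len(cuts) - 1)]

def segment(policy):
    """Disjoint packet-space segments, keyed by the exact set of rules that match the segment."""
    fields = list(policy[0][1])
    axes = [elementary_intervals([crit[f] for _, crit, _ in policy]) for f in fields]
    segments = {}  # frozenset of rule names -> list of cells (one range per field)
    for cell in product(*axes):
        matching = frozenset(name for name, crit, _ in policy if all(
            crit[f][0] <= c[0] and c[1] <= crit[f][1] for f, c in zip(fields, cell)))
        if matching:  # cells matched by no rule are not segments of the policy
            segments.setdefault(matching, []).append(cell)
    return segments

def classify_segments(policy, segments):
    """Label each segment: one rule, several rules with one action, or a conflict."""
    actions = {name: action for name, _, action in policy}
    def kind(rules):
        if len(rules) == 1:
            return "non-overlapping"
        return "overlapping" if len({actions[r] for r in rules}) == 1 else "conflicting"
    return {rules: kind(rules) for rules in segments}

def correlation_groups(conflicting):
    """Merge conflicting segments that share a rule into conflict correlation groups."""
    groups = []
    for seg in conflicting:
        merged, rest = set(seg), []
        for g in groups:
            if g & merged:
                merged |= g
            else:
                rest.append(g)
        groups = rest + [frozenset(merged)]
    return groups
```

On the sample policy the two conflict correlation groups, {R1, R2, R4} and {R5, R6}, share no rule, so each can be resolved on its own.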

5.1 ANOMALY MANAGEMENT FRAMEWORK:

The overall flow of our proposed anomaly management is depicted in Figs. 2 and 3.

Fig. 1 Administrator aspect in proposed system.


Fig. 2 End user aspect in proposed system.

The proposed system divides the task of detecting and resolving firewall policy conflicts and performing firewall log analysis into a framework whose modules are enumerated as follows:

1. Rule Generation:

The administrator generates a rule by giving a rule name and the various fields. Here we calculate the threshold value. Depending upon the threshold value, the action may be allow or deny.

2. Conflicted Rule Updating:

There are various types of firewall policy anomalies. If any conflicting rule occurs, it is automatically updated. The conflicts can be resolved by the conflict resolution mechanism depending upon the value obtained in the risk assessment, as shown in Fig. 3. Once we identify the conflicts in a firewall policy, risk assessment of the conflicts is performed on the firewall policy. When the risk assessment value is maximum, the intended action should deny or block the data packets, in consideration of the security of the network perimeter. In contrast, when the risk assessment value is minimum, the intended action should permit the data to flow through the firewall.

3. File Transformation:

The file to be transferred is chosen. Afterwards, the file is first encrypted and sent to the rule engine. During the transfer only the encrypted file is selected for broadcasting the data. The file should be encrypted according to one of the firewall policies, and then it is selected for the transfer process.

Fig. 3 Firewall log analysis design.

5.3 Experimental Results:

This anomaly management framework provides a user-friendly tool for purifying and protecting the firewall policy from anomalies. The administrator can use this framework for firewall policy generation, and it was able to detect and resolve anomalies in rules written by expert network administrators. The end user can transfer files based on the risk value using the firewall rules. This framework can perform firewall log analysis, which can be used to add more security to frequent logs. Our proposed framework resolves policy conflicts for firewalls in a short duration of time and proves to be useful for deployment in firewall technology.

We evaluate the conflict resolution rate of our strategy-based approach, which is reflected by the number of resolved conflicts (i.e., satisfied action constraints). We compared the results of applying our strategy-based approach with the results of directly applying the existing first-match mechanism for conflict resolution. As shown in Fig. 6, we observed that directly applying the existing first-match mechanism can only solve an average of 63 percent of conflicts. Moreover, for some small-scale policies, we noticed that FAME was capable of resolving all policy conflicts.

4. Rule Engine:

The conflict resolution strategy obtains the ideal solution only when all the action constraints for each conflicting segment are fulfilled by reordering the anomalous rules. In conflict resolution, a reordering of the conflicting rules which meets the expectations of all action constraints is the best resolution.

[Fig. 4 plot: series Performance and Usage, y-axis 0 to 2.5]

5. Firewall Log Analysis:

This module generates a set of primitive rules with repeated and rare outcomes. It is used to add more security to frequent logs. The design of the firewall log analysis is shown in Fig. 3.


Fig. 4. Network Firewall Performance.


[Fig. 5 plot: series FAME and Traditional, y-axis 0 to 6]

Fig. 5. Evaluation of redundancy removal.


From Fig. 5, we observed that FAME could identify an average of 6.5 percent of all rules as redundant. However, the traditional redundancy analysis approach could only detect an average of 3.8 percent of the total rules as redundant. Therefore, the improvement in redundancy elimination achieved by our redundancy analysis approach compared to the traditional approach was clearly observed in our experiments.

CONCLUSION:

We have presented a novel anomaly management framework that facilitates systematic detection and resolution of firewall policy anomalies with low time complexity. Just having a firewall on the boundary of a network does not necessarily make the network secure. One reason for this is the complexity of managing firewall rules and the potential network vulnerability due to rule conflicts. Our proposed anomaly management framework facilitates systematic detection and resolution of firewall policy anomalies as well as firewall log analysis. In future we will extend our anomaly analysis approach to handle distributed firewalls.

6. FUTURE WORK:

Future work includes extending our anomaly analysis approach to handle distributed firewalls.

7. REFERENCES:

[1] E. Al-Shaer and H. Hamed, "Discovery of Policy Anomalies in Distributed Firewalls," Proc. IEEE INFOCOM '04, vol. 4, pp. 2605-2616, 2004.
[2] A. Wool, "Trends in Firewall Configuration Errors: Measuring the Holes in Swiss Cheese," IEEE Internet Computing, vol. 14, no. 4, pp. 58-65, July/Aug. 2010.
[3] J. Alfaro, N. Boulahia-Cuppens, and F. Cuppens, "Complete Analysis of Configuration Rules to Guarantee Reliable Network Security Policies," Int'l J. Information Security, vol. 7, no. 2, pp. 103-122, 2008.
[4] F. Baboescu and G. Varghese, "Fast and Scalable Conflict Detection for Packet Classifiers," Computer Networks, vol. 42, no. 6, pp. 717-735, 2003.
[5] L. Yuan, H. Chen, J. Mai, C. Chuah, Z. Su, P. Mohapatra, and C. Davis, "Fireman: A Toolkit for Firewall Modeling and Analysis," Proc. IEEE Symp. Security and Privacy, p. 15, 2006.
[6] E. Lupu and M. Sloman, "Conflicts in Policy-Based Distributed Systems Management," IEEE Trans. Software Eng., vol. 25, no. 6, pp. 852-869, Nov./Dec. 1999.
[7] I. Herman, G. Melancon, and M. Marshall, "Graph Visualization and Navigation in Information Visualization: A Survey," IEEE Trans. Visualization and Computer Graphics, vol. 6, no. 1, pp. 24-43, Jan.-Mar. 2000.
[8] H. Hu, G. Ahn, and K. Kulkarni, "Anomaly Discovery and Resolution in Web Access Control Policies," Proc. 16th ACM Symp. Access Control Models and Technologies, pp. 165-174, 2011.
[9] L. Yuan, C. Chuah, and P. Mohapatra, "ProgME: Towards Programmable Network Measurement," ACM SIGCOMM Computer Comm. Rev., vol. 37, no. 4, p. 108, 2007.
[10] A. El-Atawy, K. Ibrahim, H. Hamed, and E. Al-Shaer, "Policy Segmentation for Intelligent Firewall Testing," Proc. First Workshop Secure Network Protocols (NPSec 05), 2005.
[11] G. Misherghi, L. Yuan, Z. Su, C.-N. Chuah, and H. Chen, "A General Framework for Benchmarking Firewall Optimization Techniques," IEEE Trans. Network and Service Management, vol. 5, no. 4, pp. 227-238, Dec. 2008.
[12] M. Frigault, L. Wang, A. Singhal, and S. Jajodia, "Measuring Network Security Using Dynamic Bayesian Network," Proc. Fourth ACM Workshop Quality of Protection, 2008.


Mrs. Madhuri Mandavilli is a student of Kakinada Institute of Engineering & Technology, Korangi. Presently she is pursuing her M.Tech [Computer Science Engineering] at this college, and she received her B.Tech from KIET College, affiliated to JNTUK University, Kakinada, in the year 2009. Her areas of interest include Computer Networks, Object Oriented Programming languages, and all current trends and techniques in Computer Science.


Mr. KNVSSK Rajesh, a well-known and excellent teacher, received his M.Tech (CSE) from JNTUK, Kakinada. He has 4 years of teaching experience in an Engineering College and 1 year of experience as a corporate trainer. He is currently working as Asst. Professor in KIET. His areas of interest include data mining, information security and embedded systems.
