DocumentCode :
2306453
Title :
A flexible and feasible anomaly diagnosis system for Internet firewall rules
Author :
Chao, Chi-Shih
Author_Institution :
Dept. of Commun. Eng., Feng Chia Univ., Taichung, Taiwan
fYear :
2011
fDate :
21-23 Sept. 2011
Firstpage :
1
Lastpage :
8
Abstract :
The firewall is one of the premier devices of the current Internet: it protects an entire network against attacks and threats. When firewalls are configured, the rule configuration has to conform to (be consistent with) the demands of the network security policy, otherwise the network's security is flawed. Accordingly, firewall rule editing, ordering and distribution must be done very carefully on each of the cooperating firewalls, especially in a large-scale network equipped with many firewalls. Nevertheless, network operators are prone to misconfiguring firewalls, because a single firewall typically holds thousands or even hundreds of thousands of filtering/admission rules (the rules in its Access Control List, or ACL for short), and the mutual influence of rules across firewalls makes the matter worse. In this situation, network operators would hardly know about their misconfiguration until the network behaves unexpectedly. Our work is therefore to build a feasible diagnosis system for checking anomalies among firewall rules, which often cause inconsistency between the demands of the network security policy and the firewall rule configuration. The system collects the filtering/admission (ACL) rules from all of the firewalls (and from routers, if they are configured with ACLs) in the managed network and builds a Rule Anomaly Relation tree (RAR tree) from the collected rules. Using the RAR tree, we can not only diagnose intra-ACL rule anomalies more efficiently but also make the diagnosis of inter-ACL rule anomalies much easier and more flexible. In addition, to make the diagnosis results easier to understand, a systematic visualization approach is also developed; with its aid, the anomaly situation can be easily revealed and investigated.
Finally, our prototype system is shown, with discussion, at the end of this paper as a demonstration of the system's performance; as of now, part of our system design and implementation has also been applied to our campus network.
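As an added illustration (not code from the paper, and not its RAR-tree algorithm), the following Python script performs the intra-ACL part of the diagnosis the abstract describes: it walks every ordered pair of rules in one constructed ACL and classifies overlapping pairs as shadowing, redundancy, generalization or correlation, the standard rule-relation taxonomy from the firewall-policy literature, which the abstract does not spell out. The rule fields, rule names and sample ACL are constructed for the example; the redundancy check for a narrow rule followed by a wider rule of the same action also looks at the rules ordered between them, since an intervening rule of the opposite action can make the narrow rule necessary.

```python
"""Pairwise intra-ACL rule-anomaly check over a constructed ACL.

Added example; the classification follows the usual firewall-policy
relation taxonomy (shadowing, redundancy, generalization, correlation),
not the paper's RAR tree.
"""
import ipaddress
from dataclasses import dataclass

PROTO_ANY = frozenset({"tcp", "udp", "icmp"})   # assumed protocol universe


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str        # "tcp", "udp", "icmp" or "any"
    src: str          # CIDR block
    dst: str          # CIDR block
    dport: tuple      # (low, high) inclusive; (0, 65535) means any port
    action: str       # "accept" or "deny"

    def protos(self):
        return PROTO_ANY if self.proto == "any" else frozenset({self.proto})


def _set_rel(a, b):
    """Relation of set a to set b: eq, sub, sup, disjoint or overlap."""
    if a == b:
        return "eq"
    if a < b:
        return "sub"
    if a > b:
        return "sup"
    return "disjoint" if a.isdisjoint(b) else "overlap"


def _net_rel(a, b):
    a, b = ipaddress.ip_network(a), ipaddress.ip_network(b)
    if a == b:
        return "eq"
    if a.subnet_of(b):
        return "sub"
    if b.subnet_of(a):
        return "sup"
    return "disjoint"   # two CIDR blocks either nest or are disjoint


def _range_rel(a, b):
    (a0, a1), (b0, b1) = a, b
    if (a0, a1) == (b0, b1):
        return "eq"
    if a0 >= b0 and a1 <= b1:
        return "sub"
    if b0 >= a0 and b1 <= a1:
        return "sup"
    if a1 < b0 or b1 < a0:
        return "disjoint"
    return "overlap"


def field_relations(rx, ry):
    """Relation of each field of rx to the same field of ry."""
    return [_set_rel(rx.protos(), ry.protos()),
            _net_rel(rx.src, ry.src),
            _net_rel(rx.dst, ry.dst),
            _range_rel(rx.dport, ry.dport)]


def intersects(rx, ry):
    return "disjoint" not in field_relations(rx, ry)


def classify(rx, ry, between=()):
    """Anomaly between an earlier rule rx and a later rule ry, or None.

    `between` holds the rules ordered between rx and ry in the ACL.
    """
    rels = field_relations(rx, ry)
    if "disjoint" in rels:
        return None                       # the rules never match the same packet
    same = rx.action == ry.action
    if "overlap" in rels or {"sub", "sup"} <= set(rels):
        return None if same else "correlation"   # partial overlap, different action
    if all(r in ("eq", "sup") for r in rels):    # ry lies inside (or equals) rx
        return "redundancy" if same else "shadowing"
    # rx lies strictly inside the later, wider ry
    if not same:
        return "generalization"           # rx is an exception to ry: usually intended
    # rx is redundant to ry only if no intervening rule of the opposite action
    # would otherwise catch some of rx's traffic
    if any(z.action != rx.action and intersects(rx, z) for z in between):
        return None
    return "redundancy"


def diagnose(rules):
    """Return (kind, earlier_rule, later_rule) for every anomalous pair."""
    findings = []
    for i, rx in enumerate(rules):
        for j in range(i + 1, len(rules)):
            kind = classify(rx, rules[j], rules[i + 1:j])
            if kind:
                findings.append((kind, rx.name, rules[j].name))
    return findings


# Constructed sample ACL (rule names and addresses are made up for the example).
ACL = [
    Rule("r1", "tcp", "10.0.0.0/8",  "192.168.1.0/24", (80, 80),      "accept"),
    Rule("r2", "tcp", "10.1.0.0/16", "192.168.1.0/24", (80, 80),      "deny"),    # shadowed by r1
    Rule("r3", "tcp", "10.0.0.0/8",  "192.168.1.0/24", (80, 80),      "accept"),  # redundant to r1
    Rule("r4", "tcp", "10.2.0.0/16", "192.168.2.0/24", (22, 22),      "deny"),
    Rule("r5", "tcp", "10.0.0.0/8",  "192.168.2.0/24", (22, 22),      "accept"),  # generalizes r4
    Rule("r6", "udp", "10.3.0.0/16", "192.168.3.0/24", (1000, 2000),  "accept"),
    Rule("r7", "udp", "10.3.0.0/16", "192.168.3.0/24", (1500, 2500),  "deny"),    # correlated with r6
    Rule("r8", "any", "0.0.0.0/0",   "0.0.0.0/0",      (0, 65535),    "deny"),    # default deny
]

if __name__ == "__main__":
    for kind, a, b in diagnose(ACL):
        print(f"{kind:14s} {a} -> {b}")
```

Shadowing (r2 can never match because r1 already accepts its traffic) and redundancy (r3 repeats r1) are the findings an operator must act on; the "generalization" reports against the trailing default-deny rule r8 are the expected shape of a whitelist policy and would normally be filtered out of the report. Extending this to the inter-ACL case the abstract also covers means composing the ACLs along each path through the topology, which this example does not attempt.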
Keywords :
Internet; authorisation; computer network security; data visualisation; Internet firewall rules; access control list; anomaly diagnosis system; campus network; firewall rule distribution; firewall rule editing; firewall rule ordering; multifirewall equipped network; network security policies; rule anomaly relation tree; rule configuration; systematic visualization approach; Data visualization; Filtering; Fires; IP networks; Network topology; Security; Visualization; Rule anomalies among firewalls; defense in depth; local diagnosis reuse; rule anomaly relation tree;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Network Operations and Management Symposium (APNOMS), 2011 13th Asia-Pacific
Conference_Location :
Taipei
Print_ISBN :
978-1-4577-1668-3
Type :
conf
DOI :
10.1109/APNOMS.2011.6077012
Filename :
6077012
Link To Document :