Tuesday, March 2, 2021

Crosscheck Firewall logs and Firewall configs

I was wondering what kinds of firewall config anomalies I can detect by crosschecking these two datasets.

From a paper I got the following six:

1) Shadowing anomaly: A rule is shadowed when a previous rule matches all the packets that match this rule, such that the shadowed rule will never be activated.

2) Correlation anomaly: Two rules are correlated if they have different filtering actions and the first rule matches some packets that match the second rule and the second rule matches some packets that match the first rule.

3) Generalization anomaly: A rule is a generalization of a preceding rule if they have different actions, and if the first rule can match all the packets that match the second rule.

4) Redundancy anomaly: A redundant rule performs the same action on the same packets as another rule, such that if the redundant rule is removed, the security policy will not be affected.

In addition, our log-based mining approach can discover the following non-systematic misconfiguration anomalies.
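The four rule-to-rule anomalies above (1 to 4) can be checked against the config alone, without any log data: for every ordered pair of rules, compare each header field, classify the pair as equal, subset, superset, partial overlap or disjoint, and map the combination of field relations plus the two actions onto the anomaly names. The following is an added example written for this post, not code from the paper or from any firewall vendor. It assumes a simplified rule model (protocol, source CIDR, destination CIDR, destination port range, action) in evaluation order; the rule names and the sample rule set are constructed.

```python
"""Pairwise rule anomaly classifier for a simplified firewall rule model.

Added example for this post, not code from the cited paper. The rule format,
names and the SAMPLE_RULES set are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from itertools import combinations

EQ, SUB, SUP, OVL, DIS = "eq", "sub", "sup", "overlap", "disjoint"


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str      # "tcp", "udp" or "any"
    src: str        # source CIDR
    dst: str        # destination CIDR
    dport: tuple    # (low, high), inclusive destination port range
    action: str     # "allow" or "deny"


def rel_proto(a, b):
    if a == b:
        return EQ
    if a == "any":
        return SUP
    if b == "any":
        return SUB
    return DIS


def rel_net(a, b):
    na, nb = ip_network(a), ip_network(b)
    if na == nb:
        return EQ
    if nb.subnet_of(na):
        return SUP
    if na.subnet_of(nb):
        return SUB
    return DIS  # two CIDR blocks are either nested or disjoint, never partially overlapping


def rel_range(a, b):
    (al, ah), (bl, bh) = a, b
    if (al, ah) == (bl, bh):
        return EQ
    if al <= bl and bh <= ah:
        return SUP
    if bl <= al and ah <= bh:
        return SUB
    if ah < bl or bh < al:
        return DIS
    return OVL  # port ranges can genuinely straddle each other


def relations(x, y):
    """Per-field relation of rule x to rule y: SUP means x's field contains y's."""
    return [rel_proto(x.proto, y.proto), rel_net(x.src, y.src),
            rel_net(x.dst, y.dst), rel_range(x.dport, y.dport)]


def intersects(x, y):
    return DIS not in relations(x, y)


def classify(rules, i, j):
    """Anomaly name for the pair (rules[i], rules[j]) with i < j, or None."""
    x, y = rules[i], rules[j]          # x is evaluated before y
    rels = relations(x, y)
    if DIS in rels:
        return None                    # no packet matches both rules
    same = x.action == y.action
    if all(r in (EQ, SUP) for r in rels):
        # y is a subset of x: y can never fire
        return "redundancy" if same else "shadowing"
    if all(r in (EQ, SUB) for r in rels):
        # x is a subset of the later, broader rule y
        if not same:
            return "generalization"
        # x is only redundant to y if no rule between them with a different
        # action would catch x's packets once x is removed
        if any(z.action != x.action and intersects(x, z) for z in rules[i + 1:j]):
            return None
        return "redundancy"
    # mixed subset/superset/overlap fields: the rules partially overlap
    return None if same else "correlation"


def find_anomalies(rules):
    return [(rules[i].name, rules[j].name, kind)
            for i, j in combinations(range(len(rules)), 2)
            if (kind := classify(rules, i, j))]


# Constructed sample policy, in evaluation order.
SAMPLE_RULES = [
    Rule("R1", "tcp", "10.0.0.0/8",    "192.168.1.10/32", (80, 80),   "allow"),
    Rule("R2", "tcp", "10.1.0.0/16",   "192.168.1.10/32", (80, 80),   "deny"),   # shadowed by R1
    Rule("R3", "tcp", "0.0.0.0/0",     "192.168.1.10/32", (80, 80),   "deny"),   # generalization of R1
    Rule("R4", "tcp", "10.0.0.0/8",    "192.168.1.10/32", (443, 443), "allow"),
    Rule("R5", "tcp", "10.2.0.0/16",   "192.168.1.10/32", (440, 445), "deny"),   # correlated with R4
    Rule("R6", "udp", "10.0.0.0/8",    "192.168.1.10/32", (53, 53),   "allow"),  # disjoint from all
]

if __name__ == "__main__":
    for first, second, kind in find_anomalies(SAMPLE_RULES):
        print(f"{kind:15s} {first} -> {second}")
```

Two caveats when running this against a real config: production rules carry more match fields (interface or zone, source port, negation, address and service groups, time windows), each of which needs its own relation function, and since CIDR blocks never partially overlap, correlation in this model can only arise through port ranges; with address ranges or groups it arises through addresses as well.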

5) Blocking existing service anomaly: A common misconfiguration case is blocking legitimate traffic from a trusted network to an “existing” service. This, for example, might happen as a result of misconfiguring the port number or deleting by mistake the exception rule that allows the traffic from the trusted network. This type of anomaly can be simply detected when mining the log file, as the analyst would know that traffic from a trusted network is being denied access to an existing (legitimate) service/port.

6) Allowing traffic to non-existing services anomaly: Another case of misconfiguration is to permit traffic destined to a non-existing service. For example, the administrator configures rules to pass traffic at port 79; however, there is no “finger” service available on port 79. In that case this passed traffic on port 79 will be useless, and one option is to block traffic on port 79. This anomaly can be detected after mining log files of both the firewall and the remote hosts.
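Anomalies 5 and 6 are the ones that actually need the second dataset: the firewall log tells you what was denied or allowed, and a service inventory from the hosts (what is really listening, per host, protocol and port) tells you whether the destination exists. Joining the two gives a work queue of "trusted source denied to an existing service" and "allowed traffic to a port nobody listens on". The following is an added example for this post, not code from the paper or from any product. The key=value log format, the trusted network, and the inventory are all constructed; real firewall logs would need their own parser in place of the regular expression.

```python
"""Crosscheck firewall log entries against a trusted-network list and a
service inventory to surface anomalies 5 and 6.

Added example for this post. SAMPLE_LOG, TRUSTED_NETS and SERVICE_INVENTORY
are constructed inputs, not real data.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed key=value style log lines (not a real vendor format).
SAMPLE_LOG = """\
2021-03-02T10:00:01 action=DENY  proto=tcp src=10.1.2.3     dst=192.168.1.10 dport=443
2021-03-02T10:00:02 action=DENY  proto=tcp src=10.1.2.3     dst=192.168.1.10 dport=443
2021-03-02T10:00:03 action=ALLOW proto=tcp src=10.1.2.4     dst=192.168.1.10 dport=80
2021-03-02T10:00:04 action=ALLOW proto=tcp src=203.0.113.9  dst=192.168.1.10 dport=79
2021-03-02T10:00:05 action=DENY  proto=tcp src=203.0.113.9  dst=192.168.1.10 dport=443
2021-03-02T10:00:06 action=ALLOW proto=udp src=10.1.2.5     dst=192.168.1.20 dport=53
"""

# Constructed: networks whose traffic to internal services is expected to be allowed.
TRUSTED_NETS = [ip_network("10.0.0.0/8")]

# Constructed service inventory: (host, proto, port) actually listening,
# as you would collect from ss/netstat on the hosts or an authenticated scan.
SERVICE_INVENTORY = {
    ("192.168.1.10", "tcp", 80),
    ("192.168.1.10", "tcp", 443),
    ("192.168.1.20", "udp", 53),
}

LINE_RE = re.compile(
    r"action=(?P<action>\w+)\s+proto=(?P<proto>\w+)\s+src=(?P<src>[\d.]+)"
    r"\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)"
)


def parse_log(text):
    """Yield dicts for every line the regex understands; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            entry = m.groupdict()
            entry["dport"] = int(entry["dport"])
            yield entry


def is_trusted(src, trusted_nets):
    addr = ip_address(src)
    return any(addr in net for net in trusted_nets)


def crosscheck(log_text, inventory, trusted_nets):
    """Return two Counters:
    blocked_existing   -> (src, dst, proto, dport): hits   (anomaly 5)
    allowed_nonexistent -> (dst, proto, dport): hits        (anomaly 6)
    """
    blocked_existing = Counter()
    allowed_nonexistent = Counter()
    for e in parse_log(log_text):
        svc = (e["dst"], e["proto"], e["dport"])
        if e["action"] == "DENY" and svc in inventory and is_trusted(e["src"], trusted_nets):
            blocked_existing[(e["src"], *svc)] += 1
        elif e["action"] == "ALLOW" and svc not in inventory:
            allowed_nonexistent[svc] += 1
    return blocked_existing, allowed_nonexistent


if __name__ == "__main__":
    blocked, nonexistent = crosscheck(SAMPLE_LOG, SERVICE_INVENTORY, TRUSTED_NETS)
    for (src, dst, proto, port), n in blocked.items():
        print(f"anomaly 5: {src} denied {n}x to existing service {proto}/{port} on {dst}")
    for (dst, proto, port), n in nonexistent.items():
        print(f"anomaly 6: {n}x allowed to {proto}/{port} on {dst}, but nothing listens there")
```

Two things to keep in mind when reading the output. The denied-but-untrusted case (203.0.113.9 to 443 above) is deliberately not flagged, because denying untrusted sources is the policy working as intended; and a denied trusted source can still be correct if that network was never meant to reach the service, so each hit is a question for the rule owner, not a verdict. For anomaly 6 the log only shows what was attempted, so the result is only as good as the inventory's freshness, which is why the paper needs the remote hosts' data as well as the firewall's.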

My question: are there any config anomalies besides these six?


