Publication


Featured research published by Yuichiro Tateiwa.


International Parallel and Distributed Processing Symposium | 2009

A topological approach to detect conflicts in firewall policies

Subana Thanasegaran; Yi Yin; Yuichiro Tateiwa; Yoshiaki Katayama; Naohisa Takahashi

Packet filtering provides an initial layer of security based upon a set of ordered filters called firewall policies. It examines the network packets and decides whether to accept or deny them. But when a packet matches two or more filters, conflicts arise. Due to the conflicts, some filters are never executed and some filters are only occasionally executed. This may result in unintended traffic, and detecting conflicts is a tedious job for the administrator. Detection of conflicts through a geometrical approach provides a systematic and powerful error classification, but as the filters and key fields of the header increase, it demands high memory and computation time. To solve this problem, we propose a topological approach called BISCAL (Bit-vector based spatial calculus) to detect the conflicts in the firewall policies. Because our approach preserves only the topology of the filters, it can reduce memory usage and computation time to a great extent.


Computer and Information Technology | 2010

Simultaneous Analysis of Time and Space for Conflict Detection in Time-Based Firewall Policies

Subana Thanasegaran; Yuichiro Tateiwa; Yoshiaki Katayama; Naohisa Takahashi

Firewalls are one of the most deployed mechanisms to protect the network from unauthorized access and security threats. However, maintenance of firewall policy is an error-prone and complicated task in a dynamic network environment. A conflict is a misconfiguration that happens when a packet matches two or more filters, resulting in shadowing and redundancy of the filters. Network administrators reconfigure the filters to minimize the effect of conflicts, as the filters do not reflect what was intended. Nowadays, time-based filters are used in Cisco firewalls and Linux iptables to control network traffic in time. A conflict occurs when a packet matches two or more time-based filters that are active at the same time. Detection of conflicts in time-based filters is necessary, because the existing conflict detection techniques become ineffective, as analysis of filters in time is not considered. This problem has not been addressed in research regardless of its significance. To resolve it, in this paper, we propose an n+1 dimensional approach (n refers to the number of key fields in a packet header) to detect conflicts by analyzing time and space simultaneously. We compute characterization vectors to detect the conflicting filters, which discard the non-conflicting filters in the initial stage of computation and remove the unnecessary steps. Further, we implemented a prototype system and conducted experiments on time-based filters with and without considering time. We found that approximately 50% of conflicting filters become non-conflicting when time is considered. Hence, our conflict detection system for time-based filters reduces the workload of the administrator, as the number of filters for reconfiguration is considerably reduced.


Int'l J. of Communications, Network and System Sciences | 2011

A Topology-Based Conflict Detection System for Firewall Policies Using Bit-Vector-Based Spatial Calculus

Subana Thanasegaran; Yi Yin; Yuichiro Tateiwa; Yoshiaki Katayama; Naohisa Takahashi

Firewalls use packet filtering to either accept or deny packets on the basis of a set of predefined rules called filters. The firewall forms the initial layer of defense and protects the network from unauthorized access. However, maintaining firewall policies is always an error-prone task, because the policies are highly complex. A conflict is a misconfiguration that occurs when a packet matches two or more filters. The occurrence of conflicts in a firewall policy makes the filters either redundant or shadowed, and as a result, the network does not reflect the actual configuration of the firewall policy. Hence, it is necessary to detect conflicts to keep the filters meaningful. Even though geometry-based conflict detection provides an exhaustive method for error classification, when the number of filters and headers increases, the demands on memory and computation time increase. To solve these two issues, we make two main contributions. First, we propose a topology-based conflict detection system that computes the topological relationship of the filters to detect the conflicts. Second, we propose a systematic implementation method called BISCAL (a bit-vector-based spatial calculus) to implement the proposed system and remove irrelevant data from the conflict detection computation. We perform a mathematical analysis as well as experimental evaluations and find that the amount of data needed for topology is only one-fourth of that needed for geometry.


KES IIMSS | 2009

Multiuser Network Administration Training in LiNeS: Connection Function between Virtual Networks

Yuichiro Tateiwa; Takami Yasuda

Fostering network administrators for networks including Linux servers is essential. We developed a system to provide a Linux network administration training environment by exploiting User-mode Linux virtual machine software and called it the Linux Network Simulator (LiNeS). LiNeS works on a Linux PC and provides virtual networks consisting of virtual Linux servers, routers, switching hubs, and clients. LiNeS is designed to provide training environments where students administer virtual networks alone. However, the virtual networks in each student's PC are isolated, meaning they cannot communicate with each other. This study developed a function with which students practice Linux network administration tasks while taking into account networks administered by other students. In this paper, we describe how to interconnect each isolated network and discuss performance based on preliminary evaluation experiences.


Archive | 2010

Remotely Accessible Exercise Environment for Intrusion Detection/Defense Exercises Based on Virtual Machine Networks

Yuichiro Tateiwa; Shoko Tatematsu; Tomohiro Iwasaki; Takami Yasuda

Network security exercises carried out in laboratories have limitations of time and place. Students cannot exercise during their free time and outside the campus. Furthermore, teaching attack skills to students raises the issue of maintaining ethical standards. We have developed LiNeS (Linux Network Simulator) that generates networks for network administration exercises by using virtual machines; such a network is called a virtual machine network. In this study, we realize a virtual machine network in which attacks are generated automatically in a remotely accessible exercise environment by using LiNeS. Our system can resolve the abovementioned problems because students can completely focus on intrusion detection/defense via PCs connected to the Internet.


International Journal of Knowledge and Web Intelligence | 2010

Evaluation of network construction exercise system LiNeS on the basis of heterogeneous and distributed virtual machine network composition function

Yuichiro Tateiwa; Tomohiro Iwasaki; Takami Yasuda; Naohisa Takahashi

We have developed a system called LiNeS to facilitate exercises with virtual machines in the existing computer laboratories of universities. We achieved this by establishing a method for constructing a virtual network consisting of heterogeneous virtual machines, and another method for constructing overlay networks consisting of virtual networks on each PC; in addition, we developed several functions for supporting exercises. In this study, we evaluated LiNeS in experiments that students performed with actual machines and with LiNeS, with the help and supervision of assistants.


International Conference on Formal Engineering Methods | 2017

Inconsistency Analysis of Time-Based Security Policy and Firewall Policy

Yi Yin; Yuichiro Tateiwa; Yun Wang; Yoshiaki Katayama; Naohisa Takahashi

Packet filtering in a firewall either accepts or denies packets based upon a set of predefined rules called a firewall policy. In recent years, time-based firewall policies have been widely used in many firewalls such as Cisco ACLs. A firewall policy is always designed under the instruction of a security policy, which is a generic document that outlines the needs for network access permissions. It is difficult to maintain the consistency of a normal firewall policy and security policy, not to mention a time-based firewall policy and security policy. Even though there are many analysis methods for security policy and firewall policy, they cannot deal with time constraints. To resolve this problem, we first represent the time-based security policy and firewall policy as logical formulas, and then use the satisfiability modulo theories (SMT) solver Z3 to verify them and analyze inconsistency. We have implemented a prototype system to verify our proposed method; experimental results showed its effectiveness.


International Conference on Cloud Computing | 2017

An Inconsistency Detection Method for Security Policy and Firewall Policy Based on CSP Solver

Yi Yin; Yuichiro Tateiwa; Yun Wang; Yoshiaki Katayama; Naohisa Takahashi

Packet filtering in a firewall either accepts or denies network packets based upon a set of pre-defined rules called a firewall policy. A firewall policy is always designed under the instruction of a security policy, which is a generic document that outlines the needs for network access permissions. The design of the firewall policy should be consistent with the security policy.


IIMSS | 2016

Communication Simulator with Network Behavior Logging Function for Supporting Network Construction Exercise for Beginners

Yuichiro Tateiwa; Naohisa Takahashi

Interconnecting virtual machines realizes computer networks on ordinary personal computers. Such a technique enables each student, instead of a group, to construct networks in network exercises for beginners. In the exercises, students may ask teachers to judge the correctness/incorrectness of their networks and to support the debugging of their networks. The waiting time of students can be long because the number of teachers is smaller than the number of students. An effective solution to this problem is to develop a system that can judge whether students' networks are correct and visualize the behavior of students' networks as hints. Detailed logs of network behavior are necessary for realizing such a system. Here, we propose a communication simulator to record network behavior in detail during request/response communications, which are the transmissions of request data (e.g., ICMP echo request) and the corresponding response data (e.g., ICMP echo reply).


Archive | 2011

A Remotely Accessible Exercise System for Network Security Based on an Automatic Cracking Function in a Virtual Machine Network

Yuichiro Tateiwa; Tomohiro Iwasaki; Takami Yasuda

Recently, computer networks, including the Internet, have emerged as one of the most important networks of society. Therefore, network security problems must be taken seriously. To improve the knowledge of security, there are various forms of security education. Exercises for network security provide the advantage of hands-on experiences of attacks. However, there is an ethical problem, that is, students learn not only the method of defense against cracking but also the method of attacking. In this research, to eliminate these problems, we developed a remotely accessible exercise system with a virtual cracker function for generating automatic cracking. On realizing this system, learners will be able to experience and learn only the practical methods of defending networks against cracking.

Collaboration


Top Co-Authors

Naohisa Takahashi, Nagoya Institute of Technology

Yoshiaki Katayama, Nagoya Institute of Technology

Subana Thanasegaran, Nagoya Institute of Technology

Yi Yin, Nagoya Institute of Technology

Daisuke Yamamoto, Nagoya Institute of Technology

Yun Wang, Southeast University