
SECURITY POLICY ANALYZER
FINAL MEETING
Industrial Project (234313), Fall 2013
Supervisors: Yevgeny Fabrikant
Students: Regev Brody, Yuval Adelstein
COMPUTER SCIENCE DEPARTMENT, Technion - Israel Institute of Technology
22/01/14

BACKGROUND AND MOTIVATION
Definitions
- Security Rule (or Rule): configuration unit of a Check Point firewall which specifies which action should be performed on IP traffic, based on the IP packet's source, destination and port.
- Security Policy (or Policy): ordered set of security rules.
- fwset: Check Point proprietary format for storing configuration on disk.
A security policy can consist of rules which have been added to the policy over a long time, sometimes by different system administrators. Changes made to a policy result in a change of its effectiveness meaning. A security policy may contain redundant rules which can be removed from the policy without changing its overall meaning. Reducing the number of rules of a policy will result in a more coherent policy and will increase the efficiency of the firewall.

POLICY EXAMPLE

GOALS
- Gain the ability to optimize policies.
  - Remove redundant rules.
  - Alert the user regarding possible intention conflicts.
- Gain the ability to compare 2 policies by measuring the effective difference between them.
  - Given policy A, what changes need to be made to policy B in order to obtain the same effectiveness meaning as A?

METHODOLOGY – THE WORLD
- The world is the set of all possible packets.
- We can model a firewall policy as an ordered set of packet filters (rules).
- Each filter is designed to catch a subset of the world and perform 1 out of 2 actions on it (Accept/Deny).
- Once a packet is caught by filter i it will not reach any filter j such that j > i.

METHODOLOGY - RELATIONS
- Filter i is masked by a group of filters, all with the same action as i: filter i is redundant.
- Filter i is masked by a group of filters, all with the opposite action to i: filter i is shadowed by them.
- Filter j is partly masked by filter i, with the opposite action to j: filter i is generalized by j.
- Filter i is (partly) masked by a group of filters, some with the same action as i and some with the opposite action: filter i is correlated with them.

OPTIMIZATION ALGORITHM
Idea:
- Iteratively add filters to the filter set.
- Remove each filter that, if removed, does not change the policy's overall meaning.
- Raise warnings for possibly intentional conflicts.
Pseudo-code:
- FILTERi: the packets caught by rule i.
- ACTIONi: the action taken on packets caught by FILTERi.
For each tuple (FILTERi, ACTIONi):
  Add FILTERi to the end of the filter set.
  Check for all possible relations:
  - No relation: fully effective filter. Continue.
  - Redundant: non-effective filter. Remove the filter, unless all masking filters can be removed instead without changing the effectiveness of the policy.
  - Shadowing: non-effective filter. Raise warning. Continue.
  - Generalization: raise warning. Continue.
  - Correlation: raise warning. If possible, remove filters with the same action.

DIFF ALGORITHM
Idea:
- Remove from B any filter that does not agree with A's filter set.
- Add to B all filters from A that do not fully agree with B.
Pseudo-code:
Optimize(A)
Optimize(B)
For each tuple (FILTERi, ACTIONi) in B:
  Add FILTERi to the end of the filter set of A.
  Check for all possible relations:
  - No relation: does not agree with policy A. Remove from A and B. Continue.
  - Redundant: fully agrees with policy A. Continue.
  - Shadowing: fully agrees with policy A except on the action. Change FILTERi's action. Continue.
  - Else: partly agrees with policy A. Remove from A and B. Continue.
Remove all of B's filters from A's set.
For each tuple (FILTERi, ACTIONi) in A:
  Add FILTERi to the end of the filter set of B.
  Check for all possible relations:
  - Redundant: fully agrees with policy B. Remove it from B.
  - Else: (partly) does not agree with policy B. Continue.
Optimize(B)

DATA STRUCTURE - REPRESENTATION OF A FILTER SET
- Each packet is a tuple, represented by an 80-bit vector: 32 bits for source, 32 bits for destination, 16 bits for port.
- A filter is a union of packets.
- A policy is represented by a binary tree of filters.
  - Each tree node represents 1 bit = 0/1/*.
  - A * node only exists by itself.
  - Each sub tree of a 0/1 node will contain the * sub tree (if such exists).
- Each level of the tree represents the i'th bit of a tuple, so the tree height is 80 (constant).
- Each leaf of the tree represents a route from the root. This route is an ordered set of bits, representing a packet tuple as introduced before.
- Each leaf holds a list of all filters that contain that packet.
- To understand the relation between a filter and the current set of filters, we check all the leaves that represent packets contained in it and analyze the lists of filters stored in them.

DATA STRUCTURE – EXAMPLE
Assuming 2 bits for each member of the tuple.
Adding rule 1. The tree will look like this:
└── root
    └── 1
        └── *
            └── 0
                └── 1
                    └── 1 (1)
Adding rule 2. The tree will look like this:
└── root
    └── 1
        ├── 1
        │   ├── 0
        │   │   └── 1
        │   │       └── 1 (1 1)
        │   └── 1
        │       └── 1 (2)
        └── 0
            └── 1
                └── 1 (1 0)
Adding rule 3. The tree will look like this:
└── root
    └── 1
        ├── 0
        │   ├── 0
        │   │   └── 1
        │   │       └── 1 (1 0)
        │   └── 1
        │       └── 1 (3)
        └── 1
            ├── 0
            │   └── 1
            │       └── 1 (1 1)
            └── 1
                └── 1 (2)
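The filter-set tree of the two DATA STRUCTURE slides, as an added Python example that is not the project's code, with 2 bits per field as in the slide's own example (6 levels instead of 80). The rule ids, the three filter patterns and the names `FilterTree`, `leaves`, `catching` and `coverage` are constructed for the demo. It shows the two structural rules from the slides in action: a `*` child exists only while it stands alone, and inserting a concrete bit next to it copies the `*` subtree under both 0 and 1; and it shows how a new filter's relation is read off the leaves its pattern reaches (how many of its packets are already caught, and by which filters).

```python
# Added example, not the project's code: the 0/1/* filter tree of the slides, scaled to
# 2 bits per field. Leaves hold the ids of every filter containing that packet.
import copy

BITS = 2
WIDTH = 3 * BITS                 # one tree level per bit of the (src, dst, port) tuple

def pattern(src, dst, port):
    """Bit pattern of a filter: '*' fields become '*' bits, numbers their binary digits."""
    return ''.join('*' * BITS if f == '*' else format(f, f'0{BITS}b') for f in (src, dst, port))

class Node:
    def __init__(self):
        self.children = {}       # either {'*': node} alone or a subset of {'0': node, '1': node}
        self.rules = []          # at leaves: ids of the filters that contain this packet

class FilterTree:
    def __init__(self):
        self.root = Node()

    def insert(self, rule_id, pat):
        self._insert(self.root, pat, 0, rule_id)

    def _insert(self, node, pat, depth, rule_id):
        if depth == WIDTH:
            node.rules.append(rule_id)
            return
        bit = pat[depth]
        if bit == '*':
            if not node.children or '*' in node.children:      # '*' may stand alone
                self._insert(node.children.setdefault('*', Node()), pat, depth + 1, rule_id)
            else:                                               # already split: go both ways
                for b in '01':
                    self._insert(node.children.setdefault(b, Node()), pat, depth + 1, rule_id)
        else:
            if '*' in node.children:                            # split: 0 and 1 both get the * subtree
                star = node.children.pop('*')
                node.children['0'] = star
                node.children['1'] = copy.deepcopy(star)
            self._insert(node.children.setdefault(bit, Node()), pat, depth + 1, rule_id)

    def leaves(self, pat):
        """(path, rule ids) of every leaf whose packets intersect the pattern."""
        out = []
        def walk(node, depth, path):
            if depth == WIDTH:
                out.append((path, list(node.rules)))
                return
            for bit, child in node.children.items():
                if '*' in (bit, pat[depth]) or bit == pat[depth]:
                    walk(child, depth + 1, path + bit)
        walk(self.root, 0, '')
        return out

    def catching(self, src, dst, port):
        """Ids of the filters that contain one concrete packet (its route from the root)."""
        return sorted({r for _, rules in self.leaves(pattern(src, dst, port)) for r in rules})

    def coverage(self, pat):
        """(packets of the pattern already caught by some filter, packets in the pattern).
        Equal numbers mean the new filter is fully masked; zero caught means no relation."""
        caught = sum(2 ** sum(s == w == '*' for s, w in zip(path, pat))
                     for path, _ in self.leaves(pat))
        return caught, 2 ** pat.count('*')

def demo_tree():
    """Constructed rules: ids and fields are not the slide's (unstated) rule definitions."""
    tree = FilterTree()
    tree.insert(1, pattern(1, '*', 3))   # src 1, any dst, port 3 -> '01**11'
    tree.insert(2, pattern(1, 2, 3))     # '011011': splits the '*' under src=1
    tree.insert(3, pattern(0, 0, '*'))   # '0000**'
    return tree

if __name__ == '__main__':
    t = demo_tree()
    for path, rules in sorted(t.leaves('*' * WIDTH)):
        print(path, rules)
    print('filters catching (1,2,3):', t.catching(1, 2, 3))
    print('coverage of (1,2,*):', t.coverage(pattern(1, 2, '*')))
```

After the three insertions the leaves are `0000**`, `010*11`, `011011` and `011111`: rule 2's concrete dst bit split rule 1's `*` into a 0 branch (which still carries the `*` below it) and a 1 branch that was copied and then split again, which is the shape of the slide's second tree. `coverage(pattern(1, 2, '*'))` returns (1, 4): only one of the four packets is already caught, so a filter with those fields is partly masked.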

DEVELOPMENT
Both the engine and the GUI were written in Java/Swing.

ACHIEVEMENTS
- Ability to input and parse security policies (fwset format).
- GUI environment with the Check Point Dashboard's look & feel.
- Produce an optimized security policy.
- Output the optimized policy in fwset format.
- Calculate & graphically visualize the effective difference between two policies.

DELIVERABLES
A program with a Graphical User Interface for security policy comparison and optimization (live example).

CONCLUSIONS
- Optimizing a firewall policy and calculating the effective difference between 2 policies is feasible.
- Developing a full-featured tool for the benefit of Check Point's customers is not far-fetched.

FUTURE WORK
This project is a POC. Some elements have been neglected:
- multiple sources/destinations/ports in a rule;
- further dimensions in a rule: time, track, VPN etc.;
- users in the source field of a rule.
Adding these elements will not affect the correctness of the presented algorithms. They can be implemented within the provided framework.

REFERENCES
- The optimization algorithm is based on the algorithm introduced in the "FIREMAN" paper by C-N. Chuah, H. Chen and Z. Su from the University of California, Davis.
- The implementation was inspired by the "Conflict Classification and Analysis of Distributed Firewall Policies" paper by Ehab Al-Shaer, Hazem Hamed, Raouf Boutaba and Masum Hasan.

QUESTIONS?