DocumentCode
2078542
Title
Tuple Based Approach for Anomalies Detection within Firewall Filtering Rules
Author
Benelbahri, Mohammed Anis ; Bouhoula, Adel
Author_Institution
Coll. of Telecommun., Ariana
fYear
2007
fDate
1-4 July 2007
Firstpage
63
Lastpage
70
Abstract
Firewalls implement packet filtering and thereby provide security functions that are used to manage data flow to, from and through routers based on a set of predefined filtering rules. Hence, filtering rules have to be well defined and coherent in order to guarantee the desired responses of the firewall. In this paper, we propose a new approach for detecting anomalies in the firewall filtering rules. An anomaly occurs when the domains of two given filtering rules are not disjoint. Filtering rule relationships have the structure of an algebraic semigroup (R, Lambda), and via a morphism, we transform the problem from the formal writing and resolution to an analytic treatment. Our approach is more general than related works, since it treats any protocol header, any number of fields and different IP address writing, and, as a result, we define new anomalies such as Contradiction Anomaly and other types of the Redundancy Anomaly. We have implemented our technique and the first experimental tests show its efficiency and simplicity.
Keywords
authorisation; computer network management; group theory; telecommunication network routing; telecommunication security; IP address writing; algebraic semigroup; anomaly detection; contradiction anomaly; data flow management; firewall filtering rules; packet filtering; redundancy anomaly; tuple based approach; Boolean functions; Data security; Data structures; Educational institutions; Filtering; Filters; Logic; Network servers; Protocols; Writing; Anomalies; Filtering rules; Firewall; Security policy; Security policy conflict;
fLanguage
English
Publisher
ieee
Conference_Titel
Computers and Communications, 2007. ISCC 2007. 12th IEEE Symposium on
Conference_Location
Aveiro
ISSN
1530-1346
Print_ISBN
978-1-4244-1520-5
Electronic_ISBN
1530-1346
Type
conf
DOI
10.1109/ISCC.2007.4381486
Filename
4381486