Analysis of firewall policy rules using traffic mining techniques

The firewall is usually the first line of defense in ensuring network security for an organization. However, the management of firewalls has proved to be complex, error-prone, and costly for many large-networks. Manually configured firewall rules can easily contain anomalies and mistakes. Even if the rules are anomaly-free, the presence of defects in the firewall implementation, or the firewall device, may prevent the organization from getting the desired effect. To evaluate the effectiveness of firewall policy and to validate that the firewall correctly implements the rules in the policy, a thorough analysis of network traffic data is required. However, due to the magnitude of traffic log data, and the complexity of the analysis, manual evaluation is very challenging and economically infeasible. In this paper, we tackle this problem by presenting a set of algorithms that simplify this process. By analyzing only the firewall log files, we regenerate the effective firewall rules, i.e., what the firewall is really doing. By comparing this with the original manually defined rules, we can easily find if there is any anomaly in the original rule set, and also if there is any defect in the firewall implementation. In our process, we first reduce the data size by generating primitive firewall rules by mining the firewall network traffic log using packet frequencies (MLF). We then regenerate the firewall rules from the primitive rules by applying the Firewall Rule Regeneration (FRR) algorithm which uses aggregation and a set of heuristics. Our analysis also discovers the decaying rules and dominant rules, which provides information that can be used to improve the firewall filtering performance significantly. Our experiments showed that the effective firewall rules can be regenerated to a high degree of accuracy from a small amount of data. Also, since we are using only log files, and not the actual packet data, there is no risk of exposing any sensitive data.