JP2009182574A - Method for analyzing setting of firewall - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a system analyzing the setting of a stateful firewall changing an operation by a communication status in the stateful fire wall controlling the communication status according to a state table or the like and determining the operation such as the passage and disuse of a packet according to the communication status at the time of the arrival of the packet. <P>SOLUTION: The system analyzing the setting of the stateful firewall uses a setting conversion function converting the setting of the stateful firewall changing the operation by the communication status into the selection of the stateful firewall consisting of only a filter changing no operation according to the communication status, by using the log of the communication status. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

The present invention relates to a computer network firewall setting analysis method.

In recent years, the number of rules (hereinafter referred to as filters) set in firewalls has increased due to the increase in the number of hosts and servers placed on the network and the increased awareness of network security. In addition, it is necessary to change the firewall settings to match the actual network by changing the network configuration such as adding or deleting servers. In such a situation, it is necessary to understand the settings in detail in order to add or delete filters in the firewall settings.
Nowadays, stateful firewalls that have the function of monitoring the actual communication state and judging whether to pass or block based on it are sometimes used. A stateful firewall is characterized by the fact that the filter involved in determining whether to pass or block communication changes depending on the state of communication, so more detailed access control is possible, but it is difficult to understand their settings.
In order to increase network security, firewalls are sometimes used in multiple stages. In a multistage firewall, it is necessary to set the firewall in consideration of the network configuration.
It has been reported that there are many cases in which the communication that should be passed does not pass due to a misconfiguration of the firewall. In such cases, it is inconvenient for network users, and mistakes in firewall settings, such as settings that allow communications that should not be allowed to pass, can cause unauthorized access and computer viruses. When analyzing firewalls to find the cause, it is necessary to grasp the firewall settings as soon as possible and to find the cause filter.
There are the following firewall setting analysis methods in the prior art to solve such problems.
1. Filter reverse lookup function that detects a stateless filter that performs an action on a packet having the packet header information using the stateless setting when one or more pieces of packet header information are specified. (See Non-Patent Document 1).
“Realization of a reverse filter system for LAN with multiple network access inspection devices”, Multimedia, Distributed, Collaboration and Mobile (DICOMO 2006) Symposium, 2006, Vol. 905-908, July 2006 ” There is a method that analyzes stateless settings and automatically detects redundant and inconsistent filters (see Non-Patent Document 2). “Inferring the Impact of Firewall Policy Changes by Analyzing Spatial Relations between Packet Filters”, Proc. Of 2006 IEEE International Conference on Communication Technology, p.203-208, 27-30 Nov 2006. These technologies can improve the security of computer networks. This section gives an overview of the terminology and stateful firewall operations used in the following description.・ The terms protocol, src, dst, sport, and dport have the following meanings. protocol: Indicates the protocol src: Indicates the source address dst: Indicates the destination address sport: Indicates the source address dport: Indicates the destination address action: Indicates the action To specify the protocol field of the filter f, specify f It is expressed using “.” like .protocol.・ Stateless firewall Here, as an example of a stateless firewall, an overview of the operation of iptables is shown. Figure 1 shows the stateless firewall model. A stateless firewall uses stateless settings to determine whether packets should pass or be discarded. Figure 2 shows an example of stateless setting. A stateless configuration is a set of stateless filters. Here, the following iptables format is used as a stateless filter. Here, a set of -p, -s, -d, --sport, and --dport is called a header condition. The -j field is called the filter action. fi: iptables -A FORWARD -p protocol -s src -d dst -sport sport -dport dport -j action fi: id for identifying the filter. -p: This field specifies the target protocol for this filter. Specify tcp or udp. If not specified, it represents an arbitrary protocol. -s: Specifies the source address targeted by this filter. Here, IP address specification such as 133.68.13.1 and network address specification such as 133.68.13.0/24 are handled. When a network address is specified, it is treated as an area. In the example of 133.68.13.0/24, [133.68.13.0, 133.68.13.255] is the specified area. If not specified, it represents an arbitrary address. -d: Specifies the destination address for this filter. The specification method is the same as for the -s field. --sport: Specifies the source port number that this filter is intended for. Here, specify a single port such as “80”. If not specified, it represents an arbitrary port number. --dport: Specify the destination port number for this filter. The specification method is the same as for the -s field. -j: Specifies the processing of the packet that succeeds in matching with the header condition of this filter. If it is ACCEPT, the packet passes through the firewall, but if it is DROP, the packet is discarded. At this time, given the key k (protocol, src, dst, sport, dport) and the filter fi, k is said to succeed in matching with the filter fi if the following conditions are satisfied. fi.protocol = k.protocol 時 When fi.src is an area min (fi.src) <= k.src <= max (fi.src), when fi.src is an IP address fi.src = k.src ∧ When fi.dst is an area min (fi.dst) <= k.dst <= max (fi.dst), when fi.dst is an IP address fi.dst = k.dst ∧ fi.sport = k. sport ∧ fi.dport = k.dport where min () and max () represent the minimum and maximum values of the region, respectively. However, if the field of fi is not specified by the filter, the truth of the corresponding field is true regardless of the value of the packet header. The behavior of the stateless firewall when a packet arrives at the firewall is as follows. STEP1. The firewall checks the stateless settings f1 to fn using the packet header as a key. Let fm be a successful filter fi. The packet header is defined as follows. Packet p header: protocol src dst sport dport protocol: Indicates the upper layer protocol. Here, tcp or udp. STEP2. If fm is not empty, it decides to pass or discard based on the action shown in fm. If fm is empty, passing or discarding is determined based on the default action of the firewall that is performed when no filter is successfully matched.・ Stateful firewall Here, as an example of a stateful firewall, an overview of the operation of iptables is shown. Figure 3 shows the stateful firewall model. A stateful firewall uses a stateful setting and a state table to decide whether to pass or discard a packet. Figure 4 shows an example of stateful settings. A stateful setting is a set of stateful filters. Here, the following iptables format is used as a stateful filter. fi: iptables -A FORWARD-p protocol -s src -d dst -sport sport -dport dport -m state --state state -j action fi: id for identifying the filter. -p, -s, -d, --sport, --dport: Same as stateless filter. --state: Specifies the state of the connection targeted by this filter. Here, ESTABLISHED specification is handled. Specifying ESTABLISHED indicates that bidirectional packets are being detected. -j: Same as stateless filter. The state table in FIG. 3 is a table used for monitoring packets. The state table is a set of state entries, and the state entries mainly consist of the following items. State entry: protocol timeout src1 dst1 sport1 dport1 flag src2 dst2 sport2 dport2 timeout: Indicates the time in seconds that this state entry can exist in the state table. It decreases every second, and when it reaches 0, this state entry is deleted from the state table. In flag: UNREPLIED, communication from src to dst is detected. If the UNREPLIED flag is not set, a bidirectional packet has been detected. The outline of operation when a packet arrives at the stateful firewall is as follows. STEP1. The state table is rewritten based on the packet header. The packet header p.proto, p.src, p.dst, p.sport, p.dport and the state entry protocol, src1, dst1, sport1, dport1 of the state table are compared, and the matching state entries If exists, increase the timeout value of the entry. Also, compare protocol, src2, dst2, sport2, and dport2, and if there is a matching entry, increase the value of timeout, and if the UNREPLIED flag is set, remove it. If none of them match, a state entry is added to the state table as a new communication pair in the following format. protocol = p.proto timeout = 30 src1 = p.src dst1 = p.dst sport1 = p.sport dport1 = p.dport flag = UNREPLIED src2 = p.dst dst2 = p.src sport2 = p.dport dport2 = p. sport (in this example, 30 seconds as the initial timeout) STEP 2. Filter list Fm is an empty set. STEP 3. Using the packet header as a key, check the stateful filters f1 to fn in the stateful settings in order, and the filter list Fm is the one that succeeds in matching the header conditions. STEP 4. If Fm is an empty set, go to STEP 7. Otherwise, the first filter f of Fm is taken out. STEP 5. If f is a stateless filter, set fm = f and go to STEP 6. If f is a stateful filter, p.proto, p.src, p.dst, p.sport, p.dport in the packet header and e.protocol1, e.src1, e. of each state entry e in the state table If dst1, e.sport1, e.dport1 are compared, and there is a match, if there is no UNREPLIED flag in that entry, set fm = f and go to STEP6. E.protocol, e.src2, e.dst2, e.sport2, e. Of p.proto, p.src, p.dst, p.sport, p.dport of packet header and state entry e of state table Compare dport2 and if there is a matching entry, set fm = f and go to STEP6. If there is no match in the state entry, go to STEP4. STEP6. Executes the filter action specified by fm. When discarding, packet headers p.proto, p.src, p.dst, p.sport, p.dport and e.protocol, e.src1, e.dst1, e.sport1 of each state entry in the state table , E.dport1 are compared, and if there is a match, the state entry is deleted. STEP7. Pass or discard is determined based on the default behavior of the firewall.

The conventional computer network firewall analysis method has the following problems.
1. In a stateful firewall, packet passage and discard are judged by a state table that holds the communication status and stateful settings. Therefore, only by looking at the stateful setting, it is not possible to determine which filter was used to determine whether a packet addressed to a host in the past was passed or discarded. It is not easy to find a filter that affects packet passing and discarding from among stateful settings by manually analyzing the state table log and grasping the state of communication.
2. The method of Non-Patent Document 1 is intended for stateless settings, and it is impossible to apply them directly to stateful settings. For this reason, to check the stateful settings, you need to look at each firewall setting. In other words, because the settings cannot be analyzed only for the host (IP address) or port number that the network administrator wants to pay attention to, a filter for packets destined for a specific host, etc. It is not possible to confirm by narrowing down the conditions. These also increase the burden of checking and correcting stateful settings in case of network problems.
3. Stateless setting is the target, and redundant filters in the stateful setting cannot be detected (Non-patent Document 2).
4). The effective filter detection method shown in Non-Patent Document 1 is intended for stateless setting, and in a network in which stateful firewalls are installed in multiple stages, a packet having specific header information by which filter of which firewall in the network It is not possible to immediately know whether the passage or disposal of the product has been determined.
5. In a network in which stateful firewalls are installed in multiple stages, specific packets pass through one firewall, but other firewalls cannot detect inconsistencies that are discarded.

The firewall setting analysis method according to the first aspect of the present invention changes the operation according to the communication status in the stateful firewall that manages the communication status by a state table or the like and determines the operation such as packet passing or discarding according to the communication status when the packet arrives. A stateless firewall setting (called a stateful filter) that includes a filter (called a stateful filter) is called a stateless firewall that uses only the communication status at time t, and whose operation does not depend on the communication status (called a stateless filter). It is characterized by having a setting conversion function for converting into settings (referred to as stateless settings at time t).
The firewall setting analysis method according to the second aspect of the present invention changes the operation according to the communication status in the stateful firewall that manages the communication status by a state table or the like and determines the operation such as packet passing or discarding according to the communication status when the packet arrives. A stateless firewall setting (called a stateful filter) that includes a filter (called a stateful filter) is called a stateless firewall that uses only the communication status at time t, and whose operation does not depend on the communication status (called a stateless filter). When a setting conversion function for converting to a setting (referred to as stateless setting at time t) and one or more packet header information and time t are specified, the packet header information is converted using the stateless setting at time t. For packets Stateful filters for performing actions, and having a filter reverse function of detecting from the stateful configuration.
The firewall setting analysis method according to the third aspect of the present invention changes the operation depending on the communication status in the stateful firewall that manages the communication status by a state table and determines the operation such as packet passing or discarding according to the communication status at the time of packet arrival. A stateless firewall setting (called a stateful filter) that includes a filter (called a stateful filter) is called a stateless firewall that uses only the communication status at time t, and whose operation does not depend on the communication status (called a stateless filter). A setting conversion function that converts to a setting (referred to as a stateless setting at time t), and a redundant filter detection function that detects a filter that never takes an action no matter what packets arrive in the stateless setting at time t Characterized in that it has.
The firewall setting analysis method according to the fourth aspect of the present invention changes the operation according to the communication status in the stateful firewall that manages the communication status by a state table or the like and determines the operation such as packet passing or discarding according to the communication status when the packet arrives. A stateless firewall setting (called a stateful filter) that includes a filter (called a stateful filter) is called a stateless firewall that uses only the communication status at time t, and whose operation does not depend on the communication status (called a stateless filter). In a setting conversion function for converting to a setting (referred to as stateless setting at time t) and a network in which a plurality of firewalls are connected in multiple stages, when one or more packet header information and time t are specified, each firewall Wo Using stateless setting Le of time t, characterized in that it has an effective filtering Detection function stateful filter (referred to as an effective filter) for performing actual actions on packets with the packet header information.

The computer network firewall setting analysis method of the present invention is a method that facilitates investigation of the cause of anomalies that occur when a computer network is used. In addition, it is a method that facilitates setting errors of the firewall and improves security.
-When an abnormality occurs that makes it easy to investigate the cause of the abnormality, it is possible to narrow down the filter to be examined based on the IP address of the host or server where the abnormality occurs.
2. It is easy to detect passing and discarding of packets with the same header information in a firewall that exists in a network that reduces firewall setting errors.

An embodiment of the first invention is shown in FIG. The setting conversion function accepts stateful settings, state table logs, and time t as input, and outputs a conversion table that records which filters in the stateless settings and stateful settings at time t are converted to stateless filters.
Here, for any packet at time t, it is judged whether the stateful firewall has passed or discarded using the stateful settings before conversion and the state table log, and the stateless firewall using the stateless settings after conversion is passed or blocked for the same packet. Convert so that the judgments of are the same. Figure 6 shows this model. In the stateful FW at the top of Fig. 6, the contents of the state table at time t are represented as S (t), and the packet that has reached time t is represented as P (t). Here, the stateful FW configuration is expressed as SFC (Stateful Firewall Configuration) because it remains unchanged unless rewritten by the network administrator.
Here, R_1 (t) as a result of the decision to pass or block the packet P (t) and the filter f1 from which the decision is made are determined by SFC, S (t), and P (t). Next, in the stateless FW at the bottom of Fig. 6, the decision to pass or block a packet is made using SLC (Stateless Firewall Configuration). , P (t). Therefore, SLC (t) is determined from SFC and S (t) so that R_1 (t) = R_2 (t). Also, by recording the data representing the pair of f1 and f2, it is possible to obtain the analysis result of the SFC at time t based on the analysis result of SLC (t).

The following explains the setting conversion function. As an input example of FIG. 5, an example of stateful setting using iptables shown in FIG. 4 is used, and an example of a state table log is used in FIG. It is also assumed that 2007/01/10 10:11:00 is input as time t.
Here, the state table log entries are as follows.
State table log entry: id timestamp operation protocol src1 dst1 sport1 dport1 flag src2 dst2 sport2 dport2
id: This is the id that identifies the log, and is appended in the order in which the log entries were recorded.
timestamp: Indicates the time when this entry was recorded.
operation: Indicates the operation that was performed when the log was recorded. ADD, CHANGE, DELETE
There are as follows.
ADD: When an entry is added to the state table.
CHANGE: This is when the entry flag changes.
DELETE: When an entry is deleted from the state table.
In flag: UNREPLIED, communication from src1 to dst1 is detected.
If the UNREPLIED flag is not set, bidirectional packets have been detected.
is there.
This section outlines the overall operation of the setting conversion function.
STEP1. The stateless filter and stateful filter are separated by the filter discrimination function. The stateless filter is used as the output of the setting conversion function, and the stateful filter is passed to the filter search function.
STEP2. The state table restoration function restores the contents of the state table at time t from the state table log.
STEP3. The filter condition candidate output function obtains and outputs a filter condition candidate set from the contents of the state table at time t.
STEP4. The filter search function compares each filter condition candidate set against the packet header condition of the stateful filter, and outputs the pair that succeeds as a filter candidate set.
STEP5. The stateless filter output function outputs a stateless filter using the filter candidate set.

A detailed explanation of each function is given below.
The filter discrimination function separates the stateful filter and the stateless filter in the input stateful setting. The stateless filter in the stateful setting is used as the output of the setting conversion function. The stateful filter is passed to the condition part search function to determine the condition part. The operation procedure is as follows.
STEP 1-1. The following operations are performed for fi (i = 1 to n) of stateful filters f1 to fn.
STEP1-2. If fi does not have a -state field, it is used as the output of the setting conversion function.
If fi has a -state field, pass it to the conditional search function.
As an example of operation, in the stateful setting shown in Fig. 4, filter f1 applies to the stateful filter format, so filter f1 is passed to the conditional part search function. Since f2, f3, f4, f5, and f6 are in the form of stateless filters, they are output as they are.

Next, the state table restoration function restores the contents of the state table at the specified time t from the state table log. The operation procedure to restore is as follows.
STEP 2-1. Get all entries in the state table log before time t, and list them as L1.
STEP2-2. In L1, let L2 be the list of all entries whose operation field is DELETE.
STEP2-3. The following operation is performed for each entry ei (i = 1 to n) of L2.
STEP2-4. For each entry ej (j = 1 to m) in L1, delete the entry ej that satisfies the following conditions from L1.
ei.timestamp> = ej.timestamp
∧ ei.src1 = ej.src1 ∧ ei.dst1 = ej.dst1 ∧ ei.sport1 = ej.sport1 ∧ ei.dport1 = ej.dport1
∧ ei.src2 = ej.src2 ∧ ei.dst2 = ej.dst2 ∧ ei.sport2 = ej.sport2 ∧ ei.dport2 = ej.dport2
However, ei.timestamp> = ej.timestamp indicates whether the ei timestamp is the same as or later than the ej timestamp.
STEP2-5. In L1, all entries whose operation field is CHANGE are listed as L3.
STEP 2-6. The following operation is performed for each entry ek (k = 1 to m) in L3.
STEP2-7. For each entry ej (j = 1 to m) in L1, delete the entry ej that satisfies the following conditions from L1.
ek.timestamp> = ej.timestamp
∧ ek.src1 = ej.src1 ∧ ek.dst1 = ej.dst1 ∧ ek.sport1 = ej.sport1 ∧ ek.dport1 = ej.dport1
∧ ek.src2 = ej.src2 ∧ ek.dst2 = ej.dst2 ∧ ek.sport2 = ej.sport2 ∧ ek.dport2 = ej.dport2
However, ek.timestamp> = ej.timestamp indicates whether the ei timestamp is the same as or later than the ej timestamp.
STEP 2-8. Remove the timestamp and operation fields from each entry e in L1.
This restores the state table contents S (t) at time t to L1.

An example of operation is shown below. Here, the state table log shown in Fig. 7 is used as input. The procedure is shown below, and the results are shown in Fig. 8.
STEP 2-1. Let L1 be the time stamp of each entry before 2007/01/10 10:11:00.
L1 = {e1, e2, e3, e4, e5, e6, e7, e8, e9}
STEP2-2. In L1, let L2 be all entries whose operation field is DELETE.
L2 = {e3, e6}
STEP2-3. The following operations are performed for each entry e3 and e6 of L2.
STEP2-4 (e3). For each entry ej (j = 1 to m) in L1, delete the entry ej that satisfies the following conditions from L1.
e3.timestamp> = ej.timestamp
∧ e3.src1 = ej.src1 ∧ e3.dst1 = ej.dst1 ∧ e3.sport1 = ej.sport1 ∧ e3.dport1 = ej.dport1
∧ e3.src2 = ej.src2 ∧ e3.dst2 = ej.dst2 ∧ e3.sport2 = ej.sport2 ∧ e3.dport2 = ej.dport2
E1, e2, and e3 correspond to this condition, and they are deleted from L1.
L1 = {e4, e5, e6, e7, e8, e9}
STEP2-4 (e6). For each entry ej (j = 1 to m) in L1, delete the entry ej that satisfies the following conditions from L1.
e6.timestamp> = ej.timestamp
∧ e6.src1 = ej.src1 ∧ e6.dst1 = ej.dst1 ∧ e6.sport1 = ej.sport1 ∧ e6.dport1 = ej.dport1
∧ e6.src2 = ej.src2 ∧ e6.dst2 = ej.dst2 ∧ e6.sport2 = ej.sport2 ∧ e6.dport2 = ej.dport2
E4, e5, and e6 correspond to this condition, and they are deleted from L1.
L1 = {e7, e8, e9}
STEP2-5. In L1, all entries whose operation field is CHANGE are listed as L3.
L3 = {e9}
STEP 2-6. The following operation is performed for e9 of L3.
STEP2-7. For each entry ej (j = 1 to m) in L1, delete the entry ej that satisfies the following conditions from L1.
e9.timestamp> = ej.timestamp
∧ e9.src1 = ej.src1 ∧ e9.dst1 = ej.dst1 ∧ e9.sport1 = ej.sport1 ∧ e9.dport1 = ej.dport1
∧ e9.src2 = ej.src2 ∧ e9.dst2 = ej.dst2 ∧ e9.sport2 = ej.sport2 ∧ e9.dport2 = ej.dport2
Here, e7 is applicable, and they are deleted from L1.
L1 = {e8, e9}
STEP 2-8. Remove the timestamp and operation fields from each entry e in L1.

The filter condition candidate output function outputs a set of filter condition candidates based on the contents of the state table at time t. The filter condition candidate c is as follows.
Candidate filter condition c: id protocol src dst sport dport flag
id: The id that identifies the filter condition candidate.
In flag: UNREPLIED, communication from src to dst is detected. UNREPLIED
If the flag is not set, a bidirectional packet has been detected.
The operation procedure is as follows.
STEP 3-1. The following operations are performed for each entry e in the contents of the state table at time t.
STEP3-2. id for a set of e.protocol, e.src1, e.dst1, e.sport1, e.dport1, e.flag
The filter condition candidate c1 is output with "e.id" + "-f".
For the set of e.protocol, e.src2, e.dst2, e.sport2, e.dport2, the id is “e.id” + ”-b”
To output the filter condition candidate c2.


An example of the operation of the contents of the state table in Fig. 8 is shown below, and the result is shown in Fig. 9.
STEP 3-1. The following operations are performed for e8 and e9 respectively.
STEP3-2 (e8). Paired with e8.protocol, e8.src1, e8.dst1, e8.sport1, e8.dport1, e8.flag
And output filter condition candidate c1 with e8-f.
c1 = (e8-f tcp src = 133.68.13.41 dst = 133.68.21.4 sport = 2210 dport = 8080
UNREPLIED)
Outputs filter condition candidates with id assigned to the set of e8 protocol, src2, dst2, sport2, and dport2.
c2 = (e8-b: tcp src = 133.68.21.4 dst = 133.68.13.41 sport = 8080 dport = 2210)
STEP3-2 (e9). e9.protocol, e9.src1, e9.dst1, e9.sport1, e9.dport1, e9.flag
The filter condition candidate is output with id.
c1 = (e9-f: tcp src = 133.68.13.32 dst = 133.68.13.41 sport = 1474 dport = 3389)
Filter condition by assigning id to the set of protocol, src2, dst2, sport2, and dport2 of e9
The candidate is output.
c2 = (e9-b: tcp src = 133.68.13.41 dst = 133.68.13.32 sport = 3389 dport = 1474)

In the filter search function, the filter condition candidate set and the conditions specified by the stateful filter are matched, and the pair that succeeds in matching is passed to the stateless filter output function. The operation procedure is as follows.
STEP4-1. Let the filter candidate set FC be an empty set.
STEP4-2. STEP4-3 is performed with each of the filter condition candidate sets as c.
STEP4-3. Use c.protocol, c.src, c.dst, c.sport, and c.dport of filter condition candidate c as keys.
And collate with each filter of the stateful filter set.
If the filter is successful, the filter and filter condition candidate pair is designated as the filter candidate set FC.
In addition to STEP 4-3. Exit.
STEP 4-4. Pass the filter candidate set FC to the stateless filter output function.

An example of operation is shown below. The input is f1 in Fig. 4 and the filter candidate set shown in Fig. 9.
STEP4-1. Let the filter candidate set FC be an empty set.
FC = {}
STEP4-2. Do the following for e8-f, e8-b, e9-f, and e9-b.
STEP4-3a. Matching filter condition candidate e8-f with each filter of the stateful filter set
* = tcp ∧ * = 133.68.13.41 ∧ * = 133.68.21.4 ∧ * = 2210 ∧ * = 8080
Since each element is not specified in the filter, each is true and the matching succeeds.
Therefore, the following set is added to FC.
{f1, e8-f}
STEP4-3b. Matching filter condition candidate e8-b with each filter of the stateful filter set
* = tcp ∧ * = 133.68.21.4 ∧ * = 133.68.13.41 ∧ * = 8080 ∧ * = 2210
Since each element is not specified in the filter, each is true and the matching succeeds.
Therefore, the following set is added to FC.
{f1, e8-b}
STEP 4-3c. Although elapse is omitted, e9-f succeeds in matching with f1 and adds the next set to FC.
{f1, e9-f}
STEP 4-3d. Although elapse is omitted, e9-b succeeds in matching with f1, and adds the next set to FC.
{f1, e9-b}
STEP 4-4. Pass the filter candidate set FC to the stateless filter output function.
FC = {{f1, e8-f}, {f1, e8-b}, {f1, e9-f}, {f1, e9-b}}

The stateless filter output function generates a stateless filter based on the filter candidate set. The stateless filter output function outputs the stateful filter and state entry used for conversion and the conversion table of the output stateless filter. The operation procedure is as follows.
STEP 5-1. The following operations are performed for each element c of the filter candidate set.
STEP5-2. Let c be f and c be a candidate filter condition.
If there is no UNREPLIED flag in cc, the following filter is generated.
g.protocol = cc.protocol, g.src = cc.src, g.dst = cc.dst, g.sport = cc.sport, g.dport = cc.dport, g.action = f.action
Also, a new filter id is generated based on the fi of the stateful filter id, and a set of the new filter id, the state entry id used for conversion, and the stateful filter id is added to the conversion table.

An example of operation is shown below. It is assumed that FC = {{f1, e8-f}, {f1, e8-b}, {f1, e9-f}, {f1, e9-b}} are given as inputs.

STEP 5-1. FC = {{f1, e8-f}, {f1, e8-b}, {f1, e9-f}, {f1, e9-b}}
Do.
STEP5-2 {f1, e8-f}. f = f1, cc = e8-f. Because the UNREPLIED flag exists, the filter is
Not done.
STEP5-2 {f1, e8-b}. f = f1, cc = e8-b. Since e8-b does not have UNREPLIED, the next fill
Output.
g.protocol = tcp, g.src = 133.68.21.4, g.dst = 133.68.13.41, g.sport = 8080,
g.dport = 2210, g.action) = ACCEPT
f1-1: iptables -A FORWARD -p tcp -s 133.68.21.4 --sport 8080 -d 133.68.13.41
--dport 2210 -j ACCEPT
Also add f1-1, e8, and f1 entries to the conversion table.
STEP5-2 {f1, e9-f}. Since e9-f does not have UNREPLIED, the following filter is output.
g.protocol = tcp, g.src = 133.68.13.32, g.dst = 133.68.13.41, g.sport = 1474,
g.dport = 3389, g.action = ACCEPT
f1-2: iptables -A FORWARD -p tcp -s 133.68.13.32 --sport 1474 -d 133.68.13.41 --dport 3389 -j ACCEPT
Also add f1-2, e9, and f1 entries to the conversion table.
STEP5-2 {f1, e9-b}. Since e9-b does not have UNREPLIED, the following filter is output.
f1-3: iptables -A FORWARD -p tcp -s 133.68.13.41 -sport 3389 -d 133.68.13.32 --dport 1474 -j ACCEPT
Also add entries f1-3, e9, and f1 to the conversion table.
The output of this function is f1-1, f1-2, f1-3 in Fig. 10, and it becomes the output of the setting conversion function together with the filters f2, f3, f4, f5, f6 output without conversion. Figure 11 shows the conversion table.

An embodiment of the second invention is shown in FIG. The operation procedure of the stateful reverse lookup function is as follows.
STEP1. Stateless settings and conversion tables are obtained using stateful settings, state table logs, and time t.
STEP2. The stateless reverse lookup function outputs a set of stateless filters (called stateless reverse lookup results) that match the specified packet header information.
STEP3. The reverse conversion function searches the id in the stateless reverse lookup result, reversely converts the stateless setting converted from the stateful setting to the stateful one, and outputs the stateful reverse lookup result at time t.

An example of operation is shown below. Here, each input is as follows.
Time t: 2007/01/10 10:11:00
Stateful setting: Stateful setting shown in Figure 4
Status table log: Status table log shown in FIG.
Packet header information: Protocol: tcp, Source IP address: Not specified
Destination IP address: 133.68.13.41, source port number: not specified,
Destination port number: 3389
STEP1. Stateless settings and conversion tables are obtained using stateful settings, state table logs, and time t. Since it is the same as the input shown in the first embodiment, the stateless setting shown in FIG. 10 and the conversion table shown in FIG. 11 are obtained.
STEP2. The stateless reverse lookup function outputs the filter set related to the input packet header information from the stateless setting. Refer to Non-Patent Document 1 for details of this function.
Figure 13 shows the result of stateless reverse lookup.
STEP3. The reverse conversion function searches the id in the stateless reverse lookup result, reversely converts the stateless setting converted from the stateful setting to the stateful one, and outputs the stateful reverse lookup result at time t. Here, f1-2 exists in the converted id of the conversion table. Get the f1 of the entry's pre-conversion id and replace f1-2 with f1. Figure 14 shows the result.

An embodiment of the third invention is shown in FIG. The procedure for detecting the redundant filter at time t is as follows.
STEP1. The setting conversion function converts to the stateless setting at time t.
STEP2. The system that detects the stateless redundant filter detects the stateless redundant filter that is the result of the conversion. The result is a redundant filter at time t.

Here, the stateful setting shown in FIG. 16 and the state table log shown in FIG. 7 are used as inputs. It is assumed that 2007/01/10 10:11:00 is specified as the time.
STEP1. The setting conversion function converts to the stateless setting at time t.
The stateful filter in the stateful setting of the input of the setting conversion function is the first embodiment.
The state table log and time are the same as those used in Example 1.
Therefore, the result of setting conversion is shown in Fig. 17.
STEP2. A redundant filter at time t is detected using a system that detects a redundant filter with a stateless setting.
Here, f1 and f2-2 specify the same destination IP address, and 133.68.13.41 is
Packets that are destinations are judged to pass or be discarded by f1. As a result, f2-2
Is not concerned with the actual packet passing or discarding decision. Such a filter is redundant
The long filter detection function outputs. Here, it is concluded that f2-2 is a redundant filter.
Get the fruit.

An embodiment of the fourth invention is shown in FIG.
The effective filter detection function uses a subnet connection relation table (hereinafter referred to as “snt”) that is a table representing the connection relation of subnets and an area definition table (hereinafter referred to as “sdt”) that represents the range of each subnet IP address. The explanation of each table is shown below, and examples are shown in Figs. See Non-Patent Document 1 for details of these two.
-Subnet connection table (snt)
id: represents the id of the node. The extranet id is always 1.
name: represents the name of the node. Holds the name of the subnet or the name of the firewall.
type: Indicates whether this node is a subnet or a firewall. The subnet is s, and n for firewalls.
parentid: Indicates the parent node of this node. Here, the parent node is a node close to extranet among the nodes directly connected to itself.
childid: indicates a child node of this node.

-Area definition table (sdt)
subnetname: Indicates the name of the subnet.
address: Indicates the IP address range of this subnet.

The effective filter detection function uses a route filter table. The table is explained below, and an example is shown in Fig. 21.
・ Route filter table
order: Indicates the order of the firewall that passes from the source to the destination.
name: Represents the name of the firewall that passes from the source to the destination
filter: Indicates a filter that successfully matches the packet header in the firewall.
The outline of the operation of the effective filter detection function is as follows. Accepts packet header information as input.
STEP1. A subnetname containing the source IP address of the input packet header information is searched using the area definition table (sdt), and is set as S1. Set S1 = extranet if the source IP address is not specified or does not apply to any area definition table.
STEP2. Search the subnetname containing the destination IP address of the input packet header information using the area definition table (sdt), and set it as S2. If the destination IP address is not specified or does not apply to any of the area definition tables, set S2 = extranet.
STEP3. The route search function finds the route from S1 to S2 using the subnet connection relation table (snt) and creates a route filter table.
STEP4. The FW setting / state table log search function passes the firewall settings and state table log to the stateful reverse lookup function for each firewall in the route filter table. The reverse lookup result writing function acquires the filter related to the packet header information that is the output of the stateful reverse lookup function, and writes it to the route filter table.
STEP5. The effective filter decision function finds an effective filter based on the path filter table.

The procedure for each function is as follows.
・ Route search function
This function accepts source subnet name S1 and destination subnet name S2 as input,
Outputs a route filter table.
STEP 3-1. Create a route list R1 from S1 to extranet.
STEP3-1-1. The node name is n = S1. The route list R1 is emptied.
STEP 3-1-2. Add n to R1.
STEP3-1-3. If n = extranet, go to STEP 3-2. Otherwise STEP
Go to 3-1-4.
STEP3-1-4. Obtain the parent node id of n from the subnet connection relation table, and
Search for the name, and go to STEP 3-1-2 as n = parent node name.
STEP3-2. Create a route list R2 from S2 to extranet. Detailed steps are as follows
is there.
STEP 3-2-1. The node name is n = S2. The route list R2 is emptied.
STEP 3-2-2. Add n to R2.
STEP 3-2-3. If n = extranet, go to STEP3-3. Otherwise STEP
Go to 3-2-4.
STEP 3-2-4. Obtain the parent node id of n from the subnet connection relation table, and
Search for the name, and go to STEP 3-2-2 as n = parent node name.
STEP3-3. When R1 is seen from the top and the same element exists in R2, let that element be c.
STEP 3-4. The route list R is emptied. The elements from the beginning of R1 up to the previous c are added to the route list R in order.
STEP 3-5. This adds elements from R2 to c2 in order.
STEP 3-6. Scan each element of R from the top, and if the type in the subnet connection relation table is N, add the order from 1 and add it to the route filter table.

Details of each function are as follows. Here, assume that the following is entered as a search condition.
Time: 2007/01/10 10:05:00
protocol: tcp
src: 10.10.10.5
dst: 133.68.13.193
sport: 1050
dport: 22

An example of the route search function will be described with reference to FIGS.
STEP 3-0. Here, since src does not belong to any subnet in the area definition table, S2 with S1 as extranet is searched using the area definition table and set as hostnet.
STEP 3-1. Create a route list R1 from S1 to extranet.
STEP3-1-1. The node name is n = extranet. The route list R1 is emptied.
STEP 3-1-2. Add extranet to R1.
STEP3-1-3. Since n = extranet, go to STEP 3-2.
At this point, R1 = {extranet}.
STEP3-2. Create a route list R2 from S2 to extranet.
STEP 3-2-1. The node name is n = hostnet. The route list R2 is emptied.
STEP 3-2-2 (a). Add hostnet to R2.
STEP 3-2-3 (a). Since n is not extranet, go to STEP 3-2-4.
STEP 3-2-4 (a). If the parent node id of n is obtained from the subnet connection relation table, 3
It is. Search parent node name and get firewall2, STEP3 as n = firewall2
Go to 2-2.
STEP 3-2-2 (b). Add firewall2 to R2.
STEP 3-2-3 (b). Since n is not extranet, go to STEP 3-2-4.
STEP 3-2-4 (b). If the parent node id of n is obtained from the subnet connection relation table, 5
It is. Search for the name of the parent node and obtain subnet1, and set n = subnet1 to STEP 3-2-2.
STEP 3-2-2 (c). Add subnet1 to R2.
STEP 3-2-3 (c). Since n is not extranet, go to STEP 3-2-4.
STEP 3-2-4 (c). If the parent node id of n is obtained from the subnet connection relation table, 2
is there. Search for the name of the parent node to get firewall1, and set n = firewall1 to STEP 3-2-2.
STEP 3-2-2 (d). Add firewall1 to R2.
STEP 3-2-3 (d). Since n is not extranet, go to STEP 3-2-4.
STEP 3-2-4 (d). When the parent node id of n is obtained from the subnet connection relation table, 1
It is. Search for parent node name and get extranet, STEP3 as n = extranet
Go to 2-2.
STEP 3-2-2 (e). Add extranet to R2.
STEP 3-2-3 (e). Since n = extranet, go to STEP3-3.
At this point, R2 = {hostnet, firewall2, subnet1, firewall1, extranet}.
STEP3-3. When R1 is seen from the top and the same element exists in R2, that element is set to c
R Here, since the extranet that is the head of R1 exists in R2, let it be c.
STEP 3-4. The route list R is emptied. The elements from the beginning of R1 up to the previous c are added to the route list R in order. Here, nothing is added because there is no previous element of c.
R = {}
STEP 3-5. This adds elements from R2 to c2 in order.
R = {extranet, firewall1, subnet1, firewall2, hostnet}
STEP 3-6. Scan each element of R from the top, and if the type in the subnet connection relation table is N, add the order from 1 and add it to the route filter table.
Since the type of firewall1 is N and the type of firewall2 is N, these two are
Add to the filter table in order.
The results are shown in Fig. 22.

・ FW setting ・ State table log search function
This function generates the input of the reverse reverse function for finding the filter related to the specified packet header information in each firewall in the route filter table. The operation procedure is as follows.
STEP4-1. For each entry e in the route filter table, do the following with the order of the route filter table in ascending order.
STEP4-2. The firewall settings for entry e are obtained from the firewall settings, and the firewall state table log for entry e is obtained from the state table log.

An example of the FW setting / state table log search function will be described with reference to FIG.
STEP4-1. For each entry e in the route filter table, do the following with the order of the route filter table in ascending order.
STEP4-2. Get the firewall settings for entry e from the firewall settings DB and the firewall state table log for entry e from the state table log DB, and use them as input for the reverse stateful lookup function. Also, the firewall name of each entry e is passed to the reverse lookup result writing function.
STEP4-2 (firewall1) Firewall1 firewall settings (Figure 23 is used here)
The state table log (Fig. 24 is used here)
Pass to function.
Pass firewall1 to the reverse lookup result writing function.
STEP4-2 (firewall2) firewall2 firewall settings (Figure 25), state
The log of the table is empty, and these are passed to the stateful reverse lookup function.
Pass firewall2 to the reverse lookup result writing function.

・ Reverse lookup result writing function
This function writes the output of the stateful reverse lookup function to the route filter table. The firewall name is obtained from the filter / state table log search function, and the stateful reverse lookup result is obtained from the stateful reverse lookup function. Write stateful reverse lookup result to filter column of entry with matching firewall name
firewall1
The reverse lookup result in the firewall1 setting is shown in FIG.
Write {firewall1, {f1, f2, f3}}.
firewall2
The reverse lookup results for firewall2 settings are shown in Fig. 27.
Write {firewall1, {f2, f4}}.
Figure 28 shows the result.

・ Effective filter judgment function
This function obtains the effective filter based on the route filter table. The operation procedure is as follows.
However, this function works correctly when all of protocol, src, dst, sport, and dport are specified as packet header information.
STEP 5-1. Empty the effective filter list E.
STEP5-2. In the filter column of each entry e in the route filter table, leave the first filter and delete others.
STEP5-3. For each entry e in the route filter table, perform the following procedure with order in ascending order.
STEP 5-4. If f.action of the filter f of e is ACCEPT, it is added to the effective filter list E. If f.action is DROP, go to STEP 5-5 in addition to effective filter list E.
STEP 5-5. Outputs the effective filter list E.

An example of operation is shown below. Here, FIG. 28 is used as the route filter table.
STEP 5-1. Empty the effective filter list E.
E = {}
STEP5-2. In the filter column of each entry e in the route filter table, leave the first filter and delete others. The route filter table is shown in FIG.
STEP5-3. For each entry e in the route filter table, perform the following procedure with order in ascending order.
STEP 5-4. If f.action of the filter f of e is ACCEPT, the effective filter list E
Add. If f.action is DROP, in addition to effective filter list E, STEP5-5
What.
STEP 5-4 (order = 1). Since f.action is ACCEPT, add it to the effective filter list.
E = {{firewall1, f1}}
STEP 5-4 (order = 2). Since f.action is ACCEPT, add it to the effective filter list.
E = {{firewall1, f1}, {firewall2, f2}}
STEP 5-5. The effective filter list E is output.

This kind of computer network firewall setting analysis method is very useful in the management and operation of computer networks such as local area networks.

This is an overview of stateless firewall operation. This is an example of stateless setting. This is an overview of stateful firewall operation. This is an example of stateful setting. It is a data flow figure which changes stateful setting into stateless setting by invention 1. This is a model of conversion between stateless setting and stateful setting. This is an example of a state table log that is input to the setting conversion function. This is the contents of the stateful table as of 2007/01/10 10:11:00 restored from the state table log in Fig. 7. This is a filter condition candidate set generated from Fig. 7. This is an example of the stateless setting that combines the stateless filter and the stateless filter that is output by the setting conversion function. It is an example of the conversion table of the stateful setting of FIG. 4 and the stateless setting at the time t of FIG. FIG. 10 is a data flow diagram for detecting only those related to specific packet header information from among stateful settings according to the second aspect of the present invention. This is an example of detecting a filter related to a specific packet header after converting a stateful setting to a stateless setting. FIG. 13 shows the result of reverse conversion to the stateful setting using the conversion table. It is a data flow figure which detects the redundant filter in the time t from the stateful setting by the invention 3. FIG. It is an example of the stateful setting of the input example of FIG. This is an example of converting Fig. 16 to stateless setting at time 2007/01/10 10:11:00. It is a structural example of the effective filter detection function by the invention 4. It is an example of the subnet connection relation table in FIG. This is an example of the area definition table in FIG. This is an example of the path filter table in FIG. FIG. 18 shows an output example of the route search function. This is a setting example of firewall1 in the operation example of FIG. It is a log of the state table of firewall1 in the operation example of FIG. This is a setting example of firewall2 in the operation example of FIG. This is the result of stateful reverse lookup of firewall1 in the operation example of FIG. This is a result of stateful reverse lookup of firewall2 in the operation example of FIG. This is a result of adding effective filter candidates in the operation example of FIG. This is a result of deleting redundant effective filter candidates in the operation example of FIG.

Claims (4)

A stateful firewall that includes a filter (called a stateful filter) that changes the operation according to the communication status in a stateful firewall that manages the communication status using a status table, etc., and determines the operation such as packet passing or discarding according to the communication status when the packet arrives (Referred to as stateless setting) is used as a stateless firewall setting (referred to as stateless setting at time t) consisting only of a filter whose operation does not depend on the communication status (referred to as stateless filter) using the communication status at time t. Firewall setting analysis method characterized by having a setting conversion function to convert. When one or more packet header information and time t are specified, a stateful filter that performs an action on a packet having the packet header information is detected from the stateful setting using the stateless setting at time t. 2. The firewall setting analysis method according to claim 1, further comprising a filter reverse lookup function (referred to as a stateful reverse lookup function). 2. The firewall setting analysis method according to claim 1, further comprising a redundant filter detection function for detecting a filter that never takes an action no matter what packet arrives in the stateless setting at time t. When one or more packet header information and time t are specified in a network in which a plurality of firewalls are connected in multiple stages, the stateless setting at time t of each firewall is used for packets having the packet header information. The firewall setting analysis method according to claim 1, further comprising an effective filter detection function for detecting a stateful filter (referred to as an effective filter) that actually performs an action.