Detecting and resolving anomalous intrusion traffic with a Ryu firewall
Firewall rules
A rule is defined as a set of criteria plus the action to take when a packet matches those criteria. The criteria of a Ryu firewall rule are: VLAN, priority, ingress switch port, Ethernet source, Ethernet destination, Ethernet frame type, IP source, IP destination, IPv6 source, IPv6 destination, IP protocol, source port and destination port. Apart from priority, which orders flow entries rather than matching packets, these are the match fields defined in the OpenFlow Switch Specification.
Firewall rules define the security policy for network traffic. Any wrong rule either lets unwanted traffic through or blocks traffic that should pass, and so compromises the security of the system.
The relationship between two rules is the relationship between the sets of packets they match. Suppose one rule matches packet set A and the other matches packet set B. There are four cases:
(1) Disjoint: for at least one criterion the two rules have completely disjoint values, so no packet matches both.
(2) Exact match: every criterion of one rule has exactly the same value in the other.
(3) Inclusive match: for at least one criterion one rule's value is a strict subset of the other's, and for the remaining criteria the values are equal; the first rule then matches a subset of the second rule's packets.
(4) Correlated: the two rules are neither disjoint nor does either include the other; each rule matches some packets the other does not, yet they also share some packets.
Possible anomalies between two rules:
1. Shadowing anomaly: a rule is shadowed by another rule when the other rule precedes it in the policy, matches every packet the shadowed rule matches, and has a different action. The shadowed rule never takes effect.
2. Correlation anomaly: the two rules have different actions, the first matches some of the packets the second matches, and vice versa. Which action applies to the shared packets then depends only on rule order.
3. Redundancy anomaly: a rule is redundant when another rule already performs the same action on every packet it matches, so removing it does not change the policy.
The TreeInsert algorithm resolves the anomalies as follows:
Shadowing anomaly: when the two rules match exactly, keep the one with the reject action. When one rule includes the other, reorder the rules so that the one with the reject action takes effect (the Resolve pseudocode further down does this by inserting the more specific rule before the more general one).
Correlation anomaly: decompose the two rules into disjoint parts and insert those parts into the list. For the part common to both correlated rules, keep the reject action.
Redundancy anomaly: delete the redundant rule.
Experimental simulation:
1. Download the code
git clone https://github.com/ernie55ernie/Anomaly-Firewall-Rule-Detection-And-Resolution.git
2. Install the dependencies
cd Anomaly-Firewall-Rule-Detection-And-Resolution/
pip install -r requirements.txt
3. Set the switch to OpenFlow 1.3
In a new terminal:
sudo ovs-vsctl set Bridge <bridge> protocols=OpenFlow13
(<bridge> is the name of the Open vSwitch bridge; in a Mininet topology the first switch is s1.)
4. Start the controller
In a new terminal:
sudo ryu-manager rest_firewall.py
Firewall rule format:
Rules are listed in priority order, one per line, as <direction, protocol, source IP, source port, destination IP, destination port, action>; ANY matches any value and * in the last octet stands for the whole /24.
<IN, TCP, 129.110.96.117, ANY, ANY, 80, REJECT>
<IN, TCP, 129.110.96.*, ANY, ANY, 80, ACCEPT>
<IN, TCP, ANY, ANY, 129.110.96.80, 80, ACCEPT>
<IN, TCP, 129.110.96.*, ANY, 129.110.96.80, 80, REJECT>
<OUT, TCP, 129.110.96.80, 22, ANY, ANY, REJECT>
<IN, TCP, 129.110.96.117, ANY, 129.110.96.80, 22, REJECT>
<IN, UDP, 129.110.96.117, ANY, 129.110.96.*, 22, REJECT>
<IN, UDP, 129.110.96.117, ANY, 129.110.96.80, 22, REJECT>
<IN, UDP, 129.110.96.117, ANY, 129.110.96.117, 22, ACCEPT>
<IN, UDP, 129.110.96.117, ANY, 129.110.96.117, 22, REJECT>
<OUT, UDP, ANY, ANY, ANY, ANY, REJECT>
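The page starts Ryu's rest_firewall but does not show how rules in this text format reach the switch. The following is an added example, not code from the page or from the linked repository. It assumes the rules are pushed through the rest_firewall REST API (POST /firewall/rules/<dpid> on port 8080) and builds the JSON bodies for that call. Two properties of that API matter: like OpenFlow, it matches nw_src/nw_dst on a single prefix and tp_src/tp_dst on a single value, so an address range such as 129.110.96.81-255.255.255.255 (the form the resolved rule lists further down use) has to be decomposed into CIDR blocks and a port range into one entry per port; and it has no direction field, so the IN/OUT column is mapped to an in_port number supplied by the caller, which is an assumption of this example. The dpid and URL are placeholders.

```python
# Added example, not code from the page or the repository it links.  Assumption: rules
# in the seven-field text format are installed through ryu.app.rest_firewall's REST API
# (POST /firewall/rules/<dpid>).  That API matches nw_src/nw_dst on one prefix and
# tp_src/tp_dst on one value, so an address range becomes a list of CIDR blocks and a
# port range becomes one entry per port.  Mapping IN/OUT to an OpenFlow in_port number
# is also an assumption; the dpid and URL below are placeholders.
import ipaddress
import itertools
import json

def cidr_blocks(tok):
    """'*'/'ANY' -> [None] (no match key); 'lo-hi' -> minimal CIDR cover; 'x/24', 'a.b.c.*' or a host."""
    if tok in ("*", "ANY"):
        return [None]
    if "-" in tok:
        lo, hi = (ipaddress.ip_address(x) for x in tok.split("-"))
        return [str(n) for n in ipaddress.summarize_address_range(lo, hi)]
    return [str(ipaddress.ip_network(tok.replace("*", "0/24"), strict=False))]

def ports(tok):
    """'*'/'ANY' -> [None]; 'lo-hi' -> every port in the range; 'n' -> [n]."""
    if tok in ("*", "ANY"):
        return [None]
    lo, _, hi = tok.partition("-")
    return list(range(int(lo), int(hi or lo) + 1))

def to_rest_bodies(rule_text, priority, in_port_for=None):
    """One text rule -> the list of rest_firewall rule dicts it expands to (same priority)."""
    d, proto, sip, spt, dip, dpt, act = [t.strip() for t in rule_text.strip("<> \n").split(",")]
    action = {"ACCEPT": "ALLOW", "REJECT": "DENY"}.get(act.upper(), act.upper())
    bodies = []
    for src, sport, dst, dport in itertools.product(cidr_blocks(sip), ports(spt), cidr_blocks(dip), ports(dpt)):
        body = {"priority": str(priority), "dl_type": "IPv4", "nw_proto": proto.upper(), "actions": action}
        if in_port_for and d.upper() in in_port_for:
            body["in_port"] = str(in_port_for[d.upper()])
        for key, val in (("nw_src", src), ("tp_src", sport), ("nw_dst", dst), ("tp_dst", dport)):
            if val is not None:              # an omitted key is a wildcard, as in the text format
                body[key] = str(val)
        bodies.append(body)
    return bodies

def policy_to_rest(rules, in_port_for=None):
    """Ordered list -> bodies; the first rule gets the highest priority so it is matched first."""
    bodies = []
    for i, text in enumerate(rules):
        bodies += to_rest_bodies(text, len(rules) - i, in_port_for)
    return bodies

def curl_commands(bodies, dpid="0000000000000001", url="http://localhost:8080"):
    """Shell lines that would install the bodies; nothing is sent from here."""
    return ["curl -X POST -d '%s' %s/firewall/rules/%s" % (json.dumps(b, sort_keys=True), url, dpid)
            for b in bodies]

# Constructed input: three rules in the text format above, one with an open-ended address range.
RESOLVED = ["<IN, TCP, 129.110.96.0/24, *, 129.110.96.81-255.255.255.255, 80, ALLOW>",
            "<IN, TCP, 129.110.96.0/24, *, 129.110.96.80, 80, DENY>",
            "<OUT, UDP, *, *, *, *, DENY>"]

if __name__ == "__main__":               # prints one curl line per expanded rule body
    print(*curl_commands(policy_to_rest(RESOLVED, {"IN": 1})), sep="\n")
```

Priorities are derived from list position because rest_firewall, like OpenFlow, matches the highest priority first, whereas the text format relies on order. The single ALLOW rule with the open-ended destination range expands to 21 entries, one per CIDR block of the range, which is why range splitting during resolution can inflate the installed rule count and why the later merge step is worthwhile.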
Run the example code: python anomaly_resolver.py
Anomaly detection:
python main.py --path rules/example_rules_1 --detect
Pseudocode (r and s denote firewall rules):
old rules list ← read rules from config file
new rules list ← empty list
for all r ∈ old rules list do
    Insert(r, new rules list)
for all r ∈ new rules list do
    for all s ∈ new rules list after r do
        if r ⊂ s then
            if r.action = s.action then
                Remove r from new rules list
                break
Anomaly resolution:
python main.py --path rules/example_rules_1 --resolve
Pseudocode for Insert(r, new rules list) (r and s denote firewall rules):
if new rules list is empty then
    insert r into new rules list
else
    inserted ← false
    for all s ∈ new rules list do
        if r and s are not disjoint then
            inserted ← Resolve(r, s)
            if inserted = true then
                break
    if inserted = false then
        insert r into new rules list
Resolved rule list (ranges are written lo-hi, * means any value):
<IN, TCP, 129.110.96.0/24, *, 129.110.96.81-255.255.255.255, 80, ALLOW>
<IN, TCP, 129.110.96.0/24, *, 0.0.0.0-129.110.96.79, 80, ALLOW>
<IN, TCP, 129.110.96.117, *, 0.0.0.0-129.110.96.79, 80, DENY>
<IN, TCP, 129.110.96.0-129.110.96.116, *, 129.110.96.80, 80, ALLOW>
<IN, TCP, 0.0.0.0-129.110.95.255, *, 129.110.96.80, 80, ALLOW>
<IN, TCP, 129.110.97.0-255.255.255.255, *, 129.110.96.80, 80, ALLOW>
<IN, TCP, 129.110.96.118-129.110.96.255, *, 129.110.96.80, 80, ALLOW>
<IN, TCP, 129.110.96.0/24, *, 129.110.96.80, 80, DENY>
<OUT, TCP, 129.110.96.80, 22, *, *, DENY>
<IN, TCP, 129.110.96.117, *, 129.110.96.80, 22, DENY>
<IN, UDP, 129.110.96.117, *, 129.110.96.0/24, 22, DENY>
<OUT, UDP, *, *, *, *, DENY>
Rule merging:
python main.py --path rules/example_rules_2 --merge
Pseudocode for Resolve(r, s) (r and s denote firewall rules; s is already in the new rules list, r is the rule being inserted):
if r = s then
    if r.action ≠ s.action then
        set s.action to REJECT and report anomaly
    else
        report removal of r
    return true
if r ⊂ s then
    insert r before s into new rules list and report reordering
    return true
if s ⊂ r then
    return false
Remove s from new rules list
Find the set of attributes a = {x | r.x ≠ s.x}
for all a_i ∈ a do
    Split(r, s, a_i)
if r.action ≠ s.action then
    s.action ← REJECT
Insert(s, new rules list)
return true
Rule set for the merge example (adjacent ranges that can be combined):
<IN, TCP, 202.80.169.29-63, 483, 129.110.96.64-127, 100-110, ACCEPT>
<IN, TCP, 202.80.169.29-63, 483, 129.110.96.64-127, 111-127, ACCEPT>
<IN, TCP, 202.80.169.29-63, 483, 129.110.96.128-164, 100-127, ACCEPT>
<IN, TCP, 202.80.169.29-63, 484, 129.110.96.64-99, 100-127, ACCEPT>
<IN, TCP, 202.80.169.29-63, 484, 129.110.96.100-164, 100-127, ACCEPT>
<IN, TCP, 202.80.169.64-110, 483-484, 129.110.96.64-164, 100-127, ACCEPT>
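The rule relations and anomaly definitions given earlier, together with the Insert and Resolve pseudocode, as an added example that is not code from the page or from the linked repository. Every field of a rule is stored as an integer interval, so disjoint, exact, inclusive and correlated become one interval test applied to six fields; direction and protocol are encoded as one-point intervals (IN=0, OUT=1, TCP=6, UDP=17) and ACCEPT/REJECT are normalised to ALLOW/DENY, all of which are choices of this example. Split is implemented over all attributes at once: attributes on which the two rules agree produce no pieces, and the pieces are carved so that they are mutually disjoint.

```python
# Added example, not code from the page or the repository it links: the seven-field
# rules above as integer intervals, the four relations, the three anomaly checks and
# the Insert/Resolve/Split procedure; direction/protocol become one-point intervals.
import ipaddress

DIRS, PROTOS = {"IN": 0, "OUT": 1}, {"TCP": 6, "UDP": 17}      # encoding is an assumption
NAMES = {v: k for table in (DIRS, PROTOS) for k, v in table.items()}
ACTION, IP_ALL, PORT_ALL = {"ACCEPT": "ALLOW", "REJECT": "DENY"}, (0, 2**32 - 1), (0, 65535)

def _ip_range(tok):
    """'ANY'/'*', 'a.b.c.*' (last-octet wildcard), 'x/24', 'lo-hi' or a single host."""
    if tok in ("ANY", "*"):
        return IP_ALL
    if "-" in tok:
        return tuple(int(ipaddress.ip_address(x)) for x in tok.split("-"))
    net = ipaddress.ip_network(tok.replace("*", "0/24"), strict=False)
    return (int(net[0]), int(net[-1]))

def parse_rule(text):
    """'<IN, TCP, 129.110.96.117, ANY, ANY, 80, REJECT>' -> (six intervals, ALLOW|DENY)."""
    d, p, sip, spt, dip, dpt, act = [t.strip() for t in text.strip("<> \n").split(",")]
    port = lambda t: PORT_ALL if t in ("ANY", "*") else (int(t.split("-")[0]), int(t.split("-")[-1]))
    fields = ((DIRS[d], DIRS[d]), (PROTOS[p], PROTOS[p]), _ip_range(sip), port(spt), _ip_range(dip), port(dpt))
    return (fields, ACTION.get(act.upper(), act.upper()))

def relation(r, s):
    """'disjoint', 'exact', 'r_in_s' (r is the subset), 's_in_r' or 'correlated'."""
    pairs = list(zip(r[0], s[0]))
    if any(a[1] < b[0] or b[1] < a[0] for a, b in pairs):
        return "disjoint"
    if r[0] == s[0]:
        return "exact"
    if all(b[0] <= a[0] <= a[1] <= b[1] for a, b in pairs):
        return "r_in_s"
    if all(a[0] <= b[0] <= b[1] <= a[1] for a, b in pairs):
        return "s_in_r"
    return "correlated"

def detect(rules):
    """Pairwise check of an ordered list -> [(kind, earlier index, later index)]."""
    found = []
    for i, r in enumerate(rules):
        for j in range(i + 1, len(rules)):
            rel, same = relation(r, rules[j]), r[1] == rules[j][1]
            if rel in ("exact", "s_in_r"):        # r matches every packet rules[j] matches
                found.append(("redundancy" if same else "shadowing", i, j))
            elif (rel == "r_in_s" and same) or (rel == "correlated" and not same):
                found.append(("redundancy" if same else "correlation", i, j))
    return found

def split(rule, common):
    """Pieces of `rule` outside the box `common`; the pieces are mutually disjoint."""
    fields, action, pieces = list(rule[0]), rule[1], []
    for i, (lo, hi) in enumerate(common):
        a, b = fields[i]
        for part in ([(a, lo - 1)] if a < lo else []) + ([(hi + 1, b)] if b > hi else []):
            pieces.append((tuple(fields[:i] + [part] + fields[i + 1:]), action))
        fields[i] = (lo, hi)                      # narrow before the next attribute
    return pieces

def resolve_pair(r, s, new):
    """Resolve(r, s) of the pseudocode: s is already in `new`, r is being inserted."""
    rel = relation(r, s)
    if rel == "exact":                 # different actions: s keeps DENY; same action: r is redundant
        if r[1] != s[1]:
            new[new.index(s)] = (s[0], "DENY")
    elif rel == "r_in_s":              # reorder: the more specific rule goes first
        new.insert(new.index(s), r)
    elif rel == "s_in_r":
        return False
    else:                              # correlated: split both around the overlap, keep it once
        new.remove(s)
        common = tuple((max(a[0], b[0]), min(a[1], b[1])) for a, b in zip(r[0], s[0]))
        for piece in split(r, common) + split(s, common):
            insert_rule(piece, new)
        insert_rule((common, "DENY" if r[1] != s[1] else r[1]), new)
    return True

def insert_rule(r, new):
    """Insert(r, new rules list): resolve against the first overlapping rule, else append."""
    for s in list(new):
        if relation(r, s) != "disjoint" and resolve_pair(r, s, new):
            return
    new.append(r)

def resolve_all(rules):
    new = []
    for r in rules:
        insert_rule(r, new)
    return new

def format_rule(rule):
    """Back to the page's text form ('*' = full range, 'lo-hi' = partial range)."""
    ip = lambda n: str(ipaddress.ip_address(n))
    txt = lambda iv, full, c=str: "*" if iv == full else "-".join(dict.fromkeys(map(c, iv)))
    (d, p, sip, spt, dip, dpt), act = rule
    return "<%s, %s, %s, %s, %s, %s, %s>" % (NAMES[d[0]], NAMES[p[0]], txt(sip, IP_ALL, ip),
                                              txt(spt, PORT_ALL), txt(dip, IP_ALL, ip), txt(dpt, PORT_ALL), act)

# Constructed input: the first four (TCP) rules of the example rule list on this page.
PAGE_RULES = [parse_rule(t) for t in (
    "<IN, TCP, 129.110.96.117, ANY, ANY, 80, REJECT>", "<IN, TCP, 129.110.96.*, ANY, ANY, 80, ACCEPT>",
    "<IN, TCP, ANY, ANY, 129.110.96.80, 80, ACCEPT>", "<IN, TCP, 129.110.96.*, ANY, 129.110.96.80, 80, REJECT>")]

if __name__ == "__main__":            # stand-alone run: anomalies found, then the resolved list
    print(detect(PAGE_RULES), *map(format_rule, resolve_all(PAGE_RULES)), sep="\n")
```

On the first four TCP rules, detect reports that rule 4 is shadowed by rules 2 and 3 and that rules 1 and 3 are correlated, and resolve_all prints the split rule list. A useful check after resolution is detect(resolve_all(rules)): it should report no shadowing or correlation, only redundancies of the kind the detection pass removes.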
Firewall rule tree:
Conclusion
Resolving anomalies in firewall policy rules is essential for network security, because anomalies can introduce unnecessary security holes that are hard to find. This article therefore presented an automated process for detecting and resolving such anomalies.