Firewall modules and modular firewalls

A firewall is a packet filter placed at an entry point of a network in the Internet. Each packet that goes through this entry point is checked by the firewall to determine whether to accept or discard the packet. The firewall makes this determination based on a specified sequence of overlapping rules. The firewall uses the first-match criterion to determine which rule in the sequence should be applied to which packet. Thus, to compute the set of packets to which a rule is applied, the firewall designer needs to consider all the rules that precede this rule in the sequence. This “rule dependency” complicates the task of designing firewalls (especially those with thousands of rules), and makes firewalls hard to understand. In this paper, we present a metric, called the dependency metric, for measuring the complexity of firewalls. This metric, though accurate, does not seem to suggest ways to design firewalls whose dependency metrics are small. Thus, we present another metric, called the inversion metric, and develop methods for designing firewalls with small inversion metrics. We show that the dependency metric and the inversion metric are correlated for some classes of firewalls. So by aiming to design firewalls with small inversion metrics, the designer may end up with firewalls whose dependency metrics are small as well. We present a method for designing modular firewalls whose inversion metrics are very small. Each modular firewall consists of several components, called firewall modules. The inversion metric of each firewall module is very small - in fact, 1 or 2. Thus, we conclude that modular firewalls are easy to design and easy to understand.
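The first-match semantics and the "rule dependency" described above, worked as an added example (this is not the paper's own code, and the paper's dependency and inversion metrics are not defined on this page): rules are axis-parallel boxes over two integer packet fields, `effective_packets` computes which packets each rule actually decides once the rules before it are accounted for, `preceding_dependencies` is a simplified stand-in for a dependency count (assumed here: the preceding rules whose domains overlap), and the rule list and packet space are constructed.

```python
# Added example: first-match packet filtering over a tiny constructed
# two-field packet space. Not the paper's code or metric definitions.
from itertools import product

# A rule is ((lo, hi) per field, decision); intervals are inclusive.
# Constructed rule list: rule 3 is completely shadowed by rule 2.
RULES = [
    (((0, 9), (0, 4)), "accept"),
    (((5, 14), (0, 9)), "discard"),
    (((0, 19), (0, 19)), "accept"),
    (((0, 19), (0, 19)), "discard"),
]

def matches(rule, packet):
    """True if every field value of packet lies in the rule's interval."""
    return all(lo <= v <= hi for (lo, hi), v in zip(rule[0], packet))

def first_match(rules, packet):
    """First-match criterion: (rule index, decision) of the first rule
    matching packet, or None if no rule matches."""
    for i, rule in enumerate(rules):
        if matches(rule, packet):
            return i, rule[1]
    return None

def overlaps(a, b):
    """True if the domains (boxes) of rules a and b share at least one packet."""
    return all(max(lo1, lo2) <= min(hi1, hi2)
               for (lo1, hi1), (lo2, hi2) in zip(a[0], b[0]))

def preceding_dependencies(rules):
    """Simplified dependency view (assumption, not the paper's metric):
    for each rule, the indices of earlier rules whose domains overlap it.
    Those are exactly the rules a designer must read to know which packets
    reach this rule."""
    return [[j for j in range(i) if overlaps(rules[j], rules[i])]
            for i in range(len(rules))]

def effective_packets(rules, space):
    """Enumerate the packet space and count, per rule, the packets that the
    rule actually decides under first-match (its box minus earlier boxes)."""
    counts = [0] * len(rules)
    for pkt in product(*[range(lo, hi + 1) for lo, hi in space]):
        hit = first_match(rules, pkt)
        if hit is not None:
            counts[hit[0]] += 1
    return counts

def shadowed_rules(rules, space):
    """Indices of rules that decide no packet at all: dead rules that only
    add reading effort and are a common sign of a misconfiguration."""
    return [i for i, c in enumerate(effective_packets(rules, space)) if c == 0]
```

On the constructed list, rule 1's box holds 100 packets but it decides only 75, because rule 0 already took the 25 packets in their overlap; rule 3 decides none.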
