Minimizing the Maximum Firewall Rule Set in a Network with Multiple Firewalls

A firewall's complexity is known to grow with the size of its rule set. Empirical studies show that as the rule set grows, the number of configuration errors on a firewall increases sharply while its performance degrades. When designing a security-sensitive network, it is therefore critical to construct the network topology and its routing structure carefully so as to keep the firewall rule sets small, which lowers the chance of security loopholes and prevents performance bottlenecks. This paper studies two problems: where to place the firewalls in a topology during network design, and how to construct the routing tables during operation, such that the maximum firewall rule set (the largest rule set carried by any single firewall) is minimized. These problems have not been studied adequately despite their importance. We make two major contributions. First, we prove that both problems are NP-complete. Second, we propose a heuristic solution and demonstrate its effectiveness by simulation. The results show that the proposed algorithm reduces the maximum firewall rule set by a factor of 2 to 5 compared with other algorithms.
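The following is an added worked example, not code from the paper, illustrating why routing decides how large each firewall's rule set becomes. It assumes a small constructed topology with two firewalls, a constructed policy of four permitted flows, and the modelling assumption that every firewall on a flow's forwarding path must carry one rule for that flow. The greedy "route each flow where it hurts the maximum least" heuristic is an illustrative assumption of mine, not the paper's algorithm; the brute-force search is included only to show that the small instance's optimum is reached and that exhaustive search blows up with the number of flows.

```python
from itertools import product

# Constructed example topology (not from the paper): undirected adjacency list.
# Hosts A, B sit behind router R1; hosts C, D behind router R2. The direct path
# R1-F1-R2 is one hop shorter than the alternative R1-F2-R3-R2.
TOPOLOGY = {
    "A": ["R1"], "B": ["R1"],
    "R1": ["A", "B", "F1", "F2"],
    "F1": ["R1", "R2"],
    "F2": ["R1", "R3"],
    "R3": ["F2", "R2"],
    "R2": ["F1", "R3", "C", "D"],
    "C": ["R2"], "D": ["R2"],
}
FIREWALLS = {"F1", "F2"}

# Constructed policy: (src, dst) flows that must be permitted. Modelling
# assumption: each firewall on a flow's path needs exactly one rule for it.
FLOWS = [("A", "C"), ("A", "D"), ("B", "C"), ("B", "D")]


def simple_paths(topo, src, dst):
    """All simple src->dst paths via DFS; adequate for design-time topologies."""
    found = []

    def dfs(node, path):
        if node == dst:
            found.append(list(path))
            return
        for nxt in topo[node]:
            if nxt not in path:
                path.append(nxt)
                dfs(nxt, path)
                path.pop()

    dfs(src, [src])
    return found


def rule_sets(routing, firewalls):
    """Map each firewall to the set of flows whose chosen path traverses it."""
    rules = {fw: set() for fw in firewalls}
    for flow, path in routing.items():
        for hop in path:
            if hop in firewalls:
                rules[hop].add(flow)
    return rules


def max_rule_set(routing, firewalls):
    """The objective from the abstract: the largest rule set on any firewall."""
    return max(len(s) for s in rule_sets(routing, firewalls).values())


def shortest_path_routing(topo, flows):
    """Plain hop-count routing, as an IGP would do it, blind to firewall load."""
    return {f: min(simple_paths(topo, *f), key=len) for f in flows}


def greedy_minmax_routing(topo, flows, firewalls):
    """Illustrative greedy (my assumption, not the paper's heuristic): place flows
    one at a time on the path that keeps the current maximum rule set smallest;
    ties go to fewer firewalls traversed, then fewer hops."""
    routing = {}
    for flow in flows:
        best = None
        for path in simple_paths(topo, *flow):
            trial = {**routing, flow: path}
            key = (max_rule_set(trial, firewalls),
                   sum(hop in firewalls for hop in path),
                   len(path))
            if best is None or key < best[0]:
                best = (key, path)
        routing[flow] = best[1]
    return routing


def exhaustive_optimum(topo, flows, firewalls):
    """Brute force over every path combination. Exponential in the number of
    flows, which is why a heuristic is needed for real networks."""
    candidates = [simple_paths(topo, *f) for f in flows]
    return min(max_rule_set(dict(zip(flows, combo)), firewalls)
               for combo in product(*candidates))


if __name__ == "__main__":
    for name, routing in (("shortest-path", shortest_path_routing(TOPOLOGY, FLOWS)),
                          ("greedy min-max", greedy_minmax_routing(TOPOLOGY, FLOWS, FIREWALLS))):
        print(name, {fw: sorted(s) for fw, s in rule_sets(routing, FIREWALLS).items()},
              "max =", max_rule_set(routing, FIREWALLS))
    print("optimum =", exhaustive_optimum(TOPOLOGY, FLOWS, FIREWALLS))
```

Shortest-path routing sends all four flows through F1, so F1 carries four rules and F2 none; the load-aware routing splits them two and two, halving the maximum rule set without changing the policy. On a topology with many candidate paths the exhaustive search becomes infeasible quickly, which is the practical face of the NP-completeness result.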
