Structured firewall design

A firewall is a security guard placed at the point of entry between a private network and the outside Internet such that all incoming and outgoing packets have to pass through it. The function of a firewall is to examine every incoming or outgoing packet and decide whether to accept or discard it. This function is conventionally specified by a sequence of rules, where rules often conflict. To resolve conflicts, the decision for each packet is the decision of the first rule that the packet matches. The current practice of designing a firewall directly as a sequence of rules suffers from three types of major problems: (1) the consistency problem, which means that it is difficult to order the rules correctly; (2) the completeness problem, which means that it is difficult to ensure thorough consideration for all types of traffic; (3) the compactness problem, which means that it is difficult to keep the number of rules small (because some rules may be redundant and some rules may be combined into one rule). To achieve consistency, completeness, and compactness, we propose a new method called structured firewall design, which consists of two steps. First, one designs a firewall using a firewall decision diagram instead of a sequence of often conflicting rules. Second, a program converts the firewall decision diagram into a compact, yet functionally equivalent, sequence of rules. This method addresses the consistency problem because a firewall decision diagram is conflict-free. It addresses the completeness problem because the syntactic requirements of a firewall decision diagram force the designer to consider all types of traffic. It also addresses the compactness problem because in the second step we use two algorithms (namely FDD reduction and FDD marking) to combine rules together, and one algorithm (namely firewall compaction) to remove redundant rules. Moreover, the techniques and algorithms presented in this paper are extensible to other rule-based systems such as IPsec rules.
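The two-step method sketched above, worked through on a toy packet space as an added example (this is not code from the paper or its authors). The firewall decision diagram (FDD), the two packet fields with tiny domains and the decisions are constructed for illustration. The validator enforces the FDD syntactic requirements the abstract refers to (edge labels at each node disjoint and covering the domain); the marking step is a simplified heuristic (widen the edge with the largest label and emit it last), not the paper's load-based FDD marking; and the compaction step removes a rule whenever deleting it leaves the firewall's function unchanged, checked by brute force over every packet rather than by the paper's compaction algorithm. FDD reduction is not shown.

```python
from itertools import product

# Constructed toy packet space: two fields with small domains, so that the
# resulting firewall can be checked exhaustively (3 * 8 = 24 packets).
DOMAINS = {
    "proto": {"tcp", "udp", "icmp"},
    "dport": set(range(8)),          # stand-in for the 16-bit destination port space
}
FIELD_ORDER = ["proto", "dport"]      # every root-to-leaf path tests the fields in this order

# An FDD node is ("node", field, [(label_set, child), ...]); a leaf is ("leaf", decision).
def node(field, edges): return ("node", field, edges)
def leaf(decision):     return ("leaf", decision)

# Constructed example FDD: allow TCP to ports 0-3, allow UDP to port 5, discard the rest.
FDD = node("proto", [
    ({"tcp"},  node("dport", [({0, 1, 2, 3}, leaf("accept")), ({4, 5, 6, 7}, leaf("discard"))])),
    ({"udp"},  node("dport", [({5}, leaf("accept")), ({0, 1, 2, 3, 4, 6, 7}, leaf("discard"))])),
    ({"icmp"}, leaf("discard")),
])

def fdd_problems(tree):
    """Check the FDD syntactic requirements. At every node the outgoing edge labels must be
    pairwise disjoint (the diagram is conflict-free, so the rules cannot contradict each other)
    and together cover the field's domain (every kind of traffic gets a decision).
    Returns a list of violations; an empty list means the diagram is a valid FDD."""
    if tree[0] == "leaf":
        return []
    _, field, edges = tree
    problems, seen = [], set()
    for label, child in edges:
        if label & seen:
            problems.append(f"{field}: values {sorted(label & seen, key=str)} sit on two edges (conflict)")
        seen |= label
        problems += fdd_problems(child)
    if DOMAINS[field] - seen:
        problems.append(f"{field}: values {sorted(DOMAINS[field] - seen, key=str)} are never decided (incomplete)")
    return problems

def fdd_to_rules(tree, prefix=None, mark=False):
    """Generation step: each root-to-leaf path becomes one rule (field predicate -> decision).
    Fields a path does not test get the whole domain. With mark=True a simplified marking
    is applied: at each node the edge with the largest label is emitted last and its label is
    widened to the whole domain. First-match semantics keep this safe, because every packet
    whose value lies in a sibling's label is already caught by that sibling's rules."""
    prefix = dict(prefix or {})
    if tree[0] == "leaf":
        return [({f: prefix.get(f, DOMAINS[f]) for f in FIELD_ORDER}, tree[1])]
    _, field, edges = tree
    if mark:
        edges = sorted(edges, key=lambda e: len(e[0]))
        edges = edges[:-1] + [(DOMAINS[field], edges[-1][1])]
    rules = []
    for label, child in edges:
        rules += fdd_to_rules(child, {**prefix, field: label}, mark)
    return rules

def decide(rules, packet):
    """First-match semantics: the first rule whose predicate the packet satisfies decides.
    None means no rule matched, i.e. the rule sequence is incomplete for this packet."""
    for pred, decision in rules:
        if all(packet[f] in pred[f] for f in FIELD_ORDER):
            return decision
    return None

def all_packets():
    for values in product(*(sorted(DOMAINS[f], key=str) for f in FIELD_ORDER)):
        yield dict(zip(FIELD_ORDER, values))

def equivalent(rules_a, rules_b):
    """Two rule sequences are functionally equivalent iff they decide every packet alike."""
    return all(decide(rules_a, p) == decide(rules_b, p) for p in all_packets())

def compact(rules):
    """Compaction: a rule is redundant if deleting it leaves the firewall's function unchanged.
    Brute-force check over the whole packet space (the paper's algorithm is not used here)."""
    kept, i = list(rules), 0
    while i < len(kept):
        candidate = kept[:i] + kept[i + 1:]
        if equivalent(kept, candidate):
            kept = candidate          # drop the redundant rule, re-examine the same index
        else:
            i += 1
    return kept

def fmt(rule):
    pred, decision = rule
    parts = [f"{f} in {'all' if pred[f] == DOMAINS[f] else sorted(pred[f], key=str)}" for f in FIELD_ORDER]
    return " and ".join(parts) + f" -> {decision}"

if __name__ == "__main__":
    assert fdd_problems(FDD) == []
    plain, marked = fdd_to_rules(FDD), fdd_to_rules(FDD, mark=True)
    for title, rules in (("generated", plain), ("marked", marked), ("marked + compacted", compact(marked))):
        print(f"{title}: {len(rules)} rules")
        for r in rules:
            print("  " + fmt(r))
```

On this input the plain generation yields five rules and so does marking, but the marked sequence ends in a catch-all discard rule that makes two of the intermediate discard rules redundant, so compaction brings it down to three rules while `equivalent` confirms the function is unchanged. Compacting the unmarked sequence removes nothing, which is the point of combining the two algorithms. The validator is also the place where an incomplete diagram (say, one that never decides ICMP) is caught before any rule is generated.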