Complete Redundancy Detection in Firewalls

Firewalls are safety-critical systems that secure most private networks. The function of a firewall is to examine each incoming and outgoing packet and decide whether to accept or to discard the packet. This decision is made according to a sequence of rules, where some rules may be redundant. Redundant rules significantly degrade the performance of firewalls. Previous work detects only two special types of redundant rules. In this paper, we solve the problem of how to detect all redundant rules. First, we give a necessary and sufficient condition for identifying all redundant rules. Based on this condition, we categorize redundant rules into upward redundant rules and downward redundant rules. Second, we present methods for detecting the two types of redundant rules respectively. Our methods make use of a tree representation of firewalls, which is called firewall decision trees.

[1]  Ehab Al-Shaer,et al.  Discovery of policy anomalies in distributed firewalls , 2004, IEEE INFOCOM 2004.

[2]  Avishai Wool Architecting the Lumeta Firewall Analyzer , 2001, USENIX Security Symposium.

[3]  Sonia Fahmy,et al.  Refereed papers: A Framework for Understanding Vulnerabilities in Firewalls Using a Dataflow Model of Firewall Internals1 1This work was supported by sponsers of the Center for Education and Research in Information Assurance and Security (CERIAS) at Purdue University. , 2001 .

[4]  Mohamed G. Gouda,et al.  Firewall design: consistency, completeness, and compactness , 2004, 24th International Conference on Distributed Computing Systems, 2004. Proceedings..

[5]  Ehab Al-Shaer,et al.  Firewall Policy Advisor for Anomaly Discovery and Rule Editing , 2003, Integrated Network Management.

[6]  Ehab Al-Shaer,et al.  Management and translation of filtering security policies , 2003, IEEE International Conference on Communications, 2003. ICC '03..

[7]  Mark H. Overmars,et al.  Range Searching and Point Location among Fat Objects , 1994, J. Algorithms.

[8]  Pankaj Gupta,et al.  Algorithms for routing lookups and packet classification , 2000 .

[9]  Sonia Fahmy,et al.  A Framework for Understanding Vulnerabilities in Firewalls Using a Dataflow Model of Firewall Internals , 2001, Comput. Secur..

[10]  Joshua D. Guttman,et al.  Filtering postures: local enforcement for global policies , 1997, Proceedings. 1997 IEEE Symposium on Security and Privacy (Cat. No.97CB36097).

[11]  Avishai Wool,et al.  Firmato: A novel firewall management toolkit , 2004, TOCS.

[12]  Avishai Wool,et al.  Fang: a firewall analysis engine , 2000, Proceeding 2000 IEEE Symposium on Security and Privacy. S&P 2000.

[13]  Sonia Fahmy,et al.  Analysis of vulnerabilities in Internet firewalls , 2003, Comput. Secur..

[14]  Scott Hazelhurst,et al.  Algorithms for improving the dependability of firewall and filter rule lists , 2000, Proceeding International Conference on Dependable Systems and Networks. DSN 2000.