Complete Redundancy Detection in Firewalls
Alex X. Liu, Department of Computer Sciences, The University of Texas at Austin
Co-author: Mohamed G. Gouda

Slide 2: Firewall Basics
 A firewall connects a private network to the outside Internet such that all incoming and outgoing packets have to pass through it.
 Function: it maps every packet to a decision.
 This function is specified by a sequence of rules.

Slide 3: Firewall Example
 Firewall example:

Interface | Source IP       | Dest. IP    | Dest. Port | Protocol | Decision
0         | malicious hosts | any         | any        | any      | discard
0         | any             | mail server | 25         | TCP      | accept
any       | any             | any         | any        | any      | accept

 Resolving conflicts: first match (the first rule a packet matches decides it).
 Firewalls often have redundant rules.

Slide 4: Redundant Rules (Upward)
 A rule in a firewall is redundant iff eliminating the rule does not change the function of the firewall.
 Example:
r1: F ∈ [1, 50] → accept
r2: F ∈ [40, 90] → discard
r3: F ∈ [30, 60] → accept
r4: F ∈ [51, 100] → discard
 Rule r3 is redundant (upward redundant): every packet in [30, 60] is already matched by r1 or r2, so r3 is never the first match.
 A rule r in a firewall is upward redundant iff there is no packet whose first matching rule is r.

Slide 5: Redundant Rules (Downward)
 After r3 is removed:
r1: F ∈ [1, 50] → accept
r2: F ∈ [40, 90] → discard
r4: F ∈ [51, 100] → discard
 Rule r2 becomes redundant (downward redundant): the packets whose first match is r2, namely [51, 90], are discarded by r4 anyway.
 A rule r in a firewall is downward redundant iff for each packet whose first matching rule is r, the first matching rule below r has the same decision as r.

Slide 6: Redundant Rules Hurt Firewall Performance
 Packet classification algorithms map a packet to a decision using data structures built from the firewall rules.
 Software-based packet classification algorithms need either O(n^d) space and O(log n) time, or O(n) space and O(log^(d-1) n) time (n: number of rules, d: number of fields).
 On-chip cache is limited.
 Hardware-based packet classification (TCAM: Ternary Content Addressable Memory) needs O(n) space and constant time.
 TCAM power consumption grows with n.
 Every redundant rule adds to n, and therefore to space, lookup time or power, without changing the firewall's function.

Slide 7: Matching Set vs. Resolving Set
Let f be any firewall that consists of n rules 〈r1, r2, …, rn〉.
 The matching set M(ri) of rule ri is the set of all packets that match ri.
 The resolving set R(ri, f) of rule ri in f is the set of all packets that match ri but do not match any rule listed before ri in f.
r1: F ∈ [1, 50] → accept      M(r1) = R(r1, f) = [1, 50]
r2: F ∈ [40, 90] → discard    M(r2) = [40, 90], R(r2, f) = [40, 90] − [1, 50] = [51, 90]
r3: F ∈ [30, 60] → accept     M(r3) = [30, 60], R(r3, f) = [30, 60] − [40, 90] − [1, 50] = Ø
r4: F ∈ [51, 100] → discard   M(r4) = [51, 100], R(r4, f) = [51, 100] − [30, 60] − [40, 90] − [1, 50] = [91, 100]

Slide 8: Redundancy Theorem
 A rule ri is redundant in f iff:
(1) R(ri, f) = Ø, or
(2) R(ri, f) ≠ Ø, and for any packet p in R(ri, f), 〈ri+1, ri+2, …, rn〉(p) yields the same decision as that of ri.
 ri is upward redundant iff (1).
 ri is downward redundant iff (2).
 We need to calculate R(ri, f): Firewall Decision Trees.

Slide 9: Firewall Decision Trees (FDTs)
Example FDT (root labelled F1, its children labelled F2, leaves labelled with decisions):
F1 ∈ [1,19] ∪ [51,100] → F2 ∈ [1,100] → d
F1 ∈ [20,50] → F2 ∈ [1,34] → d
                F2 ∈ [35,65] → a
                F2 ∈ [66,100] → d
 Consistency: for any two outgoing edges of a node, their labels are non-overlapping.
 Completeness: the union of the labels of all the outgoing edges of a node is the domain of the label of that node.
 A decision path in an FDT defines a rule.
 Example: F1 ∈ [1,19] ∪ [51,100] ∧ F2 ∈ [1,100] → d

Slide 10: Calculate Resolving Set
 Calculate R(ri, f) for each rule ri while constructing an equivalent FDT.
 Definition: A set of rules {e1, e2, …, ek} is called an effective rule set of ri iff: (1) every ej has the same decision as ri, and (2) the union of their matching sets M(e1) ∪ … ∪ M(ek) is exactly R(ri, f).
 Example firewall:
r1: F1 ∈ [20, 50] ∧ F2 ∈ [35, 65] → a
r2: F1 ∈ [10, 60] ∧ F2 ∈ [15, 45] → d
r3: F1 ∈ [30, 40] ∧ F2 ∈ [25, 55] → a
r4: F1 ∈ [1, 100] ∧ F2 ∈ [1, 100] → d
 After inserting r1, the FDT has the single path F1 ∈ [20,50] → F2 ∈ [35,65] → a, so E1 = {F1 ∈ [20, 50] ∧ F2 ∈ [35, 65] → a}.

Slide 11: Detecting Upward Redundant Rules
 Same firewall:
r1: F1 ∈ [20, 50] ∧ F2 ∈ [35, 65] → a
r2: F1 ∈ [10, 60] ∧ F2 ∈ [15, 45] → d
r3: F1 ∈ [30, 40] ∧ F2 ∈ [25, 55] → a
r4: F1 ∈ [1, 100] ∧ F2 ∈ [1, 100] → d
 E1 = {F1 ∈ [20, 50] ∧ F2 ∈ [35, 65] → a}
 E2 = {F1 ∈ [10, 19] ∪ [51, 60] ∧ F2 ∈ [15, 45] → d, F1 ∈ [20, 50] ∧ F2 ∈ [15, 34] → d}
 FDT after inserting r1 and r2:
F1 ∈ [20,50] → F2 ∈ [35,65] → a
                F2 ∈ [15,34] → d
F1 ∈ [10,19] ∪ [51,60] → F2 ∈ [15,45] → d
 Similarly, E3 = Ø (every packet matching r3 is already on a path for r1 or r2), so r3 is upward redundant, and
 E4 = {F1 ∈ [1,9] ∪ [61,100] ∧ F2 ∈ [1,100] → d, F1 ∈ [20,29] ∪ [41,50] ∧ F2 ∈ [1,14] ∪ [66,100] → d, F1 ∈ [30,40] ∧ F2 ∈ [1,14] ∪ [66,100] → d, F1 ∈ [10,19] ∪ [51,60] ∧ F2 ∈ [1,14] ∪ [46,100] → d}
 (The F1 edge [20,50] is split at [30,40] when r3 is inserted, which is why E4 lists [20,29] ∪ [41,50] and [30,40] separately even though r3 contributes no path.)

Slide 12: Detecting Downward Redundant Rules
 Consider a rule r and a non-overlapping firewall 〈r1, r2, …, rn〉 (no two of its rules match a common packet). If r does not conflict with any rule ri, i.e. every ri whose matching set overlaps M(r) has the same decision as r, then 〈r, r1, r2, …, rn〉 ≡ 〈r1, r2, …, rn〉.
 Example:
r: F ∈ [20, 40] → accept
r1: F ∈ [1, 50] → accept
r2: F ∈ [51, 100] → discard
 Every packet in [20, 40] is accepted by r1 anyway, so prepending r does not change the firewall.

Slide 13: Detecting Downward Redundant Rules (cont.)
 To test whether ri is downward redundant:
(1) calculate its effective rule set {e1, e2, …, ek},
(2) convert the firewall 〈ri+1, ri+2, …, rn〉 to an equivalent non-overlapping firewall,
(3) ri is downward redundant iff ej and rm do not conflict for any 1 ≤ j ≤ k and i+1 ≤ m ≤ n, where the rm are the rules of that non-overlapping firewall.
 To convert 〈ri+1, ri+2, …, rn〉 to a non-overlapping firewall, we construct an equivalent FDT: by consistency, its decision paths are pairwise non-overlapping rules.

Slide 14: Detecting Downward Redundant Rules (cont.)
r1: F1 ∈ [20, 50] ∧ F2 ∈ [35, 65] → a
r2: F1 ∈ [10, 60] ∧ F2 ∈ [15, 45] → d
r3: F1 ∈ [1, 100] ∧ F2 ∈ [1, 100] → d
 E2 = {F1 ∈ [10, 19] ∪ [51, 60] ∧ F2 ∈ [15, 45] → d, F1 ∈ [20, 50] ∧ F2 ∈ [15, 34] → d}
 FDT of 〈r3〉: F1 ∈ [1,100] → F2 ∈ [1,100] → d
 Neither rule of E2 conflicts with this single path (all decide d), so rule r2 is downward redundant.

Slide 15: Summary
 Detect upward redundant rules: (1) calculate the effective rule set of every rule while constructing the FDT top down; (2) a rule whose effective rule set is empty is upward redundant.
 Detect downward redundant rules: (1) construct the FDT bottom up; (2) check whether a rule is downward redundant by comparing the rule's effective rule set against the FDT.
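The procedure of slides 7 to 15, carried through in code as an added example (not code from the talk or from the Liu/Gouda paper). It represents each rule's matching set as one box (a tuple of per-field intervals), computes R(ri, f) by box subtraction instead of building an FDT, and tests downward redundancy by checking that the suffix firewall 〈ri+1, …, rn〉 decides every box of the effective rule set the way ri does, which is the same test as "no effective rule conflicts with any path of the suffix FDT". The rule encoding, the function names and the one-rule-at-a-time removal loop are this example's own choices; the two input firewalls are the ones on the slides.

```python
"""Redundancy detection for first-match firewalls via resolving sets.

A rule is (box, decision); a box is a tuple of (lo, hi) integer intervals,
one per field, so M(r) is a single hyperrectangle.  R(r_i, f) is kept as a
list of pairwise-disjoint boxes, which is exactly an effective rule set of
r_i once each box is paired with r_i's decision.
"""


def box_intersect(a, b):
    """Intersection of two boxes, or None if they share no packet."""
    out = []
    for (alo, ahi), (blo, bhi) in zip(a, b):
        lo, hi = max(alo, blo), min(ahi, bhi)
        if lo > hi:
            return None
        out.append((lo, hi))
    return tuple(out)


def box_subtract(a, b):
    """a minus b as a list of disjoint boxes (at most 2*d pieces)."""
    inter = box_intersect(a, b)
    if inter is None:
        return [a]
    pieces, cur = [], list(a)
    for i, ((lo, hi), (ilo, ihi)) in enumerate(zip(a, inter)):
        # Slice off the parts of dimension i outside the intersection;
        # dimensions < i are already clamped to it, dimensions > i still span a.
        if lo < ilo:
            pieces.append(tuple(cur[:i]) + ((lo, ilo - 1),) + tuple(cur[i + 1:]))
        if ihi < hi:
            pieces.append(tuple(cur[:i]) + ((ihi + 1, hi),) + tuple(cur[i + 1:]))
        cur[i] = (ilo, ihi)
    return pieces


def resolving_set(rules, i):
    """R(r_i, f): packets matching r_i that match no rule listed before it."""
    boxes = [rules[i][0]]
    for j in range(i):
        boxes = [p for b in boxes for p in box_subtract(b, rules[j][0])]
    return boxes


def effective_rule_set(rules, i):
    """E_i: R(r_i, f) split into boxes, each carrying r_i's decision."""
    return [(b, rules[i][1]) for b in resolving_set(rules, i)]


def suffix_decides(box, suffix, decision):
    """True iff first-match evaluation of `suffix` yields `decision` for every
    packet in `box`.  Packets no suffix rule covers count as a mismatch
    (conservative: an incomplete suffix never proves redundancy)."""
    for m, (mbox, mdec) in enumerate(suffix):
        if box_intersect(box, mbox) is None:
            continue
        if mdec != decision:          # a conflicting rule is reached first
            return False
        rest = box_subtract(box, mbox)  # packets r_m does not settle
        return all(suffix_decides(p, suffix[m + 1:], decision) for p in rest)
    return False


def classify(rules, i):
    """'upward', 'downward' or None for rule i of `rules` (redundancy theorem)."""
    r_set = resolving_set(rules, i)
    if not r_set:
        return "upward"
    if all(suffix_decides(b, rules[i + 1:], rules[i][1]) for b in r_set):
        return "downward"
    return None


def remove_redundant(rules):
    """Delete one redundant rule at a time until none is left.  Removing a
    rule changes the resolving sets of the rules below it (slides 4 and 5:
    r2 only becomes downward redundant once r3 is gone), so every pass
    re-evaluates the current firewall rather than the original one."""
    rules = list(rules)
    while True:
        hit = next((i for i in range(len(rules)) if classify(rules, i)), None)
        if hit is None:
            return rules
        del rules[hit]


# Constructed inputs: the one-field firewall of slides 4 and 7 and the
# two-field firewall of slides 10 and 11.
ONE_FIELD = [
    (((1, 50),), "accept"), (((40, 90),), "discard"),
    (((30, 60),), "accept"), (((51, 100),), "discard"),
]
TWO_FIELD = [
    (((20, 50), (35, 65)), "a"), (((10, 60), (15, 45)), "d"),
    (((30, 40), (25, 55)), "a"), (((1, 100), (1, 100)), "d"),
]

if __name__ == "__main__":
    for name, fw in (("one-field", ONE_FIELD), ("two-field", TWO_FIELD)):
        verdicts = [classify(fw, i) for i in range(len(fw))]
        print(name, verdicts, "->", remove_redundant(fw))
```

In both firewalls only r3 is redundant in f itself (its resolving set is empty); r2 is not downward redundant there because r3, listed below it, conflicts with part of R(r2, f). After r3 is removed, r2 becomes downward redundant, and the loop ends with 〈r1, r4〉. Box subtraction yields the same effective rule sets as the FDT construction, up to how the boxes are split; E2 comes out as the three boxes [10,19]×[15,45], [51,60]×[15,45] and [20,50]×[15,34], matching slide 11.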

Slide 16: Previous Work
 [Gupta 2000] identified two special types of redundant rules: backward redundant rules and forward redundant rules.
 Backward redundant rules: a rule r in a firewall is backward redundant iff there exists another rule r' listed above r such that all packets that match r also match r'.
 Backward redundant rules ⊆ upward redundant rules. The inclusion is strict: in the example below r3 is upward redundant, but neither r1 nor r2 alone covers [30, 60], so r3 is not backward redundant.
r1: F1 ∈ [1, 50] → accept
r2: F1 ∈ [40, 90] → discard
r3: F1 ∈ [30, 60] → accept
r4: F1 ∈ [51, 100] → discard

Slide 17: Previous Work (cont.)
 Forward redundant rules: a rule r in a firewall is forward redundant iff there exists another rule r' listed below r such that the following three conditions hold: (1) all packets that match r also match r', (2) r and r' have the same decision, (3) for each rule r'' listed between r and r', either r and r'' have the same decision or no packet matches both r and r''.
 Forward redundant rules ⊆ downward redundant rules. Again the inclusion is strict: in the example below r2 is downward redundant, but it is not forward redundant, because the packets in [40, 50] match r2 and not r4, so condition (1) fails.
r1: F1 ∈ [1, 50] → accept
r2: F1 ∈ [40, 90] → discard
r4: F1 ∈ [51, 100] → discard

Slide 18: Our Contribution
 Solve the problem of detecting all redundant rules:
 ─ We give a necessary and sufficient condition for identifying all redundant rules.
 ─ We present algorithms for detecting all redundant rules.