
Complete Redundancy Detection in Firewalls. Alex X. Liu, Department of Computer Sciences, The University of Texas at Austin.

Presentation transcript:

Slide 1: Complete Redundancy Detection in Firewalls
Alex X. Liu, Department of Computer Sciences, The University of Texas at Austin. Co-author: Mohamed G. Gouda.

Slide 2: Firewall Basics
- A firewall connects a private network and the outside Internet such that all incoming and outgoing packets have to pass through it.
- Function: the firewall maps every packet to a decision.
- This function is specified by a sequence of rules.

Slide 3: Firewall Example
- Firewall example (cells that read "any" were collapsed in the extraction; the table is rebuilt from the visible cells):

  Interface | Source IP       | Dest. IP    | Dest. Port | Protocol | Decision
  0         | malicious hosts | any         | any        | any      | discard
  0         | any             | mail server | 25         | TCP      | accept
  any       | any             | any         | any        | any      | accept

- Resolving conflicts: first match. When a packet matches several rules, the decision of the first matching rule is used.
- Firewalls often have redundant rules.

Slide 4: Redundant Rules (Upward)
- A rule in a firewall is redundant iff eliminating the rule does not change the function of the firewall.
- Example (a single field F):
  r1: F ∈ [1, 50] → accept
  r2: F ∈ [40, 90] → discard
  r3: F ∈ [30, 60] → accept
  r4: F ∈ [51, 100] → discard
- Rule r3 is redundant (upward redundant): every packet with F ∈ [30, 60] is already matched by r1 (F ∈ [30, 50]) or r2 (F ∈ [51, 60]), so r3 is never the first matching rule.
- A rule r in a firewall is upward redundant iff there is no packet whose first matching rule is r.
[Figure: number line with the intervals of r1 ([1,50], accept), r2 ([40,90], discard), r3 ([30,60], accept) and r4 ([51,100], discard)]

Slide 5: Redundant Rules (Downward)
- After r3 is removed, rule r2 becomes redundant (downward redundant): the packets whose first matching rule is r2 are those with F ∈ [51, 90], and the first rule below r2 that matches them, r4, also discards them.
  r1: F ∈ [1, 50] → accept
  r2: F ∈ [40, 90] → discard
  r4: F ∈ [51, 100] → discard
- A rule r in a firewall is downward redundant iff for each packet whose first matching rule is r, the first matching rule below r has the same decision as r.
[Figure: number line with the intervals of r1 ([1,50], accept), r2 ([40,90], discard) and r4 ([51,100], discard)]

Slide 6: Redundant Rules Hurt Firewall Performance
- Packet classification algorithms map a packet to a decision using data structures built from the firewall rules.
- Software-based packet classification algorithms need either O(n^d) space and O(log n) time, or O(n) space and O(log^(d-1) n) time (n: number of rules, d: number of fields).
- On-chip cache is limited, so the space term matters in practice.
- Hardware-based packet classification (TCAM: Ternary Content Addressable Memory) needs O(n) space and constant time.
- TCAM power consumption grows with n, so every redundant rule costs power as well as space.

Slide 7: Matching Set vs. Resolving Set
Let f be any firewall that consists of n rules 〈r1, r2, …, rn〉.
- The matching set M(ri) of rule ri is the set of all packets that match ri.
- The resolving set R(ri, f) of rule ri in f is the set of all packets that match ri but do not match any rule listed before ri in f.
- Example:
  r1: F ∈ [1, 50] → accept     M(r1) = R(r1, f) = [1, 50]
  r2: F ∈ [40, 90] → discard   M(r2) = [40, 90], R(r2, f) = [40, 90] − [1, 50] = [51, 90]
  r3: F ∈ [30, 60] → accept    M(r3) = [30, 60], R(r3, f) = [30, 60] − [40, 90] − [1, 50] = Ø
  r4: F ∈ [51, 100] → discard  M(r4) = [51, 100], R(r4, f) = [51, 100] − [30, 60] − [40, 90] − [1, 50] = [91, 100]
[Figure: number line with the intervals of r1..r4 and their decisions accept/discard/accept/discard]

Slide 8: Redundancy Theorem
- A rule ri is redundant in f iff:
  (1) R(ri, f) = Ø, or
  (2) R(ri, f) ≠ Ø, and for any packet p in R(ri, f), 〈ri+1, ri+2, …, rn〉(p) yields the same decision as that of ri.
- ri is upward redundant iff (1) holds.
- ri is downward redundant iff (2) holds.
- We therefore need to calculate R(ri, f): this is done with Firewall Decision Trees.

Slide 9: Firewall Decision Trees (FDTs)
[Figure: FDT over fields F1 and F2, reconstructed from the slide labels]
  F1
  ├─ [1, 19] ∪ [51, 100] → F2 ─ [1, 100] → d
  └─ [20, 50]            → F2 ─ [1, 34] → d
                              ├─ [35, 65] → a
                              └─ [66, 100] → d
- Consistency: for any two outgoing edges of a node, their labels are non-overlapping.
- Completeness: the union of the labels of all the outgoing edges of a node is the domain of the label (field) of that node.
- A decision path in an FDT defines a rule.
- Example: the path through the first F2 node defines F1 ∈ [1, 19] ∪ [51, 100] ∧ F2 ∈ [1, 100] → d.

Slide 10: Calculate Resolving Set
- Calculate R(ri, f) for each rule ri while constructing an equivalent FDT.
- Definition: a set of rules {e1, e2, …, ek} is called an effective rule set of ri if: (1) every ej has the same decision as ri, and (2) the union of the matching sets M(e1) ∪ … ∪ M(ek) equals R(ri, f) (the second condition is missing from the slide text and is restored from the examples that follow).
- Example:
  r1: F1 ∈ [20, 50] ∧ F2 ∈ [35, 65] → a
  r2: F1 ∈ [10, 60] ∧ F2 ∈ [15, 45] → d
  r3: F1 ∈ [30, 40] ∧ F2 ∈ [25, 55] → a
  r4: F1 ∈ [1, 100] ∧ F2 ∈ [1, 100] → d
  E1 = {F1 ∈ [20, 50] ∧ F2 ∈ [35, 65] → a}
[Figure: partial FDT after inserting r1: F1 ─ [20, 50] → F2 ─ [35, 65] → a]

Slide 11: Detecting Upward Redundant Rules
  r1: F1 ∈ [20, 50] ∧ F2 ∈ [35, 65] → a
  r2: F1 ∈ [10, 60] ∧ F2 ∈ [15, 45] → d
  r3: F1 ∈ [30, 40] ∧ F2 ∈ [25, 55] → a
  r4: F1 ∈ [1, 100] ∧ F2 ∈ [1, 100] → d
- E1 = {F1 ∈ [20, 50] ∧ F2 ∈ [35, 65] → a}
- E2 = {F1 ∈ [10, 19] ∪ [51, 60] ∧ F2 ∈ [15, 45] → d,
        F1 ∈ [20, 50] ∧ F2 ∈ [15, 34] → d}
- Similarly, we get E3 = Ø (every packet matching r3 is already matched by r1 or r2), so r3 is upward redundant.
- E4 = {F1 ∈ [1, 9] ∪ [61, 100] ∧ F2 ∈ [1, 100] → d,
        F1 ∈ [20, 29] ∪ [41, 50] ∧ F2 ∈ [1, 14] ∪ [66, 100] → d,
        F1 ∈ [30, 40] ∧ F2 ∈ [1, 14] ∪ [66, 100] → d,
        F1 ∈ [10, 19] ∪ [51, 60] ∧ F2 ∈ [1, 14] ∪ [46, 100] → d}
[Figure: partial FDT after inserting r1 and r2: F1 ─ [20, 50] → F2 with [15, 34] → d and [35, 65] → a; F1 ─ [10, 19] ∪ [51, 60] → F2 ─ [15, 45] → d]

Slide 12: Detecting Downward Redundant Rules
- Consider a rule r and a non-overlapping firewall 〈r1, r2, …, rn〉 (no two rules match a common packet). If r does not conflict with any rule ri (that is, no packet matches both r and ri with differing decisions), then 〈r, r1, r2, …, rn〉 ≡ 〈r1, r2, …, rn〉.
- Example:
  r:  F ∈ [20, 40] → accept
  r1: F ∈ [1, 50] → accept
  r2: F ∈ [51, 100] → discard
  r overlaps only r1, and both accept, so prepending r changes nothing.
[Figure: number line with the intervals of r ([20,40], accept), r1 ([1,50], accept) and r2 ([51,100], discard)]

Slide 13: Detecting Downward Redundant Rules (cont.)
- To test whether ri is downward redundant:
  (1) calculate its effective rule set {e1, e2, …, ek},
  (2) convert the firewall 〈ri+1, ri+2, …, rn〉 to a non-overlapping firewall,
  (3) ri is downward redundant iff ej and rm do not conflict for any 1 ≤ j ≤ k and i+1 ≤ m ≤ n.
- To convert the firewall 〈ri+1, ri+2, …, rn〉 to a non-overlapping firewall, we construct an equivalent FDT.

Slide 14: Detecting Downward Redundant Rules (cont.)
- Rule r2 is downward redundant.
  r1: F1 ∈ [20, 50] ∧ F2 ∈ [35, 65] → a
  r2: F1 ∈ [10, 60] ∧ F2 ∈ [15, 45] → d
  r3: F1 ∈ [1, 100] ∧ F2 ∈ [1, 100] → d
- E2 = {F1 ∈ [10, 19] ∪ [51, 60] ∧ F2 ∈ [15, 45] → d,
        F1 ∈ [20, 50] ∧ F2 ∈ [15, 34] → d}
- The firewall below r2, 〈r3〉, is already non-overlapping; both rules of E2 overlap r3 but share its decision d, so there is no conflict.
[Figure: FDT of 〈r3〉: F1 ─ [1, 100] → F2 ─ [1, 100] → d]

Slide 15: Summary
- Detect upward redundant rules:
  (1) calculate the effective rule set for every rule while constructing the FDT top down,
  (2) a rule whose effective rule set is empty is upward redundant.
- Detect downward redundant rules:
  (1) construct the FDT bottom up,
  (2) check whether a rule is downward redundant by comparing the rule's effective rule set against the FDT.
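The procedure of slides 7 to 15 (resolving sets, effective rule sets, the upward test of slide 11 and the downward test of slides 12 to 14), as an added worked example that is not code from the slides or from the authors. Instead of building a firewall decision tree, it represents each rule as a box of inclusive intervals and computes R(ri, f) as a list of disjoint boxes by box subtraction; the downward test walks the rules below ri in first-match order and subtracts each one from the not-yet-decided part of R(ri, f), which is equivalent to checking the effective rules against the non-overlapping form of that suffix. The rule sets SLIDE4 and SLIDE11 are constructed from the slides' examples, with each field's domain assumed to be [1, 100].

```python
"""Complete redundancy detection for interval-based firewall rules.

A rule is (box, decision); a box is a tuple of inclusive (lo, hi) intervals,
one per field.  Resolving sets R(r_i, f) are kept as lists of disjoint boxes
(an effective rule set), computed by box subtraction rather than by building
a firewall decision tree.  The sample rule sets are constructed from the
slides' examples; the field domain [1, 100] is an assumption.
"""
from itertools import product


def box_intersect(a, b):
    """Intersection of two boxes, or None if they share no packet."""
    out = []
    for (alo, ahi), (blo, bhi) in zip(a, b):
        lo, hi = max(alo, blo), min(ahi, bhi)
        if lo > hi:
            return None
        out.append((lo, hi))
    return tuple(out)


def box_subtract(a, b):
    """Disjoint boxes whose union is the set of packets in a but not in b."""
    inter = box_intersect(a, b)
    if inter is None:
        return [a]
    pieces, cur = [], list(a)
    for i, ((alo, ahi), (ilo, ihi)) in enumerate(zip(a, inter)):
        # Slice off the part of field i below and above the intersection.
        # Fields already handled are restricted to the intersection, so the
        # slices produced for different fields are pairwise disjoint.
        if alo < ilo:
            pieces.append(tuple(cur[:i] + [(alo, ilo - 1)] + cur[i + 1:]))
        if ihi < ahi:
            pieces.append(tuple(cur[:i] + [(ihi + 1, ahi)] + cur[i + 1:]))
        cur[i] = (ilo, ihi)
    return pieces


def subtract_all(boxes, b):
    return [p for box in boxes for p in box_subtract(box, b)]


def effective_rule_set(rules, i):
    """Boxes covering R(r_i, f): packets matching r_i but no rule above it."""
    boxes = [rules[i][0]]
    for box, _ in rules[:i]:
        boxes = subtract_all(boxes, box)
    return boxes


def is_upward_redundant(rules, i):
    return not effective_rule_set(rules, i)


def is_downward_redundant(rules, i):
    """True iff R(r_i, f) is non-empty and every packet in it receives r_i's
    decision from the first rule below r_i that matches it."""
    decision = rules[i][1]
    pending = effective_rule_set(rules, i)   # packets not yet decided below r_i
    if not pending:
        return False
    for box, dec in rules[i + 1:]:
        if dec != decision and any(box_intersect(p, box) for p in pending):
            return False                     # a conflicting rule fires first
        pending = subtract_all(pending, box)
        if not pending:
            return True
    return False   # some packets reach the end undecided: removing r_i changes f


def remove_redundant_rules(rules):
    """Drop upward redundant rules top down, then downward redundant rules
    bottom up (the two passes of the slides' summary).  Each removal leaves
    the firewall's packet-to-decision function unchanged."""
    kept = [r for i, r in enumerate(rules) if not is_upward_redundant(rules, i)]
    for i in range(len(kept) - 1, -1, -1):
        if is_downward_redundant(kept, i):
            del kept[i]
    return kept


def first_match(rules, packet):
    for box, dec in rules:
        if all(lo <= v <= hi for v, (lo, hi) in zip(packet, box)):
            return dec
    return None


def same_function(rules_a, rules_b, domain):
    """Brute-force equivalence check over a small domain ((lo, hi) per field)."""
    return all(first_match(rules_a, p) == first_match(rules_b, p)
               for p in product(*(range(lo, hi + 1) for lo, hi in domain)))


# Constructed from slide 4: one field F.
SLIDE4 = [(((1, 50),), "accept"), (((40, 90),), "discard"),
          (((30, 60),), "accept"), (((51, 100),), "discard")]
# Constructed from slides 10 and 11: two fields F1, F2.
SLIDE11 = [(((20, 50), (35, 65)), "a"), (((10, 60), (15, 45)), "d"),
           (((30, 40), (25, 55)), "a"), (((1, 100), (1, 100)), "d")]

if __name__ == "__main__":
    for name, rules in (("slide 4", SLIDE4), ("slide 11", SLIDE11)):
        for i in range(len(rules)):
            print(name, "R(r%d) =" % (i + 1), effective_rule_set(rules, i))
        print(name, "after removal:", remove_redundant_rules(rules))
```

On SLIDE4 the upward pass removes r3 and the downward pass then removes r2, leaving 〈r1, r4〉; on SLIDE11 the boxes of R(r2) are exactly the two rules of E2 (with the union [10, 19] ∪ [51, 60] split into two boxes), R(r3) is empty, and the result is 〈r1, r4〉, the firewall the FDT of slide 9 encodes. The brute-force check same_function is only there to confirm on the small assumed domain that each removal preserved the function; it is not part of the detection algorithm.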

Slide 16: Previous Work
- [Gupta 2000] identified two special types of redundant rules: backward redundant rules and forward redundant rules.
- Backward redundant rules: a rule r in a firewall is backward redundant iff there exists another rule r' listed above r such that all packets that match r also match r'.
- Backward redundant rules ⊆ upward redundant rules, and the inclusion is strict. In the example below, r3 is upward redundant (it is covered by r1 and r2 together) but not backward redundant (no single rule above it covers [30, 60]):
  r1: F1 ∈ [1, 50] → accept
  r2: F1 ∈ [40, 90] → discard
  r3: F1 ∈ [30, 60] → accept
  r4: F1 ∈ [51, 100] → discard
[Figure: number line with the intervals of r1..r4 and their decisions accept/discard/accept/discard]

Slide 17: Previous Work (cont.)
- Forward redundant rules: a rule r in a firewall is forward redundant iff there exists another rule r' listed below r such that the following three conditions hold: (1) all packets that match r also match r', (2) r and r' have the same decision, (3) for each rule r'' listed between r and r', either r and r'' have the same decision or no packet matches both r and r''.
- Forward redundant rules ⊆ downward redundant rules, and the inclusion is strict. In the example below, r2 is downward redundant (its resolving set [51, 90] is discarded by r4) but not forward redundant, because [40, 90] is not contained in [51, 100]:
  r1: F1 ∈ [1, 50] → accept
  r2: F1 ∈ [40, 90] → discard
  r4: F1 ∈ [51, 100] → discard
[Figure: number line with the intervals of r1 ([1,50], accept), r2 ([40,90], discard) and r4 ([51,100], discard)]

Slide 18: Our Contribution
- Solve the problem of detecting all redundant rules:
  - We give a necessary and sufficient condition for identifying all redundant rules.
  - We present algorithms for detecting all redundant rules.

