![Page 1: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/1.jpg)
Firewall Design: Consistency, Completeness, and CompactnessAuthors: Mohamed G. Gouda and Xing-
Yang Alex Liu
Presenters: Jonathan Fomby andMatthew Ginley
![Page 2: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/2.jpg)
Firewall Basics Placed at the entrance (borders) of private
networks Examine all traffic passing through (source
IP, dest IP, etc.) Accept, Discard, Log, Reply, Re-route, etc.
as appropriate Implemented as additional software or stand-
alone hardware (appliance) Functionally the same as packet filter or
packet classifier, yet firewall implies security
![Page 3: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/3.jpg)
Firewall as a Set of Rules
Firewall functionality can be represented as an ordered list of rules
Rule format Traditionally displayed as a table, but this paper
uses individual Boolean formulas <predicate> <decision> authors only consider accept and discard
decisions predicate is Boolean expression over packet fields
![Page 4: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/4.jpg)
Firewalls – As a Table (text p. 627)
![Page 5: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/5.jpg)
Firewall – As a List of Rules
( I=0 ^ S=any ^ D=s ^ P=tcp ^ T=25 a,
I=0 ^ S=any ^ D=s ^ P=any ^ T=any d,
I=0 ^ S=m ^ D=any ^ P=any ^ T=any d,
I=1 ^ S=h ^ D=any ^ P=any ^ T=any a,
I=1 ^ S=any ^ D=any ^ P=any ^ T=any a )
An ordered listing of Boolean expressions
![Page 6: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/6.jpg)
Firewall Operation
Rules are compared individually against a packet
Rules compared according to a specified order (i.e. importance)
The first rule to match is chosen and followed Usually a final catch-all rule (probably
discard)
![Page 7: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/7.jpg)
Firewalls – Stateful Packet Filters
(text p.629) traditional packet filters do not examine higher layer context i.e. matching return packets with outgoing flow
stateful packet filters address this need they examine each IP packet in context
keep track of client-server sessions check each packet validly belongs to one
hence are better able to detect bogus packets out of context
![Page 8: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/8.jpg)
Note of Limitation
The authors do not discuss state considerations
By adding state fields to packet fields, this should be feasible
When filtering packets, check these fields in addition to packet fields
![Page 9: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/9.jpg)
3 C’s
Consistency: correct ordering of rules Completeness: every packet satisfies at least
one rule Compactness: no redundant rules
![Page 10: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/10.jpg)
SIMPLE** Firewall Example
Accept incoming SMTP packets on Int0 destined for Mail Server
Accept all outgoing packets
![Page 11: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/11.jpg)
Packet Fields
I – incoming interface on the firewall S – original source D – final destination P – transport protocol used T – destination port Many others not used by authors: source
port, packet flags (IP, TCP, others), application layer message, etc.
![Page 12: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/12.jpg)
Continuing the Example
Accept incoming SMTP packets on Int0 destined for Mail Server (I = 0) ^ (S = any) ^ (D = MailServer) ^ (P = TCP)
^ (T = 25) Accept Discard incoming non-SMTP packets on Int0
destined for Mail Server (I = 0) ^ (S = any) ^ (D = MailServer) ^ (P = any) ^
(T = any) Discard
![Page 13: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/13.jpg)
Cont. Discard incoming packets whose source is a
Malicious Host (I = 0) ^ (S = MH) ^ (D = any) ^ (P = any) ^ (T = any)
Discard Accept outgoing HTTP packets from any non-
server host h (I = 1) ^ (S = h) ^ (D = any) ^ (P = TCP) ^ (T = 80)
Accept Accept all outgoing packets
(I = 1) ^ (S = any) ^ (D = any) ^ (P = any) ^ (T = any) Accept
![Page 14: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/14.jpg)
Problems with Example Rules Consistency Error
Rules 1 and 3 can be matched to the same packet, yet have conflicting decisions
Rule 1 will always be applied, thus ignoring the discarding of malicious packets intended by Rule 3
Solution: Place Rule 3 first
![Page 15: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/15.jpg)
Problems Cont.
Completeness Error Packets with (I=0 ^ S≠MH ^ D≠MailServer) do not
satisfy any rules Solution: add the following rule (at the end of list):
(I = 0) ^ (S = any) ^ (D = any) ^ (P = any) ^ (T = any) Accept
![Page 16: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/16.jpg)
Problems Cont.
Compactness Error Rule 4 is redundant All packets matching rule 4 will match rule 5 as
well, with both rules accepting Solution: remove Rule 4
![Page 17: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/17.jpg)
Our Focus
“… a method for designing the sequence of rules of a firewall to be consistent, complete, and compact.”
Start with a firewall decision diagram (defined later) that is processed by a series of algorithms
Resulting FDD is functionally equivalent, yet consistent, complete, and compact
![Page 18: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/18.jpg)
Overall Process - 5 Algorithms
![Page 19: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/19.jpg)
Algorithm Summary
Starting with a user specified FDD f #1 – FDD Reduction
Output: a reduced FDD equivalent to f #2 – FDD Marking
Output: an equivalent, marked version f’ of f
![Page 20: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/20.jpg)
Algorithm Summary
#3 – Firewall Generation A firewall r over the same fields as f’, that is
functionally equivalent to f’ and each rule in r is provided a rank
#4 – Firewall Compaction Output: a compact firewall, equivalent to r
#5 – Firewall Simplification Output: a simple firewall, equivalent to r
![Page 21: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/21.jpg)
Related Work [3] : Existing Design Errors Efficient Data Structures for Rule Checking
[12] : Trie Data Structures [6] : Area Based Quadtrees [8] : Fat Inverted Segment Trees [9] : Survey of such data structures
Specification Languages [3] : Simple Model Definition Language [10] : Lisp-like specification language [4] : Declarative Predicate Language [1] : High level firewall language
![Page 22: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/22.jpg)
More Related Work – Detecting Conflicting Rules [11] : Detecting and Resolving Packet Filter
Conflicts Ambiguity in packet classification deserves more
attention Demonstrates resolving conflicts by prioritization
is ineffective Resolve conflicts by adding filters
![Page 23: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/23.jpg)
More Related Work – Detecting Conflicting Rules [7] : Internet packet filter management and
rectangle geometry Claim that previous best for detecting conflicts
was O(n2 log n) time Their presented approach is O(n3/2) Based on rectangle coverage of a kD-tree and
stripe conflict detection (lots of difficult theory)
![Page 24: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/24.jpg)
More Related Work – Detecting Conflicting Rules [2] : Fast and scalable conflict detection for
packet classifiers Claim the best known algorithm for conflict
detection is naïve comparison, O(n2) Their approach is based on the aggregation of bit
vector data Do not provide theoretical complexity, but state “a
factor of 40 improvement for a 20,000 rule database”
![Page 25: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/25.jpg)
More Related Work – Decision Diagrams [5] : Binary Decision Diagrams [13] : Interval Decision Diagrams Similar to Firewall Decision Diagrams, but the
diagram format is not the focus (nor particularly novel)
![Page 26: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/26.jpg)
Firewall Decision Diagrams
Circles are non-terminal nodes Boxes are terminal nodes (always ‘a’ = Accept or ‘d’ =
Discard for our purposes Arrows are edges Decision Path: directed path from the root to a terminal node
![Page 27: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/27.jpg)
Fields
field Fi: variable whose value is taken from the domain of Fi
Domain of Fi, D(Fi): a predefined interval of nonnegative integers
Packet over fields F0,…, Fn-1: an n-tuple (p0,…, pn-1) where each pi is taken from the corresponding domain and field
![Page 28: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/28.jpg)
Firewall Decision Diagram
An FDD f over the fields F0,…, Fn-1 IS Acyclic and directed graph Satisfies the following 5 properties
f has a root and 2 or more terminal nodes (leaves) each non-terminal node v is labeled with one of
the above fields, F(v); a terminal node v is labeled with ‘a’ or ‘d’
No two nodes on a decision path have the same label
![Page 29: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/29.jpg)
Firewall Decision Diagram
Each edge e leaving node v is labeled with an integer set I(e) (a subset of D(F(v)))
For any non-terminal node v, the set E(v) of all edges leaving v must satisfy: Consistency: any distinct ei and ek in E(v),
I(ei) ∩ I(ek) = empty set
Completeness: Ue є E(v) I(e) = D(F(v))
![Page 30: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/30.jpg)
Firewall Decision Diagrams
This FDD is over fields F0, F1
Domain of all fields is [0, 9] one possible decision path:
F0 є [4,5] ^ F1 є [2,3] U [5,7] a In a decision path, there is 0 or 1 Boolean primitive
for each field of the FDD (0 implies any value for that field).
![Page 31: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/31.jpg)
Firewall Decision Diagrams
FDDs are represented as a sequence of rules, each of the form F0 є S0 ^ … ^ Fn-1 є Sn-1 <decision>
1 to 1 correspondence of decision paths in the FDD to rules
Order does not matter (later changes) Firewall: sequence of rules that represents an
FDD
![Page 32: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/32.jpg)
Acceptance and Discarding
For a packet (p0,…, pn-1) over fields F0,…,Fn-1 received by an FDD f over the same fields Accepted: iff f has an accepting rule such that
p0 є S0 ^ … ^ pn-1 є Sn-1 holds Discarded: iff f has a discarding rule such that ↑
For the set of all packets, Σ f.accept: the subset of Σ that contains all packets
accepted by f f.discard: the subset of Σ that contains all packets
discarded by f
![Page 33: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/33.jpg)
Acceptance and Discarding
FDD Equivalence: FDDs f and g over the same fields are equivalent iff f.accept = g.accept
and f.discard = g.discard
Thm. 1: for any FDD f over fields F0,…,Fn-1
f.accept ∩ f.discard = empty set f.accept U f.discard = Σ
![Page 34: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/34.jpg)
FDD Reductions
Advantageous to reduce # of decision paths without changing accept and discard sets
Auxiliary Def.--Isomorphic Nodes. Two nodes, v0 and v1, are isomorphic iff (1) or (2) is satisfied. (1) v0 and v1 Are terminal nodes with the same
label (2) v0 and v1 are non-terminal nodes with an 1-to-1
correspondence between the outgoing edges of v0 and outgoing edges of v1
![Page 35: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/35.jpg)
Isomorphic Node Example
The above red-highlighted nodes are isomorphic Same label: F1 2 edges: one edge with label [2,3] U [5,7] incoming
on ‘a’, and one edge with label [0,1] U [4,4] U [8,9] incoming on ‘d’
![Page 36: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/36.jpg)
FDD Reductions
An FDD f is called reduced iff it satisfies the following three conditions: 1. f has no node with exactly one outgoing edge. 2. f has no two edges that are outgoing of one
node and are incoming of another node. 3. f has no two distinct isomorphic nodes.
![Page 37: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/37.jpg)
Algorithm 1: FDD Reduction
Input: an FDD f Output: a reduced FDD that is equivalent to f Repeat steps 1-3 until none can be applied
further 1. If f has a node v0 with only one outgoing edge
e and if e is incoming of another node v1, then remove v0 and e from f and make the incoming edges of v0 incoming of v1.
![Page 38: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/38.jpg)
Algorithm 1
2. If f has two edges e0 and e1 that are outgoing of node v0 and incoming of node v1, then remove e0 and make the label of e1 be the integer set I(e0) U I(e1),where I(e0) and I(e1) are the integer sets that labeled edges e0 and e1 respectively.
3. If f has two isomorphic nodes v0 and v1, then remove node v1 and its outgoing edges, and make the incoming edges of v1 incoming of v0.
![Page 39: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/39.jpg)
Before (below)After (right)3 rule/decision pathreduction
![Page 40: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/40.jpg)
Marking of FDDs
A “Marked” FDD is similar to the reduced FDD, with an “ALL” label being added to a single edge from each node
The number of simple rules eventually generated in the firewall depends upon the “degree” of a marked FDD
Nodes and Edges are given degrees in order to find which edges should be marked ALL
![Page 41: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/41.jpg)
Marking of FDDs (cont.)
Many marked versions of reduced FDDs are possible
Number of simple rules generated by a firewall is determined by the degree of the marked FDD Note that this refers to the final “simple” rules, not the number of rules
that will be generated in the intermediate steps
Degree is determined by which edges are marked ALL
Smaller degree -> Fewer final rules -> Simpler firewall -> Good Thing™
![Page 42: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/42.jpg)
Marking of FDDs (cont.)
Degree of a set of integers, denoted deg(S), is the smallest number of non-overlapping integer intervals that covers set S.
Ex: For the set {0,1,3,4,5,7,9}, the degree is 4, composed of the intervals [0,1], [3,5], [7,7], and [9,9]
![Page 43: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/43.jpg)
Marking of FDDs (cont.)
Degree of an edge e is denoted deg(e) If e is marked ALL, then deg(e) = 1 Else, deg(e) = deg(S)
Degree 1
Degree 2
Degree 2
Degree 3
![Page 44: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/44.jpg)
Marking of FDDs (cont.)
Degree of a node v, denoted deg(v), is calculated using a simple formula
If v is a terminal node, then deg(v) = 1 Else, for a non-terminal node v with k
outgoing edges, e0, …, ek-1 that are incoming of nodes v0, …, vk-1 respectively, then
deg(v) = ∑ deg(ei) × deg(vi)
![Page 45: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/45.jpg)
Marking of FDDs (cont.)
To put it in simpler terms: The get the degree of a node, take each outgoing edge and multiply its degree by the degree of the node into which the edge leads. Add these together, and you have the degree of the node.
![Page 46: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/46.jpg)
Marking of FDDs (cont.)
Since the edges marked ALL have such a large impact on the complexity of the firewall, it is critical to pick the ALL-edges carefully and minimize the degree of the FDD
One edge from the collection of edges leaving each node is marked ALL, so pick the edge that would minimize the degree of said node to label ALL
![Page 47: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/47.jpg)
Marking of FDDs – Algorithm 2 Step 1: Compute the degree of each terminal node
v in f as deg(v) = 1 Step 2: For every node v whose degree has not yet
been calculated 1 – Find the outgoing edge e of current node whose
quanity (deg(ej)-1) x deg(vj) is larger than or equal to the corresponding quantity in every other outgoing edge of v
2 – Mark edge ej with ALL Compute the degree of v with the summation formula
![Page 48: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/48.jpg)
Marking of FDDs (cont.)
Two Marked FDDs from the same Reduced FDD
Terminal Nodes: Degree = 1
2
2
12
1
1
12+1 = 3
3 + 2 = 5
2+1=31
3 + 1 = 4
![Page 49: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/49.jpg)
Firewall Generation
Generated Firewall is a sequence of rules such that each rule corresponds to a decision path in the marked FDD
This step produces the rules of the firewall, as well as a ranking for each rule, and two predicates, the exhibited and the original predicate
Rank is used for ordering the rules, predicates for making the firewall “Compact” in the next step
![Page 50: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/50.jpg)
Firewall Generation (cont.)
For our purposes, a Firewall r over the fields F0,…,Fn-1 is a sequence of rules r0,…,rm-1 where each rule is of the form
F0 Є S0 Λ … Λ Fn-1 Є Sn-1 → <decision>
where each Si is either the mark ALL or a nonempty set of integers from the domain of field Fi, and the <decision> is either a (accept) or d (discard).
Ex. F0 Є [4,7] Λ F1 Є [2,3] U [5,7] → a
![Page 51: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/51.jpg)
Firewall Generation (cont.)
For the final rule in a firewall, rm-1, each Si is either the mark ALL or the entire domain of field Fi
This acts as a catchall, ensuring that there is no condition in which the firewall will not know what to do
![Page 52: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/52.jpg)
Firewall Generation (cont.)
A packet (p0,…,pn-1) over the fields F0,…,Fn-1 matches a rule ri iff ri is of the aforementioned form and the predicate (p0 Є S0 Λ … Λ pn-1 Є Sn-1) holds
Packet is accepted by the firewall if the firewall has a rule ri such that: the packet matches ri
the packet does not match any rule preceding ri
the <decision> of ri is a (accept)
![Page 53: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/53.jpg)
Firewall Generation (cont.)
The set of all packets accepted by firewall r is denoted r.accept, the set of those discarded is denoted r.discard.
For any firewall r over the fields F0,…,Fn-1, r.accept ∩ r.discard = Ø r.accept U r.discard = ∑
where Ø is the empty set and ∑ is the set of all packets over the fields F0,…,Fn-1
![Page 54: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/54.jpg)
Firewall Generation (cont.)
From a marked FDD f over the fields
F0,…,Fn-1, we generate a corresponding firewall r such thatr.accept = f.accept, andr.discard = f.discard
We also generate a binary number called the rank, denoted b0…bn-1, where each node contributes one bit to the whole number, and the two predicates which are later used to make the firewall compact, the exhibited predicate (epi) and the original predicate (opi)
![Page 55: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/55.jpg)
Firewall Generation (cont.) – Algorithm 3 Each decision path in the FDD f is converted into a
rule in firewall r To make each rule, go down the decision path one
node at a time, with three separate cases to consider at each node Fi: Case 1: The decision path has no nodes labeled Fi
Case 2: The decision path has a node labeled Fi, and its outgoing edge e has no mark
Case 3: The decision path has a node labeled Fi, and its outgoing edge has an ALL mark
![Page 56: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/56.jpg)
Firewall Generation (cont.) – Algorithm 3 Case 1: The decision path has no nodes labeled Fi
bi = 0Si = the domain [ai, bi] of Fi
Ti = the domain [ai, bi] of Fi In this case, there is no node Fi in the path, but each rule must address each field in
the range 0,…,n-1
Case 2: The decision path has a node labeled Fi, and its outgoing edge e has no markbi = 0Si = the integer set that labels eTi = the integer set that labels e
Case 3: The decision path has a node labeled Fi, and its outgoing edge has an ALL markbi = 1Si = ALLTi = the integer set that labels e
![Page 57: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/57.jpg)
Firewall Generation (cont.) – Algorithm 3 Sample marked FDD has three different
decision paths, resulting in three different rules
![Page 58: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/58.jpg)
Firewall Generation (cont.) – Algorithm 3 Taking Leftmost path:
Node F0: Falls under case 2, so
rank = 0, Si = [4,7], Ti = [4,7]
Node F1: Falls under case 2, so
rank = 0, Si = [2,3]U[5,7], Ti = [2,3]U[5,7]Overall rank: 00
Rule: F0 Є [4,7] Λ F1 Є [2,3]U[5,7]→a
epi: F0 Є [4,7] Λ F1 Є [2,3]U[5,7]
opi: F0 Є [4,7] Λ F1 Є [2,3]U[5,7]
![Page 59: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/59.jpg)
Firewall Generation (cont.) – Algorithm 3 Taking Middle path:
Node F0: Falls under case 2, so
rank = 0, Si = [4,7], Ti = [4,7]
Node F1: Falls under case 3, so
rank = 1, Si =ALL, Ti = [0,1]U[4,4]U[8,9]Overall rank: 01
Rule: F0 Є [4,7] Λ F1 Є ALL→d
epi: F0 Є [4,7] Λ F1 Є ALL
opi: F0 Є [4,7] Λ F1 Є [0,1]U[4,4]U[8,9]
![Page 60: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/60.jpg)
Firewall Generation (cont.) – Algorithm 3 Taking Rightmost path:
Node F0: Falls under case 3, so
rank = 1, Si = ALL, Ti = [0,3]U[8,9]
Node F1: Falls under case 1, so
rank = 0, Si =[0,9], Ti =[0,9]Overall rank: 10
Rule: F0 Є ALL Λ F1 Є [0,9]→d
epi: F0 Є ALL Λ F1 Є [0,9]
opi: F0 Є [0,3]U[8,9] Λ F1 Є [0,9]
![Page 61: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/61.jpg)
Firewall Generation (cont.) – Algorithm 3 Rules are put in ascending order in regards
to their rank Generated Firewall:
r = ( F0 Є [4,7] Λ F1 Є [2,3]U[5,7]→a
F0 Є [4,7] Λ F1 Є ALL→d
F0 Є ALL Λ F1 Є [0,9]→d
)
![Page 62: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/62.jpg)
Firewall Generation (cont.)
The rank works based on the priority system. The more specific the rule is, the higher it needs to be. If there is an ALL in the rule, it is assumed that any case in which the input mattered in that field will be taken care of by a previous rule in the ordering.
![Page 63: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/63.jpg)
Firewall Compactness
The firewall which has been generated at this point may include redundant rules, which can be safely removed from the firewall without changing the accept or discard sets, resulting in a simpler, still complete firewall
A Compact firewall is one in which there are no redundant rules
![Page 64: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/64.jpg)
Firewall Compactness (cont.)
Let (r0,…,rm-1) be a firewall over the fields F0,…,Fn-1 as generated by our algorithm. A rule ri, i < m-1 is considered redundant iff for each j, i < j < m-1, and least one of the following two conditions hold <decision> of rj = <decision> of ri
No packet over the fields F0,…,Fn-1 satisfies the predicate ri.op Λ (¬ri+1.ep Λ … Λ ¬rj-1.ep) Λ rj.ep
![Page 65: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/65.jpg)
Firewall Compactness (cont.)
Explanation: If from rule ri until the end one of these conditions holds for each intermediate rule, that original rule ri is redundant First condition: If rule rj from i to m-1 has the same
decision as ri, then this condition holds. For example, if the last three rules are all d (discard), then the two leading up to the last are redundant, as the last one will take care of those decisions
Second condition: For the rules ri and rj, rj being any rule between ri and the end of the rule listing, the condition holds only if there is a rule between ri and rj which which would satisfy the same packet. If the packet would be satisfied by ri and rj, and no rules in between, then the rule ri is not redundant.
![Page 66: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/66.jpg)
Firewall Compactness (cont.) – Algorithm 4 The algorithm given operates by having an array of
booleans, each slot holding either true or false for redundant or not. The array then starts from the bottom up, with the last rule being ri, and checks every rule after ri one at a time to see if it meets one of the two conditions. If every rule meets one of the conditions, then ri is listed as true. If not, then false. After every rule is checked, those listed as true in the boolean array are removed as they are redundant. The result is a compact array.
![Page 67: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/67.jpg)
Firewall Compactness (cont.)
Firewall before Compacting r = ( F0 Є [4,7] Λ F1 Є [2,3]U[5,7]→a
F0 Є [4,7] Λ F1 Є ALL→d
F0 Є ALL Λ F1 Є [0,9]→d
)
Rule two is found to be redundant, and can safely be removed from the firewall without changing the accept and discard sets
![Page 68: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/68.jpg)
Firewall Compactness (cont.)
Firewall after Compacting r = ( F0 Є [4,7] Λ F1 Є [2,3]U[5,7]→a
F0 Є ALL Λ F1 Є [0,9]→d
)
Since rules two and three both were discards, rule two can be removed since rule three will catch any packets that would have been caught by rule two, and still discard them
![Page 69: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/69.jpg)
Firewall Simplification
A rule of the form
F0 Є S0 Λ … Λ Fn-1 Є Sn-1 → <decision>
is called simple iff every Si in the rule is either the ALL marker or a single interval of non-negative integers.
A Firewall is called simple if all of its rules are simple. Even though a simple firewall will have more rules than a non-simple one, the simplicity is preferred to the fewer rules
![Page 70: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/70.jpg)
Firewall Simplification (cont.) – Algorithm 5 To simplify the firewall, break up any complicated
rules by forming two new, simpler rules…simply iterate through the list one rule at a time.
Example: Rule 1 F0 Є [4,7] Λ F1 Є [2,3]U[5,7]→a
F1 Є [2,3]U[5,7] is complex
Can be broken down into two different statements, F1 Є [2,3] and F1 Є [5,7]
New rules: F0 Є [4,7] Λ F1 Є [2,3]→a
F0 Є [4,7] Λ F1 Є [5,7]→a
![Page 71: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/71.jpg)
Firewall Simplification (cont.) Final Simplified Firewall:
r = ( F0 Є [4,7] Λ F1 Є [2,3]→a F0 Є [4,7] Λ F1 Є [5,7]→a
F0 Є ALL Λ F1 Є [0,9]→d
)
Had a firewall been generated directly from the initial FDD, then it would have had 14 simple rules. By reducing the FDD and compacting the rules, we have ended up with a much simpler firewall which has the same accept and discard sets
![Page 72: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/72.jpg)
Summary
This paper details a method of constructing firewalls from supplied FDDs, whose consistency and completeness were hopefully already established. The method takes the FDD through six different stages, from the user specified FDD to the final simple firewall
![Page 73: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/73.jpg)
Summary (cont.)
From the user specified FDD, we apply the reduction algorithm. This simplifies the number of decision paths, resulting in fewer final simple rules in the generated firewall
![Page 74: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/74.jpg)
Summary (cont.)
From the reduced FDD, we apply the Marking algorithm, systematically finding which marked edges would result in the simplest final firewall.
![Page 75: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/75.jpg)
Summary (cont.)
Once marked, the firewall is generated. Each decision path is converted in to a rule, and a ranking system which is included with the rule generation algorithm helps us order the rules properly. Two other predicates are also created to be used to remove redundancy.
![Page 76: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/76.jpg)
Summary (cont.)
Even though the FDD was reduced at an early stage, it is still possibly and even likely that there is still redundancy in the firewall. A carefully applied algorithm removes rules that are found to be redundant, further simplifying the firewall
![Page 77: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/77.jpg)
Summary (cont.)
Once the firewall is known to be compact, a simplification algorithm is applied, which converts all of the complex rules into more, simpler rules. At this point we have our completed firewall
![Page 78: Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang Alex Liu Presenters: Jonathan Fomby and Matthew Ginley](https://reader035.vdocument.in/reader035/viewer/2022070400/56649f125503460f94c26680/html5/thumbnails/78.jpg)
Conclusion
Despite a plethora of typos which made the paper sometimes confusing, the author’s have shown a systematic, testable way of ensuring a consistent, complete, and simple firewall. They developed a series of algorithms which could be applied to any FDD in order to guarantee a simple, effective firewall, effectively automating what was likely a time-consuming, difficult to prove process