Firewall Design: Consistency, Completeness, Compactness

Firewall Design:

Consistency, Completeness, Compactness

Alex X. Liu

[email protected]

Department of Computer Sciences The University of Texas at Austin Austin, Texas 78712-1188, U.S.A.

Firewall Basics

CISCOSYSTEMS

Rest of

Internet _NetworkPrivate

Firewall

Firewall is a sequence of rules that allow packets that go through it to be accepted (and so proceed) or discarded.

Firewall Example

CISCOSYSTEMS

0 1 Internet

Mail Server

(IP: s) (IP: h)Host Malicious Host

(IP: m)

r0 : I = 0 ∧ S = any ∧ D = s ∧ P = tcp ∧ T = 25 → a

r1 : I = 0 ∧ S = any ∧ D = s ∧ P = any ∧ T = any → d

r2 : I = 0 ∧ S = m ∧ D = any ∧ P = any ∧ T = any → d

Three Firewall Design Problems

Inconsistency Incompleteness Incompactness

Inconsistency Problem

r0 : I = 0 ∧ S = any ∧ D = s ∧ P = tcp ∧ T = 25 → a

r1 : I = 0 ∧ S = any ∧ D = s ∧ P = any ∧ T = any → d

r2 : I = 0 ∧ S = m ∧ D = any ∧ P = any ∧ T = any → d

r3 : I = 1 ∧ S = h ∧ D = any ∧ P = any ∧ T = any → a

r4 : I = 1 ∧ S = any ∧ D = any ∧ P = any ∧ T = any → a

This firewall accepts all incoming SMTP packets even those originated at the malicious host m

Solution: placing rule r2 at the beginning of the

Incompleteness Problem

r0 : I = 0 ∧ S = m ∧ D = any ∧ P = any ∧ T = any → d

r1 : I = 0 ∧ S = any ∧ D = s ∧ P = tcp ∧ T = 25 → a

r2 : I = 0 ∧ S = any ∧ D = s ∧ P = any ∧ T = any → d

r3 : I = 1 ∧ S = h ∧ D = any ∧ P = any ∧ T = any → a

r4 : I = 1 ∧ S = any ∧ D = any ∧ P = any ∧ T = any → a

Any packet where I = 0, S 6= m, and D 6= s does not satisfy the predicate of any of the five rules r0 through r4.

Solution: add the following rule immediately before rule r3

Incompactness Problem

r0 : I = 0 ∧ S = m ∧ D = any ∧ P = any ∧ T = any → d

r1 : I = 0 ∧ S = any ∧ D = s ∧ P = tcp ∧ T = 25 → a

r2 : I = 0 ∧ S = any ∧ D = s ∧ P = any ∧ T = any → d

r3 : I = 0 ∧ S = any ∧ D = any ∧ P = any ∧ T = any → a

r4 : I = 1 ∧ S = h ∧ D = any ∧ P = any ∧ T = any → a

r5 : I = 1 ∧ S = any ∧ D = any ∧ P = any ∧ T = any → a

Rule r4 can be removed without affecting the set

of packets accepted by the firewall and the set of packets discarded by the firewall.

How to design a consistent, complete, and

compact firewall?

Start with a Firewall Decision Diagram (FDD) Apply 5 algorithms to the FDD

reduction marking generation compaction simplification

Firewall Decision Diagram

a [6,7] d [2,3] [0,3] [4,5] _[8,9] [5,7] [0,1][4,4] [8,9] [8,9] d a [2,3] [0,1] [4,4] [5,7] d d [0,4] [5,9] PSfrag replacements F0 F1 F1 F1

Consistency: for any two outgoing edges of a node, their labels are non-overlapping

Completeness: the union of the labels of all the outgoing edges of a node is the domain of the label of the node

Rules from FDD

Each complete path in FDD can be represented by one rule For example: [0,3] [4,5] _[8,9] [5,7] [0,1][4,4] [8,9] [8,9] d a [2,3] [0,1] [4,4] [5,7] d d [0,4] [5,9] [2,3] a [6,7] d PSfrag replacements F0 F1 F1 F1 F₀ ∈ [4, 7] ∧ F₁ ∈ [2, 3] ∪ [5, 7] → a

FDD Reduction

Collapse “parallel edges” into one edge

Collapse “isomorphic nodes” into one node

a [6,7] d [2,3] [0,3] [4,5] _[8,9] [5,7] [0,1][4,4] [8,9] [8,9] d a [2,3] [0,1] [4,4] [5,7] d d [0,4] [5,9] PSfrag replacements F0 F1 F1 F1 [0,3] [4,7] F0

FDD Marking

F [4,7] [0,3] [8,9] _[4,7] F [0,3][8,9] ALL

Choose one outgoing edge to mark ALL

FDD Marking Algorithm

For each node in FDD, choose one outgoing edge to mark ALL a d [2,3] [5,7] [0,3] [4,7] [8,9] [0,1] [8,9] [4,4] PSfrag replacements F0 F1 [0,1] [8,9] [4,7] F0 _[0,3]

Firewall Generation

Generate one rule for each complete path

Use the mark “ALL”, instead of the specified set Order the rules properly

ALL ALL [4,4] [8,9] [0,1] [8,9] [4,7] _[0,3] [5,7][2,3] d a PSfrag replacements F0 F1 r = ( F0 ∈ [4, 7] ∧ F1 ∈ [2, 3] ∪ [5, 7] → a, F0 ∈ [4, 7] ∧ F1 ∈ ALL → d, d,

Firewall Compaction

A rule is redundant in a firewall iff the rule can be removed without affecting the semantics of the firewall.

Theorem: A rule ri in firewall (r0, · · · , rm−1) is redundant

iff for each j, i < j ≤ m − 1, at least one of the following two conditions holds:

1. hdecisioni of rj = hdecisioni of ri.

2. No packet over the fields F0, · · · , Fn−1 satisfies the

predicate ri.op ∧ (¬ri+1.ep ∧ · · · ∧ ¬rj−1.ep) ∧ rj.ep

where ri.op denotes the original predicate of ri and

Firewall Compaction Example

r = ( F0 ∈ [4, 7] ∧ F1 ∈ [2, 3] ∪ [5, 7] → a,

F0 ∈ [4, 7] ∧ F1 ∈ ALL → d,

F0 ∈ ALL ∧ F1 ∈ [0, 9] → d,

)

The second rule is redundant.

r0 = ( F0 ∈ [4, 7] ∧ F1 ∈ [2, 3] ∪ [5, 7] → a,

F0 ∈ ALL ∧ F1 ∈ [0, 9] → d,

Firewall Simplification

A firewall rule of the form

F0 ∈ S0 ∧ · · · ∧ Fn₋₁ ∈ Sn₋₁ → hdecisioni

is called simple iff every Si in the rule is either

the ALL mark or a single interval.

r0 = ( F0 ∈ [4, 7] ∧ F1 ∈ [2, 3] ∪ [5, 7] → a,

F0 ∈ ALL ∧ F1 ∈ [0, 9] → d,

Summary of Firewall Design

PSfrag replacements A user specified FDD f Algorithm 1 A reduced FDD f0 Algorithm 2 A marked FDD f00 Algorithm 3 A generated firewall r Algorithm 4 A compact firewall r0 Algorithm 5 A simple firewall r00 Algorithm 6