
Complete Redundancy Detection in Firewalls

  • Alex X. Liu
  • Mohamed G. Gouda
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3654)

Abstract

Firewalls are safety-critical systems that secure most private networks. The function of a firewall is to examine each incoming and outgoing packet and decide whether to accept or to discard the packet. This decision is made according to a sequence of rules, where some rules may be redundant. Redundant rules significantly degrade the performance of firewalls. Previous work detects only two special types of redundant rules. In this paper, we solve the problem of how to detect all redundant rules. First, we give a necessary and sufficient condition for identifying all redundant rules. Based on this condition, we categorize redundant rules into upward redundant rules and downward redundant rules. Second, we present methods for detecting each of the two types of redundant rules. Our methods make use of a tree representation of firewalls called firewall decision trees.
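The redundancy condition described in the abstract, as an added illustration that is not the paper's code: a rule is redundant exactly when deleting it changes no packet's decision, and a redundant rule is upward redundant when no packet ever reaches it (earlier rules match first) or downward redundant when packets do reach it but the rules below decide the same way. The rule list, field domains and first-match semantics are constructed here; the check enumerates a deliberately tiny packet space instead of using the paper's firewall decision trees.

```python
from itertools import product

# Constructed toy packet space: two fields with tiny domains so the whole
# space (16 packets) can be enumerated. A real firewall would need the
# paper's decision-tree representation rather than brute force.
DOMAINS = {"src": range(4), "port": range(4)}

# A rule is (predicate, decision); a predicate maps each field to an
# inclusive (lo, hi) interval. Rules are evaluated in order, first match wins.
RULES = [
    ({"src": (0, 1), "port": (0, 3)}, "accept"),   # r0
    ({"src": (0, 0), "port": (0, 1)}, "discard"),  # r1: fully shadowed by r0
    ({"src": (2, 3), "port": (0, 0)}, "accept"),   # r2: reached, but r3 decides the same
    ({"src": (0, 3), "port": (0, 1)}, "accept"),   # r3
    ({"src": (0, 3), "port": (0, 3)}, "discard"),  # r4: catch-all
]

def matches(rule, packet):
    predicate, _ = rule
    return all(lo <= packet[f] <= hi for f, (lo, hi) in predicate.items())

def first_match(rules, packet):
    """Index of the first rule matching the packet, or None if none matches."""
    return next((i for i, r in enumerate(rules) if matches(r, packet)), None)

def decide(rules, packet):
    i = first_match(rules, packet)
    return None if i is None else rules[i][1]   # None marks an incomplete list

def all_packets():
    fields = list(DOMAINS)
    for values in product(*(DOMAINS[f] for f in fields)):
        yield dict(zip(fields, values))

def is_redundant(rules, i):
    """Rule i is redundant iff removing it changes no packet's decision."""
    without = rules[:i] + rules[i + 1:]
    return all(decide(rules, p) == decide(without, p) for p in all_packets())

def classify(rules, i):
    """Distinguish the two kinds of redundancy for rule i."""
    if not is_redundant(rules, i):
        return "not redundant"
    reached = any(first_match(rules, p) == i for p in all_packets())
    return "downward redundant" if reached else "upward redundant"

def classify_all(rules):
    return [classify(rules, i) for i in range(len(rules))]

if __name__ == "__main__":
    for i, kind in enumerate(classify_all(RULES)):
        print(f"r{i}: {kind}")
```

Note that r0 is not redundant even though r3 accepts the same packets: deleting r0 would expose the shadowed discard rule r1, which is why redundancy must be checked per rule against the whole list rather than by comparing decisions pairwise.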

Keywords

Firewall, Redundant Rules, Network Security


Copyright information

© IFIP International Federation for Information Processing 2005

Authors and Affiliations

  • Alex X. Liu (1)
  • Mohamed G. Gouda (1)
  1. Department of Computer Sciences, The University of Texas at Austin, Austin, USA
