16
1 Diverse Firewall Design Alex X. Liu The University of Texas at Austin, U.S.A. July 1, 2004 Co-author: Mohamed G. Gouda
1
Diverse Firewall DesignAlex X. Liu
The University of Texas at Austin, U.S.A.
July 1, 2004
Co-author: Mohamed G. Gouda
Alex X. Liu The University of Texas at Austin
2
Firewall It is a sequence of rules to decide to
accept or discard any packet.
discardFFacceptFFdiscardFFacceptFF
]100,1[]100,1[]40,1[]100,1[]100,1[]30,1[]20,1[]30,1[
21
21
21
21
Example: packet(F1, F2)
Firewall Design is error-prone.
Alex X. Liu The University of Texas at Austin
3
How to reduce firewall design errors? Solution: Diverse Firewall Design
Motived by N-version programming (Avizienis 1977) and back-to-back testing (Vouk 1988)
Differ from N-version programming: only one version deployed
Differ from back-to-back testing: all discrepancies discovered
Alex X. Liu The University of Texas at Austin
4
Diverse Firewall Design
Design phase:Same specification given to multiple teams to design
firewalls
Comparison phase:Compare multiple firewalls to discover all discrepancies
Alex X. Liu The University of Texas at Austin
5
How to compare two firewalls?
Step 1: construct an equivalent ordered FDD for each
firewall
Step 2: make two ordered FDDs semi-isomorphic
Step 3: compare two semi-isomorphic FDDs for discrepancies
Alex X. Liu The University of Texas at Austin
6
Firewall Decision Diagram (FDD)
Consistency: labels of any two siblings are non-overlapping
Completeness: union of labels of all siblings is the domain of the field
F1
F2 F2
a d a d
[31,100][1,30]
[41,100][1,40][21,100][1,20]
Alex X. Liu The University of Texas at Austin
7
Step 1
Construct an equivalent ordered FDD for each firewall
(An FDD is ordered if the labels along every path in the FDD are consistent with the same total order.)
Alex X. Liu The University of Texas at Austin
8
Applying Step 1
dFF
aFF
dFF
aFF
]100,1[2]100,1[1
]40,1[2]100,1[1
]100,1[2]30,1[1
]20,1[2]30,1[1
F1
F2 F2
a d a d
[31,100][1,30]
[1,40][21,100][1,20]
F1
F2
a
[1,30]
[1,20]
F1
F2
a d
[1,30]
[21,100][1,20]
aFF ]20,1[2]30,1[1
F1
F2 F2
a d a
[31,100][1,30]
[1,40][21,100][1,20]
dFF
aFF
]100,1[2]30,1[1
]20,1[2]30,1[1
aFF
dFF
aFF
]40,1[2]100,1[1
]100,1[2]30,1[1
]20,1[2]30,1[1
[41,100]
(1) (2)
(4)(3)
Alex X. Liu The University of Texas at Austin
9
Step 2 Make two ordered FDDs semi-isomorphic
Semi-isomorphic FDDs: exactly same except labels of terminal nodes
Example: make these FDDs semi-isomorphic
F1
F2
a d
d
[51,100][1,50]
[61,100][1,60]
F1
F2 F2
a d a d
[31,100][1,30]
[41,100][1,40][21,100][1,20]
Alex X. Liu The University of Texas at Austin
10
Applying Step 2:F1
F2 F2
a d a d
[31,100][1,30]
[1,40][21,100][1,20]
F1
F2
a d
d
[51,100][1,50]
[61,100][1,60][41,100]
F1
F2 F2
a d a d
[51,100][1,30]
[1,40][21,100][1,20] [41,100]
F2
a d
[41,100][1,40]
[31,50]
F1
F2
a d
d
[51,100][1,30]
[61,100][1,60]
F2
a d
[61,100][1,60]
[31,50]
Alex X. Liu The University of Texas at Austin
11
Results of Step 2F1
F2 F2
a d a d
[51,100][1,30]
[1,40][61,100][1,20]F2
a d
[61,100][1,40]
[31,50]
d d
[41,100]
[21,60] [41,60]
F1
F2 F2
a d d d
[51,100][1,30]
[1,40][61,100][1,20]F2
a d
[61,100][1,40]
[31,50]
a a
[21,60] [41,60]
[41,100]
Alex X. Liu The University of Texas at Austin
12
Step 3:
Compare two semi-isomorphic FDDs for discrepancies
Alex X. Liu The University of Texas at Austin
13
Applying Step 3:F1
F2 F2
a d a d
[51,100][1,30]
[1,40][61,100][1,20]F2
a d
[61,100][1,40]
[31,50]
[21,60] [41,60]
F1
F2 F2
a d d d
[51,100][1,30]
[1,40][61,100][1,20]F2
a d
[61,100][1,40]
[31,50]
[21,60] [41,60]
[41,100]
[41,100]
aa
dd
Alex X. Liu The University of Texas at Austin
14
Example
?/]60,21[2]30,1[1 adFF
1. Design A of firewall:
2. Design B of firewall:
3. Comparison:
?/]60,41[2]50,31[1 adFF ?/]40,1[2]100,51[1 daFF
dFF
aFF
dFF
aFF
]100,1[2]100,1[1
]40,1[2]100,1[1
]100,1[2]30,1[1
]20,1[2]30,1[1
F1
F2
a d
d
[51,100][1,50]
[61,100][1,60]
Alex X. Liu The University of Texas at Austin
15
Experimental Results Three algorithms implemented in Java JDK 1.4 Experiments carried out on SunBlade 2000
(OS: Solaris 9, CPU:1Ghz , memory: 1 GB)
Alex X. Liu The University of Texas at Austin
16
Conclusions
Three contributions:
– Propose diverse firewall design method
– Present a suite of algorithms to enable diverse firewall design• FDD Construction Algorithm• FDD Shaping Algorithm• FDD Comparison Algorithm method
– FDD construction algorithm can be used to convert a conflict infested firewall to a conflict free firewall
