Diverse Firewall Design
Alex X. Liu
The University of Texas at Austin, U.S.A.
July 1, 2004
Co-author: Mohamed G. Gouda
Alex X. Liu The University of Texas at Austin
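Firewall
It is a sequence of rules to decide to accept or discard any packet.
Example: packet(F1, F2)
$F_1 \in [1,30] \wedge F_2 \in [1,20] \rightarrow \text{accept}$
$F_1 \in [1,30] \wedge F_2 \in [1,100] \rightarrow \text{discard}$
$F_1 \in [1,100] \wedge F_2 \in [1,40] \rightarrow \text{accept}$
$F_1 \in [1,100] \wedge F_2 \in [1,100] \rightarrow \text{discard}$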
Firewall Design is error-prone.
How to reduce firewall design errors?
Solution: Diverse Firewall Design
Motivated by N-version programming (Avizienis 1977) and back-to-back testing (Vouk 1988)
Differs from N-version programming: only one version deployed
Differs from back-to-back testing: all discrepancies discovered
Diverse Firewall Design
Design phase: Same specification given to multiple teams to design firewalls
Comparison phase: Compare multiple firewalls to discover all discrepancies
How to compare two firewalls?
Step 1: construct an equivalent ordered FDD for each firewall
Step 2: make two ordered FDDs semi-isomorphic
Step 3: compare two semi-isomorphic FDDs for discrepancies
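Firewall Decision Diagram (FDD)
Consistency: labels of any two siblings are non-overlapping
Completeness: union of labels of all siblings is the domain of the field
[Figure: example FDD. Root F1 has edges [1,30] and [31,100], each to an F2 node. Under [1,30]: F2 edge [1,20] ends in a, F2 edge [21,100] ends in d. Under [31,100]: F2 edge [1,40] ends in a, F2 edge [41,100] ends in d.]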
Step 1
Construct an equivalent ordered FDD for each firewall
(An FDD is ordered if the labels along every path in the FDD are consistent with the same total order.)
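Applying Step 1
$F_1 \in [1,30] \wedge F_2 \in [1,20] \rightarrow a$
$F_1 \in [1,30] \wedge F_2 \in [1,100] \rightarrow d$
$F_1 \in [1,100] \wedge F_2 \in [1,40] \rightarrow a$
$F_1 \in [1,100] \wedge F_2 \in [1,100] \rightarrow d$
[Figure: four panels showing the FDD built by appending one rule at a time.]
(1) After the first rule: F1 edge [1,30] to an F2 node, F2 edge [1,20] to a
(2) After the second rule: the F2 node gains edge [21,100] to d
(3) After the third rule: F1 gains edge [31,100] to a second F2 node, with F2 edge [1,40] to a
(4) After the fourth rule: the second F2 node gains edge [41,100] to d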
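Step 2
Make two ordered FDDs semi-isomorphic
Semi-isomorphic FDDs: exactly the same except for the labels of terminal nodes
Example: make these FDDs semi-isomorphic
[Figure: two FDDs. In one, root F1 has edge [1,50] to an F2 node (F2 edge [1,60] ends in a, F2 edge [61,100] ends in d) and edge [51,100] directly to terminal d. In the other, root F1 has edge [1,30] to an F2 node (F2 edge [1,20] ends in a, [21,100] ends in d) and edge [31,100] to an F2 node (F2 edge [1,40] ends in a, [41,100] ends in d).]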
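Applying Step 2:
[Figure: shaping the two FDDs so that their F1 edges match. In the FDD with F1 edges [1,30] and [31,100], the edge [31,100] is split into [31,50] and [51,100], each leading to a copy of the F2 node ([1,40] ends in a, [41,100] ends in d). In the FDD with F1 edges [1,50] and [51,100], the edge [1,50] is split into [1,30] and [31,50], each leading to a copy of the F2 node ([1,60] ends in a, [61,100] ends in d).]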
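Results of Step 2
[Figure: the two FDDs after shaping. Both have F1 edges [1,30], [31,50] and [51,100], each to an F2 node. The F2 edges are [1,20], [21,60], [61,100] under [1,30]; [1,40], [41,60], [61,100] under [31,50]; and [1,40], [41,100] under [51,100]. Terminal labels, in that edge order:]
One FDD: a, d, d | a, d, d | a, d
Other FDD: a, a, d | a, a, d | d, d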
Step 3:
Compare two semi-isomorphic FDDs for discrepancies
Applying Step 3:
[Figure: the two semi-isomorphic FDDs from Step 2 side by side. Their terminal labels differ under F1 edge [1,30] at F2 edge [21,60] (d in one, a in the other), under F1 edge [31,50] at F2 edge [41,60] (d and a), and under F1 edge [51,100] at F2 edge [1,40] (a and d).]
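Example
1. Design A of firewall:
$F_1 \in [1,30] \wedge F_2 \in [1,20] \rightarrow a$
$F_1 \in [1,30] \wedge F_2 \in [1,100] \rightarrow d$
$F_1 \in [1,100] \wedge F_2 \in [1,40] \rightarrow a$
$F_1 \in [1,100] \wedge F_2 \in [1,100] \rightarrow d$
2. Design B of firewall:
[Figure: FDD. Root F1 has edge [1,50] to an F2 node (F2 edge [1,60] ends in a, F2 edge [61,100] ends in d) and edge [51,100] directly to terminal d.]
3. Comparison:
$F_1 \in [1,30] \wedge F_2 \in [21,60] \rightarrow d/a\ ?$
$F_1 \in [31,50] \wedge F_2 \in [41,60] \rightarrow d/a\ ?$
$F_1 \in [51,100] \wedge F_2 \in [1,40] \rightarrow a/d\ ?$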
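
The comparison of the two designs in this example, as added Python code that is not from the slides or the authors' Java implementation. Instead of building and shaping FDDs, it cuts each field's domain at every interval edge either design uses, which produces the same aligned regions that semi-isomorphic FDDs have. Assumptions: Design B's FDD is rewritten as the equivalent rule list `DESIGN_B`, and all function and variable names are illustrative.

```python
DOMAIN = (1, 100)  # F1 and F2 both range over [1,100] on the slides

# First-match rule lists: ((F1 lo, F1 hi), (F2 lo, F2 hi), decision)
DESIGN_A = [((1, 30), (1, 20), "a"), ((1, 30), (1, 100), "d"),
            ((1, 100), (1, 40), "a"), ((1, 100), (1, 100), "d")]
# Assumption: Design B's FDD rewritten as an equivalent rule list.
DESIGN_B = [((1, 50), (1, 60), "a"), ((1, 100), (1, 100), "d")]

def decide(rules, packet):
    """First-match semantics: the first rule containing the packet decides."""
    for *fields, decision in rules:
        if all(lo <= v <= hi for (lo, hi), v in zip(fields, packet)):
            return decision
    raise ValueError(f"rule list does not cover packet {packet}")

def cuts(designs, field):
    """Partition the domain at every interval edge any design uses for a field."""
    starts = {DOMAIN[0]}
    for rules in designs:
        for rule in rules:
            lo, hi = rule[field]
            starts.add(lo)
            if hi < DOMAIN[1]:
                starts.add(hi + 1)
    starts = sorted(starts)
    return list(zip(starts, [s - 1 for s in starts[1:]] + [DOMAIN[1]]))

def discrepancies(a, b):
    """All regions where a and b disagree: (F1 range, F2 range, a's, b's decision)."""
    out = []
    for f1 in cuts((a, b), 0):
        for f2 in cuts((a, b), 1):
            # Decisions are constant inside a cell, so one corner packet suffices.
            da, db = decide(a, (f1[0], f2[0])), decide(b, (f1[0], f2[0]))
            if da == db:
                continue
            last = out[-1] if out else None
            # Merge with the previous F2 range when adjacent and identical.
            if last and last[0] == f1 and last[1][1] + 1 == f2[0] and last[2:] == (da, db):
                out[-1] = (f1, (last[1][0], f2[1]), da, db)
            else:
                out.append((f1, f2, da, db))
    return out

if __name__ == "__main__":
    for f1, f2, da, db in discrepancies(DESIGN_A, DESIGN_B):
        print(f"F1 in {list(f1)}, F2 in {list(f2)}: A says {da}, B says {db}")
```

Each reported region is a set of packets the two teams treat differently, so it has to be resolved against the specification before one design is deployed.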
Experimental Results
Three algorithms implemented in Java JDK 1.4
Experiments carried out on SunBlade 2000 (OS: Solaris 9, CPU: 1 GHz, memory: 1 GB)
Conclusions
Three contributions:
– Propose diverse firewall design method
– Present a suite of algorithms to enable diverse firewall design method
  • FDD Construction Algorithm
  • FDD Shaping Algorithm
  • FDD Comparison Algorithm
– FDD construction algorithm can be used to convert a conflict-infested firewall to a conflict-free firewall