Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang...
-
Upload
jack-floyd -
Category
Documents
-
view
212 -
download
0
Transcript of Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang...
Firewall Design: Consistency, Completeness, and CompactnessAuthors: Mohamed G. Gouda and Xing-
Yang Alex Liu
Presenters: Jonathan Fomby andMatthew Ginley
Firewall Basics Placed at the entrance (borders) of private
networks Examine all traffic passing through (source
IP, dest IP, etc.) Accept, Discard, Log, Reply, Re-route, etc.
as appropriate Implemented as additional software or stand-
alone hardware (appliance) Functionally the same as packet filter or
packet classifier, yet firewall implies security
Firewall as a Set of Rules
Firewall functionality can be represented as an ordered list of rules
Rule format Traditionally displayed as a table, but this paper
uses individual Boolean formulas <predicate> <decision> authors only consider accept and discard
decisions predicate is Boolean expression over packet fields
Firewalls – As a Table (text p. 627)
Firewall – As a List of Rules
( I=0 ^ S=any ^ D=s ^ P=tcp ^ T=25 a,
I=0 ^ S=any ^ D=s ^ P=any ^ T=any d,
I=0 ^ S=m ^ D=any ^ P=any ^ T=any d,
I=1 ^ S=h ^ D=any ^ P=any ^ T=any a,
I=1 ^ S=any ^ D=any ^ P=any ^ T=any a )
An ordered listing of Boolean expressions
Firewall Operation
Rules are compared individually against a packet
Rules compared according to a specified order (i.e. importance)
The first rule to match is chosen and followed Usually a final catch-all rule (probably
discard)
Firewalls – Stateful Packet Filters
(text p.629) traditional packet filters do not examine higher layer context i.e. matching return packets with outgoing flow
stateful packet filters address this need they examine each IP packet in context
keep track of client-server sessions check each packet validly belongs to one
hence are better able to detect bogus packets out of context
Note of Limitation
The authors do not discuss state considerations
By adding state fields to packet fields, this should be feasible
When filtering packets, check these fields in addition to packet fields
3 C’s
Consistency: correct ordering of rules Completeness: every packet satisfies at least
one rule Compactness: no redundant rules
SIMPLE** Firewall Example
Accept incoming SMTP packets on Int0 destined for Mail Server
Accept all outgoing packets
Packet Fields
I – incoming interface on the firewall S – original source D – final destination P – transport protocol used T – destination port Many others not used by authors: source
port, packet flags (IP, TCP, others), application layer message, etc.
Continuing the Example
Accept incoming SMTP packets on Int0 destined for Mail Server (I = 0) ^ (S = any) ^ (D = MailServer) ^ (P = TCP)
^ (T = 25) Accept Discard incoming non-SMTP packets on Int0
destined for Mail Server (I = 0) ^ (S = any) ^ (D = MailServer) ^ (P = any) ^
(T = any) Discard
Cont. Discard incoming packets whose source is a
Malicious Host (I = 0) ^ (S = MH) ^ (D = any) ^ (P = any) ^ (T = any)
Discard Accept outgoing HTTP packets from any non-
server host h (I = 1) ^ (S = h) ^ (D = any) ^ (P = TCP) ^ (T = 80)
Accept Accept all outgoing packets
(I = 1) ^ (S = any) ^ (D = any) ^ (P = any) ^ (T = any) Accept
Problems with Example Rules Consistency Error
Rules 1 and 3 can be matched to the same packet, yet have conflicting decisions
Rule 1 will always be applied, thus ignoring the discarding of malicious packets intended by Rule 3
Solution: Place Rule 3 first
Problems Cont.
Completeness Error Packets with (I=0 ^ S≠MH ^ D≠MailServer) do not
satisfy any rules Solution: add the following rule (at the end of list):
(I = 0) ^ (S = any) ^ (D = any) ^ (P = any) ^ (T = any) Accept
Problems Cont.
Compactness Error Rule 4 is redundant All packets matching rule 4 will match rule 5 as
well, with both rules accepting Solution: remove Rule 4
Our Focus
“… a method for designing the sequence of rules of a firewall to be consistent, complete, and compact.”
Start with a firewall decision diagram (defined later) that is processed by a series of algorithms
Resulting FDD is functionally equivalent, yet consistent, complete, and compact
Overall Process - 5 Algorithms
Algorithm Summary
Starting with a user specified FDD f #1 – FDD Reduction
Output: a reduced FDD equivalent to f #2 – FDD Marking
Output: an equivalent, marked version f’ of f
Algorithm Summary
#3 – Firewall Generation A firewall r over the same fields as f’, that is
functionally equivalent to f’ and each rule in r is provided a rank
#4 – Firewall Compaction Output: a compact firewall, equivalent to r
#5 – Firewall Simplification Output: a simple firewall, equivalent to r
Related Work [3] : Existing Design Errors Efficient Data Structures for Rule Checking
[12] : Trie Data Structures [6] : Area Based Quadtrees [8] : Fat Inverted Segment Trees [9] : Survey of such data structures
Specification Languages [3] : Simple Model Definition Language [10] : Lisp-like specification language [4] : Declarative Predicate Language [1] : High level firewall language
More Related Work – Detecting Conflicting Rules [11] : Detecting and Resolving Packet Filter
Conflicts Ambiguity in packet classification deserves more
attention Demonstrates resolving conflicts by prioritization
is ineffective Resolve conflicts by adding filters
More Related Work – Detecting Conflicting Rules [7] : Internet packet filter management and
rectangle geometry Claim that previous best for detecting conflicts
was O(n2 log n) time Their presented approach is O(n3/2) Based on rectangle coverage of a kD-tree and
stripe conflict detection (lots of difficult theory)
More Related Work – Detecting Conflicting Rules [2] : Fast and scalable conflict detection for
packet classifiers Claim the best known algorithm for conflict
detection is naïve comparison, O(n2) Their approach is based on the aggregation of bit
vector data Do not provide theoretical complexity, but state “a
factor of 40 improvement for a 20,000 rule database”
More Related Work – Decision Diagrams [5] : Binary Decision Diagrams [13] : Interval Decision Diagrams Similar to Firewall Decision Diagrams, but the
diagram format is not the focus (nor particularly novel)
Firewall Decision Diagrams
Circles are non-terminal nodes Boxes are terminal nodes (always ‘a’ = Accept or ‘d’ =
Discard for our purposes Arrows are edges Decision Path: directed path from the root to a terminal node
Fields
field Fi: variable whose value is taken from the domain of Fi
Domain of Fi, D(Fi): a predefined interval of nonnegative integers
Packet over fields F0,…, Fn-1: an n-tuple (p0,…, pn-1) where each pi is taken from the corresponding domain and field
Firewall Decision Diagram
An FDD f over the fields F0,…, Fn-1 IS Acyclic and directed graph Satisfies the following 5 properties
f has a root and 2 or more terminal nodes (leaves) each non-terminal node v is labeled with one of
the above fields, F(v); a terminal node v is labeled with ‘a’ or ‘d’
No two nodes on a decision path have the same label
Firewall Decision Diagram
Each edge e leaving node v is labeled with an integer set I(e) (a subset of D(F(v)))
For any non-terminal node v, the set E(v) of all edges leaving v must satisfy: Consistency: any distinct ei and ek in E(v),
I(ei) ∩ I(ek) = empty set
Completeness: Ue є E(v) I(e) = D(F(v))
Firewall Decision Diagrams
This FDD is over fields F0, F1
Domain of all fields is [0, 9] one possible decision path:
F0 є [4,5] ^ F1 є [2,3] U [5,7] a In a decision path, there is 0 or 1 Boolean primitive
for each field of the FDD (0 implies any value for that field).
Firewall Decision Diagrams
FDDs are represented as a sequence of rules, each of the form F0 є S0 ^ … ^ Fn-1 є Sn-1 <decision>
1 to 1 correspondence of decision paths in the FDD to rules
Order does not matter (later changes) Firewall: sequence of rules that represents an
FDD
Acceptance and Discarding
For a packet (p0,…, pn-1) over fields F0,…,Fn-1 received by an FDD f over the same fields Accepted: iff f has an accepting rule such that
p0 є S0 ^ … ^ pn-1 є Sn-1 holds Discarded: iff f has a discarding rule such that ↑
For the set of all packets, Σ f.accept: the subset of Σ that contains all packets
accepted by f f.discard: the subset of Σ that contains all packets
discarded by f
Acceptance and Discarding
FDD Equivalence: FDDs f and g over the same fields are equivalent iff f.accept = g.accept
and f.discard = g.discard
Thm. 1: for any FDD f over fields F0,…,Fn-1
f.accept ∩ f.discard = empty set f.accept U f.discard = Σ
FDD Reductions
Advantageous to reduce # of decision paths without changing accept and discard sets
Auxiliary Def.--Isomorphic Nodes. Two nodes, v0 and v1, are isomorphic iff (1) or (2) is satisfied. (1) v0 and v1 Are terminal nodes with the same
label (2) v0 and v1 are non-terminal nodes with an 1-to-1
correspondence between the outgoing edges of v0 and outgoing edges of v1
Isomorphic Node Example
The above red-highlighted nodes are isomorphic Same label: F1 2 edges: one edge with label [2,3] U [5,7] incoming
on ‘a’, and one edge with label [0,1] U [4,4] U [8,9] incoming on ‘d’
FDD Reductions
An FDD f is called reduced iff it satisfies the following three conditions: 1. f has no node with exactly one outgoing edge. 2. f has no two edges that are outgoing of one
node and are incoming of another node. 3. f has no two distinct isomorphic nodes.
Algorithm 1: FDD Reduction
Input: an FDD f Output: a reduced FDD that is equivalent to f Repeat steps 1-3 until none can be applied
further 1. If f has a node v0 with only one outgoing edge
e and if e is incoming of another node v1, then remove v0 and e from f and make the incoming edges of v0 incoming of v1.
Algorithm 1
2. If f has two edges e0 and e1 that are outgoing of node v0 and incoming of node v1, then remove e0 and make the label of e1 be the integer set I(e0) U I(e1),where I(e0) and I(e1) are the integer sets that labeled edges e0 and e1 respectively.
3. If f has two isomorphic nodes v0 and v1, then remove node v1 and its outgoing edges, and make the incoming edges of v1 incoming of v0.
Before (below)After (right)3 rule/decision pathreduction
Marking of FDDs
A “Marked” FDD is similar to the reduced FDD, with an “ALL” label being added to a single edge from each node
The number of simple rules eventually generated in the firewall depends upon the “degree” of a marked FDD
Nodes and Edges are given degrees in order to find which edges should be marked ALL
Marking of FDDs (cont.)
Many marked versions of reduced FDDs are possible
Number of simple rules generated by a firewall is determined by the degree of the marked FDD Note that this refers to the final “simple” rules, not the number of rules
that will be generated in the intermediate steps
Degree is determined by which edges are marked ALL
Smaller degree -> Fewer final rules -> Simpler firewall -> Good Thing™
Marking of FDDs (cont.)
Degree of a set of integers, denoted deg(S), is the smallest number of non-overlapping integer intervals that covers set S.
Ex: For the set {0,1,3,4,5,7,9}, the degree is 4, composed of the intervals [0,1], [3,5], [7,7], and [9,9]
Marking of FDDs (cont.)
Degree of an edge e is denoted deg(e) If e is marked ALL, then deg(e) = 1 Else, deg(e) = deg(S)
Degree 1
Degree 2
Degree 2
Degree 3
Marking of FDDs (cont.)
Degree of a node v, denoted deg(v), is calculated using a simple formula
If v is a terminal node, then deg(v) = 1 Else, for a non-terminal node v with k
outgoing edges, e0, …, ek-1 that are incoming of nodes v0, …, vk-1 respectively, then
deg(v) = ∑ deg(ei) × deg(vi)
Marking of FDDs (cont.)
To put it in simpler terms: The get the degree of a node, take each outgoing edge and multiply its degree by the degree of the node into which the edge leads. Add these together, and you have the degree of the node.
Marking of FDDs (cont.)
Since the edges marked ALL have such a large impact on the complexity of the firewall, it is critical to pick the ALL-edges carefully and minimize the degree of the FDD
One edge from the collection of edges leaving each node is marked ALL, so pick the edge that would minimize the degree of said node to label ALL
Marking of FDDs – Algorithm 2 Step 1: Compute the degree of each terminal node
v in f as deg(v) = 1 Step 2: For every node v whose degree has not yet
been calculated 1 – Find the outgoing edge e of current node whose
quanity (deg(ej)-1) x deg(vj) is larger than or equal to the corresponding quantity in every other outgoing edge of v
2 – Mark edge ej with ALL Compute the degree of v with the summation formula
Marking of FDDs (cont.)
Two Marked FDDs from the same Reduced FDD
Terminal Nodes: Degree = 1
2
2
12
1
1
12+1 = 3
3 + 2 = 5
2+1=31
3 + 1 = 4
Firewall Generation
Generated Firewall is a sequence of rules such that each rule corresponds to a decision path in the marked FDD
This step produces the rules of the firewall, as well as a ranking for each rule, and two predicates, the exhibited and the original predicate
Rank is used for ordering the rules, predicates for making the firewall “Compact” in the next step
Firewall Generation (cont.)
For our purposes, a Firewall r over the fields F0,…,Fn-1 is a sequence of rules r0,…,rm-1 where each rule is of the form
F0 Є S0 Λ … Λ Fn-1 Є Sn-1 → <decision>
where each Si is either the mark ALL or a nonempty set of integers from the domain of field Fi, and the <decision> is either a (accept) or d (discard).
Ex. F0 Є [4,7] Λ F1 Є [2,3] U [5,7] → a
Firewall Generation (cont.)
For the final rule in a firewall, rm-1, each Si is either the mark ALL or the entire domain of field Fi
This acts as a catchall, ensuring that there is no condition in which the firewall will not know what to do
Firewall Generation (cont.)
A packet (p0,…,pn-1) over the fields F0,…,Fn-1 matches a rule ri iff ri is of the aforementioned form and the predicate (p0 Є S0 Λ … Λ pn-1 Є Sn-1) holds
Packet is accepted by the firewall if the firewall has a rule ri such that: the packet matches ri
the packet does not match any rule preceding ri
the <decision> of ri is a (accept)
Firewall Generation (cont.)
The set of all packets accepted by firewall r is denoted r.accept, the set of those discarded is denoted r.discard.
For any firewall r over the fields F0,…,Fn-1, r.accept ∩ r.discard = Ø r.accept U r.discard = ∑
where Ø is the empty set and ∑ is the set of all packets over the fields F0,…,Fn-1
Firewall Generation (cont.)
From a marked FDD f over the fields
F0,…,Fn-1, we generate a corresponding firewall r such thatr.accept = f.accept, andr.discard = f.discard
We also generate a binary number called the rank, denoted b0…bn-1, where each node contributes one bit to the whole number, and the two predicates which are later used to make the firewall compact, the exhibited predicate (epi) and the original predicate (opi)
Firewall Generation (cont.) – Algorithm 3 Each decision path in the FDD f is converted into a
rule in firewall r To make each rule, go down the decision path one
node at a time, with three separate cases to consider at each node Fi: Case 1: The decision path has no nodes labeled Fi
Case 2: The decision path has a node labeled Fi, and its outgoing edge e has no mark
Case 3: The decision path has a node labeled Fi, and its outgoing edge has an ALL mark
Firewall Generation (cont.) – Algorithm 3 Case 1: The decision path has no nodes labeled Fi
bi = 0Si = the domain [ai, bi] of Fi
Ti = the domain [ai, bi] of Fi In this case, there is no node Fi in the path, but each rule must address each field in
the range 0,…,n-1
Case 2: The decision path has a node labeled Fi, and its outgoing edge e has no markbi = 0Si = the integer set that labels eTi = the integer set that labels e
Case 3: The decision path has a node labeled Fi, and its outgoing edge has an ALL markbi = 1Si = ALLTi = the integer set that labels e
Firewall Generation (cont.) – Algorithm 3 Sample marked FDD has three different
decision paths, resulting in three different rules
Firewall Generation (cont.) – Algorithm 3 Taking Leftmost path:
Node F0: Falls under case 2, so
rank = 0, Si = [4,7], Ti = [4,7]
Node F1: Falls under case 2, so
rank = 0, Si = [2,3]U[5,7], Ti = [2,3]U[5,7]Overall rank: 00
Rule: F0 Є [4,7] Λ F1 Є [2,3]U[5,7]→a
epi: F0 Є [4,7] Λ F1 Є [2,3]U[5,7]
opi: F0 Є [4,7] Λ F1 Є [2,3]U[5,7]
Firewall Generation (cont.) – Algorithm 3 Taking Middle path:
Node F0: Falls under case 2, so
rank = 0, Si = [4,7], Ti = [4,7]
Node F1: Falls under case 3, so
rank = 1, Si =ALL, Ti = [0,1]U[4,4]U[8,9]Overall rank: 01
Rule: F0 Є [4,7] Λ F1 Є ALL→d
epi: F0 Є [4,7] Λ F1 Є ALL
opi: F0 Є [4,7] Λ F1 Є [0,1]U[4,4]U[8,9]
Firewall Generation (cont.) – Algorithm 3 Taking Rightmost path:
Node F0: Falls under case 3, so
rank = 1, Si = ALL, Ti = [0,3]U[8,9]
Node F1: Falls under case 1, so
rank = 0, Si =[0,9], Ti =[0,9]Overall rank: 10
Rule: F0 Є ALL Λ F1 Є [0,9]→d
epi: F0 Є ALL Λ F1 Є [0,9]
opi: F0 Є [0,3]U[8,9] Λ F1 Є [0,9]
Firewall Generation (cont.) – Algorithm 3 Rules are put in ascending order in regards
to their rank Generated Firewall:
r = ( F0 Є [4,7] Λ F1 Є [2,3]U[5,7]→a
F0 Є [4,7] Λ F1 Є ALL→d
F0 Є ALL Λ F1 Є [0,9]→d
)
Firewall Generation (cont.)
The rank works based on the priority system. The more specific the rule is, the higher it needs to be. If there is an ALL in the rule, it is assumed that any case in which the input mattered in that field will be taken care of by a previous rule in the ordering.
Firewall Compactness
The firewall which has been generated at this point may include redundant rules, which can be safely removed from the firewall without changing the accept or discard sets, resulting in a simpler, still complete firewall
A Compact firewall is one in which there are no redundant rules
Firewall Compactness (cont.)
Let (r0,…,rm-1) be a firewall over the fields F0,…,Fn-1 as generated by our algorithm. A rule ri, i < m-1 is considered redundant iff for each j, i < j < m-1, and least one of the following two conditions hold <decision> of rj = <decision> of ri
No packet over the fields F0,…,Fn-1 satisfies the predicate ri.op Λ (¬ri+1.ep Λ … Λ ¬rj-1.ep) Λ rj.ep
Firewall Compactness (cont.)
Explanation: If from rule ri until the end one of these conditions holds for each intermediate rule, that original rule ri is redundant First condition: If rule rj from i to m-1 has the same
decision as ri, then this condition holds. For example, if the last three rules are all d (discard), then the two leading up to the last are redundant, as the last one will take care of those decisions
Second condition: For the rules ri and rj, rj being any rule between ri and the end of the rule listing, the condition holds only if there is a rule between ri and rj which which would satisfy the same packet. If the packet would be satisfied by ri and rj, and no rules in between, then the rule ri is not redundant.
Firewall Compactness (cont.) – Algorithm 4 The algorithm given operates by having an array of
booleans, each slot holding either true or false for redundant or not. The array then starts from the bottom up, with the last rule being ri, and checks every rule after ri one at a time to see if it meets one of the two conditions. If every rule meets one of the conditions, then ri is listed as true. If not, then false. After every rule is checked, those listed as true in the boolean array are removed as they are redundant. The result is a compact array.
Firewall Compactness (cont.)
Firewall before Compacting r = ( F0 Є [4,7] Λ F1 Є [2,3]U[5,7]→a
F0 Є [4,7] Λ F1 Є ALL→d
F0 Є ALL Λ F1 Є [0,9]→d
)
Rule two is found to be redundant, and can safely be removed from the firewall without changing the accept and discard sets
Firewall Compactness (cont.)
Firewall after Compacting r = ( F0 Є [4,7] Λ F1 Є [2,3]U[5,7]→a
F0 Є ALL Λ F1 Є [0,9]→d
)
Since rules two and three both were discards, rule two can be removed since rule three will catch any packets that would have been caught by rule two, and still discard them
Firewall Simplification
A rule of the form
F0 Є S0 Λ … Λ Fn-1 Є Sn-1 → <decision>
is called simple iff every Si in the rule is either the ALL marker or a single interval of non-negative integers.
A Firewall is called simple if all of its rules are simple. Even though a simple firewall will have more rules than a non-simple one, the simplicity is preferred to the fewer rules
Firewall Simplification (cont.) – Algorithm 5 To simplify the firewall, break up any complicated
rules by forming two new, simpler rules…simply iterate through the list one rule at a time.
Example: Rule 1 F0 Є [4,7] Λ F1 Є [2,3]U[5,7]→a
F1 Є [2,3]U[5,7] is complex
Can be broken down into two different statements, F1 Є [2,3] and F1 Є [5,7]
New rules: F0 Є [4,7] Λ F1 Є [2,3]→a
F0 Є [4,7] Λ F1 Є [5,7]→a
Firewall Simplification (cont.) Final Simplified Firewall:
r = ( F0 Є [4,7] Λ F1 Є [2,3]→a F0 Є [4,7] Λ F1 Є [5,7]→a
F0 Є ALL Λ F1 Є [0,9]→d
)
Had a firewall been generated directly from the initial FDD, then it would have had 14 simple rules. By reducing the FDD and compacting the rules, we have ended up with a much simpler firewall which has the same accept and discard sets
Summary
This paper details a method of constructing firewalls from supplied FDDs, whose consistency and completeness were hopefully already established. The method takes the FDD through six different stages, from the user specified FDD to the final simple firewall
Summary (cont.)
From the user specified FDD, we apply the reduction algorithm. This simplifies the number of decision paths, resulting in fewer final simple rules in the generated firewall
Summary (cont.)
From the reduced FDD, we apply the Marking algorithm, systematically finding which marked edges would result in the simplest final firewall.
Summary (cont.)
Once marked, the firewall is generated. Each decision path is converted in to a rule, and a ranking system which is included with the rule generation algorithm helps us order the rules properly. Two other predicates are also created to be used to remove redundancy.
Summary (cont.)
Even though the FDD was reduced at an early stage, it is still possibly and even likely that there is still redundancy in the firewall. A carefully applied algorithm removes rules that are found to be redundant, further simplifying the firewall
Summary (cont.)
Once the firewall is known to be compact, a simplification algorithm is applied, which converts all of the complex rules into more, simpler rules. At this point we have our completed firewall
Conclusion
Despite a plethora of typos which made the paper sometimes confusing, the author’s have shown a systematic, testable way of ensuring a consistent, complete, and simple firewall. They developed a series of algorithms which could be applied to any FDD in order to guarantee a simple, effective firewall, effectively automating what was likely a time-consuming, difficult to prove process