Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang...

Firewall Design: Consistency, Completeness, and CompactnessAuthors: Mohamed G. Gouda and Xing-

Yang Alex Liu

Presenters: Jonathan Fomby andMatthew Ginley

Firewall Basics Placed at the entrance (borders) of private

networks Examine all traffic passing through (source

IP, dest IP, etc.) Accept, Discard, Log, Reply, Re-route, etc.

as appropriate Implemented as additional software or stand-

alone hardware (appliance) Functionally the same as packet filter or

packet classifier, yet firewall implies security

Firewall as a Set of Rules

Firewall functionality can be represented as an ordered list of rules

Rule format Traditionally displayed as a table, but this paper

uses individual Boolean formulas <predicate> <decision> authors only consider accept and discard

decisions predicate is Boolean expression over packet fields

Firewalls – As a Table (text p. 627)

Firewall – As a List of Rules

( I=0 ^ S=any ^ D=s ^ P=tcp ^ T=25 a,

I=0 ^ S=any ^ D=s ^ P=any ^ T=any d,

I=0 ^ S=m ^ D=any ^ P=any ^ T=any d,

I=1 ^ S=h ^ D=any ^ P=any ^ T=any a,

I=1 ^ S=any ^ D=any ^ P=any ^ T=any a )

An ordered listing of Boolean expressions

Firewall Operation

Rules are compared individually against a packet

Rules compared according to a specified order (i.e. importance)

The first rule to match is chosen and followed Usually a final catch-all rule (probably

discard)

Firewalls – Stateful Packet Filters

(text p.629) traditional packet filters do not examine higher layer context i.e. matching return packets with outgoing flow

stateful packet filters address this need they examine each IP packet in context

keep track of client-server sessions check each packet validly belongs to one

hence are better able to detect bogus packets out of context

Note of Limitation

The authors do not discuss state considerations

By adding state fields to packet fields, this should be feasible

When filtering packets, check these fields in addition to packet fields

3 C’s

Consistency: correct ordering of rules Completeness: every packet satisfies at least

one rule Compactness: no redundant rules

SIMPLE** Firewall Example

Accept incoming SMTP packets on Int0 destined for Mail Server

Accept all outgoing packets

Packet Fields

I – incoming interface on the firewall S – original source D – final destination P – transport protocol used T – destination port Many others not used by authors: source

port, packet flags (IP, TCP, others), application layer message, etc.

Continuing the Example

Accept incoming SMTP packets on Int0 destined for Mail Server (I = 0) ^ (S = any) ^ (D = MailServer) ^ (P = TCP)

^ (T = 25) Accept Discard incoming non-SMTP packets on Int0

destined for Mail Server (I = 0) ^ (S = any) ^ (D = MailServer) ^ (P = any) ^

(T = any) Discard

Cont. Discard incoming packets whose source is a

Malicious Host (I = 0) ^ (S = MH) ^ (D = any) ^ (P = any) ^ (T = any)

Discard Accept outgoing HTTP packets from any non-

server host h (I = 1) ^ (S = h) ^ (D = any) ^ (P = TCP) ^ (T = 80)

Accept Accept all outgoing packets

(I = 1) ^ (S = any) ^ (D = any) ^ (P = any) ^ (T = any) Accept

Problems with Example Rules Consistency Error

Rules 1 and 3 can be matched to the same packet, yet have conflicting decisions

Rule 1 will always be applied, thus ignoring the discarding of malicious packets intended by Rule 3

Solution: Place Rule 3 first

Problems Cont.

Completeness Error Packets with (I=0 ^ S≠MH ^ D≠MailServer) do not

satisfy any rules Solution: add the following rule (at the end of list):

(I = 0) ^ (S = any) ^ (D = any) ^ (P = any) ^ (T = any) Accept

Problems Cont.

Compactness Error Rule 4 is redundant All packets matching rule 4 will match rule 5 as

well, with both rules accepting Solution: remove Rule 4

Our Focus

“… a method for designing the sequence of rules of a firewall to be consistent, complete, and compact.”

Start with a firewall decision diagram (defined later) that is processed by a series of algorithms

Resulting FDD is functionally equivalent, yet consistent, complete, and compact

Overall Process - 5 Algorithms

Algorithm Summary

Starting with a user specified FDD f #1 – FDD Reduction

Output: a reduced FDD equivalent to f #2 – FDD Marking

Output: an equivalent, marked version f’ of f

Algorithm Summary

#3 – Firewall Generation A firewall r over the same fields as f’, that is

functionally equivalent to f’ and each rule in r is provided a rank

#4 – Firewall Compaction Output: a compact firewall, equivalent to r

#5 – Firewall Simplification Output: a simple firewall, equivalent to r

Related Work [3] : Existing Design Errors Efficient Data Structures for Rule Checking

[12] : Trie Data Structures [6] : Area Based Quadtrees [8] : Fat Inverted Segment Trees [9] : Survey of such data structures

Specification Languages [3] : Simple Model Definition Language [10] : Lisp-like specification language [4] : Declarative Predicate Language [1] : High level firewall language

More Related Work – Detecting Conflicting Rules [11] : Detecting and Resolving Packet Filter

Conflicts Ambiguity in packet classification deserves more

attention Demonstrates resolving conflicts by prioritization

is ineffective Resolve conflicts by adding filters

More Related Work – Detecting Conflicting Rules [7] : Internet packet filter management and

rectangle geometry Claim that previous best for detecting conflicts

was O(n2 log n) time Their presented approach is O(n3/2) Based on rectangle coverage of a kD-tree and

stripe conflict detection (lots of difficult theory)

More Related Work – Detecting Conflicting Rules [2] : Fast and scalable conflict detection for

packet classifiers Claim the best known algorithm for conflict

detection is naïve comparison, O(n2) Their approach is based on the aggregation of bit

vector data Do not provide theoretical complexity, but state “a

factor of 40 improvement for a 20,000 rule database”

More Related Work – Decision Diagrams [5] : Binary Decision Diagrams [13] : Interval Decision Diagrams Similar to Firewall Decision Diagrams, but the

diagram format is not the focus (nor particularly novel)

Firewall Decision Diagrams

Circles are non-terminal nodes Boxes are terminal nodes (always ‘a’ = Accept or ‘d’ =

Discard for our purposes Arrows are edges Decision Path: directed path from the root to a terminal node

Fields

field Fi: variable whose value is taken from the domain of Fi

Domain of Fi, D(Fi): a predefined interval of nonnegative integers

Packet over fields F0,…, Fn-1: an n-tuple (p0,…, pn-1) where each pi is taken from the corresponding domain and field

Firewall Decision Diagram

An FDD f over the fields F0,…, Fn-1 IS Acyclic and directed graph Satisfies the following 5 properties

f has a root and 2 or more terminal nodes (leaves) each non-terminal node v is labeled with one of

the above fields, F(v); a terminal node v is labeled with ‘a’ or ‘d’

No two nodes on a decision path have the same label

Firewall Decision Diagram

Each edge e leaving node v is labeled with an integer set I(e) (a subset of D(F(v)))

For any non-terminal node v, the set E(v) of all edges leaving v must satisfy: Consistency: any distinct ei and ek in E(v),

I(ei) ∩ I(ek) = empty set

Completeness: Ue є E(v) I(e) = D(F(v))


This FDD is over fields F0, F1

Domain of all fields is [0, 9] one possible decision path:

F0 є [4,5] ^ F1 є [2,3] U [5,7] a In a decision path, there is 0 or 1 Boolean primitive

for each field of the FDD (0 implies any value for that field).


FDDs are represented as a sequence of rules, each of the form F0 є S0 ^ … ^ Fn-1 є Sn-1 <decision>

1 to 1 correspondence of decision paths in the FDD to rules

Order does not matter (later changes) Firewall: sequence of rules that represents an

FDD

Acceptance and Discarding

For a packet (p0,…, pn-1) over fields F0,…,Fn-1 received by an FDD f over the same fields Accepted: iff f has an accepting rule such that

p0 є S0 ^ … ^ pn-1 є Sn-1 holds Discarded: iff f has a discarding rule such that ↑

For the set of all packets, Σ f.accept: the subset of Σ that contains all packets

accepted by f f.discard: the subset of Σ that contains all packets

discarded by f

Acceptance and Discarding

FDD Equivalence: FDDs f and g over the same fields are equivalent iff f.accept = g.accept

and f.discard = g.discard

Thm. 1: for any FDD f over fields F0,…,Fn-1

f.accept ∩ f.discard = empty set f.accept U f.discard = Σ

FDD Reductions

Advantageous to reduce # of decision paths without changing accept and discard sets

Auxiliary Def.--Isomorphic Nodes. Two nodes, v0 and v1, are isomorphic iff (1) or (2) is satisfied. (1) v0 and v1 Are terminal nodes with the same

label (2) v0 and v1 are non-terminal nodes with an 1-to-1

correspondence between the outgoing edges of v0 and outgoing edges of v1

Isomorphic Node Example

The above red-highlighted nodes are isomorphic Same label: F1 2 edges: one edge with label [2,3] U [5,7] incoming

on ‘a’, and one edge with label [0,1] U [4,4] U [8,9] incoming on ‘d’

FDD Reductions

An FDD f is called reduced iff it satisfies the following three conditions: 1. f has no node with exactly one outgoing edge. 2. f has no two edges that are outgoing of one

node and are incoming of another node. 3. f has no two distinct isomorphic nodes.

Algorithm 1: FDD Reduction

Input: an FDD f Output: a reduced FDD that is equivalent to f Repeat steps 1-3 until none can be applied

further 1. If f has a node v0 with only one outgoing edge

e and if e is incoming of another node v1, then remove v0 and e from f and make the incoming edges of v0 incoming of v1.

Algorithm 1

2. If f has two edges e0 and e1 that are outgoing of node v0 and incoming of node v1, then remove e0 and make the label of e1 be the integer set I(e0) U I(e1),where I(e0) and I(e1) are the integer sets that labeled edges e0 and e1 respectively.

3. If f has two isomorphic nodes v0 and v1, then remove node v1 and its outgoing edges, and make the incoming edges of v1 incoming of v0.

Before (below)After (right)3 rule/decision pathreduction

Marking of FDDs

A “Marked” FDD is similar to the reduced FDD, with an “ALL” label being added to a single edge from each node

The number of simple rules eventually generated in the firewall depends upon the “degree” of a marked FDD

Nodes and Edges are given degrees in order to find which edges should be marked ALL

Marking of FDDs (cont.)

Many marked versions of reduced FDDs are possible

Number of simple rules generated by a firewall is determined by the degree of the marked FDD Note that this refers to the final “simple” rules, not the number of rules

that will be generated in the intermediate steps

Degree is determined by which edges are marked ALL

Smaller degree -> Fewer final rules -> Simpler firewall -> Good Thing™


Degree of a set of integers, denoted deg(S), is the smallest number of non-overlapping integer intervals that covers set S.

Ex: For the set {0,1,3,4,5,7,9}, the degree is 4, composed of the intervals [0,1], [3,5], [7,7], and [9,9]


Degree of an edge e is denoted deg(e) If e is marked ALL, then deg(e) = 1 Else, deg(e) = deg(S)

Degree 1

Degree 2

Degree 2

Degree 3


Degree of a node v, denoted deg(v), is calculated using a simple formula

If v is a terminal node, then deg(v) = 1 Else, for a non-terminal node v with k

outgoing edges, e0, …, ek-1 that are incoming of nodes v0, …, vk-1 respectively, then

deg(v) = ∑ deg(ei) × deg(vi)


To put it in simpler terms: The get the degree of a node, take each outgoing edge and multiply its degree by the degree of the node into which the edge leads. Add these together, and you have the degree of the node.


Since the edges marked ALL have such a large impact on the complexity of the firewall, it is critical to pick the ALL-edges carefully and minimize the degree of the FDD

One edge from the collection of edges leaving each node is marked ALL, so pick the edge that would minimize the degree of said node to label ALL

Marking of FDDs – Algorithm 2 Step 1: Compute the degree of each terminal node

v in f as deg(v) = 1 Step 2: For every node v whose degree has not yet

been calculated 1 – Find the outgoing edge e of current node whose

quanity (deg(ej)-1) x deg(vj) is larger than or equal to the corresponding quantity in every other outgoing edge of v

2 – Mark edge ej with ALL Compute the degree of v with the summation formula


Two Marked FDDs from the same Reduced FDD

Terminal Nodes: Degree = 1

2

2

12

1

1

12+1 = 3

3 + 2 = 5

2+1=31

3 + 1 = 4

Firewall Generation

Generated Firewall is a sequence of rules such that each rule corresponds to a decision path in the marked FDD

This step produces the rules of the firewall, as well as a ranking for each rule, and two predicates, the exhibited and the original predicate

Rank is used for ordering the rules, predicates for making the firewall “Compact” in the next step

Firewall Generation (cont.)

For our purposes, a Firewall r over the fields F0,…,Fn-1 is a sequence of rules r0,…,rm-1 where each rule is of the form

F0 Є S0 Λ … Λ Fn-1 Є Sn-1 → <decision>

where each Si is either the mark ALL or a nonempty set of integers from the domain of field Fi, and the <decision> is either a (accept) or d (discard).

Ex. F0 Є [4,7] Λ F1 Є [2,3] U [5,7] → a


For the final rule in a firewall, rm-1, each Si is either the mark ALL or the entire domain of field Fi

This acts as a catchall, ensuring that there is no condition in which the firewall will not know what to do


A packet (p0,…,pn-1) over the fields F0,…,Fn-1 matches a rule ri iff ri is of the aforementioned form and the predicate (p0 Є S0 Λ … Λ pn-1 Є Sn-1) holds

Packet is accepted by the firewall if the firewall has a rule ri such that: the packet matches ri

the packet does not match any rule preceding ri

the <decision> of ri is a (accept)


The set of all packets accepted by firewall r is denoted r.accept, the set of those discarded is denoted r.discard.

For any firewall r over the fields F0,…,Fn-1, r.accept ∩ r.discard = Ø r.accept U r.discard = ∑

where Ø is the empty set and ∑ is the set of all packets over the fields F0,…,Fn-1


From a marked FDD f over the fields

F0,…,Fn-1, we generate a corresponding firewall r such thatr.accept = f.accept, andr.discard = f.discard

We also generate a binary number called the rank, denoted b0…bn-1, where each node contributes one bit to the whole number, and the two predicates which are later used to make the firewall compact, the exhibited predicate (epi) and the original predicate (opi)

Firewall Generation (cont.) – Algorithm 3 Each decision path in the FDD f is converted into a

rule in firewall r To make each rule, go down the decision path one

node at a time, with three separate cases to consider at each node Fi: Case 1: The decision path has no nodes labeled Fi

Case 2: The decision path has a node labeled Fi, and its outgoing edge e has no mark

Case 3: The decision path has a node labeled Fi, and its outgoing edge has an ALL mark

Firewall Generation (cont.) – Algorithm 3 Case 1: The decision path has no nodes labeled Fi

bi = 0Si = the domain [ai, bi] of Fi

Ti = the domain [ai, bi] of Fi In this case, there is no node Fi in the path, but each rule must address each field in

the range 0,…,n-1

Case 2: The decision path has a node labeled Fi, and its outgoing edge e has no markbi = 0Si = the integer set that labels eTi = the integer set that labels e

Case 3: The decision path has a node labeled Fi, and its outgoing edge has an ALL markbi = 1Si = ALLTi = the integer set that labels e

Firewall Generation (cont.) – Algorithm 3 Sample marked FDD has three different

decision paths, resulting in three different rules

Firewall Generation (cont.) – Algorithm 3 Taking Leftmost path:

Node F0: Falls under case 2, so

rank = 0, Si = [4,7], Ti = [4,7]


rank = 0, Si = [2,3]U[5,7], Ti = [2,3]U[5,7]Overall rank: 00

Rule: F0 Є [4,7] Λ F1 Є [2,3]U[5,7]→a

epi: F0 Є [4,7] Λ F1 Є [2,3]U[5,7]

opi: F0 Є [4,7] Λ F1 Є [2,3]U[5,7]

Firewall Generation (cont.) – Algorithm 3 Taking Middle path:


rank = 0, Si = [4,7], Ti = [4,7]


rank = 1, Si =ALL, Ti = [0,1]U[4,4]U[8,9]Overall rank: 01

Rule: F0 Є [4,7] Λ F1 Є ALL→d

epi: F0 Є [4,7] Λ F1 Є ALL

opi: F0 Є [4,7] Λ F1 Є [0,1]U[4,4]U[8,9]

Firewall Generation (cont.) – Algorithm 3 Taking Rightmost path:


rank = 1, Si = ALL, Ti = [0,3]U[8,9]


rank = 0, Si =[0,9], Ti =[0,9]Overall rank: 10

Rule: F0 Є ALL Λ F1 Є [0,9]→d

epi: F0 Є ALL Λ F1 Є [0,9]

opi: F0 Є [0,3]U[8,9] Λ F1 Є [0,9]

Firewall Generation (cont.) – Algorithm 3 Rules are put in ascending order in regards

to their rank Generated Firewall:

r = ( F0 Є [4,7] Λ F1 Є [2,3]U[5,7]→a

F0 Є [4,7] Λ F1 Є ALL→d

F0 Є ALL Λ F1 Є [0,9]→d

)


The rank works based on the priority system. The more specific the rule is, the higher it needs to be. If there is an ALL in the rule, it is assumed that any case in which the input mattered in that field will be taken care of by a previous rule in the ordering.

Firewall Compactness

The firewall which has been generated at this point may include redundant rules, which can be safely removed from the firewall without changing the accept or discard sets, resulting in a simpler, still complete firewall

A Compact firewall is one in which there are no redundant rules

Firewall Compactness (cont.)

Let (r0,…,rm-1) be a firewall over the fields F0,…,Fn-1 as generated by our algorithm. A rule ri, i < m-1 is considered redundant iff for each j, i < j < m-1, and least one of the following two conditions hold <decision> of rj = <decision> of ri

No packet over the fields F0,…,Fn-1 satisfies the predicate ri.op Λ (¬ri+1.ep Λ … Λ ¬rj-1.ep) Λ rj.ep


Explanation: If from rule ri until the end one of these conditions holds for each intermediate rule, that original rule ri is redundant First condition: If rule rj from i to m-1 has the same

decision as ri, then this condition holds. For example, if the last three rules are all d (discard), then the two leading up to the last are redundant, as the last one will take care of those decisions

Second condition: For the rules ri and rj, rj being any rule between ri and the end of the rule listing, the condition holds only if there is a rule between ri and rj which which would satisfy the same packet. If the packet would be satisfied by ri and rj, and no rules in between, then the rule ri is not redundant.

Firewall Compactness (cont.) – Algorithm 4 The algorithm given operates by having an array of

booleans, each slot holding either true or false for redundant or not. The array then starts from the bottom up, with the last rule being ri, and checks every rule after ri one at a time to see if it meets one of the two conditions. If every rule meets one of the conditions, then ri is listed as true. If not, then false. After every rule is checked, those listed as true in the boolean array are removed as they are redundant. The result is a compact array.


Firewall before Compacting r = ( F0 Є [4,7] Λ F1 Є [2,3]U[5,7]→a

F0 Є [4,7] Λ F1 Є ALL→d

F0 Є ALL Λ F1 Є [0,9]→d

)

Rule two is found to be redundant, and can safely be removed from the firewall without changing the accept and discard sets


Firewall after Compacting r = ( F0 Є [4,7] Λ F1 Є [2,3]U[5,7]→a

F0 Є ALL Λ F1 Є [0,9]→d

)

Since rules two and three both were discards, rule two can be removed since rule three will catch any packets that would have been caught by rule two, and still discard them

Firewall Simplification

A rule of the form

F0 Є S0 Λ … Λ Fn-1 Є Sn-1 → <decision>

is called simple iff every Si in the rule is either the ALL marker or a single interval of non-negative integers.

A Firewall is called simple if all of its rules are simple. Even though a simple firewall will have more rules than a non-simple one, the simplicity is preferred to the fewer rules

Firewall Simplification (cont.) – Algorithm 5 To simplify the firewall, break up any complicated

rules by forming two new, simpler rules…simply iterate through the list one rule at a time.

Example: Rule 1 F0 Є [4,7] Λ F1 Є [2,3]U[5,7]→a

F1 Є [2,3]U[5,7] is complex

Can be broken down into two different statements, F1 Є [2,3] and F1 Є [5,7]

New rules: F0 Є [4,7] Λ F1 Є [2,3]→a

F0 Є [4,7] Λ F1 Є [5,7]→a

Firewall Simplification (cont.) Final Simplified Firewall:

r = ( F0 Є [4,7] Λ F1 Є [2,3]→a F0 Є [4,7] Λ F1 Є [5,7]→a

F0 Є ALL Λ F1 Є [0,9]→d

)

Had a firewall been generated directly from the initial FDD, then it would have had 14 simple rules. By reducing the FDD and compacting the rules, we have ended up with a much simpler firewall which has the same accept and discard sets

Summary

This paper details a method of constructing firewalls from supplied FDDs, whose consistency and completeness were hopefully already established. The method takes the FDD through six different stages, from the user specified FDD to the final simple firewall

Summary (cont.)

From the user specified FDD, we apply the reduction algorithm. This simplifies the number of decision paths, resulting in fewer final simple rules in the generated firewall

Summary (cont.)

From the reduced FDD, we apply the Marking algorithm, systematically finding which marked edges would result in the simplest final firewall.

Summary (cont.)

Once marked, the firewall is generated. Each decision path is converted in to a rule, and a ranking system which is included with the rule generation algorithm helps us order the rules properly. Two other predicates are also created to be used to remove redundancy.

Summary (cont.)

Even though the FDD was reduced at an early stage, it is still possibly and even likely that there is still redundancy in the firewall. A carefully applied algorithm removes rules that are found to be redundant, further simplifying the firewall

Summary (cont.)

Once the firewall is known to be compact, a simplification algorithm is applied, which converts all of the complex rules into more, simpler rules. At this point we have our completed firewall

Conclusion

Despite a plethora of typos which made the paper sometimes confusing, the author’s have shown a systematic, testable way of ensuring a consistent, complete, and simple firewall. They developed a series of algorithms which could be applied to any FDD in order to guarantee a simple, effective firewall, effectively automating what was likely a time-consuming, difficult to prove process

Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang...

Documents

Transcript of Firewall Design: Consistency, Completeness, and Compactness Authors: Mohamed G. Gouda and Xing- Yang...