Firewall Design Methods
Haipeng Dai
CS Building
Department of Computer Science and Technology, Nanjing University
Security Guard for Private Buildings
Security Guard for Private Networks
Location: connects Internet and private network
Function: maps every packet to a decision - accept or discard
Configuration: a sequence of rules written by administrator
[Figure: a firewall between the Internet and the private network]
Firewall Example

| Interface | Source IP | Dest. IP | Dest. Port | Protocol | Decision |
|---|---|---|---|---|---|
| 0 | any | mail server | 25 | TCP | accept |
| 0 | malicious hosts | any | any | any | discard |
| 1 | {host1, host2} | any | 80 | TCP | accept |
| any | any | any | any | any | accept |

[Figure: the Internet, a firewall with interfaces 0 and 1, and a private network containing Mail Server, Host 1 and Host 2]
Rules are conflicting
First match: decision for packet = decision of first matching rule
Order matters
Real-life Firewalls are Complex
Number of rules can be large
Legacy rules
Cascade impact of change
Problem
As a result, firewall rules are
─ hard to specify correctly
─ hard to understand correctly
─ hard to change correctly
Consequently, firewall configuration errors are common
─ Most firewalls are poorly designed with errors [Wool'04]
Firewall errors are unacceptable
─ Accept malicious packets: lose security
─ Discard legitimate packets: disrupt business
Problem: How to design firewalls?
State-of-the-art
Industry: tweak and pray
Academia: analyze rules
─ Such as conflict detection ([HSP 00] [EM 01] [BV 02]), anomaly detection ([AH 03] [AH 04])
“God bless my rules”
Structured Firewall Design: Motivation
The convention of designing a firewall directly as a sequence of conflicting rules has been taken for granted
We point out that this convention is BAD.
Why: this convention has three major issues
─ Consistency issue
─ Completeness issue
─ Compactness issue
Consistency Issue
This firewall accepts email from malicious hosts!
This is wrong (assuming this firewall is required to discard all packets from malicious hosts)

| Interface | Source IP | Dest. IP | Dest. Port | Protocol | Decision |
|---|---|---|---|---|---|
| 0 | any | mail server | 25 | TCP | accept |
| 0 | malicious hosts | any | any | any | discard |
| 1 | {host1, host2} | any | 80 | TCP | accept |
| any | any | any | any | any | accept |

We should swap the first two rules
Consistency issue: hard to ensure rules are ordered correctly
Completeness Issue
This firewall accepts
─ non-email packets to the email server!
─ email packets to hosts other than the email server!
This is wrong (assuming this firewall is required to discard the above two types of packets)

| Interface | Source IP | Dest. IP | Dest. Port | Protocol | Decision |
|---|---|---|---|---|---|
| 0 | malicious hosts | any | any | any | discard |
| 0 | any | mail server | 25 | TCP | accept |
| 1 | {host1, host2} | any | 80 | TCP | accept |
| any | any | any | any | any | accept |

Need to add two more rules
Completeness issue: hard to ensure all necessary rules are included

| Interface | Source IP | Dest. IP | Dest. Port | Protocol | Decision |
|---|---|---|---|---|---|
| 0 | malicious hosts | any | any | any | discard |
| 0 | any | mail server | 25 | TCP | accept |
| 0 | any | mail server | any | any | discard |
| 0 | any | any | 25 | TCP | discard |
| 1 | {host1, host2} | any | 80 | TCP | accept |
| any | any | any | any | any | accept |

Compactness Issue
This rule is redundant!
Compactness issue: hard to ensure all rules are needed
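
| Interface | Source IP | Dest. IP | Dest. Port | Protocol | Decision |
|---|---|---|---|---|---|
| 0 | malicious hosts | any | any | any | discard |
| 0 | any | mail server | 25 | TCP | accept |
| 0 | any | mail server | any | any | discard |
| 0 | any | any | 25 | TCP | discard |
| 1 | {host1, host2} | any | 80 | TCP | accept |
| any | any | any | any | any | accept |
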
Consistency, Completeness, and Compactness
Consistency and completeness issues cause firewall errors
Compactness issue causes low firewall performance
─ Fewer rules, faster decision
─ Fast firewalls use TCAM (Ternary Content Addressable Memory)
Solution: Structured Firewall Design
[Figure: packet → Firewall (a sequence of rules) → decision]
Structured Firewall Design
Step 1: Formally specify the function of a firewall using a Firewall Decision Diagram (FDD)
Step 2: Use a series of 3 algorithms to automatically convert the FDD to a compact sequence of rules
Firewall Decision Diagram (FDD)
[Figure: FDD with nodes labelled I, S, D, N and P; edges labelled incoming/outgoing, malicious/~malicious, mail server/~mail server, 25/~25 and TCP/~TCP; terminal nodes labelled a or d]
I: Interface
S: Source IP address
D: Dest. IP address
N: Dest. port number
P: Protocol type
a: accept
d: discard
Two important properties:
1. Consistency Property: addresses the consistency issue
2. Completeness Property: addresses the completeness issue
FDD vs. A Sequence of Conflicting Rules
[Figure: the FDD from the previous slide, shown next to the sequence of rules below]

| I | Source IP | Dest. IP | Dest. Port | Protocol | Decision |
|---|---|---|---|---|---|
| 0 | malicious hosts | any | any | any | d |
| 0 | any | mail server | 25 | TCP | a |
| 0 | any | mail server | any | any | d |
| 0 | any | any | 25 | TCP | d |
| any | any | any | any | any | a |

FDD:
─ easy to understand
─ easy to update
“Goto Statement Considered Harmful”
Edsger W. Dijkstra (1968)
Compatible with Existing Firewalls
Current firewall hardware and software take a sequence of rules
We can convert an FDD to a sequence of rules
[Figure: packet → Firewall (a sequence of rules) → decision]
FDD and Rules
[Figure: FDD with root F1 and three F2 nodes; F1 edge labels [30,50], [51,70] and [1,29][71,100]; F2 edge labels [20,40][60,80], [1,19][41,59][81,100], [1,50] and [51,100]; terminal nodes a and d]
F1∈[30,50] ∧ F2∈[20,40] → a
F1∈[30,50] ∧ F2∈[60,80] → a
…
Total: 14 simple rules
F1, F2: packet fields
F1’s domain = F2’s domain = [1,100]
General rule format: F1∈S1 ∧ … ∧ Fd∈Sd → a/d
Simple rule: each Si is one interval
Firewall implementations require simple rules.
Reduce Number of Rules
Three techniques:
─ FDD reduction
─ FDD marking
─ Redundancy removal
Optimization Ⅰ: FDD Reduction
14 simple rules → 7 simple rules
Similar to BDD (Binary Decision Diagram) reduction [Bryant 1986]
[Figure: the FDD before and after reduction. After reduction the root F1 has edge labels [30,70] and [1,29][71,100], with a single F2 node whose edge labels are [20,40][60,80] and [1,19][41,59][81,100]; terminal nodes a and d]
Optimization Ⅱ: FDD Marking
For each non-terminal node, mark one of its outgoing edges “ALL”.
In depth-first traversal, marked edges are traversed last:
F1∈[30, 70] ∧ F2∈[20, 40] → a
F1∈[30, 70] ∧ F2∈[60, 80] → a
F1∈[30, 70] ∧ F2∈ALL → d
F1∈ALL ∧ F2∈[1, 100] → d
7 simple rules → 4 simple rules
We have an optimal marking algorithm (complexity: O(V+E))
[Figure: the reduced FDD with one outgoing edge of F1 and one outgoing edge of F2 marked ALL]
Optimization Ⅲ: Redundancy Removal
4 simple rules → 3 simple rules
We have an algorithm that can remove all redundant rules
F1∈[30, 70] ∧ F2∈[20, 40] → a
F1∈[30, 70] ∧ F2∈[60, 80] → a
F1∈[30, 70] ∧ F2∈ALL → d
F1∈ALL ∧ F2∈[1, 100] → d
This rule is redundant!
[Figure: the marked FDD from the previous slide]
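The three optimizations above, carried through on the F1/F2 diagram from the "FDD and Rules" slide so that the 14, 7, 4 and 3 rule counts can be reproduced. This is an added example, not code from the slides: the tuple encoding of the FDD, the function names, the greedy choice of which edge to mark, and the brute-force redundancy check are assumptions standing in for the algorithms the slides only name.

```python
from itertools import product

DOMAIN = (1, 100)            # F1's domain = F2's domain = [1,100]
FIELDS = ("F1", "F2")
# FDD of the "FDD and Rules" slide, hand-encoded here (constructed encoding).
# Non-terminal: (field, ((intervals, child), ...)); terminal: "a" or "d".
MIXED = ("F2", ((((20, 40), (60, 80)), "a"),
                (((1, 19), (41, 59), (81, 100)), "d")))
ALL_D = ("F2", ((((1, 50),), "d"), (((51, 100),), "d")))
FDD = ("F1", ((((30, 50),), MIXED), (((51, 70),), MIXED),
              (((1, 29), (71, 100)), ALL_D)))

def merge(ivs):
    """Sort intervals and fuse overlapping or adjacent ones."""
    out = []
    for lo, hi in sorted(ivs):
        if out and lo <= out[-1][1] + 1:
            lo, hi = out[-1][0], max(hi, out.pop()[1])
        out.append((lo, hi))
    return tuple(out)

def reduce_fdd(node):
    """Merge edges that lead to identical subtrees; drop single-edge nodes."""
    if isinstance(node, str):
        return node
    by_child = {}
    for ivs, child in node[1]:
        by_child.setdefault(reduce_fdd(child), []).extend(ivs)
    if len(by_child) == 1:        # node no longer tests anything
        return next(iter(by_child))
    return (node[0], tuple((merge(ivs), c) for c, ivs in by_child.items()))

def gen_rules(node, mark=False):
    """Depth-first rule generation: list of ({field: interval}, decision)."""
    if isinstance(node, str):
        return [({}, node)]
    field, edges = node
    subs = [(ivs, gen_rules(child, mark)) for ivs, child in edges]
    if mark:
        # Mark the edge whose label, replaced by ALL, saves the most simple
        # rules, and emit it last so that first match resolves the overlap.
        best = max(subs, key=lambda s: (len(s[0]) - 1) * len(s[1]))
        subs = [s for s in subs if s is not best] + [((DOMAIN,), best[1])]
    return [({field: iv, **cond}, dec)
            for ivs, sub in subs for iv in ivs for cond, dec in sub]

def first_match(rules, pkt):
    """First matching rule's decision (None if none); missing field = ALL."""
    for cond, dec in rules:
        if all(cond.get(f, DOMAIN)[0] <= v <= cond.get(f, DOMAIN)[1]
               for f, v in zip(FIELDS, pkt)):
            return dec

def remove_redundant(rules):
    """Brute-force compaction: drop a rule if every packet keeps its decision."""
    pkts = list(product(range(DOMAIN[0], DOMAIN[1] + 1), repeat=len(FIELDS)))
    want = [first_match(rules, p) for p in pkts]
    kept = list(rules)
    for r in rules:
        trial = [k for k in kept if k is not r]
        if [first_match(trial, p) for p in pkts] == want:
            kept = trial
    return kept

def pipeline():
    """Rule lists after each stage: raw, reduced, marked, compacted."""
    reduced = reduce_fdd(FDD)
    marked = gen_rules(reduced, mark=True)
    return gen_rules(FDD), gen_rules(reduced), marked, remove_redundant(marked)
```

`pipeline()` returns the four rule lists in order; the exhaustive check in `remove_redundant` is only practical because the two toy fields have 100 values each.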
Summary of Structured Firewall Design
Step 1: Formally specify the function of a firewall using an FDD
Step 2: FDD (consistent, complete) → FDD Reduction → FDD Marking & Rule Generation → Rule Compaction → a sequence of rules (compact)
[Figure labels: Human, Machine]
Not Just Firewalls…
Routers have packet classifiers too.
─ Access control
─ Accounting
─ Quality of Service
Diverse Firewall Design
Two steps:
Step 1: give the same requirement to multiple teams to design firewalls
Step 2: compare multiple firewalls to discover all functional discrepancies
Inspired by N-version programming [Avizienis’77]
Only deploy one firewall because we can discover all discrepancies
Technical Challenge: How to discover all the discrepancies between two given firewalls?
Example
Firewall A:
Firewall B:
Discrepancies between A and B:
F1∈[1, 30] ∧ F2∈[21, 60] → a/d
F1∈[31, 50] ∧ F2∈[41, 60] → a/d
F1∈[51, 100] ∧ F2∈[1, 40] → d/a

F1∈[1, 30] ∧ F2∈[1, 20] → a
F1∈[1, 30] ∧ F2∈[1, 100] → d
F1∈[1, 100] ∧ F2∈[1, 40] → a
F1∈[1, 100] ∧ F2∈[1, 100] → d

F1∈[1, 50] ∧ F2∈[1, 60] → a
F1∈[1, 100] ∧ F2∈[1, 100] → d
Comparing Two Firewalls
Step 1: FDD construction
─ construct an equivalent FDD from each firewall
Step 2: FDD shaping
─ make the two FDDs semi-isomorphic
Step 3: FDD comparison
─ compare the two semi-isomorphic FDDs for discrepancies
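Step 1: FDD Construction
FDD Construction Algorithm
─ Input: a firewall of a sequence of rules
─ Output: an equivalent FDD

F1∈[1, 30] ∧ F2∈[1, 20] → a
F1∈[1, 30] ∧ F2∈[1, 100] → d
F1∈[1, 100] ∧ F2∈[1, 40] → a
F1∈[1, 100] ∧ F2∈[1, 100] → d

F1∈[1, 50] ∧ F2∈[1, 60] → a
F1∈[1, 100] ∧ F2∈[1, 100] → d

[Figure: the FDD constructed from each rule sequence, labelled Firewall A and Firewall B. One FDD has F1 edges [1,30] and [31,100], each leading to an F2 node, with F2 edges [1,20], [21,100] and [1,40], [41,100]. The other has F1 edges [1,50] and [51,100], with F2 edges [1,60] and [61,100] under [1,50] and terminal d under [51,100]]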
Constructing FDD
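(1)
F1∈[1, 30] ∧ F2∈[1, 20] → a
[Figure: partial FDD with F1 edge [1,30] to an F2 node and F2 edge [1,20] to a]
(2)
F1∈[1, 30] ∧ F2∈[1, 20] → a
F1∈[1, 30] ∧ F2∈[1, 100] → d
[Figure: partial FDD with F1 edge [1,30] to an F2 node and F2 edges [1,20] to a, [21,100] to d]
(3)
F1∈[1, 30] ∧ F2∈[1, 20] → a
F1∈[1, 30] ∧ F2∈[1, 100] → d
F1∈[1, 100] ∧ F2∈[1, 40] → a
[Figure: partial FDD with F1 edges [1,30] and [31,100]; under [1,30], F2 edges [1,20] to a and [21,100] to d; under [31,100], F2 edge [1,40] to a]
(4)
F1∈[1, 30] ∧ F2∈[1, 20] → a
F1∈[1, 30] ∧ F2∈[1, 100] → d
F1∈[1, 100] ∧ F2∈[1, 40] → a
F1∈[1, 100] ∧ F2∈[1, 100] → d
[Figure: complete FDD; as in (3), with F2 edge [41,100] to d added under F1 edge [31,100]]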
Step 2: FDD Shaping
Make two FDDs semi-isomorphic
Semi-isomorphic FDDs: exactly same except labels of terminal nodes
[Figure: the two FDDs after shaping. Both have F1 edges [1,30], [31,50] and [51,100]; F2 edges [1,20], [21,60], [61,100] under [1,30]; F2 edges [1,40], [41,60], [61,100] under [31,50]; F2 edges [1,40], [41,100] under [51,100]. Only the labels of terminal nodes differ]
FDD Shaping
Example: make these FDDs semi-isomorphic
[Figure: the two FDDs constructed in Step 1]
FDD Shaping
[Figure: shaping the root. The F1 edges [1,30], [31,100] of one FDD and [1,50], [51,100] of the other are both split into [1,30], [31,50], [51,100]]
FDD Shaping
[Figure: shaping under F1 edge [1,30]. The F2 edges [1,20], [21,100] of one FDD and [1,60], [61,100] of the other are both split into [1,20], [21,60], [61,100]]
FDD Shaping
[Figure: shaping under F1 edge [31,50]. The F2 edges [1,40], [41,100] of one FDD and [1,60], [61,100] of the other are both split into [1,40], [41,60], [61,100]]
FDD Shaping
[Figure: shaping under F1 edge [51,100]. One FDD has an F2 node with edges [1,40] and [41,100]; in the other, the terminal node d is replaced by an F2 node with edge [1,100] to d, which is then split into [1,40] and [41,100]]
Step 3: FDD Comparison
Compare two semi-isomorphic FDDs for discrepancies
[Figure: the two semi-isomorphic FDDs side by side; they differ only in the labels of some terminal nodes]
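The comparison above, run on the two rule sequences of the "Example" slide. This is an added example, not code from the slides: it builds the shaped diagram for both firewalls in one pass instead of separate construction and shaping steps, and `FW_TWO`, `FW_FOUR`, `cuts`, `shaped`, `discrepancies` and `show` are hypothetical names. Decisions are reported as two-rule sequence / four-rule sequence, the order that reproduces the a/d, a/d, d/a listing.

```python
DOMAINS = [(1, 100), (1, 100)]          # domains of F1 and F2 on the slide

# The two rule sequences of the "Example" slide: (interval per field, decision).
FW_FOUR = [(((1, 30), (1, 20)), "a"), (((1, 30), (1, 100)), "d"),
           (((1, 100), (1, 40)), "a"), (((1, 100), (1, 100)), "d")]
FW_TWO = [(((1, 50), (1, 60)), "a"), (((1, 100), (1, 100)), "d")]

def cuts(rule_lists, k):
    """Split field k's domain at every boundary used by any live rule."""
    lo, hi = DOMAINS[k]
    starts = {lo}
    for rules in rule_lists:
        for cond, _ in rules:
            starts |= {cond[k][0], cond[k][1] + 1}
    starts = sorted(s for s in starts if lo <= s <= hi)
    return [(s, nxt - 1) for s, nxt in zip(starts, starts[1:] + [hi + 1])]

def shaped(x, y, k=0):
    """Joint diagram of two complete first-match rule lists.

    A non-terminal is a list of (interval, subtree) edges over field k; a
    terminal is the pair (decision of x, decision of y). Both firewalls share
    every edge label, which is the semi-isomorphic shape.
    """
    if k == len(DOMAINS):
        return (x[0][1], y[0][1])            # first surviving rule decides
    edges = []
    for lo, hi in cuts((x, y), k):
        live = [[r for r in rules if r[0][k][0] <= lo and hi <= r[0][k][1]]
                for rules in (x, y)]
        sub = shaped(live[0], live[1], k + 1)
        if edges and edges[-1][1] == sub:    # same subtree: widen the edge
            edges[-1] = ((edges[-1][0][0], hi), sub)
        else:
            edges.append(((lo, hi), sub))
    return edges

def discrepancies(x, y):
    """Every path whose terminal pair disagrees: (intervals, dec_x, dec_y)."""
    found = []
    def walk(node, path):
        if isinstance(node, tuple):          # terminal pair
            if node[0] != node[1]:
                found.append((tuple(path), node[0], node[1]))
            return
        for interval, sub in node:
            walk(sub, path + [interval])
    walk(shaped(x, y), [])
    return found

def show(x, y):
    """Render the discrepancies in the slide's notation."""
    return [" ∧ ".join(f"F{i + 1}∈[{lo},{hi}]" for i, (lo, hi) in enumerate(p))
            + f" → {dx}/{dy}" for p, dx, dy in discrepancies(x, y)]

if __name__ == "__main__":
    print("\n".join(show(FW_TWO, FW_FOUR)))
```

Both inputs must be complete, meaning the last rule matches every packet; otherwise a terminal has no surviving rule to take its decision from.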
Complexity Analysis
n: total number of rules, d: total number of fields
Size of constructed FDD: O(n^d), d is a constant
For IP packets, d is usually 4
─ Fields: Source IP, Dest. IP, Dest. Port, Protocol Type
In practice, this worst case is very unlikely to happen because firewall rules are not arbitrary
Summary of Diverse Firewall Design
Two firewalls → FDD Construction → Two FDDs → FDD Shaping → Two semi-isomorphic FDDs → FDD Comparison → all discrepancies
Step 1: give the same requirement to multiple teams to design firewalls
Step 2: compare multiple firewalls to discover all functional discrepancies