Complete Redundancy Detection in Firewalls - PowerPoint PPT Presentation

Slides: 19
Provided by: alex78
Learn more at: http://www.cse.msu.edu

Transcript and Presenter's Notes

Title: Complete Redundancy Detection in Firewalls

1
Complete Redundancy Detection in Firewalls
Alex X. Liu, Department of Computer Sciences, The
University of Texas at Austin. Co-author: Mohamed
G. Gouda
2
Firewall Basics
  • A firewall connects a private network and the
    outside Internet such that all incoming and
    outgoing packets have to pass through it.
  • A firewall is a function that maps every packet to a decision.
  • This function is specified by a sequence of rules.

3
Firewall Example
  • A firewall is a list of rules; a packet is compared
    against the rules in order.
  • Conflicts between rules are resolved by first match.
  • Firewalls often have redundant rules.

4
Redundant Rules (Upward)
  • A rule in a firewall is redundant iff eliminating
    the rule does not change the function of the
    firewall.
  • Example (first match wins):
    r1: F ∈ [1, 50] → accept
    r2: F ∈ [40, 90] → discard
    r3: F ∈ [30, 60] → accept
    r4: F ∈ [51, 100] → discard
  • Rule r3 is redundant (upward redundant): every
    packet in [30, 60] is already matched by r1 or r2.
  • A rule r in a firewall is upward redundant iff
    there is no packet whose first matching rule is r.
5
Redundant Rules (Downward)
  • After removing r3:
    r1: F ∈ [1, 50] → accept
    r2: F ∈ [40, 90] → discard
    r4: F ∈ [51, 100] → discard
  • Rule r2 becomes redundant (downward redundant):
    the packets whose first match is r2 are those in
    [51, 90], and each of them would be discarded by
    r4 anyway.
  • A rule r in a firewall is downward redundant iff
    for each packet whose first matching rule is r,
    the first matching rule below r has the same
    decision as r.

6
Redundant Rules Hurt Firewall Performance
  • Packet classification algorithms map a packet to
    a decision using data structures built from
    firewall rules
  • Software based packet classification algorithms
    need
  • either O(n^d) space and O(log n) time
  • or O(n) space and O(log^(d-1) n) time
  • (n = number of rules, d = number of fields)
  • On-chip cache is limited.
  • Hardware based packet classification algorithms
    (TCAM Ternary Content Addressable Memory) need
  • O(n) space and constant time
  • TCAM consumes too much power as n increases.

7
Matching Set vs. Resolving Set
  • Let f be any firewall that consists of n
    rules ⟨r1, r2, ..., rn⟩.
  • The matching set M(ri) of rule ri is set of all
    packets that match ri.
  • The resolving set R(ri, f) of rule ri in f is set
    of all packets that match ri, but do not match
    any rule listed before ri in f.

  Example (the firewall of slide 4):
    r1: F ∈ [1, 50] → accept      M(r1) = R(r1, f) = [1, 50]
    r2: F ∈ [40, 90] → discard    M(r2) = [40, 90], R(r2, f) = [40, 90] − [1, 50] = [51, 90]
    r3: F ∈ [30, 60] → accept     M(r3) = [30, 60], R(r3, f) = [30, 60] − [40, 90] − [1, 50] = ∅
    r4: F ∈ [51, 100] → discard   M(r4) = [51, 100], R(r4, f) = [51, 100] − [30, 60] − [40, 90] − [1, 50] = [91, 100]
8
Redundancy Theorem
  • A rule ri is redundant in f iff
  • (1) R(ri, f) = ∅, or
  • (2) R(ri, f) ≠ ∅, and for any packet p in R(ri, f),
    the firewall ⟨r_{i+1}, r_{i+2}, ..., r_n⟩ yields the
    same decision for p as ri does.
  • ri is upward redundant iff (1)
  • ri is downward redundant iff (2)
  • To calculate R(ri, f) we use Firewall Decision
    Trees.

9
Firewall Decision Trees (FDTs)
  • Consistency
  • for any two outgoing edges of a node, their
    labels are non-overlapping
  • Completeness
  • the union of the labels of all the outgoing
    edges of a node is the domain of the label of
    that node

  FDT example (the root tests F1, its children test F2):
    F1 ∈ [1, 19] ∪ [51, 100] → F2 ∈ [1, 100] → d
    F1 ∈ [20, 50]            → F2 ∈ [1, 34]  → d
                               F2 ∈ [35, 65] → a
                               F2 ∈ [66, 100] → d
  • A decision path in an FDT defines a rule.
  • Example: F1 ∈ [1, 19] ∪ [51, 100] ∧ F2 ∈ [1, 100] → d

10
Calculate Resolving Set
  • Calculate R(ri, f) for each rule ri while
    constructing an equivalent FDT.
  • Definition: A set of rules {e1, e2, ..., ek} is
    called an effective rule set of ri if
  • (1) every ej has the same decision as ri,
  • (2) M(e1) ∪ M(e2) ∪ ... ∪ M(ek) = R(ri, f).
  • Example firewall:
    r1: F1 ∈ [20, 50] ∧ F2 ∈ [35, 65] → a
    r2: F1 ∈ [10, 60] ∧ F2 ∈ [15, 45] → d
    r3: F1 ∈ [30, 40] ∧ F2 ∈ [25, 55] → a
    r4: F1 ∈ [1, 100] ∧ F2 ∈ [1, 100] → d
  • After inserting r1, the FDT is the single path
    F1 ∈ [20, 50] → F2 ∈ [35, 65] → a, so
  • E1 = {F1 ∈ [20, 50] ∧ F2 ∈ [35, 65] → a}
11
Detecting Upward Redundant Rules
  Firewall (as on slide 10):
    r1: F1 ∈ [20, 50] ∧ F2 ∈ [35, 65] → a
    r2: F1 ∈ [10, 60] ∧ F2 ∈ [15, 45] → d
    r3: F1 ∈ [30, 40] ∧ F2 ∈ [25, 55] → a
    r4: F1 ∈ [1, 100] ∧ F2 ∈ [1, 100] → d
  FDT after inserting r1 and r2:
    F1 ∈ [20, 50]            → F2 ∈ [35, 65] → a
                               F2 ∈ [15, 34] → d
    F1 ∈ [10, 19] ∪ [51, 60] → F2 ∈ [15, 45] → d
  • E1 = {F1 ∈ [20, 50] ∧ F2 ∈ [35, 65] → a},
  • E2 = {F1 ∈ [10, 19] ∪ [51, 60] ∧ F2 ∈ [15, 45] → d,
          F1 ∈ [20, 50] ∧ F2 ∈ [15, 34] → d},
  • Similarly, we get
  • E3 = ∅,
  • E4 = {F1 ∈ [1, 9] ∪ [61, 100] ∧ F2 ∈ [1, 100] → d,
          F1 ∈ [20, 29] ∪ [41, 50] ∧ F2 ∈ [1, 14] ∪ [66, 100] → d,
          F1 ∈ [30, 40] ∧ F2 ∈ [1, 14] ∪ [66, 100] → d,
          F1 ∈ [10, 19] ∪ [51, 60] ∧ F2 ∈ [1, 14] ∪ [46, 100] → d}
  • E3 = ∅, so r3 is upward redundant.
12
Detecting Downward Redundant Rules
  • Consider a rule r and a non-overlapping firewall
    ⟨r1, r2, ..., rn⟩ (no packet matches two of its
    rules). If r does not conflict with any rule ri,
    i.e. no packet matches both r and ri unless the
    two rules have the same decision, then
  • ⟨r, r1, r2, ..., rn⟩ ≡ ⟨r1, r2, ..., rn⟩.
  • Example:
    r:  F ∈ [20, 40] → accept
    r1: F ∈ [1, 50] → accept
    r2: F ∈ [51, 100] → discard
13
Detecting Downward Redundant Rules (cont.)
  • To test whether ri is downward redundant
  • (1) calculate an effective rule set {e1, e2, ...,
    ek} of ri,
  • (2) convert the firewall ⟨r_{i+1}, r_{i+2}, ..., r_n⟩
    to a non-overlapping firewall,
  • (3) ri is downward redundant iff ej and rm do
    not conflict
  • for any 1 ≤ j ≤ k and i+1 ≤ m ≤ n.
  • To convert the firewall ⟨r_{i+1}, r_{i+2}, ..., r_n⟩
    to a non-overlapping firewall, we construct an
    equivalent FDT.

14
Detecting Downward Redundant Rules (cont.)
  Firewall:
    r1: F1 ∈ [20, 50] ∧ F2 ∈ [35, 65] → a
    r2: F1 ∈ [10, 60] ∧ F2 ∈ [15, 45] → d
    r3: F1 ∈ [1, 100] ∧ F2 ∈ [1, 100] → d
  FDT of ⟨r3⟩, the rules below r2:
    F1 ∈ [1, 100] → F2 ∈ [1, 100] → d
  E2 = {F1 ∈ [10, 19] ∪ [51, 60] ∧ F2 ∈ [15, 45] → d,
        F1 ∈ [20, 50] ∧ F2 ∈ [15, 34] → d}
  • Rule r2 is downward redundant: both rules in E2
    decide d, as does the only rule of the FDT, so
    nothing conflicts.

15
Summarize
  • Detect upward redundant rules
  • (1) Calculate effective rule set for every rule
    while constructing FDT top down,
  • (2) Rule whose effective rule set is empty is
    upward redundant.
  • Detect downward redundant rules
  • (1) Construct FDT bottom up,
  • (2) Check whether a rule is downward redundant
    by comparing the rule's effective rule set and
    the FDT.
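The procedure of slides 7 to 15 (resolving sets, the redundancy theorem, and the upward and downward checks) carried through in code. This is an added example, not the authors' code: it represents each rule as a box of inclusive integer ranges, computes R(ri, f) as a list of disjoint boxes (an effective rule set of ri) by box subtraction rather than by building an FDT, and checks condition (2) of the theorem by splitting each box along the first rule below that overlaps it, which is the same decomposition the FDT performs. The two rule sets are the slides' example firewalls, constructed here; the class and function names are this example's own.

```python
"""Redundancy detection for box (range) firewall rules.

Added example, not the presentation authors' code. A rule is a
d-dimensional box of inclusive integer ranges plus a decision; a packet
is an integer point; the first matching rule decides.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Box = Tuple[Tuple[int, int], ...]   # one inclusive (lo, hi) range per field


@dataclass(frozen=True)
class Rule:
    name: str
    box: Box
    decision: str


def box_intersect(a: Box, b: Box) -> Optional[Box]:
    """Intersection of two boxes, or None if no packet matches both."""
    out = []
    for (alo, ahi), (blo, bhi) in zip(a, b):
        lo, hi = max(alo, blo), min(ahi, bhi)
        if lo > hi:
            return None
        out.append((lo, hi))
    return tuple(out)


def box_minus(b: Box, m: Box) -> List[Box]:
    """Disjoint boxes covering b minus m (packets of b that m does not match)."""
    inter = box_intersect(b, m)
    if inter is None:
        return [b]
    pieces: List[Box] = []
    cur = list(b)
    for k, ((lo, hi), (ilo, ihi)) in enumerate(zip(b, inter)):
        if lo < ilo:
            pieces.append(tuple(cur[:k] + [(lo, ilo - 1)] + cur[k + 1:]))
        if ihi < hi:
            pieces.append(tuple(cur[:k] + [(ihi + 1, hi)] + cur[k + 1:]))
        cur[k] = (ilo, ihi)   # later pieces are confined to the overlap on field k
    return pieces


def resolving_set(rules: List[Rule], i: int) -> List[Box]:
    """R(r_i, f): packets matching r_i but no earlier rule, as disjoint boxes.
    Paired with r_i's decision these boxes form an effective rule set of r_i."""
    boxes = [rules[i].box]
    for earlier in rules[:i]:
        boxes = [p for b in boxes for p in box_minus(b, earlier.box)]
    return boxes


def first_match_agrees(box: Box, rules: List[Rule], start: int, decision: str) -> bool:
    """Condition (2) of the theorem for one box: every packet in it is matched
    by some rule in rules[start:], and its first such match carries `decision`."""
    for m in range(start, len(rules)):
        if box_intersect(box, rules[m].box) is None:
            continue
        if rules[m].decision != decision:
            return False          # some packet's first match below disagrees
        rest = box_minus(box, rules[m].box)   # packets r_m does not match go on
        return all(first_match_agrees(p, rules, m + 1, decision) for p in rest)
    return False                  # unmatched packets: removing r_i changes f


def classify(rules: List[Rule]) -> Dict[str, Optional[str]]:
    """Map rule name -> 'upward', 'downward' or None, relative to this firewall."""
    result: Dict[str, Optional[str]] = {}
    for i, r in enumerate(rules):
        R = resolving_set(rules, i)
        if not R:
            result[r.name] = "upward"
        elif all(first_match_agrees(b, rules, i + 1, r.decision) for b in R):
            result[r.name] = "downward"
        else:
            result[r.name] = None
    return result


def remove_redundant(rules: List[Rule]) -> List[Rule]:
    """Drop redundant rules one at a time, re-checking the shrunken firewall
    after each removal (redundancy is relative to the current rule list)."""
    rules = list(rules)
    while True:
        verdict = classify(rules)
        doomed = next((r for r in rules if verdict[r.name]), None)
        if doomed is None:
            return rules
        rules.remove(doomed)


# Constructed sample input: the one-field firewall of slides 4-5.
ONE_FIELD = [
    Rule("r1", ((1, 50),), "accept"),
    Rule("r2", ((40, 90),), "discard"),
    Rule("r3", ((30, 60),), "accept"),
    Rule("r4", ((51, 100),), "discard"),
]
# Constructed sample input: the two-field firewall of slides 10-11.
TWO_FIELD = [
    Rule("r1", ((20, 50), (35, 65)), "a"),
    Rule("r2", ((10, 60), (15, 45)), "d"),
    Rule("r3", ((30, 40), (25, 55)), "a"),
    Rule("r4", ((1, 100), (1, 100)), "d"),
]

if __name__ == "__main__":
    for fw in (ONE_FIELD, TWO_FIELD):
        print(classify(fw), "->", [r.name for r in remove_redundant(fw)])
```

classify reports redundancy relative to the firewall as given: in the one-field firewall only r3 is flagged, and r2 only becomes downward redundant once r3 is gone (in the original list, packets in [51, 60] would fall through to r3 and be accepted). That is why remove_redundant deletes one rule per round and re-runs the check, ending with ⟨r1, r4⟩ for both sample firewalls.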

16
Previous Work
  • Gupta (2000) identified two special types of
    redundant rules: backward redundant rules and
    forward redundant rules.
  • Backward redundant rules: A rule r in a firewall
    is backward redundant iff there exists another
    rule r′ listed above r such that all packets that
    match r also match r′.
  • Backward redundant rules ⊂ Upward redundant rules
  • Example:
    r1: F1 ∈ [1, 50] → accept
    r2: F1 ∈ [40, 90] → discard
    r3: F1 ∈ [30, 60] → accept
    r4: F1 ∈ [51, 100] → discard
    r3 is upward redundant but not backward redundant:
    no single rule above it matches all of [30, 60].
17
Previous Work (cont.)
  • Forward redundant rules: A rule r in a firewall
    is forward redundant iff there exists another
    rule r′ listed below r such that the following
    three conditions hold
  • (1) all packets that match r also match r′,
  • (2) r and r′ have the same decision,
  • (3) for each rule r″ listed between r and r′,
    either r″ and r have the same decision or no
    packet matches both r″ and r.
  • Forward redundant rules ⊂ Downward redundant rules
  • Example:
    r1: F1 ∈ [1, 50] → accept
    r2: F1 ∈ [40, 90] → discard
    r4: F1 ∈ [51, 100] → discard
    r2 is downward redundant but not forward redundant:
    no single rule below it matches all of [40, 90].
18
Our Contribution
  • Solve the problem of detecting all redundant
    rules
  • We give a necessary and sufficient condition for
    identifying all redundant rules.
  • We present algorithms for detecting all redundant
    rules.