Diverse Firewall Design - PowerPoint PPT Presentation

Slides: 17
Provided by: cse58
Learn more at: http://www.cse.msu.edu
Transcript and Presenter's Notes


1
Diverse Firewall Design
  • Alex X. Liu
  • The University of Texas at Austin, U.S.A.

July 1, 2004. Co-author: Mohamed G. Gouda
2
Firewall
  • It is a sequence of rules to decide to accept or discard any packet.
  • Example: packet (F1, F2)
  • Firewall design is error-prone.

3
How to reduce firewall design errors?
  • Solution: Diverse Firewall Design
  • Motivated by N-version programming (Avizienis 1977) and back-to-back
    testing (Vouk 1988)
  • Differs from N-version programming:
    • only one version deployed
  • Differs from back-to-back testing:
    • all discrepancies discovered

4
Diverse Firewall Design
  • Design phase
    • Same specification given to multiple teams to design firewalls
  • Comparison phase
    • Compare multiple firewalls to discover all discrepancies

5
How to compare two firewalls?
  • Step 1: construct an equivalent ordered FDD for each firewall
  • Step 2: make two ordered FDDs semi-isomorphic
  • Step 3: compare two semi-isomorphic FDDs for discrepancies

6
Firewall Decision Diagram (FDD)
[Figure: example FDD over fields F1 and F2, with interval-labelled edges and terminal nodes labelled a and d]
  • Consistency
    • labels of any two siblings are non-overlapping
  • Completeness
    • union of labels of all siblings is the domain of the field

7
Step 1
  • Construct an equivalent ordered FDD for each firewall
  • (An FDD is ordered if the labels along every path in the FDD are
    consistent with the same total order.)

8
Applying Step 1
[Figure: four panels, (1) to (4), of FDDs over F1 and F2 with interval-labelled edges and terminal nodes labelled a and d]
9
Step 2
  • Make two ordered FDDs semi-isomorphic
  • Semi-isomorphic FDDs
    • exactly the same except for the labels of terminal nodes
  • Example: make these FDDs semi-isomorphic

[Figure: two ordered FDDs over F1 and F2, with interval-labelled edges and terminal nodes labelled a and d]
10
Applying Step 2
[Figure: FDDs over F1 and F2 with interval-labelled edges and terminal nodes labelled a and d]
11
Results of Step 2
[Figure: two FDDs over F1 and F2 with the same interval-labelled edges and terminal nodes labelled a and d]
12
Step 3
  • Compare two semi-isomorphic FDDs for discrepancies
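
The three steps above, as an added Python example that is not the authors' Java implementation: it builds an ordered FDD for each rule sequence, then walks both FDDs together, splitting edges at common boundaries as the shaping step would and reporting every region where the terminals differ. The rule format, the 1 to 100 domain for both fields and the two sample designs are constructed assumptions, and the recursive construction used here is a simple one, not necessarily the algorithm from the talk.

```python
# Added example. A rule is (one (lo, hi) interval per field, decision);
# the first matching rule wins and the last rule is a catch-all default.
DOMAIN = (1, 100)  # assumed domain of every field

def build_fdd(rules, depth=0, nfields=2):
    """Step 1: ordered FDD; a node is a list of (lo, hi, child) edges."""
    if depth == nfields:
        return rules[0][1]                  # first surviving rule decides
    cuts = {DOMAIN[0], DOMAIN[1] + 1}       # start of each elementary interval
    for ivs, _ in rules:
        cuts |= {ivs[depth][0], ivs[depth][1] + 1}
    cuts, edges = sorted(cuts), []
    for lo, nxt in zip(cuts, cuts[1:]):
        # Rules whose interval on this field covers [lo, nxt - 1] stay live.
        live = [r for r in rules
                if r[0][depth][0] <= lo and nxt - 1 <= r[0][depth][1]]
        child = build_fdd(live, depth + 1, nfields)
        if edges and edges[-1][2] == child:  # merge siblings with equal subtrees
            edges[-1] = (edges[-1][0], nxt - 1, child)
        else:
            edges.append((lo, nxt - 1, child))
    return edges

def discrepancies(n1, n2, path=()):
    """Steps 2 and 3 fused: split edges at common boundaries, compare terminals."""
    if isinstance(n1, str):                 # both walks reach terminals together
        return [(path, n1, n2)] if n1 != n2 else []
    out, i, j, lo = [], 0, 0, DOMAIN[0]
    while i < len(n1) and j < len(n2):
        hi = min(n1[i][1], n2[j][1])        # end of the shared sub-interval
        out += discrepancies(n1[i][2], n2[j][2], path + ((lo, hi),))
        i, j, lo = i + (n1[i][1] == hi), j + (n2[j][1] == hi), hi + 1
    return out

# Constructed sample designs over fields (F1, F2); 'a' = accept, 'd' = discard.
DESIGN_A = [(((1, 50), (1, 60)), "a"),
            (((1, 100), (1, 100)), "d")]
DESIGN_B = [(((1, 100), (61, 100)), "d"),
            (((1, 30), (1, 100)), "a"),
            (((1, 100), (1, 100)), "d")]

if __name__ == "__main__":
    fdd_a, fdd_b = build_fdd(DESIGN_A), build_fdd(DESIGN_B)
    for region, dec_a, dec_b in discrepancies(fdd_a, fdd_b):
        print(f"F1 in {region[0]}, F2 in {region[1]}: A={dec_a}, B={dec_b}")
```

Each reported region is a set of packets the two teams decided differently, which is what the comparison phase hands back to the designers to resolve.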

13
Applying Step 3
[Figure: two FDDs over F1 and F2 with interval-labelled edges and terminal nodes labelled a and d]
14
Example
  • 1. Design A of firewall
  • 2. Design B of firewall
  • 3. Comparison

[Figure: FDD over F1 and F2 with interval-labelled edges and terminal nodes labelled a and d]
15
Experimental Results
  • Three algorithms implemented in Java JDK 1.4
  • Experiments carried out on SunBlade 2000
    (OS: Solaris 9, CPU: 1 GHz, memory: 1 GB)

16
Conclusions
  • Three contributions
    • Propose diverse firewall design method
    • Present a suite of algorithms to enable diverse firewall design
      • FDD Construction Algorithm
      • FDD Shaping Algorithm
      • FDD Comparison Algorithm method
    • FDD construction algorithm can be used to convert a conflict-infested
      firewall to a conflict-free firewall