Firewall Design: Consistency, Completeness, and Compactness

1
Firewall Design Consistency, Completeness, and
Compactness

• Authors Mohamed G. Gouda and Xing-Yang Alex Liu
• Presenters Jonathan Fomby and
• Matthew Ginley

2
Firewall Basics

• Placed at the entrance (borders) of private
  networks
• Examine all traffic passing through (source IP,
  dest IP, etc.)
• Accept, Discard, Log, Reply, Re-route, etc. as
  appropriate
• Implemented as additional software or stand-alone
  hardware (appliance)
• Functionally the same as packet filter or packet
  classifier, yet firewall implies security

3
Firewall as a Set of Rules

• Firewall functionality can be represented as an
  ordered list of rules
• Rule format
• Traditionally displayed as a table, but this
  paper uses individual Boolean formulas
• ltpredicategt ? ltdecisiongt
• authors only consider accept and discard
  decisions
• predicate is Boolean expression over packet fields

4
Firewalls As a Table (text p. 627)
5
Firewall As a List of Rules

• ( I0 Sany Ds Ptcp T25 ? a,
• I0 Sany Ds Pany Tany ? d,
• I0 Sm Dany Pany Tany ? d,
• I1 Sh Dany Pany Tany ? a,
• I1 Sany Dany Pany Tany ? a )
• An ordered listing of Boolean expressions

6
Firewall Operation

• Rules are compared individually against a packet
• Rules compared according to a specified order
  (i.e. importance)
• The first rule to match is chosen and followed
• Usually a final catch-all rule (probably discard)

7
Firewalls Stateful Packet Filters (text
p.629)

• traditional packet filters do not examine higher
  layer context
• i.e. matching return packets with outgoing flow
• stateful packet filters address this need
• they examine each IP packet in context
• keep track of client-server sessions
• check each packet validly belongs to one
• hence are better able to detect bogus packets out
  of context

8
Note of Limitation

• The authors do not discuss state considerations
• By adding state fields to packet fields, this
  should be feasible
• When filtering packets, check these fields in
  addition to packet fields

9
3 Cs

• Consistency correct ordering of rules
• Completeness every packet satisfies at least one
  rule
• Compactness no redundant rules

10
SIMPLE Firewall Example

• Accept incoming SMTP packets on Int0 destined for
  Mail Server
• Accept all outgoing packets

11
Packet Fields

• I incoming interface on the firewall
• S original source
• D final destination
• P transport protocol used
• T destination port
• Many others not used by authors source port,
  packet flags (IP, TCP, others), application layer
  message, etc.

12
Continuing the Example

• Accept incoming SMTP packets on Int0 destined for
  Mail Server
• (I 0) (S any) (D MailServer) (P
  TCP) (T 25) ? Accept
• Discard incoming non-SMTP packets on Int0
  destined for Mail Server
• (I 0) (S any) (D MailServer) (P
  any) (T any) ? Discard

13
Cont.

• Discard incoming packets whose source is a
  Malicious Host
• (I 0) (S MH) (D any) (P any) (T
  any) ? Discard
• Accept outgoing HTTP packets from any non-server
  host h
• (I 1) (S h) (D any) (P TCP) (T
  80) ? Accept
• Accept all outgoing packets
• (I 1) (S any) (D any) (P any) (T
  any) ? Accept

14
Problems with Example Rules

• Consistency Error
• Rules 1 and 3 can be matched to the same packet,
  yet have conflicting decisions
• Rule 1 will always be applied, thus ignoring the
  discarding of malicious packets intended by Rule
  3
• Solution Place Rule 3 first

15
Problems Cont.

• Completeness Error
• Packets with (I0 S?MH D?MailServer) do not
  satisfy any rules
• Solution add the following rule (at the end of
  list)
• (I 0) (S any) (D any) (P any) (T
  any) ? Accept

16
Problems Cont.

• Compactness Error
• Rule 4 is redundant
• All packets matching rule 4 will match rule 5 as
  well, with both rules accepting
• Solution remove Rule 4

17
Our Focus

• a method for designing the sequence of rules
  of a firewall to be consistent, complete, and
  compact.
• Start with a firewall decision diagram (defined
  later) that is processed by a series of
  algorithms
• Resulting FDD is functionally equivalent, yet
  consistent, complete, and compact

18
Overall Process - 5 Algorithms
19
Algorithm Summary

• Starting with a user specified FDD f
• 1 FDD Reduction
• Output a reduced FDD equivalent to f
• 2 FDD Marking
• Output an equivalent, marked version f of f

20
Algorithm Summary

• 3 Firewall Generation
• A firewall r over the same fields as f, that is
  functionally equivalent to f and each rule in r
  is provided a rank
• 4 Firewall Compaction
• Output a compact firewall, equivalent to r
• 5 Firewall Simplification
• Output a simple firewall, equivalent to r

21
Related Work

• 3 Existing Design Errors
• Efficient Data Structures for Rule Checking
• 12 Trie Data Structures
• 6 Area Based Quadtrees
• 8 Fat Inverted Segment Trees
• 9 Survey of such data structures
• Specification Languages
• 3 Simple Model Definition Language
• 10 Lisp-like specification language
• 4 Declarative Predicate Language
• 1 High level firewall language

22
More Related Work Detecting Conflicting Rules

• 11 Detecting and Resolving Packet Filter
  Conflicts
• Ambiguity in packet classification deserves more
  attention
• Demonstrates resolving conflicts by
  prioritization is ineffective
• Resolve conflicts by adding filters

23
More Related Work Detecting Conflicting Rules

• 7 Internet packet filter management and
  rectangle geometry
• Claim that previous best for detecting conflicts
  was O(n2 log n) time
• Their presented approach is O(n3/2)
• Based on rectangle coverage of a kD-tree and
  stripe conflict detection (lots of difficult
  theory)

24
More Related Work Detecting Conflicting Rules

• 2 Fast and scalable conflict detection for
  packet classifiers
• Claim the best known algorithm for conflict
  detection is naïve comparison, O(n2)
• Their approach is based on the aggregation of bit
  vector data
• Do not provide theoretical complexity, but state
  a factor of 40 improvement for a 20,000 rule
  database

25
More Related Work Decision Diagrams

• 5 Binary Decision Diagrams
• 13 Interval Decision Diagrams
• Similar to Firewall Decision Diagrams, but the
  diagram format is not the focus (nor particularly
  novel)

26
Firewall Decision Diagrams

• Circles are non-terminal nodes
• Boxes are terminal nodes (always a Accept or
  d Discard for our purposes
• Arrows are edges
• Decision Path directed path from the root to a
  terminal node

27
Fields

• field Fi variable whose value is taken from the
  domain of Fi
• Domain of Fi, D(Fi) a predefined interval of
  nonnegative integers
• Packet over fields F0,, Fn-1 an n-tuple (p0,,
  pn-1) where each pi is taken from the
  corresponding domain and field

28
Firewall Decision Diagram

• An FDD f over the fields F0,, Fn-1 IS
• Acyclic and directed graph
• Satisfies the following 5 properties
• f has a root and 2 or more terminal nodes
  (leaves)
• each non-terminal node v is labeled with one of
  the above fields, F(v) a terminal node v is
  labeled with a or d
• No two nodes on a decision path have the same
  label

29
Firewall Decision Diagram

• Each edge e leaving node v is labeled with an
  integer set I(e) (a subset of D(F(v)))
• For any non-terminal node v, the set E(v) of all
  edges leaving v must satisfy
• Consistency any distinct ei and ek in E(v),
• I(ei) n I(ek) empty set
• Completeness Ue ? E(v) I(e) D(F(v))

30
Firewall Decision Diagrams

• This FDD is over fields F0, F1
• Domain of all fields is 0, 9
• one possible decision path
• F0 ? 4,5 F1 ? 2,3 U 5,7 ? a
• In a decision path, there is 0 or 1 Boolean
  primitive for each field of the FDD (0 implies
  any value for that field).

31
Firewall Decision Diagrams

• FDDs are represented as a sequence of rules, each
  of the form
• F0 ? S0 Fn-1 ? Sn-1 ? ltdecisiongt
• 1 to 1 correspondence of decision paths in the
  FDD to rules
• Order does not matter (later changes)
• Firewall sequence of rules that represents an FDD

32
Acceptance and Discarding

• For a packet (p0,, pn-1) over fields F0,,Fn-1
  received by an FDD f over the same fields
• Accepted iff f has an accepting rule such that
• p0 ? S0 pn-1 ? Sn-1 holds
• Discarded iff f has a discarding rule such that
  ?
• For the set of all packets, S
• f.accept the subset of S that contains all
  packets accepted by f
• f.discard the subset of S that contains all
  packets discarded by f

33
Acceptance and Discarding

• FDD Equivalence FDDs f and g over the same
  fields are equivalent iff
• f.accept g.accept
• and
• f.discard g.discard
• Thm. 1 for any FDD f over fields F0,,Fn-1
• f.accept n f.discard empty set
• f.accept U f.discard S

34
FDD Reductions

• Advantageous to reduce of decision paths
  without changing accept and discard sets
• Auxiliary Def.--Isomorphic Nodes. Two nodes, v0
  and v1, are isomorphic iff (1) or (2) is
  satisfied.
• (1) v0 and v1 Are terminal nodes with the same
  label
• (2) v0 and v1 are non-terminal nodes with an
  1-to-1 correspondence between the outgoing edges
  of v0 and outgoing edges of v1

35
Isomorphic Node Example

• The above red-highlighted nodes are isomorphic
• Same label F1
• 2 edges one edge with label 2,3 U 5,7
  incoming on a, and one edge with label 0,1 U
  4,4 U 8,9 incoming on d

36
FDD Reductions

• An FDD f is called reduced iff it satisfies the
  following three conditions
• 1. f has no node with exactly one outgoing edge.
• 2. f has no two edges that are outgoing of one
  node and are incoming of another node.
• 3. f has no two distinct isomorphic nodes.

37
Algorithm 1 FDD Reduction

• Input an FDD f
• Output a reduced FDD that is equivalent to f
• Repeat steps 1-3 until none can be applied
  further
• 1. If f has a node v0 with only one outgoing edge
  e and if e is incoming of another node v1, then
  remove v0 and e from f and make the incoming
  edges of v0 incoming of v1.

38
Algorithm 1

• 2. If f has two edges e0 and e1 that are outgoing
  of node v0 and incoming of node v1, then remove
  e0 and make the label of e1 be the integer set
  I(e0) U I(e1),where I(e0) and I(e1) are the
  integer sets that labeled edges e0 and e1
  respectively.
• 3. If f has two isomorphic nodes v0 and v1, then
  remove node v1 and its outgoing edges, and make
  the incoming edges of v1 incoming of v0.

39
Before (below)After (right)3 rule/decision
pathreduction
40
Marking of FDDs

• A Marked FDD is similar to the reduced FDD,
  with an ALL label being added to a single edge
  from each node
• The number of simple rules eventually generated
  in the firewall depends upon the degree of a
  marked FDD
• Nodes and Edges are given degrees in order to
  find which edges should be marked ALL

41
Marking of FDDs (cont.)

• Many marked versions of reduced FDDs are possible
• Number of simple rules generated by a firewall is
  determined by the degree of the marked FDD
• Note that this refers to the final simple
  rules, not the number of rules that will be
  generated in the intermediate steps
• Degree is determined by which edges are marked
  ALL
• Smaller degree -gt Fewer final rules -gt Simpler
  firewall -gt Good Thing

42
Marking of FDDs (cont.)

• Degree of a set of integers, denoted deg(S), is
  the smallest number of non-overlapping integer
  intervals that covers set S.
• Ex For the set 0,1,3,4,5,7,9, the degree is
  4, composed of the intervals 0,1, 3,5, 7,7,
  and 9,9

43
Marking of FDDs (cont.)

• Degree of an edge e is denoted deg(e)
• If e is marked ALL, then deg(e) 1
• Else, deg(e) deg(S)

Degree 1
Degree 2
Degree 2
Degree 3
44
Marking of FDDs (cont.)

• Degree of a node v, denoted deg(v), is calculated
  using a simple formula
• If v is a terminal node, then deg(v) 1
• Else, for a non-terminal node v with k outgoing
  edges, e0, , ek-1 that are incoming of nodes v0,
  , vk-1 respectively, then
• deg(v) ? deg(ei) deg(vi)

45
Marking of FDDs (cont.)

• To put it in simpler terms The get the degree
  of a node, take each outgoing edge and multiply
  its degree by the degree of the node into which
  the edge leads. Add these together, and you have
  the degree of the node.

46
Marking of FDDs (cont.)

• Since the edges marked ALL have such a large
  impact on the complexity of the firewall, it is
  critical to pick the ALL-edges carefully and
  minimize the degree of the FDD
• One edge from the collection of edges leaving
  each node is marked ALL, so pick the edge that
  would minimize the degree of said node to label
  ALL

47
Marking of FDDs Algorithm 2

• Step 1 Compute the degree of each terminal node
  v in f as deg(v) 1
• Step 2 For every node v whose degree has not
  yet been calculated
• 1 Find the outgoing edge e of current node
  whose quanity (deg(ej)-1) x deg(vj) is larger
  than or equal to the corresponding quantity in
  every other outgoing edge of v
• 2 Mark edge ej with ALL
• Compute the degree of v with the summation formula

48
Marking of FDDs (cont.)
3 1 4
3 2 5
1
1
2
1
21 3
213
1
1
2
2
Terminal Nodes Degree 1
Two Marked FDDs from the same Reduced FDD
49
Firewall Generation

• Generated Firewall is a sequence of rules such
  that each rule corresponds to a decision path in
  the marked FDD
• This step produces the rules of the firewall, as
  well as a ranking for each rule, and two
  predicates, the exhibited and the original
  predicate
• Rank is used for ordering the rules, predicates
  for making the firewall Compact in the next step

50
Firewall Generation (cont.)

• For our purposes, a Firewall r over the fields
  F0,,Fn-1 is a sequence of rules r0,,rm-1 where
  each rule is of the form
• F0 ? S0 ? ? Fn-1 ? Sn-1 ? ltdecisiongt
• where each Si is either the mark ALL or a
  nonempty set of integers from the domain of field
  Fi, and the ltdecisiongt is either a (accept) or d
  (discard).
• Ex. F0 ? 4,7 ? F1 ? 2,3 U 5,7 ? a

51
Firewall Generation (cont.)

• For the final rule in a firewall, rm-1, each Si
  is either the mark ALL or the entire domain of
  field Fi
• This acts as a catchall, ensuring that there is
  no condition in which the firewall will not know
  what to do

52
Firewall Generation (cont.)

• A packet (p0,,pn-1) over the fields F0,,Fn-1
  matches a rule ri iff ri is of the aforementioned
  form and the predicate (p0 ? S0 ? ? pn-1 ?
  Sn-1) holds
• Packet is accepted by the firewall if the
  firewall has a rule ri such that
• the packet matches ri
• the packet does not match any rule preceding ri
• the ltdecisiongt of ri is a (accept)

53
Firewall Generation (cont.)

• The set of all packets accepted by firewall r is
  denoted r.accept, the set of those discarded is
  denoted r.discard.
• For any firewall r over the fields F0,,Fn-1,
• r.accept n r.discard Ø
• r.accept U r.discard ?
• where Ø is the empty set and ? is the set of all
  packets over the fields F0,,Fn-1

54
Firewall Generation (cont.)

• From a marked FDD f over the fields
• F0,,Fn-1, we generate a corresponding firewall
  r such that
• r.accept f.accept, and
• r.discard f.discard
• We also generate a binary number called the rank,
  denoted b0bn-1, where each node contributes one
  bit to the whole number, and the two predicates
  which are later used to make the firewall
  compact, the exhibited predicate (epi) and the
  original predicate (opi)

55
Firewall Generation (cont.) Algorithm 3

• Each decision path in the FDD f is converted into
  a rule in firewall r
• To make each rule, go down the decision path one
  node at a time, with three separate cases to
  consider at each node Fi
• Case 1 The decision path has no nodes labeled
  Fi
• Case 2 The decision path has a node labeled Fi,
  and its outgoing edge e has no mark
• Case 3 The decision path has a node labeled Fi,
  and its outgoing edge has an ALL mark

56
Firewall Generation (cont.) Algorithm 3

• Case 1 The decision path has no nodes labeled
  Fi
• bi 0
• Si the domain ai, bi of Fi
• Ti the domain ai, bi of Fi
• In this case, there is no node Fi in the path,
  but each rule must address each field in the
  range 0,,n-1
• Case 2 The decision path has a node labeled Fi,
  and its outgoing edge e has no mark
• bi 0
• Si the integer set that labels e
• Ti the integer set that labels e
• Case 3 The decision path has a node labeled Fi,
  and its outgoing edge has an ALL mark
• bi 1
• Si ALL
• Ti the integer set that labels e

57
Firewall Generation (cont.) Algorithm 3

• Sample marked FDD has three different decision
  paths, resulting in three different rules

58
Firewall Generation (cont.) Algorithm 3

• Taking Leftmost path
• Node F0 Falls under case 2, so
• rank 0, Si 4,7, Ti 4,7
• Node F1 Falls under case 2, so
• rank 0, Si 2,3U5,7, Ti 2,3U5,7
• Overall rank 00
• Rule F0 ? 4,7 ? F1 ? 2,3U5,7?a
• epi F0 ? 4,7 ? F1 ? 2,3U5,7
• opi F0 ? 4,7 ? F1 ? 2,3U5,7

59
Firewall Generation (cont.) Algorithm 3

• Taking Middle path
• Node F0 Falls under case 2, so
• rank 0, Si 4,7, Ti 4,7
• Node F1 Falls under case 3, so
• rank 1, Si ALL, Ti 0,1U4,4U8,9
• Overall rank 01
• Rule F0 ? 4,7 ? F1 ? ALL?d
• epi F0 ? 4,7 ? F1 ? ALL
• opi F0 ? 4,7 ? F1 ? 0,1U4,4U8,9

60
Firewall Generation (cont.) Algorithm 3

• Taking Rightmost path
• Node F0 Falls under case 3, so
• rank 1, Si ALL, Ti 0,3U8,9
• Node F1 Falls under case 1, so
• rank 0, Si 0,9, Ti 0,9
• Overall rank 10
• Rule F0 ? ALL ? F1 ? 0,9?d
• epi F0 ? ALL ? F1 ? 0,9
• opi F0 ? 0,3U8,9 ? F1 ? 0,9

61
Firewall Generation (cont.) Algorithm 3

• Rules are put in ascending order in regards to
  their rank
• Generated Firewall
• r ( F0 ? 4,7 ? F1 ? 2,3U5,7?a
• F0 ? 4,7 ? F1 ? ALL?d
• F0 ? ALL ? F1 ? 0,9?d
• )

62
Firewall Generation (cont.)

• The rank works based on the priority system. The
  more specific the rule is, the higher it needs to
  be. If there is an ALL in the rule, it is
  assumed that any case in which the input mattered
  in that field will be taken care of by a previous
  rule in the ordering.

63
Firewall Compactness

• The firewall which has been generated at this
  point may include redundant rules, which can be
  safely removed from the firewall without changing
  the accept or discard sets, resulting in a
  simpler, still complete firewall
• A Compact firewall is one in which there are no
  redundant rules

64
Firewall Compactness (cont.)

• Let (r0,,rm-1) be a firewall over the fields
  F0,,Fn-1 as generated by our algorithm. A rule
  ri, i lt m-1 is considered redundant iff for each
  j, i lt j lt m-1, and least one of the following
  two conditions hold
• ltdecisiongt of rj ltdecisiongt of ri
• No packet over the fields F0,,Fn-1 satisfies the
  predicate ri.op ? (ri1.ep ? ? rj-1.ep) ?
  rj.ep

65
Firewall Compactness (cont.)

• Explanation If from rule ri until the end one
  of these conditions holds for each intermediate
  rule, that original rule ri is redundant
• First condition If rule rj from i to m-1 has
  the same decision as ri, then this condition
  holds. For example, if the last three rules are
  all d (discard), then the two leading up to the
  last are redundant, as the last one will take
  care of those decisions
• Second condition For the rules ri and rj, rj
  being any rule between ri and the end of the rule
  listing, the condition holds only if there is a
  rule between ri and rj which which would satisfy
  the same packet. If the packet would be
  satisfied by ri and rj, and no rules in between,
  then the rule ri is not redundant.

66
Firewall Compactness (cont.) Algorithm 4

• The algorithm given operates by having an array
  of booleans, each slot holding either true or
  false for redundant or not. The array then
  starts from the bottom up, with the last rule
  being ri, and checks every rule after ri one at a
  time to see if it meets one of the two
  conditions. If every rule meets one of the
  conditions, then ri is listed as true. If not,
  then false. After every rule is checked, those
  listed as true in the boolean array are removed
  as they are redundant. The result is a compact
  array.

67
Firewall Compactness (cont.)

• Firewall before Compacting
• r ( F0 ? 4,7 ? F1 ? 2,3U5,7?a
• F0 ? 4,7 ? F1 ? ALL?d
• F0 ? ALL ? F1 ? 0,9?d
• )
• Rule two is found to be redundant, and can
  safely be removed from the firewall without
  changing the accept and discard sets

68
Firewall Compactness (cont.)

• Firewall after Compacting
• r ( F0 ? 4,7 ? F1 ? 2,3U5,7?a
• F0 ? ALL ? F1 ? 0,9?d
• )
• Since rules two and three both were discards,
  rule two can be removed since rule three will
  catch any packets that would have been caught by
  rule two, and still discard them

69
Firewall Simplification

• A rule of the form
• F0 ? S0 ? ? Fn-1 ? Sn-1 ? ltdecisiongt
• is called simple iff every Si in the rule is
  either the ALL marker or a single interval of
  non-negative integers.
• A Firewall is called simple if all of its rules
  are simple. Even though a simple firewall will
  have more rules than a non-simple one, the
  simplicity is preferred to the fewer rules

70
Firewall Simplification (cont.) Algorithm 5

• To simplify the firewall, break up any
  complicated rules by forming two new, simpler
  rulessimply iterate through the list one rule at
  a time.
• Example Rule 1
• F0 ? 4,7 ? F1 ? 2,3U5,7?a
• F1 ? 2,3U5,7 is complex
• Can be broken down into two different statements,
  F1 ? 2,3 and F1 ? 5,7
• New rules
• F0 ? 4,7 ? F1 ? 2,3?a
• F0 ? 4,7 ? F1 ? 5,7?a

71
Firewall Simplification (cont.)

• Final Simplified Firewall
• r ( F0 ? 4,7 ? F1 ? 2,3?a F0 ?
  4,7 ? F1 ? 5,7?a
• F0 ? ALL ? F1 ? 0,9?d
• )
• Had a firewall been generated directly from the
  initial FDD, then it would have had 14 simple
  rules. By reducing the FDD and compacting the
  rules, we have ended up with a much simpler
  firewall which has the same accept and discard
  sets

72
Summary

• This paper details a method of constructing
  firewalls from supplied FDDs, whose consistency
  and completeness were hopefully already
  established. The method takes the FDD through
  six different stages, from the user specified FDD
  to the final simple firewall

73
Summary (cont.)

• From the user specified FDD, we apply the
  reduction algorithm. This simplifies the number
  of decision paths, resulting in fewer final
  simple rules in the generated firewall

74
Summary (cont.)

• From the reduced FDD, we apply the Marking
  algorithm, systematically finding which marked
  edges would result in the simplest final firewall.

75
Summary (cont.)

• Once marked, the firewall is generated. Each
  decision path is converted in to a rule, and a
  ranking system which is included with the rule
  generation algorithm helps us order the rules
  properly. Two other predicates are also created
  to be used to remove redundancy.

76
Summary (cont.)

• Even though the FDD was reduced at an early
  stage, it is still possibly and even likely that
  there is still redundancy in the firewall. A
  carefully applied algorithm removes rules that
  are found to be redundant, further simplifying
  the firewall

77
Summary (cont.)

• Once the firewall is known to be compact, a
  simplification algorithm is applied, which
  converts all of the complex rules into more,
  simpler rules. At this point we have our
  completed firewall

78
Conclusion

• Despite a plethora of typos which made the paper
  sometimes confusing, the authors have shown a
  systematic, testable way of ensuring a
  consistent, complete, and simple firewall. They
  developed a series of algorithms which could be
  applied to any FDD in order to guarantee a
  simple, effective firewall, effectively
  automating what was likely a time-consuming,
  difficult to prove process