Firewall Queries - PowerPoint PPT Presentation

Title: PowerPoint Author: Last modified by: Xiang-Yang Liu Created Date: 7/18/2001 11:57:34 PM Document presentation format – PowerPoint PPT presentation

Learn more at: http://www.cse.msu.edu

Transcript and Presenter's Notes

1
Firewall Queries
Alex X. Liu, Mohamed G. Gouda, The University of Texas at Austin, U.S.A.
Huibo Heidi Ma, Anne H.H. Ngu, Texas State University, U.S.A.
December 16, 2004
2
Firewall
  • A firewall is a sequence of rules that decides whether to
    accept or discard each packet.
  • Example: packet (S, D)
  • Firewalls are hard to understand and analyze

3
Firewall Queries
  • Examples
  • Which outside computers are not allowed to send
    emails to the inside email server?
  • Which inside computers can receive BOOTP packets
    from outside?
  • Such queries are useful for firewall analysis,
    understanding, testing
  • Two questions remain
  • How to describe a firewall query?
  • How to process a firewall query?

4
Structured Firewall Query Language
  • Example: select field S from firewall f
    where (S ∈ {3..6}) ∧ (D ∈ {1}) ∧ (decision = accept)
  • Find all packets that satisfy the condition, and
    then project them onto the selected field
  • Meaning of the query: which source computers whose addresses are in
    3..6 can send packets to a destination whose address is 1?

5
Consistent Firewalls
  • Two rules in a firewall are said to conflict iff
    they have different decisions and there is at
    least one packet that matches both rules.
  • A firewall is consistent iff no two of its rules
    conflict.
  • Example: the following firewall is inconsistent
    because r1 and r2 conflict.

6
Query Processing
  • Processing a query for a consistent firewall can
    be carried out on the rules of the firewall
    directly. (Algorithm in paper)
  • Processing a query for a consistent or
    inconsistent firewall can be carried out on a
    firewall decision diagram that is equivalent to
    the firewall (Algorithm in paper)
  • We discuss an example next.

7
Firewall Decision Diagram
  • Firewall
  • Firewall Decision Diagram
  • An algorithm to construct an equivalent firewall
    decision diagram from a firewall is given in Liu and
    Gouda's "Diverse Firewall Design", DSN 2004.

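[Figure: firewall decision diagram. The root node S has outgoing edges labeled 4..7, 3,8 and 1,2,9,10, each leading to a node D. The first D node has edges 6..8, 1,10 and 2..5,9; the second has edges 1,10 and 2..9; the third has the single edge 1..10. Terminal nodes carry the decisions a and d.]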
8
First Step of Query Processing
  • Example: select field S from firewall f
    where (S ∈ {3..6}) ∧ (D ∈ {1}) ∧ (decision = accept)
  • First Step

[Diagram, edges of node S: {4..7} ∩ {3..6} = {4,5,6} (continue); {3,8} ∩ {3..6} = {3} (continue); {1,2,9,10} ∩ {3..6} = ∅ (stop)]
9
Second Step of Query Processing
  • Example: select field S from firewall f
    where (S ∈ {3..6}) ∧ (D ∈ {1}) ∧ (decision = accept)
  • Second Step

[Diagram, edges of the first D node: {6..8} ∩ {1} = ∅ (stop); {1,10} ∩ {1} = {1} (continue); {2..5,9} ∩ {1} = ∅ (stop)]
10
Third Step of Query Processing
  • Example: select field S from firewall f
    where (S ∈ {3..6}) ∧ (D ∈ {1}) ∧ (decision = accept)
  • Third Step

[Diagram, edges of the second D node: {1,10} ∩ {1} = {1} (continue); {2..9} ∩ {1} = ∅ (stop)]
11
Fourth Step of Query Processing
  • Example: select field S from firewall f
    where (S ∈ {3..6}) ∧ (D ∈ {1}) ∧ (decision = accept)
  • Fourth Step

[Diagram, terminal nodes on the two surviving paths: a ∩ accept = a (continue) on both]
12
Fifth Step of Query Processing
  • Example: select field S from firewall f
    where (S ∈ {3..6}) ∧ (D ∈ {1}) ∧ (decision = accept)
  • Fifth Step
  • Find the values of field S that result from the
    intersection in every continue path.
  • In the first red path, S1 = {4, 5, 6}. In the second red
    path, S2 = {3}.
  • So the result of this query is S1 ∪ S2 = {3, 4, 5, 6}

[Diagram: the two continue paths are highlighted in red. First path: S ∈ {4,5,6}, D ∈ {1}, decision a. Second path: S ∈ {3}, D ∈ {1}, decision a.]
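The five steps above, as an added Python example (not code from the presentation or from the authors' Java implementation): the function walks the decision diagram, intersects each edge label with the query's set for that field, stops on an empty intersection, and unions the selected field's values over the paths that reach a matching decision. Edge labels follow the slides; the names rng, FDD and query are hypothetical, and the terminal decisions marked "assumed" are assumptions, since the transcript only shows accept on the two surviving paths.

```python
def rng(a, b):
    """Inclusive integer interval a..b as a set (hypothetical helper)."""
    return frozenset(range(a, b + 1))

ACCEPT, DISCARD = "accept", "discard"

# Internal node: (field, [(edge_label_set, child), ...]); terminal node: decision string.
# Decisions marked "assumed" cannot be read from the transcript.
FDD = ("S", [
    (rng(4, 7), ("D", [
        (rng(6, 8), DISCARD),              # assumed
        (frozenset({1, 10}), ACCEPT),      # shown on the slides
        (rng(2, 5) | {9}, ACCEPT),         # assumed
    ])),
    (frozenset({3, 8}), ("D", [
        (frozenset({1, 10}), ACCEPT),      # shown on the slides
        (rng(2, 9), DISCARD),              # assumed
    ])),
    (frozenset({1, 2, 9, 10}), ("D", [
        (rng(1, 10), ACCEPT),              # assumed
    ])),
])

def query(fdd, select, where, decisions):
    """Values of field `select` over all packets matching `where` and `decisions`."""
    result = set()

    def walk(node, kept):
        if isinstance(node, str):          # terminal: compare the decision
            if node in decisions:          # "continue": the whole path matches
                result.update(kept[select])
            return
        field, edges = node
        for label, child in edges:
            # A field the query does not constrain keeps the whole edge label.
            hit = label & where[field] if field in where else label
            if hit:                        # empty intersection means "stop"
                walk(child, {**kept, field: hit})

    walk(fdd, {})
    return result

# The query from the slides: select S where S in 3..6, D in {1}, decision = accept.
SLIDE_RESULT = query(FDD, "S", {"S": rng(3, 6), "D": frozenset({1})}, {ACCEPT})
```

Because every path of a firewall decision diagram carries every field, the same walk answers a query on any field, including one the where clause leaves unconstrained.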
13
Experimental Results
  • Implemented in Java JDK 1.4
  • Experiments carried out on a SunBlade 2000
    (OS: Solaris 9, CPU: 1 GHz, Memory: 1 GB)
  • It takes less than 10 milliseconds to process a
    query over a firewall that has up to
    10,000 rules.

14
Conclusion
  • Contributions
  • Introduce simple and effective SQL-like firewall
    query language
  • Present Firewall Query Theorem as foundation for
    query processing
  • Present efficient query processing algorithm
    using Firewall Decision Diagram