1 Diverse Firewall Design Alex X. Liu The University of Texas at Austin, U.S.A. July 1, 2004 Co-author: Mohamed G. Gouda.

2 Alex X. Liu, The University of Texas at Austin
Firewall
- A firewall is a sequence of rules that decides whether to accept or discard each packet; the first rule a packet matches determines the decision.
- Example: packet(F1, F2)
- Firewall design is error-prone.

3 How to reduce firewall design errors?
- Solution: diverse firewall design
- Motivated by N-version programming (Avizienis 1977) and back-to-back testing (Vouk 1988)
- Differs from N-version programming: only one version is deployed
- Differs from back-to-back testing: all discrepancies are discovered, not only those exposed by a set of test inputs

4 Diverse Firewall Design
- Design phase: the same specification is given to multiple teams, each of which designs a firewall independently
- Comparison phase: the resulting firewalls are compared to discover all discrepancies

5 How to compare two firewalls?
- Step 1: construct an equivalent ordered FDD for each firewall
- Step 2: make the two ordered FDDs semi-isomorphic
- Step 3: compare the two semi-isomorphic FDDs for discrepancies

6 Firewall Decision Diagram (FDD)
- Consistency: the labels of any two sibling edges are non-overlapping
- Completeness: the union of the labels of all sibling edges is the domain of the field
Figure (reconstructed from the slide's labels): root node F1 with edges [1,30] and [31,100]; the F1 in [1,30] branch leads to an F2 node with edges [1,20] -> a and [21,100] -> d; the F1 in [31,100] branch leads to an F2 node with edges [1,40] -> a and [41,100] -> d (a = accept, d = discard).

7 Step 1
- Construct an equivalent ordered FDD for each firewall
- An FDD is ordered if the labels along every path in the FDD are consistent with the same total order of the fields (here F1 is always tested before F2).

8 Applying Step 1
Figure (reconstructed from the slide's labels): the FDD is built up one rule at a time. (1) After the first rule: a single path F1 in [1,30], F2 in [1,20] -> a. (2) After the second rule: the F2 node under F1 in [1,30] gains the edge [21,100] -> d. (3) After the third rule: a new root edge F1 in [31,100] leads to an F2 node with [1,40] -> a. (4) After the fourth rule: that F2 node gains [41,100] -> d, giving the complete FDD of slide 6.

9 Step 2
- Make the two ordered FDDs semi-isomorphic
- Semi-isomorphic FDDs: identical except for the labels of their terminal nodes
- Example: make these two FDDs semi-isomorphic
Figure (reconstructed from the slide's labels): the first FDD has root F1 with edges [1,50] and [51,100]; F1 in [1,50] leads to an F2 node with [1,60] -> a and [61,100] -> d, while F1 in [51,100] leads directly to the terminal d. The second FDD is the one shown on slide 6.

10 Applying Step 2
Figure (reconstructed from the slide's labels): the root edges of both FDDs are split at the breakpoints of either diagram, 30 and 50, so that each root ends up with the edges [1,30], [31,50] and [51,100]; whenever an edge is split, the subtree below it is copied onto each of the new edges (for example, the [31,100] edge of the first FDD becomes [31,50] and [51,100], each with its own copy of the F2 node labelled [1,40] -> a, [41,100] -> d, and the [1,50] edge of the second FDD becomes [1,30] and [31,50], each with its own copy of the F2 node labelled [1,60] -> a, [61,100] -> d).

11 Results of Step 2
Figure (reconstructed from the slide's labels): both FDDs now have the same shape. First FDD: F1 in [1,30]: F2 [1,20] -> a, [21,60] -> d, [61,100] -> d; F1 in [31,50]: F2 [1,40] -> a, [41,60] -> d, [61,100] -> d; F1 in [51,100]: F2 [1,40] -> a, [41,100] -> d. Second FDD: F1 in [1,30]: F2 [1,20] -> a, [21,60] -> a, [61,100] -> d; F1 in [31,50]: F2 [1,40] -> a, [41,60] -> a, [61,100] -> d; F1 in [51,100]: F2 [1,40] -> d, [41,100] -> d.

12 Step 3
- Compare the two semi-isomorphic FDDs for discrepancies: since the diagrams differ only at terminal nodes, every pair of corresponding terminals with different labels is a discrepancy, and the path leading to it describes exactly the packets that the two designs treat differently.

13 Applying Step 3
Figure (reconstructed from the slide's labels): the two semi-isomorphic FDDs from slide 11 side by side; the three terminal pairs that differ are F1 in [1,30], F2 in [21,60] (d versus a), F1 in [31,50], F2 in [41,60] (d versus a), and F1 in [51,100], F2 in [1,40] (a versus d).

14 Example
1. Design A of the firewall:
2. Design B of the firewall:
3. Comparison:
Figure (reconstructed from the slide's labels): the FDD of Design B: root F1 with F1 in [1,50] leading to an F2 node with [1,60] -> a and [61,100] -> d, and F1 in [51,100] leading directly to d.

15 Experimental Results
- The three algorithms were implemented in Java (JDK 1.4)
- Experiments were carried out on a Sun Blade 2000 (OS: Solaris 9, CPU: 1 GHz, memory: 1 GB)

16 Conclusions
Three contributions:
- Propose the diverse firewall design method
- Present a suite of algorithms that enables diverse firewall design: the FDD construction algorithm, the FDD shaping algorithm and the FDD comparison algorithm
- The FDD construction algorithm can also be used on its own to convert a conflict-infested firewall into a conflict-free firewall
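The three-step comparison of slides 5 to 14, together with the conflict-free conversion mentioned in the conclusions, as an added worked example in Python. This is not code from the paper, the slides or the authors' Java implementation. It assumes two integer fields F1 and F2 with domain [1,100], rules written as one interval set per field plus a decision, first-match semantics, and FDDs in which every path tests every field in the order F1, F2. The rule lists DESIGN_A and DESIGN_B are constructed here so that their FDDs match the two diagrams on slides 6 and 9; they are not the rule tables of slide 14. Instead of shaping the two diagrams into semi-isomorphic form and then comparing terminals, compare() walks both ordered FDDs in lockstep and intersects edge labels, which visits exactly the regions the shaped diagrams would have as terminals and therefore reports the same discrepancies.

```python
# Added example (not code from the paper, the slides or the authors' Java
# implementation): FDD construction, checking and comparison for interval rules,
# first match wins. Rule lists at the bottom are constructed to match slides 6 and 9.
import copy
from dataclasses import dataclass, field

def isect(a, b):
    """Intersection of two interval sets (sorted lists of disjoint inclusive (lo, hi) pairs)."""
    out = [(max(l1, l2), min(h1, h2)) for l1, h1 in a for l2, h2 in b]
    return sorted(iv for iv in out if iv[0] <= iv[1])

def minus(a, b):
    """a \\ b, kept as disjoint intervals."""
    pieces = list(a)
    for blo, bhi in b:
        nxt = []
        for lo, hi in pieces:
            if bhi < lo or blo > hi:          # no overlap: keep the piece whole
                nxt.append((lo, hi))
            else:                             # keep what lies left and right of the hole
                nxt += [(lo, blo - 1)] * (lo < blo) + [(bhi + 1, hi)] * (bhi < hi)
        pieces = nxt
    return sorted(pieces)

@dataclass
class Node:
    fld: int                                  # index of the field tested; -1 for a terminal
    decision: "str | None" = None             # terminal nodes only
    edges: list = field(default_factory=list) # [(interval set, child), ...]

def _new_path(preds, dec, i):
    """Fresh chain of nodes for fields i.. ending in a terminal labelled dec."""
    if i == len(preds):
        return Node(-1, dec)
    return Node(i, edges=[(list(preds[i]), _new_path(preds, dec, i + 1))])

def _add_rule(node, preds, dec, i):
    if node.fld < 0:          # path already decided by an earlier rule: first match wins
        return
    s, new_edges, covered = preds[i], [], []
    for label, child in node.edges:
        common = isect(label, s)
        if common:
            rest = minus(label, s)
            if rest:          # split the edge: the part outside the rule keeps the old
                new_edges.append((rest, child))          # subtree, the overlap gets a copy
                child = copy.deepcopy(child)
            label, covered = common, covered + common
            _add_rule(child, preds, dec, i + 1)
        new_edges.append((label, child))
    remaining = minus(s, covered)             # values of this field no edge covers yet
    if remaining:
        new_edges.append((remaining, _new_path(preds, dec, i + 1)))
    node.edges = new_edges

def build_fdd(rules):
    """rules: [(predicates, decision)] with predicates = one interval set per field."""
    root = Node(0)
    for preds, dec in rules:
        _add_rule(root, preds, dec, 0)
    return root

def is_consistent_and_complete(node, domains):
    """Slide 6: sibling labels are pairwise disjoint and together cover the field's domain."""
    if node.fld < 0:
        return True
    labels = [l for l, _ in node.edges]
    disjoint = not any(isect(x, y) for k, x in enumerate(labels) for y in labels[k + 1:])
    complete = not minus([domains[node.fld]], [iv for l in labels for iv in l])
    return disjoint and complete and all(is_consistent_and_complete(c, domains) for _, c in node.edges)

def compare(a, b, path=()):
    """Walk two ordered FDDs in lockstep and yield (region, dec_a, dec_b) where they disagree."""
    if a.fld < 0:
        if a.decision != b.decision:
            yield (list(path), a.decision, b.decision)
        return
    for la, ca in a.edges:
        for lb, cb in b.edges:
            common = isect(la, lb)
            if common:
                yield from compare(ca, cb, path + (common,))

def to_rules(node, path=()):
    """Conclusions slide: every root-to-terminal path is one rule, and no two overlap."""
    if node.fld < 0:
        yield (list(path), node.decision)
        return
    for label, child in node.edges:
        yield from to_rules(child, path + (label,))

DOMAINS = [(1, 100), (1, 100)]                # constructed: F1 and F2 both range over [1,100]
DESIGN_A = [([[(1, 30)], [(1, 20)]], "a"), ([[(1, 30)], [(1, 100)]], "d"),
            ([[(31, 100)], [(1, 40)]], "a"), ([[(1, 100)], [(1, 100)]], "d")]
DESIGN_B = [([[(1, 50)], [(1, 60)]], "a"), ([[(1, 100)], [(1, 100)]], "d")]

def discrepancies(rules_a=DESIGN_A, rules_b=DESIGN_B):
    fa, fb = build_fdd(rules_a), build_fdd(rules_b)
    assert is_consistent_and_complete(fa, DOMAINS) and is_consistent_and_complete(fb, DOMAINS)
    return list(compare(fa, fb))
```

Calling discrepancies() returns the three regions of slide 13, F1 in [1,30] with F2 in [21,60], F1 in [31,50] with F2 in [41,60], and F1 in [51,100] with F2 in [1,40], each paired with the decision of Design A and of Design B. to_rules() on either FDD emits one rule per root-to-terminal path; because sibling labels are disjoint, no two of those rules overlap, which is the conflict-free conversion the conclusions describe. The edge-splitting in _add_rule is where the construction cost comes from: every split copies a subtree, so a rule whose interval straddles many existing edges can multiply nodes.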