Firewall Policy Queries Author: Alex X. Liu, Mohamed G. Gouda Publisher: IEEE Transactions on Parallel and Distributed Systems 2009 Presenter: Chen-Yu Chang.

Firewall Policy Queries Author: Alex X. Liu, Mohamed G. Gouda Publisher: IEEE Transactions on Parallel and Distributed Systems 2009 Presenter: Chen-Yu Chang Date: 2009/5/13

Outline: Introduction; Formal Definitions; Structured Firewall Query Language; Firewall Query Processing; Firewall Query Post Processing; Firewall Query Algebra; Experiment Results

Introduction(1/3) Firewalls are crucial elements in network security. The function of a firewall is to examine each incoming and outgoing packet and decide whether to accept or discard the packet based on its policy. An error in a firewall policy means that some illegitimate packets are identified as legitimate, or some legitimate packets are identified as illegitimate.

Introduction(2/3) A policy error either creates security holes or disrupts normal business processes. An effective way to detect design errors in firewalls is to issue firewall queries and check whether the answers to the queries are consistent with the firewall specification.

Introduction(3/3) To make firewall queries practically useful, two problems need to be solved: how to describe a firewall query and how to process a firewall query. In this paper, we present solutions to both problems. First, we introduce a simple and effective SQL-like query language, called the Structured Firewall Query Language (SFQL), for describing firewall queries. Second, we present a theorem, called the Firewall Query Theorem, as the foundation for developing two firewall query processing algorithms: the rule-based and the FDD-based firewall query processing algorithms.


Formal Definitions(1/4) In a relational database, each field of a tuple has a fixed value, but each field of a rule in a firewall is a range, not a fixed value. A field F_i is a variable whose domain, denoted D(F_i), is a finite interval of nonnegative integers. A packet over the d fields F_1, ..., F_d is a d-tuple (p_1, ..., p_d), where each p_i (1 ≤ i ≤ d) is an element of D(F_i). We use Σ to denote the set of all packets over fields F_1, ..., F_d, so that |Σ| = |D(F_1)| × ... × |D(F_d)|.

Formal Definitions(2/4) A firewall rule has the form <predicate> → <decision>, where the predicate is F_1 ∈ S_1 ∧ ... ∧ F_d ∈ S_d with each S_i ⊆ D(F_i), and the decision is an element of the decision set α. A packet (p_1, ..., p_d) matches the predicate F_1 ∈ S_1 ∧ ... ∧ F_d ∈ S_d, and hence the corresponding rule, if and only if the condition p_1 ∈ S_1 ∧ ... ∧ p_d ∈ S_d holds. For any i, if S_i = D(F_i), we often use the keyword all to denote S_i.

Formal Definitions(3/4) A firewall f over the d fields F_1, ..., F_d is a sequence of firewall rules. The size of f, denoted |f|, is the number of rules in f. To ensure that a firewall is complete, the predicate of the last rule in a firewall is usually specified as F_1 ∈ D(F_1) ∧ ... ∧ F_d ∈ D(F_d), which every packet matches. Conflict: a packet may match more than one rule in a firewall, and the matching rules may have different decisions; two such rules conflict. To resolve such conflicts, firewalls typically employ a first-match resolution strategy. The decision that firewall f makes for packet p is denoted f(p).

Formal Definitions(4/4) We can think of a firewall f as defining a many-to-one mapping function from Σ to α. Two firewalls f_1 and f_2 are equivalent, denoted f_1 ≡ f_2, if and only if they define the same mapping function from Σ to α, that is, for any packet p ∈ Σ, we have f_1(p) = f_2(p).


Query Language(1/2) A query, denoted Q, in our Structured Firewall Query Language (SFQL) is of the following format: select F_i from f where F_1 ∈ S_1 ∧ ... ∧ F_d ∈ S_d ∧ decision = <dec>. Here F_i is one of the d fields, f is a firewall, each S_i is a subset of D(F_i), and <dec> is a decision in α. The result of query Q, denoted Q.result, is the following set: {p_i | (p_1, ..., p_d) ∈ Σ ∧ p_1 ∈ S_1 ∧ ... ∧ p_d ∈ S_d ∧ f(p_1, ..., p_d) = <dec>}.

Query Language(2/2) Ex: Which computers whose addresses are in the set [4, 8] can send packets to the computer whose address is 6? The result of this query is {4, 5, 6, 7}. Which computers cannot send packets to the computer whose address is 6? The result of this query is {3, 8}.

Firewall query example In these examples, we assume each packet has the following five fields: I (Interface), S (Source IP), D (Destination IP), N (Destination Port), and P (Protocol Type).


Theory Foundation(1/4) A firewall is consistent if and only if no two rules in the firewall conflict. In this section, we discuss how to process a firewall query for consistent firewalls. (The slide shows an example of an inconsistent firewall and of a consistent one.)

Theory Foundation(2/4) Our interest in consistent firewalls is twofold. First, each inconsistent firewall can be converted to an equivalent consistent firewall. Second, as shown in the following theorem, it is easier to process queries for consistent firewalls than for inconsistent ones. (The slide shows an inconsistent firewall next to its equivalent consistent firewall.)

Theory Foundation(3/4) Theorem 1 (Firewall Query Theorem). Let Q be a query of the following form: select F_i from f where F_1 ∈ S_1 ∧ ... ∧ F_d ∈ S_d ∧ decision = <dec>. Also let f be a consistent firewall that consists of n rules r_1, ..., r_n, where each rule r_j is of the form (F_1 ∈ S_1') ∧ ... ∧ (F_d ∈ S_d') → <dec'>. Then Q.result = Q.r_1 ∪ ... ∪ Q.r_n, where each Q.r_j is defined using r_j as follows: Q.r_j = S_i ∩ S_i' if <dec> = <dec'> and S_k ∩ S_k' ≠ ∅ for every k (1 ≤ k ≤ d); otherwise Q.r_j = ∅.

Theory Foundation(4/4) Ex: Q.r_1 = {4, 5, 6, 7}, Q.r_2 = ∅, Q.r_3 = ∅, Q.r_4 = ∅, Q.r_5 = ∅, Q.r_6 = ∅, so Q.result = Q.r_1 ∪ ... ∪ Q.r_6 = {4, 5, 6, 7}. (The slide shows the query sets S_1, S_2 compared against the rule sets S_1', S_2' of each rule.)

Rule-Based Firewall Query Processing
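The following is an added example, not code from the paper or the presentation: it implements the rule-based query processing of Theorem 1 over a constructed two-field firewall (fields S and D over [3, 8], not the paper's Fig. 3) and checks it against brute-force first-match evaluation of every packet in Σ. The constructed firewall reproduces the two example results {4, 5, 6, 7} and {3, 8} from the query language slide; the consistency check is included because the theorem only holds for consistent firewalls.

```python
from itertools import product

ACCEPT, DISCARD = "accept", "discard"

def overlap(a, b):
    """Intersection of two closed integer intervals (lo, hi); None if empty."""
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else None

def is_consistent(rules):
    """True iff no two rules overlap in every field yet carry different decisions."""
    for j, (pj, dj) in enumerate(rules):
        for pk, dk in rules[j + 1:]:
            if dj != dk and all(overlap(a, b) for a, b in zip(pj, pk)):
                return False
    return True

def first_match(rules, packet):
    """f(p): the decision of the first rule whose predicate packet p matches."""
    for pred, dec in rules:
        if all(lo <= x <= hi for x, (lo, hi) in zip(packet, pred)):
            return dec
    raise ValueError("firewall is not complete")

def query_theorem(rules, select, where, decision):
    """Theorem 1: Q.result is the union of Q.r_j over all rules r_j, where
    Q.r_j = S_i ∩ S_i' (i = selected field) if the decisions agree and the
    where clause overlaps the rule in every field, and Q.r_j = ∅ otherwise."""
    result = set()
    for pred, dec in rules:
        inter = [overlap(w, s) for w, s in zip(where, pred)]
        if dec == decision and all(inter):
            lo, hi = inter[select]
            result.update(range(lo, hi + 1))
    return result

def query_bruteforce(rules, domains, select, where, decision):
    """Reference answer: enumerate Sigma, evaluate f(p), keep p_i on a match."""
    return {p[select]
            for p in product(*(range(lo, hi + 1) for lo, hi in domains))
            if all(lo <= x <= hi for x, (lo, hi) in zip(p, where))
            and first_match(rules, p) == decision}

# Constructed consistent, complete two-field firewall over fields S (index 0)
# and D (index 1) with D(S) = D(D) = [3, 8]; it is not the paper's Fig. 3.
S, D = 0, 1
DOMAINS = [(3, 8), (3, 8)]
FIREWALL = [
    ([(4, 7), (6, 8)], ACCEPT),   # r1
    ([(4, 7), (3, 5)], DISCARD),  # r2
    ([(3, 3), (3, 8)], DISCARD),  # r3
    ([(8, 8), (3, 8)], DISCARD),  # r4
]
```

The query "select S from f where S ∈ [4, 8] ∧ D ∈ [6, 6] ∧ decision = accept" is `query_theorem(FIREWALL, S, [(4, 8), (6, 6)], ACCEPT)`; on an inconsistent firewall the theorem over-approximates, which is why the slide's algorithm first converts to an equivalent consistent firewall.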

FDD-Based Firewall Query Processing Algorithm(1/7) Multiple rules in a consistent firewall may share the same prefix. For instance, if we process a query whose "where clause" contains the conjunct S ∈ {3} over the firewall in Fig. 3, the rule-based algorithm computes {3} ∩ [4, 7] three times, once for each rule that begins with that prefix.

FDD-Based Firewall Query Processing Algorithm(2/7) Clearly, if we reduce the number of these repeated calculations, the efficiency of the firewall query processing algorithm can be greatly improved. Now we present a more efficient firewall query processing algorithm that has no repeated calculations and can be applied to both consistent and inconsistent firewalls.

FDD-Based Firewall Query Processing Algorithm(3/7) The basic idea of this query processing algorithm is as follows. First, we convert the firewall (whether consistent or inconsistent) that we want to query into an equivalent firewall decision diagram. Second, we run the FDD-based firewall query processing algorithm on that diagram. (The resulting firewall decision diagram is a consistent and compact representation of the original firewall.)

FDD-Based Firewall Query Processing Algorithm(4/7) Definition 1 (FDD). A Firewall Decision Diagram (FDD) f has the following five properties: 1) There is exactly one node with no incoming edges, the root of f; the nodes with no outgoing edges are the terminal nodes. 2) Each node v has a label, denoted F(v); a nonterminal node is labelled with a field from {F_1, ..., F_d} and a terminal node with a decision from α. 3) Each edge e leaving a node v has a label, denoted I(e), which is a nonempty subset of D(F(v)). 4) A directed path in f from the root to a terminal node is called a decision path of f, and no two nodes on a decision path have the same label. 5) The set of all outgoing edges of a node v in f, denoted E(v), satisfies two conditions: consistency, that is, I(e) ∩ I(e') = ∅ for any two distinct edges e, e' in E(v), and completeness, that is, the union of I(e) over all e in E(v) equals D(F(v)).

FDD-Based Firewall Query Processing Algorithm(5/7) An FDD is full-length if every decision path contains all d fields, and ordered if the fields appear in the same order on every decision path. Each decision path of a full-length ordered FDD corresponds to one rule; let S_f denote the set of these rules. For any packet p, there is one and only one rule in S_f that p matches, because of the consistency and completeness properties. The order of the rules in such a firewall is immaterial because the rules in S_f are nonoverlapping.

FDD-Based Firewall Query Processing Algorithm(6/7) Given a sequence of rules, we can construct an equivalent FDD using the FDD construction algorithm in [32], which appends the rules one at a time. (The slide illustrates APPEND(v, r_2) on a node v over fields S and D, splitting its outgoing edges on intervals such as [4, 7], [6, 8], [3, 3], [8, 8], [2, 9], [2, 5] and [9, 9].)

FDD-Based Firewall Query Processing Algorithm(7/7)

Efficient FDD Reduction Using Hashing(1/2) A full-length ordered FDD is reduced if and only if no two nodes are isomorphic and no two nodes have more than one edge between them. Two nodes v and v' are isomorphic if and only if either 1) both v and v' are terminal nodes with identical labels, or 2) both v and v' are nonterminal nodes and their corresponding outgoing edges have identical labels and point to the same node.

Efficient FDD Reduction Using Hashing(2/2) We use a more efficient FDD reduction algorithm that processes the nodes level by level, from the terminal nodes to the root node. Each node v is assigned a signature h(v) computed from its label together with the labels of its outgoing edges and the signatures of their target nodes, so that isomorphic nodes receive the same signature and can be merged by a table lookup, where h is a one-way and collision resistant hash function such as MD5 [39] and SHA-1 [13].
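An added example (not the paper's code) of the hashing-based reduction just described: a constructed full-length ordered FDD over fields S then D, on [3, 8]^2, is reduced bottom-up by giving each node a signature and merging nodes whose signatures coincide, which also collapses two parallel edges into one once their targets are merged. SHA-256 stands in for the MD5/SHA-1 of the paper because those are no longer collision resistant.

```python
import hashlib

class Node:
    """FDD node: label is a field name (nonterminal) or a decision (terminal);
    edges is a list of (frozenset of field values, child Node)."""
    def __init__(self, label, edges=None):
        self.label, self.edges = label, list(edges or [])

def signature(v):
    """h(v): hash of the label plus the (edge label, child signature) pairs,
    so two nodes are isomorphic exactly when their signatures are equal.
    The paper uses MD5 or SHA-1; SHA-256 is used here because neither of
    those is collision resistant any more."""
    parts = [repr(v.label)] + [f"{sorted(vals)}->{signature(c)}"
                               for vals, c in sorted(v.edges, key=lambda e: min(e[0]))]
    return hashlib.sha256("|".join(parts).encode()).hexdigest()

def reduce_fdd(v, table=None):
    """Reduce bottom-up: canonicalise children first, merge parallel edges
    that now point to the same child, then merge v with any isomorphic node
    already seen (table maps signature -> canonical node)."""
    table = {} if table is None else table
    merged, child_of = {}, {}
    for vals, child in v.edges:
        c = reduce_fdd(child, table)
        merged.setdefault(id(c), set()).update(vals)
        child_of[id(c)] = c
    v.edges = [(frozenset(vals), child_of[k]) for k, vals in merged.items()]
    return table.setdefault(signature(v), v)

def count_nodes(v, seen=None):
    seen = set() if seen is None else seen
    if id(v) in seen:
        return 0
    seen.add(id(v))
    return 1 + sum(count_nodes(c, seen) for _, c in v.edges)

def decide(v, packet):
    """Follow the single matching edge per level; packet maps field -> value."""
    while v.edges:
        field = v.label
        v = next(c for vals, c in v.edges if packet[field] in vals)
    return v.label

def build_sample():
    """Constructed full-length ordered FDD (fields S then D) over [3, 8]^2 for
    'S in [4,7] and D in [6,8] -> accept, everything else -> discard'."""
    acc, dis1, dis2 = Node("accept"), Node("discard"), Node("discard")
    a = Node("D", [(frozenset(range(3, 9)), dis1)])
    b = Node("D", [(frozenset(range(3, 6)), dis1), (frozenset(range(6, 9)), acc)])
    c = Node("D", [(frozenset(range(3, 9)), dis2)])   # isomorphic to a
    return Node("S", [(frozenset({3}), a), (frozenset(range(4, 8)), b),
                      (frozenset({8}), c)])
```

Reducing the sample with `reduce_fdd(build_sample())` merges the two discard terminals and the isomorphic D-nodes a and c, after which the root's edges {3} and {8} both point at one node and are merged into the single edge {3, 8}.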

Complexity Analysis of Firewall Query Processing Algorithm(1/2) Complexity of the Rule-Based Firewall Query Processing Algorithm: given a firewall with n rules where each rule examines d packet fields, its equivalent consistent firewall has O(n^d) rules. Hence the Rule-Based Firewall Query Processing Algorithm's complexity is O(n^(d+1)).

Complexity Analysis of Firewall Query Processing Algorithm(2/2) Complexity of the FDD-Based Firewall Query Processing Algorithm: no nonterminal node in a reduced FDD can have more than 2n-1 outgoing edges, so finding the right outgoing edge to traverse takes O(log n) time using binary search. Let k be the total number of paths that a query overlaps on an FDD; the processing time for the query is then O(kd log n). Note that k is typically small.


Firewall Query Post Processing(1/3) In fact, the “select” clause in a query can be extended to have more than one field. However, when the “select” clause in a query has more than one field, the query result may contain many disjoint multidimensional predicates.

Firewall Query Post Processing(2/2) To make the query result easier for firewall administrators to read, we next present an algorithm to minimize the number of predicates. (The slide shows the FDD reduction algorithm applied to a partial FDD.)


Firewall Query Algebra: Union and Intersect (the definitions are shown on the slide).

Firewall Query Algebra: Minus. To compute A_1 − A_2: first, construct a partial FDD from A_2; second, append S ∈ [6, 9] ∧ D ∈ [4, 7] to this partial FDD.


Experiment Results(1/2)

Experiment Results(2/2)