Firewall Queries. Alex X. Liu, Mohamed G. Gouda, The University of Texas at Austin, U.S.A.; Huibo Heidi Ma, Anne HH. Ngu, Texas State University, U.S.A. December 16, 2004.

Slide 2 (Alex X. Liu, The University of Texas at Austin): Firewall
- A firewall is a sequence of rules that decides whether to accept or discard each packet.
- Example: packet(S, D), a packet abstracted by its source field S and destination field D (the example rule table on the slide is not reproduced in the transcript).
- Firewalls are hard to understand and analyze.

Slide 3: Firewall Queries
- Examples:
  - "Which outside computers are not allowed to send emails to the inside server?"
  - "Which inside computers can receive BOOTP packets from outside?"
- Such queries are useful for firewall analysis, understanding, testing, ...
- Two questions remain:
  - How to describe a firewall query?
  - How to process a firewall query?

Slide 4: Structured Firewall Query Language
- Example: select field S from firewall f where (S ∈ {3..6}) ∧ (D ∈ {1}) ∧ (decision = accept)
- Find all packets that satisfy the condition, then project them onto the selected field.
- Meaning of the query: which source computers with addresses in {3..6} can send packets to the destination whose address is 1?

Slide 5: Consistent Firewalls
- Two rules in a firewall conflict iff they have different decisions and at least one packet matches both rules.
- A firewall is consistent iff no two of its rules conflict.
- Example: the following firewall is inconsistent because r1 and r2 conflict (the rule table is not reproduced in the transcript).

Slide 6: Query Processing
- For a consistent firewall, a query can be processed on the firewall's rules directly (algorithm in the paper).
- For any firewall, consistent or inconsistent, a query can be processed on a firewall decision diagram (FDD) that is equivalent to the firewall (algorithm in the paper).
- An example follows.
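The conflict test of slide 5 and the direct rule-by-rule evaluation that slide 6 says is possible for consistent firewalls, as an added example that is not code from the slides or the paper. The rule sets are constructed here (the slides' own rule tables are not in the transcript); the consistent one consists of the six root-to-leaf paths of the FDD on slide 7, so its rules are pairwise disjoint. The reasoning in `query_on_rules` for why consistency licenses direct evaluation is my own and is not the paper's algorithm verbatim.

```python
# Added example, not from the slides: the conflict test behind "consistent
# firewall" (slide 5) and the rule-by-rule query evaluation it licenses
# (slide 6).  A packet is abstracted as (S, D) as on slide 2, with small
# integer addresses so every field set can be written out explicitly.
from itertools import combinations

ACCEPT, DISCARD = "accept", "discard"

# Constructed rule sets (the slides' own rule tables are not in the
# transcript).  A rule is (name, {field: set of matching values}, decision).
# CONSISTENT_RULES are the six root-to-leaf paths of the FDD on slide 7,
# so they are pairwise disjoint and hence conflict-free.
CONSISTENT_RULES = [
    ("r1", {"S": {1, 2, 9, 10}, "D": set(range(1, 11))}, ACCEPT),
    ("r2", {"S": {4, 5, 6, 7},  "D": {2, 3, 4, 5, 9}},   ACCEPT),
    ("r3", {"S": {4, 5, 6, 7},  "D": {6, 7, 8}},         DISCARD),
    ("r4", {"S": {4, 5, 6, 7},  "D": {1, 10}},           ACCEPT),
    ("r5", {"S": {3, 8},        "D": set(range(2, 10))}, DISCARD),
    ("r6", {"S": {3, 8},        "D": {1, 10}},           ACCEPT),
]
# The usual "allow a few things, then discard everything" layout is
# inconsistent by the slide-5 definition: r2 matches every packet r1 does.
INCONSISTENT_RULES = [
    ("r1", {"S": {3, 4, 5, 6},      "D": {1, 10}},            ACCEPT),
    ("r2", {"S": set(range(1, 11)), "D": set(range(1, 11))},  DISCARD),
]


def rules_overlap(a, b):
    """True iff some packet matches both rules: every field intersects."""
    return all(a[f] & b[f] for f in a)


def conflicting_pairs(rules):
    """Slide 5: two rules conflict iff their decisions differ and some
    packet matches both.  Returns the conflicting pairs by rule name."""
    return [(n1, n2)
            for (n1, f1, d1), (n2, f2, d2) in combinations(rules, 2)
            if d1 != d2 and rules_overlap(f1, f2)]


def is_consistent(rules):
    return not conflicting_pairs(rules)


def query_on_rules(rules, select, cond, decision):
    """Evaluate 'select <select> from f where cond ∧ decision=<decision>'
    directly on the rules.

    Only valid for a consistent firewall: with no conflicts, every rule
    that matches a given packet carries the same decision, so rule order
    is irrelevant and the answer is the union, over rules with the wanted
    decision, of the selected field of (rule ∩ cond).  That is my reading
    of why slide 6 allows direct processing; the paper's own algorithm is
    not reproduced on the slides.
    """
    if not is_consistent(rules):
        raise ValueError("inconsistent firewall: process the query on an FDD instead")
    result = set()
    for _, fields, dec in rules:
        if dec != decision:
            continue
        # Per-field intersection of the rule with the query condition; a
        # field the condition does not mention is left unconstrained.
        inter = {f: fields[f] & cond.get(f, fields[f]) for f in fields}
        if all(inter.values()):   # some packet matches both rule and cond
            result |= inter[select]
    return result


if __name__ == "__main__":
    print("conflicts:", conflicting_pairs(INCONSISTENT_RULES))
    print("query result:", sorted(query_on_rules(
        CONSISTENT_RULES, "S", {"S": {3, 4, 5, 6}, "D": {1}}, ACCEPT)))
```

Running the slide-4 query on `CONSISTENT_RULES` returns {3, 4, 5, 6}, the same answer the FDD walk on slides 8-12 produces. Note that `INCONSISTENT_RULES` is a perfectly ordinary first-match firewall; "inconsistent" here is the paper's technical sense, not a policy bug, and it is exactly why slide 6 offers the FDD route for firewalls that are not consistent.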

Slide 7: Firewall Decision Diagram
- Firewall: (rule table on the slide, not reproduced in the transcript)
- Firewall Decision Diagram (root node labelled S, second-level nodes labelled D, leaves a = accept, d = discard):
  - S ∈ {1,2,9,10} → D ∈ {1..10} → a
  - S ∈ {4..7} → D ∈ {2..5, 9} → a; D ∈ {6..8} → d; D ∈ {1,10} → a
  - S ∈ {3,8} → D ∈ {2..9} → d; D ∈ {1,10} → a
- The algorithm to construct an equivalent firewall decision diagram from a firewall is in Liu and Gouda's "Diverse Firewall Design", DSN 2004.

Slide 8: First Step of Query Processing
- Query: select field S from firewall f where (S ∈ {3..6}) ∧ (D ∈ {1}) ∧ (decision = accept)
- First step: intersect each outgoing edge of the root node S with the query's S set {3..6}:
  - {1,2,9,10} ∩ {3..6} = ∅: stop
  - {4..7} ∩ {3..6} = {4,5,6}: continue
  - {3,8} ∩ {3..6} = {3}: continue

Slide 9: Second Step of Query Processing
- Same query. At the D node reached via S ∈ {4..7}, intersect each outgoing edge with the query's D set {1}:
  - {2..5, 9} ∩ {1} = ∅: stop
  - {6..8} ∩ {1} = ∅: stop
  - {1,10} ∩ {1} = {1}: continue

Slide 10: Third Step of Query Processing
- Same query. At the D node reached via S ∈ {3,8}:
  - {2..9} ∩ {1} = ∅: stop
  - {1,10} ∩ {1} = {1}: continue

Slide 11: Fourth Step of Query Processing
- Same query. Compare the decision at the end of each continuing path with the query's decision: both paths end in a (a = accept), so both are kept.

Slide 12: Fifth Step of Query Processing
- Same query. Collect the values of field S produced by the intersection on every "continue" path. On the first path (via S ∈ {4..7}), S1 = {4, 5, 6}; on the second path (via S ∈ {3,8}), S2 = {3}. The result of the query is S1 ∪ S2 = {3, 4, 5, 6}.
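The five-step walk of slides 8-12, as an added example that is not code from the slides or the paper. The FDD is the one drawn on slide 7, transcribed as nested tuples; the query language syntax is reduced to a Python dict of per-field sets plus a decision, which is an assumption made here for brevity.

```python
# Added example, not from the slides: processing a query on a firewall
# decision diagram (FDD), following the stop/continue walk of slides 8-12.
# The FDD is the one drawn on slide 7, transcribed as nested tuples: an
# internal node is (field, {edge label: child}) and a leaf is a decision.
ACCEPT, DISCARD = "accept", "discard"


def node(field, edges):
    return (field, edges)


FDD = node("S", {
    frozenset({1, 2, 9, 10}): node("D", {
        frozenset(range(1, 11)): ACCEPT}),
    frozenset({4, 5, 6, 7}): node("D", {
        frozenset({2, 3, 4, 5, 9}): ACCEPT,
        frozenset({6, 7, 8}): DISCARD,
        frozenset({1, 10}): ACCEPT}),
    frozenset({3, 8}): node("D", {
        frozenset(range(2, 10)): DISCARD,
        frozenset({1, 10}): ACCEPT}),
})


def matching_paths(fdd, cond, decision):
    """Walk every root-to-leaf path.  At each node, intersect each
    outgoing edge label with the query's set for that field (steps 1-3):
    an empty intersection is a "stop", a non-empty one a "continue".
    At a leaf, keep the path only if its decision is the one asked for
    (step 4).  Returns, per surviving path, the per-field intersections."""
    paths = []

    def walk(n, picked):
        if isinstance(n, str):            # leaf: the decision
            if n == decision:
                paths.append(picked)
            return
        field, edges = n
        wanted = cond.get(field)          # None: field not constrained
        for label, child in edges.items():
            inter = set(label) if wanted is None else set(label) & wanted
            if inter:                     # empty => stop on this edge
                walk(child, {**picked, field: inter})

    walk(fdd, {})
    return paths


def query_fdd(fdd, select, cond, decision):
    """select field <select> from f where cond ∧ (decision = <decision>):
    the union of the selected field's intersection over all surviving
    paths (step 5)."""
    return set().union(*(p[select] for p in matching_paths(fdd, cond, decision)))


def describe(path, decision):
    """Render a surviving path the way the slides annotate the red paths."""
    return " → ".join(f"{f}∈{sorted(v)}" for f, v in path.items()) + f" → {decision}"


if __name__ == "__main__":
    cond = {"S": {3, 4, 5, 6}, "D": {1}}        # the slide-4 query condition
    for p in matching_paths(FDD, cond, ACCEPT):
        print(describe(p, ACCEPT))
    print(sorted(query_fdd(FDD, "S", cond, ACCEPT)))
```

For the slide-4 query, `matching_paths` returns exactly the two red paths (S∈{4,5,6} → D∈{1} → accept and S∈{3} → D∈{1} → accept) and `query_fdd` returns {3, 4, 5, 6}. Leaving a field out of `cond` makes it unconstrained, which is how the slide-3 style questions ("which destinations does source 4 never reach?") are expressed: `query_fdd(FDD, "D", {"S": {4}}, DISCARD)` gives {6, 7, 8}. Because every path is visited, the walk is correct whether or not the original firewall was consistent, which is the point of slide 6.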

Slide 13: Experimental Results
- Implemented in Java (JDK 1.4).
- Experiments carried out on a SunBlade 2000 (OS: Solaris 9, CPU: 1 GHz, memory: 1 GB).
- It takes less than 10 milliseconds to process a query over a firewall that has up to 10,000 rules.

Slide 14: Conclusion
- Contributions:
  - Introduce a simple and effective SQL-like firewall query language
  - Present the Firewall Query Theorem as the foundation for query processing
  - Present an efficient query processing algorithm using Firewall Decision Diagrams