Presentation is loading. Please wait.

Presentation is loading. Please wait.

Firewall Modules and Modular Firewalls

Published byMitchell Austin Modified over 6 years ago

Similar presentations

Presentation on theme: "Firewall Modules and Modular Firewalls"— Presentation transcript:

1 Firewall Modules and Modular Firewalls
- H.B. Acharya, Aditya Joshi, M.G. Gouda Classroom Presentation - Shaayendra Raju

2 Topics to be covered What is a Firewall Metrics of Firewall
Types of Firewalls Need for Modular Firewalls Remarks

3 What is a Firewall A packet filter placed at the entry point of a network in the Internet Most important Line of defense for Enterprise networks. Can be implemented in both hardware & software versions.

4 How does a firewall works
<Function> -> <Decision>

5 Dependency explained Function employs "First - Match" criterion to determine sequence of rules to be applied on any incoming/outgoing packet. Much of a short-circuit evaluation. If packet matches multiple rules, action of first matching rule will be taken.

6 Order of Rules matters Order of rules creates dependency.
Level of dependency is proportional to Complexity of firewall. Consumes lot of time to understand and design a firewall.

7 New Metric …? Inversion - Number of pairs of adjacent rules that have different decisions in a give firewall F. For modular firewalls Inversion metric would be 1 or 2. Inversion and dependency are correlated.

8 Fields, Packets, Rules and Firewalls
Fields - variables - Source/destination IP address, Transport protocol, Source port number and destination port number. Consider d fields, f1,f2,….fd and domain values denoted by D(f1)..,D(fd). Rule would be of form <r.decision> - accept/discard. All accept rule - All discard rule - Last rule in firewall - accept-all / discard-all.

9 Dependency metric Accept band Discard band
Dependency set - For a given rule 'r' in firewall 'F', it is set containing every rule 's' where s precedes r in F and r, s occurs in different bands in F Dependency varies with cardinality between 'r' &'s'. Theorem-1 If the rules in a band in a firewall 'F' are reordered in any way, then the resulting firewall is equivalent to 'F'

10 Theorem-2 Let 'F' be any firewall with 'n' rules
The smallest possible value of dependency metric is (n-1)/n. The largest possible value of dependency metric is (n-1)/2. Proof : Consider 'F' has only 2 bands , first one has n-1 rules and other has 1 rule. Average cardinality of dependency set (n-1)/n. Consider 'F' has 'n' bands and each band consists of only 1 rule, dep. set of first rule - 0 rules, 2nd rule - 1 rule , nth rule - n rules. Average cardinality (n-1)/2.

11 Inversion Metric - Theorem - 3
The smallest possible value of the inversion metric in 'F' is '1'. The largest possible value of the inversion metric in 'F' is 'n-1'. Proof - Consider firewall with two or more bands. Smallest possible value of inversion metric - 1. Largest possible value of inversion metric - (n-1). **Inversion metric

12 Theorem 4 Let 'F' be a uniform firewall with n rules. 'dm' value of dependency metric of 'F'.'im' be the value of inversion metric of F. Then dm = n* im / 2*(im+1)

13 Simple Firewalls Should have 3 bands B0, B1, B2 and satisfy 3 conditions B0 consists of zero or more discard rules. B1 consists of zero or more accept rules. B2 consists of only one discard-all rule. If B0 exists, inversion metric is 2. else Inversion metric is 1.

14 Identifying irrelevant rules
Identify irrelevant rules and removing them from firewall 'f' yields firewall 'g' which is simple and equivalent to 'F'. Conditions Rule 's' is in band B0 and there is another rule 'r' in B0 where "r covers s". Rule 's' is in band B0 and there is no rule r in B1 where "r overlaps s" Rule 's' is in band B1 and there is another rule r in B1 where "r covers s"

15 Algorithm for removing Irrelevant rules

16 Partitioned Firewalls
A non-empty set {PF1,PF2,…,PFn} of firewalls, such that oneness condition holds true. If a packet is accepted by one firewall in a partitioned firewall PF, then packet is said to be accepted by PF. else if packet is discarded by every firewall in PF, the packet is said to be discarded by PF.

17 A simple/ Monolithic firewall (F) <=> partitioned firewall (PF)
iff F & PF accept / discard same set of packets. Advantages of partitioned firewalls Parallel processing of packets. Ease of design and update. Small inversion metric.

18 Theorem 5 Let F & G be two firewalls.
If for every accept rule 'r' in 'F' and every accept rule 's' in 'G', r does not overlap s, then 'F' and 'G' can be components in same firewall

19 Modular firewall It is a partitioned firewall {MF1,….,MFr} where each component MFk, called a firewall module, is a simple firewall. Inversion metric of module MFk is 1 or 2. Inversion metric of Modular Firewall MF is 1 or 2. Design Set of all packets is partitioned into r non-overlapping classes PC1.....PCN Each module is designed to accept some or all the packets that belong to packet class PCk.

20 Theorem 6 Assume that Algorithm2 is applied to Monolithic firewall and produced the simple firewalls {MF1,…..,MFr}. Then no two distinct firewalls MF1 and MFk accept the same packet.

21 Algorithm2

22 Theorem 7 Assume that algorithm2 is applied to monolithic firewall 'F' and produced a modular firewall MF that consists of modules {MF1,MF2,...MFk} Each packet accepted by 'F' is also accepted by 'MF'. Each packet, that is accepted by 'MF' , is also accepted by 'F'

23 Design goal Given a Firewall 'F', whose inversion metric is very large , it's output should be a modular firewall 'MF' whose design metric is 1 or 2. Complexity - O(n^2). Algorithm1 is called from algorithm2 to remove irrelevant rules and compute modular firewall.

24 Simulation Results

25 Simulation Results

26 Conclusion The author has presented a new metric called 'Inversion' which is related to dependency and designed an algortihm that can compute modular firewall 'MF', given firewall 'F' in O(n^2) time. Advantage of modular firewalls Cleanness of design Low inversion metric that makes firewalls easy to understand. Permits modification with no unexpected side effects.

27 Thank you

Download ppt "Firewall Modules and Modular Firewalls"

Similar presentations

16.4 Estimating the Cost of Operations Project GuidePrepared By Dr. T. Y. LinVinayan Verenkar Computer Science Dept San Jose State University.

16.4 Estimating the Cost of Operations Project GuidePrepared By Dr. T. Y. LinVinayan Verenkar Computer Science Dept San Jose State University.
Router/Classifier/Firewall Tables Set of rules—(F,A)  F is a filter Source and destination addresses. Port number and protocol. Time of day.  A is an.

Router/Classifier/Firewall Tables Set of rules—(F,A)  F is a filter Source and destination addresses. Port number and protocol. Time of day.  A is an.
Longest Common Subsequence

Longest Common Subsequence
Walks, Paths and Circuits Walks, Paths and Circuits Sanjay Jain, Lecturer, School of Computing.

Walks, Paths and Circuits Walks, Paths and Circuits Sanjay Jain, Lecturer, School of Computing.
Routing in a Parallel Computer. A network of processors is represented by graph G=(V,E), where |V| = N. Each processor has unique ID between 1 and N.

Routing in a Parallel Computer. A network of processors is represented by graph G=(V,E), where |V| = N. Each processor has unique ID between 1 and N.
1 Diverse Firewall Design Alex X. Liu The University of Texas at Austin, U.S.A. July 1, 2004 Co-author: Mohamed G. Gouda.

1 Diverse Firewall Design Alex X. Liu The University of Texas at Austin, U.S.A. July 1, 2004 Co-author: Mohamed G. Gouda.
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.

FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.
1 TCAM Razor: A Systematic Approach Towards Minimizing Packet Classifiers in TCAMs Department of Computer Science and Information Engineering National.

1 TCAM Razor: A Systematic Approach Towards Minimizing Packet Classifiers in TCAMs Department of Computer Science and Information Engineering National.
Parallel Scheduling of Complex DAGs under Uncertainty Grzegorz Malewicz.

Parallel Scheduling of Complex DAGs under Uncertainty Grzegorz Malewicz.
1 Introduction to Computability Theory Lecture3: Regular Expressions Prof. Amos Israeli.

1 Introduction to Computability Theory Lecture3: Regular Expressions Prof. Amos Israeli.
4-1 Network layer r transport segment from sending to receiving host r on sending side encapsulates segments into datagrams r on rcving side, delivers.

4-1 Network layer r transport segment from sending to receiving host r on sending side encapsulates segments into datagrams r on rcving side, delivers.
Firewall Policy Queries Author: Alex X. Liu, Mohamed G. Gouda Publisher: IEEE Transaction on Parallel and Distributed Systems 2009 Presenter: Chen-Yu Chang.

Firewall Policy Queries Author: Alex X. Liu, Mohamed G. Gouda Publisher: IEEE Transaction on Parallel and Distributed Systems 2009 Presenter: Chen-Yu Chang.
Firewall Queries Alex X. Liu, Mohamed G. Gouda, The University of Texas at Austin, U.S.A. Huibo Heidi Ma, Anne HH. Ngu Texas State University, U.S.A. December.

Firewall Queries Alex X. Liu, Mohamed G. Gouda, The University of Texas at Austin, U.S.A. Huibo Heidi Ma, Anne HH. Ngu Texas State University, U.S.A. December.
Two stage packet classification using most specific filter matching and transport level sharing Authors: M.E. Kounavis *,A. Kumar,R. Yavatkar,H. Vin Presenter:

Two stage packet classification using most specific filter matching and transport level sharing Authors: M.E. Kounavis *,A. Kumar,R. Yavatkar,H. Vin Presenter:
COS 338 Day 16. 2 DAY 16 Agenda Capstone Proposals Overdue 3 accepted, 3 in mediation Capstone progress reports still overdue I forgot to mark in calendar.

COS 338 Day DAY 16 Agenda Capstone Proposals Overdue 3 accepted, 3 in mediation Capstone progress reports still overdue I forgot to mark in calendar.
Delivery, Forwarding, and Routing

Delivery, Forwarding, and Routing
-------------------------------------------------------- university “STRUCTURED FIREWALL” By. Mr. Ganesh N Pathare Mr. Shivram A Popalghat Department Of.

university “STRUCTURED FIREWALL” By. Mr. Ganesh N Pathare Mr. Shivram A Popalghat Department Of.
Network Layer4-1 Chapter 4: Network Layer r 4. 1 Introduction r 4.2 Virtual circuit and datagram networks r 4.5 Routing algorithms m Link state m Distance.

Network Layer4-1 Chapter 4: Network Layer r 4. 1 Introduction r 4.2 Virtual circuit and datagram networks r 4.5 Routing algorithms m Link state m Distance.
Detection and Resolution of Anomalies in Firewall Policy Rules

Detection and Resolution of Anomalies in Firewall Policy Rules

Similar presentations

Ads by Google