
Paper Presentation by Bradley Hanna CSCE 715: Network System Security


1 Firewall Design: Consistency, Completeness, and Compactness Gouda & Liu
Paper Presentation by Bradley Hanna CSCE 715: Network System Security 24 April 2017

2 Agenda
Important definitions from the paper.
Purpose of the paper Firewall Design: Consistency, Completeness, and Compactness.
An example of poor firewall design.
Using Firewall Decision Diagrams (FDDs) for the purpose of design.
Main contribution.
Weaknesses and suggestions for improvement.
Conclusion.

3 Definitions
Firewall: One part of a network system designed to block unauthorized access to a network by comparing network packets against a set of rules. Packets that are accepted are allowed to proceed, while packets that are not accepted are discarded.
Rule: A predicate (a Boolean expression over the fields of a packet) together with a decision to either accept or discard any packet that satisfies the predicate.
Consistency: The rules are ordered correctly, so that packets are accepted or discarded as intended.
Completeness: Every packet satisfies at least one rule in the firewall.
Compactness: The firewall contains no redundant rules.

4 Purpose of this paper. The purpose of this paper is to implement a firewall design method that generates a complete, consistent, and compact firewall.

5 Review an example of poor design.
Assume a private network contains a mail server s and a host h and is connected to the firewall by interface 1. The internet is connected to the firewall via interface 0 and contains malicious host m. Each packet contains 5 fields named as follows: I – is the interface on which the packet reaches the firewall. S – is the original source of the packet. D – is the ultimate destination of the packet. P – is the transport protocol of the packet. T – is the destination port of the packet.

6 Review an example of poor design.
Example A (predicate → decision):
r0 : I = 0 ^ S = any ^ D = s ^ P = TCP ^ T = 25 → a
r1 : I = 0 ^ S = any ^ D = s ^ P = any ^ T = any → d
r2 : I = 0 ^ S = m ^ D = any ^ P = any ^ T = any → d
r3 : I = 1 ^ S = h ^ D = any ^ P = any ^ T = any → a
r4 : I = 1 ^ S = any ^ D = any ^ P = any ^ T = any → a

7 Review an example of poor design.
Example A (predicate → decision):
r0 : I = 0 ^ S = m ^ D = any ^ P = any ^ T = any → d
r1 : I = 0 ^ S = any ^ D = s ^ P = TCP ^ T = 25 → a
r2 : I = 0 ^ S = any ^ D = s ^ P = any ^ T = any → d
r3 : I = 0 ^ S = any ^ D = any ^ P = any ^ T = any → a
r4 : I = 1 ^ S = any ^ D = any ^ P = any ^ T = any → a
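As an added example (not part of the talk), the two rule orderings of Example A evaluated with the first-match semantics of slide 20, to show which packets get a different decision depending only on rule order. The sample packets and the internet host x are constructed for the example.

```python
FIELDS = ("I", "S", "D", "P", "T")  # interface, source, destination, protocol, destination port

def rule(I, S, D, P, T, decision):
    """A rule is a predicate over the five fields plus a decision; "any" matches every value."""
    return ({"I": I, "S": S, "D": D, "P": P, "T": T}, decision)

# The two orderings of Example A, transcribed from slides 6 and 7.
SLIDE_6 = [rule(0, "any", "s", "TCP", 25, "a"), rule(0, "any", "s", "any", "any", "d"),
           rule(0, "m", "any", "any", "any", "d"), rule(1, "h", "any", "any", "any", "a"),
           rule(1, "any", "any", "any", "any", "a")]
SLIDE_7 = [rule(0, "m", "any", "any", "any", "d"), rule(0, "any", "s", "TCP", 25, "a"),
           rule(0, "any", "s", "any", "any", "d"), rule(0, "any", "any", "any", "any", "a"),
           rule(1, "any", "any", "any", "any", "a")]

def first_match(rules, packet):
    """Slide 20 semantics: the first rule whose predicate the packet satisfies decides it.
    Returns (rule index, decision), or None when no rule matches (the firewall is incomplete)."""
    for i, (pred, decision) in enumerate(rules):
        if all(pred[f] == "any" or pred[f] == packet[f] for f in FIELDS):
            return i, decision
    return None

def ordering_differences(rules_a, rules_b, packets):
    """Packets whose decision depends on which ordering is used; None marks 'no rule matched'."""
    out = {}
    for name, pkt in packets.items():
        a, b = first_match(rules_a, pkt), first_match(rules_b, pkt)
        da, db = (a[1] if a else None), (b[1] if b else None)
        if da != db:
            out[name] = (da, db)
    return out

# Constructed sample packets; x stands for an arbitrary internet host not on the slides.
PACKETS = {
    "mail m->s":   {"I": 0, "S": "m", "D": "s", "P": "TCP", "T": 25},
    "mail x->s":   {"I": 0, "S": "x", "D": "s", "P": "TCP", "T": 25},
    "web x->s":    {"I": 0, "S": "x", "D": "s", "P": "TCP", "T": 80},
    "web x->h":    {"I": 0, "S": "x", "D": "h", "P": "TCP", "T": 80},
    "h->internet": {"I": 1, "S": "h", "D": "x", "P": "TCP", "T": 80},
}
DIFFS = ordering_differences(SLIDE_6, SLIDE_7, PACKETS)
```

Mail from the malicious host m is accepted by the slide 6 ordering (r0 matches before r2) and discarded by the slide 7 ordering; traffic from the internet to h matches no rule at all on slide 6, a completeness gap.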

8 Understanding the n-Tuple
Tuple: a term for an ordered collection of a fixed number of things. A packet is represented by a series of fields, for example:
Destination IP address: [0, 2^32 − 1]
Destination port number: [0, 65535], including all well-known, registered, and ephemeral ports
Source IP address: [0, 2^32 − 1]
Source port number: [0, 65535], including all well-known, registered, and ephemeral ports
Protocol used, etc.
Therefore a field Fi is a variable whose value is taken from a predefined interval of nonnegative integers, the domain of the field, denoted D(Fi). A rule then specifies, for each field Fi, a set Si of values from D(Fi) that the field may belong to.

9 Understanding the n-Tuple
A packet over the fields F0, …, Fn-1 is an n-tuple (p0, …, pn-1) where each pi is taken from the domain D(Fi) of the corresponding field Fi. A firewall rule then takes the form
F0 ∈ S0 ^ … ^ Fn-1 ∈ Sn-1 → <decision>
For the Firewall Decision Diagram example the field domains are simplified: every field Fi has domain D(Fi) = [0,9].

10 Firewall Decision Diagram (FDD) f
Ignore the practical application of the subsets labeling the edges and assume a domain of [0,9].
Every FDD has a root node F0.
Every FDD has at least two terminal nodes, labeled a for accept and d for discard.
Every edge of an FDD is labeled with a (nonempty) subset of the domain D(Fi) of the field it leaves.

11 FDD Rules
A packet over the fields F0,…,Fn-1 is accepted by an FDD iff it satisfies a decision path F0 ∈ S0 ^ … ^ Fn-1 ∈ Sn-1 → accept.
A packet over the fields F0,…,Fn-1 is discarded by an FDD iff it satisfies a decision path F0 ∈ S0 ^ … ^ Fn-1 ∈ Sn-1 → discard.
f.accept denotes the set of packets for which the decision of FDD f is accept; f.discard denotes the set of packets for which the decision of f is discard.
For any FDD f, f.accept ∩ f.discard = ∅ (consistency) and f.accept ∪ f.discard = ∑, the set of all packets over the fields (completeness).
Two FDDs f and f’ over the same fields are equivalent iff f.accept = f’.accept and f.discard = f’.discard.

12 Algorithm 1 – FDD Reduction
The number of rules in the firewall generated from FDD f equals the number of decision paths in f, so we reduce the number of decision paths to promote compactness and eliminate redundancies. An FDD f can be reduced only if the semantics of the FDDs stay equivalent: FDD f is reduced to FDD f’ only if f.accept = f’.accept and f.discard = f’.discard. Reduce FDD f by identifying isomorphic nodes and removing the duplicates. Two nodes v0 and v1 in FDD f are isomorphic iff:
Both v0 and v1 are terminal nodes with identical labels in f, or
Both v0 and v1 are nonterminal nodes and there is a one-to-one correspondence between the outgoing edges of v0 and the outgoing edges of v1 such that corresponding edges have identical labels and lead to the same node.

13 Identify isomorphic nodes in FDD f

14 FDD f is reduced iff:
FDD f has no node with exactly one outgoing edge,
FDD f has no two edges that are outgoing from one node and incoming to the same other node, and
FDD f has no two distinct isomorphic nodes.

15 Reduced FDD f’

16 FDD f and FDD f’
If F0 has a value in {4,5,6,7}, go to F1.
If F0 has a value in {0,1,2,3,8,9}, discard.
If F1 has a value in {2,3,5,6,7}, accept.
If F1 has a value in {0,1,4,8,9}, discard.

17 Algorithm 2: FDD Marking
We mark a reduced FDD in order to determine the lowest number of rules that can be achieved. During marking the degree of the FDD is found. Degrees are determined recursively, starting with the terminal nodes a and d: the degree of a terminal node is always 1. For a nonterminal node v with k outgoing edges e0,…,ek-1 leading to nodes v0,…,vk-1, the degree is
$\deg(v) = \sum_{i=0}^{k-1} \deg(e_i) \cdot \deg(v_i)$
The degree of FDD f is the degree of the root node of f.

18 $\deg(v) = \sum_{i=0}^{k-1} \deg(e_i) \cdot \deg(v_i)$
[Figure: the reduced FDD f’ with the degree of each node and edge marked]

19 Algorithm 3: Firewall Generation
A sequence of rules is generated from the FDD marked by Algorithm 2. One rule is constructed for each decision path of the marked FDD f’. A firewall r is a sequence of rules r0,…,rm-1, each of the form
F0 ∈ S0 ^ … ^ Fn-1 ∈ Sn-1 → <decision>

20 Firewall Generation
A packet over the fields F0,…,Fn-1 is accepted by firewall r iff there is a rule ri such that:
the packet matches ri,
the packet does not match any rule that precedes ri, and
the <decision> of ri is accept.
A packet over the fields F0,…,Fn-1 is discarded by firewall r iff the same holds for some rule ri whose <decision> is discard.

21 Firewall Generation
r = (
F0 ∈ [4,7] ^ F1 ∈ [2,3] ∪ [5,7] → accept
F0 ∈ [4,7] ^ F1 ∈ ALL → discard
F0 ∈ ALL ^ F1 ∈ [0,9] → discard
)
Remember the degree of f’ was 4 and the number of simple rules is 4.

22 Algorithm 4: Firewall Compactness
Redundant rules are rules that can be removed from a firewall without affecting the accept or discard sets of the firewall. A firewall is called compact iff it has no redundant rules. For firewall r and its compact version r’: r.accept = r’.accept and r.discard = r’.discard.
Theorem for redundancy of firewall rules: a rule ri with i < m-1 is redundant iff for each j with i < j ≤ m-1, the original predicate of ri equals the exhibited predicate of rj and the <decision> of rj equals the <decision> of ri.

23 Firewall Compactness
r = (
F0 ∈ [4,7] ^ F1 ∈ [2,3] → accept
F0 ∈ [4,7] ^ F1 ∈ ALL → discard   (ri)
F0 ∈ ALL ^ F1 ∈ [0,9] → discard   (rj)
)
r = (
F0 ∈ [4,7] ^ F1 ∈ [2,3] → accept
F0 ∈ [4,7] ^ F1 ∈ [5,7] → accept
F0 ∈ ALL ^ F1 ∈ [0,9] → discard
)
The original predicate of ri is [4,7] for F0. The exhibited predicate of rj is ALL for F0. Since the domain of F0 is [0,9], a packet that holds true for ri at F0 also holds true for rj at F0, so ri is redundant.

24 Algorithm 5: Firewall Simplification
A firewall is called simple iff every Si in every rule is either the ALL mark or an interval of consecutive nonnegative integers.
r = (
F0 ∈ [4,7] ^ F1 ∈ [2,3] ∪ [5,7] → accept
F0 ∈ ALL ^ F1 ∈ [0,9] → discard
)
r = (
F0 ∈ [4,7] ^ F1 ∈ [2,3] → accept
F0 ∈ [4,7] ^ F1 ∈ [5,7] → accept
F0 ∈ ALL ^ F1 ∈ [0,9] → discard
)
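As an added example (not code from the talk or from Gouda and Liu), the reduced FDD f’ of slide 16 carried through Algorithms 2 to 5 in Python: marking, rule generation with each node's ALL edge ranked after its siblings, first-match evaluation, and the redundancy check of slides 22 and 23. The slides do not define the per-edge quantity compared during marking; the code assumes (intervals in the label − 1) × deg(child), which reproduces the talk's degree of 4 and its 4 simple rules.

```python
from itertools import product
DOMAIN, NFIELDS = (0, 9), 2  # the talk simplifies every field domain to [0,9]
def intervals(values):
    """Maximal runs of consecutive ints: {2,3,5,6,7} -> [(2, 3), (5, 7)]."""
    vs = sorted(values)
    starts = [v for i, v in enumerate(vs) if i == 0 or vs[i - 1] != v - 1]
    ends = [v for i, v in enumerate(vs) if i == len(vs) - 1 or vs[i + 1] != v + 1]
    return list(zip(starts, ends))

# Reduced FDD f' of slide 16: a node is "a"/"d" or (field, [(label_set, child), ...]).
F1_NODE = (1, [({2, 3, 5, 6, 7}, "a"), ({0, 1, 4, 8, 9}, "d")])
FDD = (0, [({4, 5, 6, 7}, F1_NODE), ({0, 1, 2, 3, 8, 9}, "d")])

def mark(node):
    """Algorithm 2: returns (degree, marked node); marked edges are (label, child, is_all)."""
    if isinstance(node, str):
        return 1, node                                      # terminal nodes have degree 1
    kids = [(lab, *mark(child)) for lab, child in node[1]]  # (label, deg(child), marked child)
    # ASSUMPTION (the slides leave it undefined): per-edge quantity = (intervals in label - 1) * deg(child)
    j = max(range(len(kids)), key=lambda i: (len(intervals(kids[i][0])) - 1) * kids[i][1])
    deg = sum((1 if i == j else len(intervals(lab))) * d for i, (lab, d, _) in enumerate(kids))
    return deg, (node[0], [(lab, mc, i == j) for i, (lab, _, mc) in enumerate(kids)])

def generate(node, prefix=()):
    """Algorithms 3 and 5: one simple rule per path, a node's ALL edge ranked after its siblings."""
    if isinstance(node, str):              # fields the path skipped (trailing ones here) get the whole domain
        return [(prefix + (DOMAIN,) * (NFIELDS - len(prefix)), node)]
    rules = []
    for lab, child, is_all in sorted(node[1], key=lambda e: e[2]):  # non-ALL edges first
        for spec in (["ALL"] if is_all else intervals(lab)):
            rules += generate(child, prefix + (spec,))
    return rules

def decide(rules, packet):
    """First-match semantics of slide 20; None means no rule matches (an incomplete firewall)."""
    hits = (dec for spec, dec in rules if all(s == "ALL" or s[0] <= p <= s[1] for s, p in zip(spec, packet)))
    return next(hits, None)

def compact(rules):
    """Algorithm 4 with slide 22's definition: drop a rule whose removal changes no packet's decision."""
    pkts = list(product(range(DOMAIN[0], DOMAIN[1] + 1), repeat=NFIELDS))
    for r in list(rules):
        trial = [x for x in rules if x is not r]
        if all(decide(trial, p) == decide(rules, p) for p in pkts):
            rules = trial
    return rules

DEGREE, MARKED = mark(FDD)
RULES = generate(MARKED)  # 4 simple rules, matching deg(f') = 4
COMPACT = compact(RULES)  # 3 rules: "F0 in [4,7] and F1 in ALL -> d" is redundant
```

The redundancy check here is the brute-force reading of the definition over the 100-packet domain, not the paper's predicate-comparison theorem; on the slides' example it removes exactly the rule slide 23 identifies.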

25 Main Contribution Changes to a firewall's design can be made by building the logic into a Firewall Decision Diagram and rerunning the firewall generation algorithms, instead of simply adding new rules to an already complex set of firewall rules. By rerunning the generation algorithms over a new FDD every time a change must be made to a firewall, we continue to achieve consistency, completeness, and compactness.

26 Weakness Discussed in Cheng et al., “A new approach to designing firewalls based on a multidimensional matrix.” Cheng et al. point to a weakness in the Gouda and Liu method that may introduce conflicts: Gouda and Liu’s description of the marking algorithm is vaguely written. How should edges be marked when multiple outgoing edges of a field are of the same degree? Cheng et al. suggest that conflicts are introduced because rules may be swapped.

27 Weakness

28 Weakness Conflict proposed by Cheng et al.
r1 assigns all packets that match the tuple ([0,4], [5,5]) to accept.
r2 assigns all packets that match the tuple ([0,4], [0,9]) to discard.
Therefore a packet matching ([0,4], [5,5]) can reach either an accept or a discard decision.
Response from Gouda and Liu, taken from their Figure 5 (a generated firewall):
R0 assigns all packets that match the tuple ([0,4], [2,3] ∪ [5,7]) to accept.
R1 assigns all packets that match the tuple ([4,7], ALL) to discard.
This presents the same situation described in the Cheng et al. example. Cheng et al. do not mention rank in their example. Rank addresses the issue for Gouda and Liu: the order of rules must not be changed if the change violates rank.

29 Weakness Gouda and Liu’s explanation of the marking algorithm is vague. For each nonterminal node v:
Find an outgoing edge ej of node v whose quantity is greater than or equal to the corresponding quantity of every other outgoing edge of v.
Mark edge ej with ALL.
Compute the degree of v as $\deg(v) = \sum_{i=0}^{k-1} \deg(e_i) \cdot \deg(v_i)$, where the term contributed by the marked edge is deg(ej) · deg(vj).

30 Weakness
[Figure: marking example with edge degrees 2, 2, 2, 1, 1 and one edge marked ALL]

31 Weakness Gouda and Liu do not explain which edge to mark when the degrees are equal. The ranking of rules done during firewall generation solves this issue. But: what is the best decision to make when marking a large decision tree? This may introduce more conflicts of the kind described by Cheng et al.

32 Conclusion Firewall design will continue to present complex challenges. We need to find answers to ensure the effectiveness of firewalls. Decision trees and multidimensional matrices are effective methods. They provide tools that put computing power to work in firewall design. They allow new firewalls to be generated as policies change.

33 Future Study Cheng, Y. A new approach to designing firewall based on multidimensional matrix. Concurrency and Computation: Practice and Experience, November 2013. Six rules are produced with no apparent conflict. How does this method affect compactness in larger firewall examples? Gouda and Liu: Strong compactness through marking method. Should we restrict the ordering of rules through rank?

34 Future Study Diverse Firewall Design – Using multiple teams to design a firewall policy independently and then creating the firewall based on a comparison of the results. Gouda, M. Diverse Firewall Design, IEEE Transactions on Parallel and Distributed Systems, Volume 19, Issue 9, September 2008. Firewall Information Exchange Protocol – A TCP/IP based protocol that allows two or more firewalls to exchange policy information, updates, and information about attacks, similar to the Border Gateway Protocol used by routers. Pedditi, S. FIEP: An initial design of a firewall information exchange protocol, Information Reuse and Integration, 2013 IEEE 14th International Conference, August 2013.

35 Citations Gouda, M. Firewall Design: Consistency, Completeness, and Compactness, Proceedings of the 24th International Conference on Distributed Computing Systems, March 2004. Cheng, Y. A new approach to designing firewall based on multidimensional matrix. Concurrency and Computation: Practice and Experience, November 2013.

