Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Diverse Firewall Design Alex X. Liu The University of Texas at Austin, U.S.A. July 1, 2004 Co-author: Mohamed G. Gouda.

Published byRiver Eardley Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Diverse Firewall Design Alex X. Liu The University of Texas at Austin, U.S.A. July 1, 2004 Co-author: Mohamed G. Gouda."— Presentation transcript:

1 1 Diverse Firewall Design Alex X. Liu The University of Texas at Austin, U.S.A. July 1, 2004 Co-author: Mohamed G. Gouda

2 2 Alex X. LiuThe University of Texas at Austin Firewall  It is a sequence of rules to decide to accept or discard any packet.  Example: packet(F1, F2)  Firewall Design is error-prone.

3 3 Alex X. LiuThe University of Texas at Austin How to reduce firewall design errors?  Solution: Diverse Firewall Design  Motived by N-version programming (Avizienis 1977) and back-to-back testing (Vouk 1988)  Differ from N-version programming: only one version deployed  Differ from back-to-back testing: all discrepancies discovered

4 4 Alex X. LiuThe University of Texas at Austin Diverse Firewall Design  Design phase: Same specification given to multiple teams to design firewalls  Comparison phase: Compare multiple firewalls to discover all discrepancies

5 5 Alex X. LiuThe University of Texas at Austin How to compare two firewalls?  Step 1: construct an equivalent ordered FDD for each firewall  Step 2: make two ordered FDDs semi-isomorphic  Step 3: compare two semi-isomorphic FDDs for discrepancies

6 6 Alex X. LiuThe University of Texas at Austin Firewall Decision Diagram (FDD)  Consistency: labels of any two siblings are non-overlapping  Completeness: union of labels of all siblings is the domain of the field F1F1 F2F2 F2F2 ad ad [31,100] [1,30] [41,100] [1,40] [21,100] [1,20]

7 7 Alex X. LiuThe University of Texas at Austin Step 1  Construct an equivalent ordered FDD for each firewall  (An FDD is ordered if the labels along every path in the FDD are consistent with the same total order.)

8 8 Alex X. LiuThe University of Texas at Austin Applying Step 1 F1F1 F2F2 F2F2 ad ad [31,100] [1,30] [1,40] [21,100] [1,20] F1F1 F2F2 a [1,30] [1,20] F1F1 F2F2 ad [1,30] [21,100] [1,20] F1F1 F2F2 F2F2 ad a [31,100] [1,30] [1,40] [21,100] [1,20][41,100] (1) (2) (4)(3)

9 9 Alex X. LiuThe University of Texas at Austin Step 2  Make two ordered FDDs semi-isomorphic  Semi-isomorphic FDDs: exactly same except labels of terminal nodes  Example: make these FDDs semi-isomorphic F1F1 F2F2 ad d [51,100] [1,50] [61,100] [1,60] F1F1 F2F2 F2F2 ad ad [31,100] [1,30] [41,100][1,40][21,100] [1,20]

10 10 Alex X. LiuThe University of Texas at Austin Applying Step 2: F1F1 F2F2 F2F2 ad ad [31,100] [1,30] [1,40] [21,100] [1,20] F1F1 F2F2 ad d [51,100] [1,50] [61,100] [1,60] [41,100] F1F1 F2F2 F2F2 ad ad [51,100] [1,30] [1,40] [21,100] [1,20][41,100] F2F2 ad [1,40] [31,50] F1F1 F2F2 ad d [51,100] [1,30] [61,100] [1,60] F2F2 ad [61,100] [1,60] [31,50]

11 11 Alex X. LiuThe University of Texas at Austin Results of Step 2 F1F1 F2F2 F2F2 ad ad [51,100] [1,30] [1,40] [61,100] [1,20] F2F2 ad [61,100] [1,40] [31,50] dd [41,100] [21,60] [41,60] F1F1 F2F2 F2F2 ad dd [51,100] [1,30] [1,40] [61,100] [1,20] F2F2 ad [61,100] [1,40] [31,50] aa [21,60] [41,60] [41,100]

12 12 Alex X. LiuThe University of Texas at Austin Step 3:  Compare two semi-isomorphic FDDs for discrepancies

13 13 Alex X. LiuThe University of Texas at Austin Applying Step 3: F1F1 F2F2 F2F2 ad ad [51,100] [1,30] [1,40] [61,100] [1,20] F2F2 ad [61,100] [1,40] [31,50] [21,60] [41,60] F1F1 F2F2 F2F2 ad dd [51,100] [1,30] [1,40] [61,100] [1,20] F2F2 ad [61,100] [1,40] [31,50] [21,60] [41,60] [41,100] aa d d

14 14 Alex X. LiuThe University of Texas at Austin Example  1. Design A of firewall:  2. Design B of firewall:  3. Comparison: F1F1 F2F2 ad d [51,100] [1,50] [61,100] [1,60]

15 15 Alex X. LiuThe University of Texas at Austin Experimental Results  Three algorithms implemented in Java JDK 1.4  Experiments carried out on SunBlade 2000 (OS: Solaris 9, CPU:1Ghz, memory: 1 GB)

16 16 Alex X. LiuThe University of Texas at Austin Conclusions  Three contributions: –Propose diverse firewall design method –Present a suite of algorithms to enable diverse firewall design FDD Construction Algorithm FDD Shaping Algorithm FDD Comparison Algorithm method –FDD construction algorithm can be used to convert aconflict infested firewall to a conflict free firewall

Download ppt "1 Diverse Firewall Design Alex X. Liu The University of Texas at Austin, U.S.A. July 1, 2004 Co-author: Mohamed G. Gouda."

Similar presentations

Dynamic Source Routing (DSR) algorithm is simple and best suited for high mobility nodes in wireless ad hoc networks. Due to high mobility in ad-hoc network,

Dynamic Source Routing (DSR) algorithm is simple and best suited for high mobility nodes in wireless ad hoc networks. Due to high mobility in ad-hoc network,
Heng Pan , Hongtao Guan, Junjie Liu (ICT, CAS)

Heng Pan , Hongtao Guan, Junjie Liu (ICT, CAS)
Firewall Query Engine and Firewall Comparison Engine Mohamed Gouda Alex X. Liu Computer Science Department The University of Texas at Austin.

Firewall Query Engine and Firewall Comparison Engine Mohamed Gouda Alex X. Liu Computer Science Department The University of Texas at Austin.
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 20 Slide 1 Critical systems development.

©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 20 Slide 1 Critical systems development.
Experiments on Query Expansion for Internet Yellow Page Services Using Log Mining Summarized by Dongmin Shin Presented by Dongmin Shin User Log Analysis.

Experiments on Query Expansion for Internet Yellow Page Services Using Log Mining Summarized by Dongmin Shin Presented by Dongmin Shin User Log Analysis.
A Ternary Unification Framework for Optimizing TCAM-Based Packet Classification Systems Author: Eric Norige, Alex X. Liu, and Eric Torng Publisher: ANCS.

A Ternary Unification Framework for Optimizing TCAM-Based Packet Classification Systems Author: Eric Norige, Alex X. Liu, and Eric Torng Publisher: ANCS.
Cross-Domain Privacy-Preserving Collaborative Firewall Optimization Fei Chen Computer Science and Engineering Michigan State University Joint work with.

Cross-Domain Privacy-Preserving Collaborative Firewall Optimization Fei Chen Computer Science and Engineering Michigan State University Joint work with.
First Step Towards Automatic Correction of Firewall Policy Faults Fei Chen Alex X. Liu Computer Science and Engineering Michigan State University JeeHyun.

First Step Towards Automatic Correction of Firewall Policy Faults Fei Chen Alex X. Liu Computer Science and Engineering Michigan State University JeeHyun.
Parallelizing the graph isomorphism portion of an automatic reaction mechanism generation algorithm Geoff Oxberry 18.337 Project, Spring 2009.

Parallelizing the graph isomorphism portion of an automatic reaction mechanism generation algorithm Geoff Oxberry Project, Spring 2009.
1 TCAM Razor: A Systematic Approach Towards Minimizing Packet Classifiers in TCAMs Department of Computer Science and Information Engineering National.

1 TCAM Razor: A Systematic Approach Towards Minimizing Packet Classifiers in TCAMs Department of Computer Science and Information Engineering National.
ClearEye: An Visualization System for Document Revision CPSC 533C Project Update Qiang Kong Qixing Zheng.

ClearEye: An Visualization System for Document Revision CPSC 533C Project Update Qiang Kong Qixing Zheng.
Firewall Policy Queries Author: Alex X. Liu, Mohamed G. Gouda Publisher: IEEE Transaction on Parallel and Distributed Systems 2009 Presenter: Chen-Yu Chang.

Firewall Policy Queries Author: Alex X. Liu, Mohamed G. Gouda Publisher: IEEE Transaction on Parallel and Distributed Systems 2009 Presenter: Chen-Yu Chang.
1 Formal Specification and Verification of a Micropayment Protocol Alex X. Liu The University of Texas at Austin, U.S.A. October 13, 2004 Co-author: Mohamed.

1 Formal Specification and Verification of a Micropayment Protocol Alex X. Liu The University of Texas at Austin, U.S.A. October 13, 2004 Co-author: Mohamed.
Firewall Queries Alex X. Liu, Mohamed G. Gouda, The University of Texas at Austin, U.S.A. Huibo Heidi Ma, Anne HH. Ngu Texas State University, U.S.A. December.

Firewall Queries Alex X. Liu, Mohamed G. Gouda, The University of Texas at Austin, U.S.A. Huibo Heidi Ma, Anne HH. Ngu Texas State University, U.S.A. December.
Privacy-Preserving Cross-Domain Network Reachability Quantification

Privacy-Preserving Cross-Domain Network Reachability Quantification
XEngine: A Fast and Scalable XACML Policy Evaluation Engine Fei Chen Dept. of Computer Science and Engineering Michigan State University Joint work with.

XEngine: A Fast and Scalable XACML Policy Evaluation Engine Fei Chen Dept. of Computer Science and Engineering Michigan State University Joint work with.
Department of Computer Sciences The University of Texas at Austin A Secure Cookie Protocol Alex X. Liu Department of Computer Sciences The University of.

Department of Computer Sciences The University of Texas at Austin A Secure Cookie Protocol Alex X. Liu Department of Computer Sciences The University of.
Converting an NFA into an FSA Proving LNFA is a subset of LFSA.

Converting an NFA into an FSA Proving LNFA is a subset of LFSA.
-------------------------------------------------------- university “STRUCTURED FIREWALL” By. Mr. Ganesh N Pathare Mr. Shivram A Popalghat Department Of.

university “STRUCTURED FIREWALL” By. Mr. Ganesh N Pathare Mr. Shivram A Popalghat Department Of.
A Policy-Based Optical VPN Management Architecture.

A Policy-Based Optical VPN Management Architecture.

Similar presentations

Ads by Google