Presentation is loading. Please wait.

Presentation is loading. Please wait.

Firewall Queries Alex X. Liu, Mohamed G. Gouda, The University of Texas at Austin, U.S.A. Huibo Heidi Ma, Anne HH. Ngu Texas State University, U.S.A. December.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Firewall Queries Alex X. Liu, Mohamed G. Gouda, The University of Texas at Austin, U.S.A. Huibo Heidi Ma, Anne HH. Ngu Texas State University, U.S.A. December."— Presentation transcript:

1 Firewall Queries Alex X. Liu, Mohamed G. Gouda, The University of Texas at Austin, U.S.A. Huibo Heidi Ma, Anne HH. Ngu Texas State University, U.S.A. December 16, 2004

2 2Alex X. LiuThe University of Texas at Austin Firewall  It is a sequence of rules to decide to accept or discard any packet.  Example: packet(S, D)  Firewalls are hard to understand and analyze

3 3Alex X. LiuThe University of Texas at Austin Firewall Queries  Examples: -“Which outside computers are not allowed to send emails to the inside email server?” -“Which inside computers can receive BOOTP packets from outside?”  Such queries are useful for firewall analysis, understanding, testing …  Two questions remain: -How to describe a firewall query? -How to process a firewall query?

4 4Alex X. LiuThe University of Texas at Austin Structured Firewall Query Language  Example: select field S from firewall f where (S ∈ {3..6}) ∧ (D ∈ {1}) ∧ (decision=accept}  Find all packets that satisfy the condition, and then project them into the selected field  Meaning of the query: -Which source computers whose addresses are in {3..6} can send packets to a destination whose address is 1?

5 5Alex X. LiuThe University of Texas at Austin Consistent Firewalls  Two rules in a firewall are said to conflict iff they have different decisions and there is at least one packet that matches both rules.  A firewall is consistent iff it has no two rules conflict.  Example: the following firewall is inconsistent because r1 and r2 conflict.

6 6Alex X. LiuThe University of Texas at Austin Query Processing  Processing a query for a consistent firewall can be carried out on the rules of the firewall directly. (Algorithm in paper)  Processing a query for a consistent or inconsistent firewall can be carried out on a “firewall decision diagram” that is equivalent to the firewall (Algorithm in paper)  We discuss an example next.

7 7Alex X. LiuThe University of Texas at Austin Firewall Decision Diagram  Firewall:  Firewall Decision Diagram:  Algorithm to construct an equivalent firewall decision diagram from a firewall is in Liu and Gouda’s “Diverse Firewall Design”, DSN 2004. S D D aa a {1,2,9,10} {4..7} {1..10} {2..5, 9} {6..8} D da {2..9} d {3,8} {1,10}

8 8Alex X. LiuThe University of Texas at Austin First Step of Query Processing  Example: select field S from firewall f where (S ∈ {3..6}) ∧ (D ∈ {1}) ∧ (decision=accept}  First Step: S D D {1,2,9,10} ∩{3..6}=Φ {4..7}∩{3..6}={4,5,6} D {3,8} ∩{3..6}={3} continue stop

9 9Alex X. LiuThe University of Texas at Austin Second Step of Query Processing  Example: select field S from firewall f where (S ∈ {3..6}) ∧ (D ∈ {1}) ∧ (decision=accept}  Second Step: S D {1,2,9,10} ∩{3..6}=Φ {4..7}∩{3..6}={4,5,6} D {3,8} ∩{3..6}={3} continue stop D {2..5, 9}∩{1} = Φ {6..8}∩{1}= Φ{1,10} ∩{1}={1} stop continue

10 10Alex X. LiuThe University of Texas at Austin Third Step of Query Processing  Example: select field S from firewall f where (S ∈ {3..6}) ∧ (D ∈ {1}) ∧ (decision=accept}  Third Step: S D {1,2,9,10} ∩{3..6}=Φ {4..7}∩{3..6}={4,5,6} {3,8} ∩{3..6}={3} stop D {2..5, 9}∩{1} = Φ {6..8}∩{1}= Φ{1,10} ∩{1}={1} stop continue D {2..9} ∩{1}= Φ {1,10} ∩{1}= {1} stopcontinue

11 11Alex X. LiuThe University of Texas at Austin Fourth Step of Query Processing  Example: select field S from firewall f where (S ∈ {3..6}) ∧ (D ∈ {1}) ∧ (decision=accept}  Fourth Step: S D {1,2,9,10} ∩{3..6}=Φ {4..7}∩{3..6}={4,5,6} {3,8} ∩{3..6}={3} stop D {2..5, 9}∩{1} = Φ {6..8}∩{1}= Φ{1,10} ∩{1}={1} stop continue D {2..9} ∩{1}= Φ {1,10} ∩{1}= {1} stop continue a a=accept a

12 12Alex X. LiuThe University of Texas at Austin Fifth Step of Query Processing  Example: select field S from firewall f where (S ∈ {3..6}) ∧ (D ∈ {1}) ∧ (decision=accept}  Fifth Step:  Find the values of field S that results from the intersection in every “continue” path. In first red path, S1={4, 5, 6}. In second red path, S2={3}. So the result of this query = S1 ∪ S2 = {3, 4, 5, 6} S D {1,2,9,10} ∩{3..6}=Φ {4..7}∩{3..6}={4,5,6} {3,8} ∩{3..6}={3} stop D {2..5, 9}∩{1} = Φ {6..8}∩{1}= Φ{1,10} ∩{1}={1} stop continue D {2..9} ∩{1}= Φ {1,10} ∩{1}= {1} stop continue a a=accept a

13 13Alex X. LiuThe University of Texas at Austin Experimental Results  Implemented in Java JDK 1.4  Experiments carried out on SunBlade 2000 (OS: Solaris 9, CPU:1Ghz, Memory: 1 GB)  It takes less than 10 milliseconds to process a query over a firewall that has up 10,000 rules.

14 14Alex X. LiuThe University of Texas at Austin Conclusion  Contributions: -Introduce simple and effective SQL-like firewall query language -Present Firewall Query Theorem as foundation for query processing -Present efficient query processing algorithm using Firewall Decision Diagram

Download ppt "Firewall Queries Alex X. Liu, Mohamed G. Gouda, The University of Texas at Austin, U.S.A. Huibo Heidi Ma, Anne HH. Ngu Texas State University, U.S.A. December."

Similar presentations

Dynamic Source Routing (DSR) algorithm is simple and best suited for high mobility nodes in wireless ad hoc networks. Due to high mobility in ad-hoc network,

Dynamic Source Routing (DSR) algorithm is simple and best suited for high mobility nodes in wireless ad hoc networks. Due to high mobility in ad-hoc network,
Constraint Propagation Algorithms for Temporal Reasoning Marc Vilain, Henry Kautz (AAAI 1986) Presentation by Lin XU March 4, 2002.

Constraint Propagation Algorithms for Temporal Reasoning Marc Vilain, Henry Kautz (AAAI 1986) Presentation by Lin XU March 4, 2002.
Routing in a Parallel Computer. A network of processors is represented by graph G=(V,E), where |V| = N. Each processor has unique ID between 1 and N.

Routing in a Parallel Computer. A network of processors is represented by graph G=(V,E), where |V| = N. Each processor has unique ID between 1 and N.
A Difference Resolution Approach to Compressing Access Control Lists

A Difference Resolution Approach to Compressing Access Control Lists
1 Diverse Firewall Design Alex X. Liu The University of Texas at Austin, U.S.A. July 1, 2004 Co-author: Mohamed G. Gouda.

1 Diverse Firewall Design Alex X. Liu The University of Texas at Austin, U.S.A. July 1, 2004 Co-author: Mohamed G. Gouda.
1 Finding Shortest Paths on Terrains by Killing Two Birds with One Stone Manohar Kaul (Aarhus University) Raymond Chi-Wing Wong (Hong Kong University of.

1 Finding Shortest Paths on Terrains by Killing Two Birds with One Stone Manohar Kaul (Aarhus University) Raymond Chi-Wing Wong (Hong Kong University of.
Firewall Query Engine and Firewall Comparison Engine Mohamed Gouda Alex X. Liu Computer Science Department The University of Texas at Austin.

Firewall Query Engine and Firewall Comparison Engine Mohamed Gouda Alex X. Liu Computer Science Department The University of Texas at Austin.
Complexity class NP Is the class of languages that can be verified by a polynomial-time algorithm. L = { x in {0,1}* | there exists a certificate y with.

Complexity class NP Is the class of languages that can be verified by a polynomial-time algorithm. L = { x in {0,1}* | there exists a certificate y with.
Cross-Domain Privacy-Preserving Collaborative Firewall Optimization Fei Chen Computer Science and Engineering Michigan State University Joint work with.

Cross-Domain Privacy-Preserving Collaborative Firewall Optimization Fei Chen Computer Science and Engineering Michigan State University Joint work with.
First Step Towards Automatic Correction of Firewall Policy Faults Fei Chen Alex X. Liu Computer Science and Engineering Michigan State University JeeHyun.

First Step Towards Automatic Correction of Firewall Policy Faults Fei Chen Alex X. Liu Computer Science and Engineering Michigan State University JeeHyun.
1 TCAM Razor: A Systematic Approach Towards Minimizing Packet Classifiers in TCAMs Department of Computer Science and Information Engineering National.

1 TCAM Razor: A Systematic Approach Towards Minimizing Packet Classifiers in TCAMs Department of Computer Science and Information Engineering National.
Turing Machines (At last!). Designing Universal Computational Devices Was Not The Only Contribution from Alan Turing… Enter the year 1940: The world is.

Turing Machines (At last!). Designing Universal Computational Devices Was Not The Only Contribution from Alan Turing… Enter the year 1940: The world is.
Tries Standard Tries Compressed Tries Suffix Tries.

Tries Standard Tries Compressed Tries Suffix Tries.
C-Perfect Hashing Schemes for Arrays, with Applications to Parallel Memories G. Cordasco 1, A. Negro 1, A. L. Rosenberg 2 and V. Scarano 1 1 Dipartimento.

C-Perfect Hashing Schemes for Arrays, with Applications to Parallel Memories G. Cordasco 1, A. Negro 1, A. L. Rosenberg 2 and V. Scarano 1 1 Dipartimento.
1 Introduction to Computability Theory Lecture12: Decidable Languages Prof. Amos Israeli.

1 Introduction to Computability Theory Lecture12: Decidable Languages Prof. Amos Israeli.
Why the algorithm works! Converting an NFA into an FSA.

Why the algorithm works! Converting an NFA into an FSA.
Firewall Policy Queries Author: Alex X. Liu, Mohamed G. Gouda Publisher: IEEE Transaction on Parallel and Distributed Systems 2009 Presenter: Chen-Yu Chang.

Firewall Policy Queries Author: Alex X. Liu, Mohamed G. Gouda Publisher: IEEE Transaction on Parallel and Distributed Systems 2009 Presenter: Chen-Yu Chang.
1 Formal Specification and Verification of a Micropayment Protocol Alex X. Liu The University of Texas at Austin, U.S.A. October 13, 2004 Co-author: Mohamed.

1 Formal Specification and Verification of a Micropayment Protocol Alex X. Liu The University of Texas at Austin, U.S.A. October 13, 2004 Co-author: Mohamed.
File Systems and Databases

File Systems and Databases
Parallel Routing Bruce, Chiu-Wing Sham. Overview Background Routing in parallel computers Routing in hypercube network –Bit-fixing routing algorithm –Randomized.

Parallel Routing Bruce, Chiu-Wing Sham. Overview Background Routing in parallel computers Routing in hypercube network –Bit-fixing routing algorithm –Randomized.

Similar presentations

Ads by Google