Firewall Policy Queries. Author: Alex X. Liu, Mohamed G. Gouda. Publisher: IEEE Transactions on Parallel and Distributed Systems, 2009. Presenter: Chen-Yu Chang. Date: 2009/5/13


Page 1:

Firewall Policy Queries

Author: Alex X. Liu, Mohamed G. Gouda
Publisher: IEEE Transactions on Parallel and Distributed Systems, 2009
Presenter: Chen-Yu Chang
Date: 2009/5/13

Page 2:

Outline

Introduction

Formal Definitions

Structured Firewall Query Language

Firewall Query Processing

Firewall Query Post Processing

Firewall Query Algebra

Experiment Results

Page 3:

Introduction (1/3)

Firewalls are crucial elements in network security. The function of a firewall is to examine each incoming and outgoing packet and decide whether to accept or discard it, based on the firewall's policy.

An error in a firewall policy means that some illegitimate packets are identified as being legitimate, or some legitimate packets are identified as being illegitimate.

Page 4:

Introduction (2/3)

A policy error either creates security holes or disrupts normal business processes.

An effective way to detect design errors in a firewall is to issue firewall queries and check whether the answers to the queries are consistent with the firewall's specification.

Page 5:

Introduction (3/3)

To make firewall queries practically useful, two problems need to be solved: how to describe a firewall query and how to process a firewall query.

In this paper, we present solutions to both problems. First, we introduce a simple and effective SQL-like query language, called the Structured Firewall Query Language (SFQL), for describing firewall queries.

Second, we present a theorem, called the Firewall Query Theorem, as the foundation for developing two firewall query processing algorithms: the rule-based and the FDD-based firewall query processing algorithms.


Page 7:

Formal Definitions (1/4)

In a relational database, each field of a tuple has a fixed value, but each field of a rule in a firewall is a range, not a fixed value.

A field Fi is a variable whose domain, denoted D(Fi), is a finite interval of nonnegative integers.

A packet over the d fields F1, ..., Fd is a d-tuple (p1, ..., pd), where each pi (1 ≤ i ≤ d) is an element of D(Fi).

We use Σ to denote the set of all packets over fields F1, ..., Fd, so that |Σ| = |D(F1)| × ... × |D(Fd)|.

Page 8:

Formal Definitions (2/4)

A firewall rule has the form <predicate> → <decision>.

Example: F1∈S1 ∧ F2∈S2 → α

A packet (p1, ..., pd) matches a predicate F1∈S1 ∧ ... ∧ Fd∈Sd (and the corresponding rule) if and only if the condition p1∈S1 ∧ ... ∧ pd∈Sd holds.

For any i, if Si = D(Fi), we often use the keyword all to denote Si.

Page 9:

Formal Definitions (3/4)

A firewall f over the d fields F1, ..., Fd is a sequence of firewall rules. The size of f, denoted |f|, is the number of rules in f.

To ensure that a firewall is complete, the predicate of the last rule in a firewall is usually specified as F1∈D(F1) ∧ ... ∧ Fd∈D(Fd), which every packet matches.

Conflict: two rules overlap if at least one packet matches both of them; two rules conflict if they overlap and have different decisions.

To resolve such conflicts, firewalls typically employ a first-match resolution strategy: the decision for a packet is the decision of the first rule it matches.

The decision that firewall f makes for packet p is denoted f(p).

Page 10:

Formal Definitions (4/4)

We can think of a firewall f as defining a many-to-one mapping function from Σ to α, where α denotes the set of possible decisions (e.g., {accept, discard}).

Two firewalls f1 and f2 are equivalent, denoted f1 ≡ f2, if and only if they define the same mapping function from Σ to α, that is, for any packet p∈Σ, we have f1(p) = f2(p).


Page 12:

Query Language (1/2)

A query, denoted Q, in our Structured Firewall Query Language (SFQL) is of the following format: a select clause naming one field Fi, a from clause naming the firewall f, and a where clause that is a conjunction of one set per field plus a decision:

select Fi from f where (F1∈S1) ∧ ... ∧ (Fd∈Sd) ∧ (decision = <dec>)

The result of query Q, denoted Q.result, is the following set:

Q.result = { pi | (p1, ..., pd) ∈ Σ, (p1∈S1) ∧ ... ∧ (pd∈Sd), and f((p1, ..., pd)) = <dec> }

Page 13:

Query Language (2/2)

Example queries:

Which computers whose addresses are in the set [4, 8] can send packets to the computer whose address is 6? The result of this query is {4, 5, 6, 7}.

Which computers cannot send packets to the computer whose address is 6? The result of this query is {3, 8}.

Page 14:

Firewall query examples

In these examples, we assume each packet has the following five fields: I (Interface), S (Source IP), D (Destination IP), N (Destination Port), and P (Protocol Type).


Page 16:

Theory Foundation (1/4)

A firewall is consistent if and only if no two rules in the firewall conflict.

In this section, we discuss how to process a firewall query for consistent firewalls.

(Figure: an inconsistent firewall and its equivalent consistent firewall.)

Page 17:

Theory Foundation (2/4)

Our interest in consistent firewalls is twofold. First, each inconsistent firewall can be converted to an equivalent consistent firewall.

Second, as shown in the following theorem, it is easier to process queries for consistent firewalls than for inconsistent ones.

(Figure: an inconsistent firewall and its equivalent consistent firewall.)

Page 18:

Theory Foundation (3/4)

Theorem 1 (Firewall Query Theorem). Let Q be a query of the following form:

select Fi from f where (F1∈S1) ∧ ... ∧ (Fd∈Sd) ∧ (decision = <dec>)

Also let f be a consistent firewall that consists of n rules r1, ..., rn, where each rule rj is of the form (F1∈S1') ∧ ... ∧ (Fd∈Sd') → <dec'>. Then:

Q.result = Q.r1 ∪ Q.r2 ∪ ... ∪ Q.rn

where each Q.rj is defined using rj as follows:

Q.rj = Si ∩ Si'  if (S1∩S1' ≠ ∅) ∧ ... ∧ (Sd∩Sd' ≠ ∅) ∧ (<dec> = <dec'>)
Q.rj = ∅         otherwise

Consistency is what makes the union correct: in a consistent firewall no packet is matched by two rules with different decisions, so a rule that overlaps the query and carries the queried decision is the rule that actually decides those packets.

Page 19:

Theory Foundation (4/4)

Example: for each rule rj of a six-rule consistent firewall, intersect the query's sets S1, S2 with the rule's sets S1', S2' and compare the decisions.

Q.r1 = {4, 5, 6, 7}, Q.r2 = ∅, Q.r3 = ∅, Q.r4 = ∅, Q.r5 = ∅, Q.r6 = ∅

Q.result = Q.r1 ∪ ... ∪ Q.r6 = {4, 5, 6, 7}

Page 20:

Rule-Based Firewall Query Processing
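
The following Python is an added example, not code from the paper or these slides. It implements both query semantics above over a constructed two-field firewall: query_by_definition computes Q.result by enumerating Σ, and query_by_theorem is the rule-based algorithm that applies the Firewall Query Theorem rule by rule. The fields, domains, firewalls, queries and decision names are constructed for illustration. is_consistent checks the theorem's precondition, and the deliberately inconsistent firewall shows why it matters: over overlapping rules with different decisions the rule-by-rule union over-approximates the true (first-match) result.

```python
from itertools import product

# Constructed example: two fields, S (source) and D (destination), D(F) = [0, 9].
# A rule is (predicate, decision); the predicate maps every field to its set S_i.
FIELDS = ("S", "D")
DOMAIN = {"S": frozenset(range(10)), "D": frozenset(range(10))}

def rng(lo, hi):
    """The integer interval [lo, hi] as a set."""
    return frozenset(range(lo, hi + 1))

def matches(pred, packet):
    """p matches F1∈S1 ∧ ... ∧ Fd∈Sd iff every field value lies in its set."""
    return all(packet[f] in pred[f] for f in FIELDS)

def decide(firewall, packet):
    """f(p) under first-match resolution; the last rule is expected to match all."""
    for pred, dec in firewall:
        if matches(pred, packet):
            return dec
    raise ValueError("incomplete firewall: no rule matches %r" % (packet,))

def query_by_definition(firewall, select, where, dec):
    """Q.result as defined: enumerate Σ and keep the selected field of every
    packet that satisfies the where clause and receives decision dec."""
    result = set()
    for values in product(*(sorted(DOMAIN[f]) for f in FIELDS)):
        p = dict(zip(FIELDS, values))
        if matches(where, p) and decide(firewall, p) == dec:
            result.add(p[select])
    return result

def query_by_theorem(firewall, select, where, dec):
    """Rule-based processing via the Firewall Query Theorem:
    Q.result = ∪_j Q.r_j, with Q.r_j = S_i ∩ S_i' when every S_k ∩ S_k' ≠ ∅
    and <dec> = <dec'>, else ∅. Correct only for a consistent firewall."""
    result = set()
    for pred, rule_dec in firewall:
        if rule_dec == dec and all(where[f] & pred[f] for f in FIELDS):
            result |= where[select] & pred[select]
    return result

def is_consistent(firewall):
    """Consistent iff no two rules overlap while carrying different decisions."""
    for i, (pa, da) in enumerate(firewall):
        for pb, db in firewall[i + 1:]:
            if da != db and all(pa[f] & pb[f] for f in FIELDS):
                return False
    return True

# A consistent (nonoverlapping, complete) firewall.
CONSISTENT = [
    ({"S": rng(4, 7), "D": rng(6, 8)}, "accept"),
    ({"S": rng(4, 7), "D": rng(0, 5) | rng(9, 9)}, "discard"),
    ({"S": rng(0, 3) | rng(8, 9), "D": DOMAIN["D"]}, "discard"),
]

# An inconsistent firewall: r1 and r2 overlap with different decisions,
# and first-match gives r1 priority.
INCONSISTENT = [
    ({"S": rng(6, 7), "D": rng(6, 8)}, "discard"),
    ({"S": rng(4, 7), "D": rng(6, 8)}, "accept"),
    ({"S": DOMAIN["S"], "D": DOMAIN["D"]}, "discard"),
]

# select S from f where S∈[4,8] ∧ D∈{6} ∧ decision = accept
Q1 = ("S", {"S": rng(4, 8), "D": rng(6, 6)}, "accept")
# select S from f where S∈all ∧ D∈{6} ∧ decision = discard
Q2 = ("S", {"S": DOMAIN["S"], "D": rng(6, 6)}, "discard")

if __name__ == "__main__":
    for name, fw in (("consistent", CONSISTENT), ("inconsistent", INCONSISTENT)):
        print(name, "is_consistent =", is_consistent(fw))
        for q in (Q1, Q2):
            print("  definition:", sorted(query_by_definition(fw, *q)),
                  " theorem:", sorted(query_by_theorem(fw, *q)))
```

On the consistent firewall both methods agree (Q1 gives {4, 5, 6, 7}, Q2 gives {0, 1, 2, 3, 8, 9}). On the inconsistent one, Q1 by definition is {4, 5}, because sources 6 and 7 are discarded by the earlier rule r1, while the theorem formula returns {4, 5, 6, 7}; this is the case the paper handles by first converting the firewall to an equivalent consistent one.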

Page 21:

FDD-Based Firewall Query Processing Algorithm (1/7)

Multiple rules in a consistent firewall may share the same prefix.

For instance, if we process a query whose where clause contains the conjunct S∈{3} over the firewall in Fig. 3, the rule-based algorithm repeats the calculation {3} ∩ [4, 7] three times, once for each rule whose predicate begins with S∈[4, 7].

Page 22:

FDD-Based Firewall Query Processing Algorithm (2/7)

Clearly, if we reduce the number of these repeated calculations, the efficiency of the firewall query processing algorithm can be greatly improved.

We now present a more efficient firewall query processing algorithm that has no repeated calculations and can be applied to both consistent and inconsistent firewalls.

Page 23:

FDD-Based Firewall Query Processing Algorithm (3/7)

The basic idea of this query processing algorithm is as follows. First, convert the firewall (whether consistent or inconsistent) that we want to query to an equivalent firewall decision diagram (FDD); the resulting FDD is a consistent and compact representation of the original firewall.

Second, run the FDD-based firewall query processing algorithm on that diagram.

Page 24:

FDD-Based Firewall Query Processing Algorithm (4/7)

Definition 1 (FDD). A Firewall Decision Diagram (FDD) f over fields F1, ..., Fd is an acyclic directed graph with the following five properties:

1) There is exactly one root node (the node with no incoming edges); the terminal nodes are the nodes with no outgoing edges.

2) Each node v has a label, denoted F(v): F(v) ∈ {F1, ..., Fd} if v is a nonterminal node, and F(v) ∈ α (a decision) if v is a terminal node.

3) Each edge e leaving a node v has a label, denoted I(e), which is a nonempty subset of D(F(v)).

4) A directed path in f from the root to a terminal node is called a decision path of f. No two nodes on a decision path have the same label.

5) The set of all outgoing edges of a node v in f, denoted E(v), satisfies the following two conditions: consistency, I(e) ∩ I(e') = ∅ for any two distinct edges e, e' in E(v); and completeness, the union of I(e) over all e in E(v) equals D(F(v)).

Page 25:

FDD-Based Firewall Query Processing Algorithm (5/7)

A full-length ordered FDD is an FDD in which every decision path contains all d fields, and the fields appear in the same order on every decision path.

Each decision path (v1 e1 v2 ... vk ek vk+1) defines the rule (F(v1)∈I(e1)) ∧ ... ∧ (F(vk)∈I(ek)) → F(vk+1). Let Sf denote the firewall consisting of all these rules.

For any packet p, there is one and only one rule in Sf that p matches, because of the consistency and completeness properties.

The order of the rules in such a firewall is immaterial because the rules in Sf are nonoverlapping.

Page 26:

FDD-Based Firewall Query Processing Algorithm (6/7)

Given a sequence of rules, we can construct an equivalent FDD using the FDD construction algorithm in [32]: start with the decision path of the first rule, then add each subsequent rule with APPEND(v, r), which creates new edges only for the values not already covered by existing edges (so earlier rules keep their priority, as under first-match) and splits an edge that the rule covers only partly.

(Figure: running APPEND(v, r2) on the partial FDD built from r1. Node labels S and D; edge labels [4, 7], [6, 8], [3, 3], [8, 8], [2, 9], [2, 5], [9, 9]; terminal decisions a and d.)

Page 27:

FDD-Based Firewall Query Processing Algorithm (7/7)

(Figure: the FDD-based firewall query processing algorithm.)

Page 28:

Efficient FDD Reduction Using Hashing (1/2)

A full-length ordered FDD is reduced if and only if no two nodes are isomorphic and no two nodes have more than one edge between them.

Isomorphic: two nodes v and v' in an FDD are isomorphic if and only if either

1) both v and v' are terminal nodes with identical labels, or

2) both v and v' are nonterminal nodes and there is a one-to-one correspondence between their outgoing edges such that corresponding edges have identical labels and point to the same node.

Page 29:

Efficient FDD Reduction Using Hashing (2/2)

We use a more efficient FDD reduction algorithm that processes the nodes level by level, from the terminal nodes up to the root node. Each node is assigned a signature: for a terminal node, h(F(v)); for a nonterminal node, h applied to its outgoing edge labels together with the signatures of the nodes those edges point to. Two nodes with equal signatures are isomorphic and are merged.

Here h is a one-way and collision-resistant hash function such as MD5 [39] and SHA-1 [13]. (Caveat: both MD5 and SHA-1 have since been shown not to be collision resistant. A current implementation should use SHA-256 or compare node structure directly, because a collision between the signatures of two non-isomorphic nodes would merge them and silently change the FDD's decision function.)
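
The following Python is an added example, not code from the paper or these slides. It performs the bottom-up, signature-driven reduction just described, using hashlib's SHA-256 in place of the MD5 or SHA-1 named on the slide. The FDD literal and its node/edge encoding are constructed for illustration: two structurally identical D subtrees hang off the root S node, so reduction should merge them and then fold the root's two parallel edges into a single edge, which is the second condition in the definition of a reduced FDD.

```python
import hashlib
from itertools import product

def rng(lo, hi):
    return frozenset(range(lo, hi + 1))

def terminal(dec):
    return {"decision": dec}

def node(field, edges):
    return {"field": field, "edges": [[lbl, child] for lbl, child in edges]}

def reduce_fdd(n, table=None):
    """Reduce bottom-up. Children are reduced first, parallel edges to the same
    (reduced) child are folded into one edge, then the node's signature is
    looked up: an isomorphic node seen earlier replaces this one."""
    if table is None:
        table = {}
    if "decision" in n:
        key = ("terminal", n["decision"])
    else:
        by_child = {}                              # child signature -> [label, child]
        for lbl, child in n["edges"]:
            child = reduce_fdd(child, table)
            if child["sig"] in by_child:
                by_child[child["sig"]][0] |= lbl   # at most one edge per child
            else:
                by_child[child["sig"]] = [lbl, child]
        n["edges"] = list(by_child.values())
        key = (n["field"],
               tuple(sorted((tuple(sorted(lbl)), c["sig"]) for lbl, c in n["edges"])))
    # Signature: hash of the decision (terminal) or of the field, edge labels and
    # child signatures (nonterminal); SHA-256 rather than MD5/SHA-1.
    n["sig"] = hashlib.sha256(repr(key).encode()).hexdigest()
    return table.setdefault(n["sig"], n)

def count_nodes(n, seen=None):
    """Distinct nodes reachable from n (shared nodes counted once)."""
    seen = set() if seen is None else seen
    if id(n) in seen:
        return 0
    seen.add(id(n))
    return 1 + sum(count_nodes(c, seen) for _, c in n.get("edges", []))

def fdd_decide(n, packet):
    while "decision" not in n:
        value = packet[n["field"]]
        n = next(c for lbl, c in n["edges"] if value in lbl)
    return n["decision"]

def example_fdd():
    """Constructed full-length FDD over S, D in [0, 9] with two isomorphic D subtrees."""
    def d_subtree():
        return node("D", [(rng(0, 4), terminal("accept")), (rng(5, 9), terminal("discard"))])
    return node("S", [(rng(0, 4), d_subtree()), (rng(5, 9), d_subtree())])

def same_function(f1, f2):
    """Reduction must not change the decision of any packet in Σ."""
    return all(fdd_decide(f1, {"S": s, "D": d}) == fdd_decide(f2, {"S": s, "D": d})
               for s, d in product(range(10), range(10)))

if __name__ == "__main__":
    original, reduced = example_fdd(), reduce_fdd(example_fdd())
    print("nodes before:", count_nodes(original), "after:", count_nodes(reduced))
    print("root edges after:", [sorted(lbl) for lbl, _ in reduced["edges"]])
    print("same decision function:", same_function(original, reduced))
```

The tree starts with seven nodes; after reduction four remain (root, one D node, one accept and one discard terminal) and the root carries a single edge labelled [0, 9]. The final check walks every packet through both diagrams, which is the property a collision would break.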

Page 30:

Complexity Analysis of Firewall Query Processing Algorithm (1/2)

Complexity of the Rule-Based Firewall Query Processing Algorithm: given a firewall with n rules where each rule examines d packet fields, its equivalent consistent firewall will have O(n^d) rules.

Therefore, the Rule-Based Firewall Query Processing Algorithm's complexity is O(n^(d+1)).

Page 31:

Complexity Analysis of Firewall Query Processing Algorithm (2/2)

Complexity of the FDD-Based Firewall Query Processing Algorithm: every nonterminal node in a reduced FDD has at most 2n − 1 outgoing edges, so finding the right outgoing edge to traverse takes O(log n) time using binary search.

Let k be the total number of decision paths that a query overlaps on an FDD. The processing time for the query is O(k · d · log n). Note that k is typically small.


Page 33:

Firewall Query Post Processing (1/2)

In fact, the select clause in a query can be extended to have more than one field.

However, when the select clause in a query has more than one field, the query result may contain many disjoint multidimensional predicates.

Page 34:

Firewall Query Post Processing (2/2)

To make the query result easier for firewall administrators to read, we next present an algorithm to minimize the number of predicates: build a partial FDD from the predicates in the result and apply the FDD reduction algorithm to it.

(Figure: the FDD reduction algorithm applied to a partial FDD.)


Page 36:

Firewall Query Algebra <Union> <Intersect>

Union: (figure)

Intersect: (figure)

Page 37:

Firewall Query Algebra <Minus>

Minus: to compute A1 − A2, first construct a partial FDD from A2.

Second, append the predicate of A1, here S∈[6, 9] ∧ D∈[4, 7], to this partial FDD. The decision paths that the append creates, i.e., the packets of A1 not already covered by A2, are A1 − A2.
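
The following Python is an added example, not code from the paper or these slides. It implements the FDD construction by APPEND described on pages 23 to 27, the FDD-based query processing whose cost page 31 analyses, and the Minus operation above: minus() builds the partial FDD from A2 and appends A1, the two steps listed, and returns the decision paths the append created. The fields, domains, firewall, decision names and the node/edge dictionary encoding are constructed for illustration; the firewall is deliberately inconsistent (r1 and r2 overlap with different decisions) so that the FDD, unlike a naive rule-by-rule union, gives the first-match answer.

```python
from copy import deepcopy
from itertools import product

# Constructed two-field example (not the paper's Fig. 3): S and D over [0, 9].
FIELDS = ("S", "D")
DOMAIN = {"S": frozenset(range(10)), "D": frozenset(range(10))}

def rng(lo, hi):
    return frozenset(range(lo, hi + 1))

# Nodes: nonterminal {"field": F(v), "edges": [[I(e), child], ...]}, terminal
# {"decision": dec}. A fresh path uses the rule's own sets; the diagram becomes
# complete once the final all-matching rule has been appended.
def path(fields, pred, dec):
    if not fields:
        return {"decision": dec}
    return {"field": fields[0], "edges": [[pred[fields[0]], path(fields[1:], pred, dec)]]}

def append(node, fields, pred, dec):
    """APPEND(v, r): values already covered by existing edges keep their earlier
    decision (first-match); only uncovered values get new edges, and an edge the
    rule covers only partly is split into an outside part and a refined copy."""
    f, rest = fields[0], fields[1:]
    old_edges = list(node["edges"])
    uncovered = pred[f] - frozenset().union(*(lbl for lbl, _ in old_edges))
    if uncovered:
        node["edges"].append([uncovered, path(rest, pred, dec)])
    if not rest:
        return
    for edge in old_edges:
        lbl, child = edge
        common = lbl & pred[f]
        if not common:
            continue
        if lbl <= pred[f]:
            append(child, rest, pred, dec)
        else:
            twin = deepcopy(child)
            edge[0] = lbl - common
            node["edges"].append([common, twin])
            append(twin, rest, pred, dec)

def build_fdd(firewall):
    """Equivalent FDD of a first-match firewall whose last rule matches all."""
    root = path(FIELDS, *firewall[0])
    for pred, dec in firewall[1:]:
        append(root, FIELDS, pred, dec)
    return root

def fdd_decide(node, packet):
    while "decision" not in node:
        value = packet[node["field"]]
        node = next(c for lbl, c in node["edges"] if value in lbl)
    return node["decision"]

def decision_paths(node, prefix=None):
    """The nonoverlapping rule set S_f: one rule per decision path."""
    prefix = prefix or {}
    if "decision" in node:
        return [(dict(prefix), node["decision"])]
    return [r for lbl, c in node["edges"]
            for r in decision_paths(c, {**prefix, node["field"]: lbl})]

def fdd_query(node, select, where, dec, selected=None):
    """FDD-based query processing: follow only edges that overlap the where
    clause; a terminal with decision dec contributes the select field's values."""
    if "decision" in node:
        return set(selected) if node["decision"] == dec else set()
    result = set()
    for lbl, child in node["edges"]:
        common = lbl & where[node["field"]]
        if common:
            result |= fdd_query(child, select, where, dec,
                                common if node["field"] == select else selected)
    return result

def minus(a1, a2):
    """A1 - A2: partial FDD from the A2 predicates (decision "a2"), then append
    the A1 predicates with decision "a1"; the "a1" paths are A1 minus A2."""
    root = path(FIELDS, a2[0], "a2")
    for pred in a2[1:]:
        append(root, FIELDS, pred, "a2")
    for pred in a1:
        append(root, FIELDS, pred, "a1")
    return {tuple(p[f] for f in FIELDS) for p, d in decision_paths(root) if d == "a1"}

def equivalent(fdd, firewall):
    """f ≡ FDD: same decision as first-match evaluation for every packet in Σ."""
    for values in product(*(sorted(DOMAIN[f]) for f in FIELDS)):
        p = dict(zip(FIELDS, values))
        first = next(d for pr, d in firewall if all(p[f] in pr[f] for f in FIELDS))
        if fdd_decide(fdd, p) != first:
            return False
    return True

# Inconsistent first-match firewall: r1 and r2 overlap with different decisions.
FIREWALL = [({"S": rng(6, 7), "D": rng(6, 8)}, "discard"),
            ({"S": rng(4, 7), "D": rng(6, 8)}, "accept"),
            ({"S": DOMAIN["S"], "D": DOMAIN["D"]}, "discard")]
```

build_fdd(FIREWALL) yields five decision paths, which are the rules of the equivalent consistent firewall Sf, and equivalent() confirms the diagram decides every packet exactly as first-match does. fdd_query over it with the where clause S∈[4, 8] ∧ D∈{6} and decision accept returns {4, 5}, since sources 6 and 7 are discarded by r1. minus([S∈[6, 9] ∧ D∈[4, 7]], [S∈[4, 7] ∧ D∈[6, 8]]) returns the two predicates S∈[8, 9] ∧ D∈[4, 7] and S∈[6, 7] ∧ D∈[4, 5], one per decision path the append created.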


Page 39:

Experiment Results (1/2)

Page 40:

Experiment Results (2/2)