
Department of Computer Sciences

The University of Texas at Austin

Complete Redundancy Detection in Firewalls

Alex X. Liu

Department of Computer Sciences, The University of Texas at Austin

Co-author: Mohamed G. Gouda


Firewall Basics

A firewall connects a private network and the outside Internet such that all incoming and outgoing packets have to pass through it.

Function: maps every packet to a decision.

This function is specified by a sequence of rules.

[Figure: the rest of the Internet on one side, a private network on the other, and a firewall (a Cisco router with interfaces 0 and 1) in between.]


Firewall Example

[Figure: the Internet on interface 0 of the firewall (gateway router); a private network with a mail server, host 1 and host 2 on interface 1.]

Interface  Source IP        Dest. IP     Dest. Port  Protocol  Decision
0          malicious hosts  any          any         any       discard
0          any              mail server  25          TCP       accept
any        any              any          any         any       accept

Resolving conflicts: first match.

Firewalls often have redundant rules.


Redundant Rules (Upward)

A rule in a firewall is redundant iff eliminating the rule does not change the function of the firewall.

A rule r in a firewall is upward redundant iff there is no packet whose first matching rule is r.

Example: rule r3 is redundant (upward redundant).

r1 : F ∈ [1, 50] → accept
r2 : F ∈ [40, 90] → discard
r3 : F ∈ [30, 60] → accept
r4 : F ∈ [51, 100] → discard

[Figure: the four intervals drawn on the number line 1..100. Every packet in [30, 60] is already matched by r1 or r2, so r3 is never the first matching rule.]


Redundant Rules (Downward)

A rule r in a firewall is downward redundant iff for each packet whose first matching rule is r, the first matching rule below r has the same decision as r.

Once r3 has been removed, rule r2 becomes redundant (downward redundant).

r1 : F ∈ [1, 50] → accept
r2 : F ∈ [40, 90] → discard
r4 : F ∈ [51, 100] → discard

[Figure: the three intervals drawn on the number line 1..100. The packets in [51, 90] whose first match is r2 are all discarded by r4 as well.]


Redundant Rules Hurt Firewall Performance

Packet classification algorithms map a packet to a decision using data structures built from the firewall rules.

Software-based packet classification algorithms need either O(n^d) space and O(log n) time, or O(n) space and O((log n)^(d-1)) time (n: number of rules, d: number of fields). On-chip cache is limited.

Hardware-based packet classification algorithms (TCAM: Ternary Content Addressable Memory) need O(n) space and constant time, but a TCAM consumes too much power as n increases.


Matching Set vs. Resolving Set

Let f be any firewall that consists of n rules ⟨r1, r2, …, rn⟩. The matching set M(ri) of rule ri is the set of all packets that match ri. The resolving set R(ri, f) of rule ri in f is the set of all packets that match ri but do not match any rule listed before ri in f.

r1 : F ∈ [1, 50] → accept
  M(r1) = R(r1, f) = [1, 50]
r2 : F ∈ [40, 90] → discard
  M(r2) = [40, 90], R(r2, f) = [40, 90] - [1, 50] = [51, 90]
r3 : F ∈ [30, 60] → accept
  M(r3) = [30, 60], R(r3, f) = [30, 60] - [40, 90] - [1, 50] = ∅
r4 : F ∈ [51, 100] → discard
  M(r4) = [51, 100], R(r4, f) = [51, 100] - [30, 60] - [40, 90] - [1, 50] = [91, 100]

[Figure: the four intervals drawn on the number line 1..100 with their decisions.]


Redundancy Theorem

A rule ri is redundant in f iff:
(1) R(ri, f) = ∅, or
(2) R(ri, f) ≠ ∅, and for any packet p in R(ri, f), ⟨ri+1, ri+2, …, rn⟩(p) yields the same decision as that of ri.

ri is upward redundant iff (1).
ri is downward redundant iff (2).

We need to calculate R(ri, f): Firewall Decision Trees.
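The definitions of M(r), R(r, f) and the two conditions of the theorem, as an added example that is not part of the slides or of Liu and Gouda's own implementation. It works on the one-field example above by brute force over the discrete domain [1, 100] (an assumption of this example; the slides only draw intervals), evaluating the firewall with first-match semantics on every packet, so it doubles as a ground-truth oracle for the theorem. Rule names and intervals are the slides'; the function names are this example's own.

```python
# Added example (not from the slides): first-match firewall semantics on one
# integer field F over [1, 100], used to compute the matching set M(r), the
# resolving set R(r, f) and the two redundancy conditions by brute force over
# every packet. Rule names and intervals are the slides' example; the function
# names and the discrete domain are this example's own assumptions.

DOMAIN = range(1, 101)  # the slides' field F ranges over [1, 100]

# A rule is (name, lo, hi, decision), read as "F in [lo, hi] -> decision".
SLIDE_FIREWALL = [
    ("r1", 1, 50, "accept"),
    ("r2", 40, 90, "discard"),
    ("r3", 30, 60, "accept"),
    ("r4", 51, 100, "discard"),
]


def first_match(firewall, packet):
    """First-match semantics: the first rule whose interval contains packet."""
    for rule in firewall:
        _, lo, hi, _ = rule
        if lo <= packet <= hi:
            return rule
    return None


def decide(firewall, packet):
    """The firewall function: a decision, or None if no rule matches."""
    rule = first_match(firewall, packet)
    return None if rule is None else rule[3]


def matching_set(rule):
    """M(r): every packet that matches r, regardless of rule order."""
    _, lo, hi, _ = rule
    return {p for p in DOMAIN if lo <= p <= hi}


def resolving_set(firewall, index):
    """R(r_i, f): packets that match r_i and no rule listed before it."""
    packets = matching_set(firewall[index])
    for earlier in firewall[:index]:
        packets -= matching_set(earlier)
    return packets


def is_upward_redundant(firewall, index):
    """Theorem condition (1): no packet resolves to r_i."""
    return not resolving_set(firewall, index)


def is_downward_redundant(firewall, index):
    """Theorem condition (2): R(r_i, f) is non-empty and the rules below r_i
    give every packet in it the same decision r_i gives."""
    resolving = resolving_set(firewall, index)
    if not resolving:
        return False
    below = firewall[index + 1:]
    decision = firewall[index][3]
    # A packet matched by nothing below counts as a changed outcome: dropping
    # r_i would leave it undecided rather than decided by r_i.
    return all(decide(below, p) == decision for p in resolving)


def is_redundant(firewall, index):
    return is_upward_redundant(firewall, index) or is_downward_redundant(firewall, index)


def function_unchanged(firewall, index):
    """Ground truth for the theorem: is the firewall function the same on
    every packet once rule `index` is dropped?"""
    without = firewall[:index] + firewall[index + 1:]
    return all(decide(firewall, p) == decide(without, p) for p in DOMAIN)


def remove_redundant(firewall):
    """Drop redundant rules one at a time, rescanning after each removal:
    r2 in the slides' example is redundant only once r3 is gone, and removing
    a rule can also change the status of rules above it."""
    rules = list(firewall)
    i = 0
    while i < len(rules):
        if is_redundant(rules, i):
            del rules[i]
            i = 0
        else:
            i += 1
    return [rule[0] for rule in rules]
```

On the slides' four rules this reproduces R(r2, f) = [51, 90], R(r3, f) = ∅ and R(r4, f) = [91, 100], flags only r3 as redundant, and agrees with function_unchanged on every rule. Note that r2 is not downward redundant while r3 is still present (packets in [51, 60] would fall through to r3 and be accepted); it becomes redundant only after r3 is removed, which is why remove_redundant re-checks after each deletion rather than deleting every rule flagged in one pass. Two rules that are each redundant on their own (say, two identical rules) may not both be removable at once.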


Firewall Decision Trees (FDTs)

[Figure: an FDT with root F1. The edge labelled [1,19] ∪ [51,100] leads to an F2 node whose single edge [1,100] leads to decision d. The edge labelled [20,50] leads to an F2 node with edges [1,34] → d, [35,65] → a and [66,100] → d.]

Consistency: for any two outgoing edges of a node, their labels are non-overlapping.

Completeness: the union of the labels of all the outgoing edges of a node is the domain of the label of that node.

A decision path in an FDT defines a rule. Example: F1 ∈ [1,19] ∪ [51,100] ∧ F2 ∈ [1,100] → d
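An added example, not from the slides, of the two structural properties just defined and of reading rules off decision paths. The tree encoded below is the one in the slide's figure; the nested-tuple encoding, the ASCII rule syntax and the function names are this example's own assumptions.

```python
# Added example (not from the slides): a small encoding of a firewall decision
# tree with the two structural checks the slide defines (consistency and
# completeness) and the conversion of each decision path into a rule. The
# tree below is the slide's figure; the node/edge encoding, the ASCII rule
# syntax and the function names are this example's own assumptions.

DOMAIN = (1, 100)  # every field in the slides ranges over [1, 100]

# A non-leaf node is (field, [(label, child), ...]) where a label is a list of
# disjoint (lo, hi) intervals; a leaf is the decision string itself.
SLIDE_FDT = (
    "F1", [
        ([(1, 19), (51, 100)], ("F2", [([(1, 100)], "d")])),
        ([(20, 50)], ("F2", [([(1, 34)], "d"),
                             ([(35, 65)], "a"),
                             ([(66, 100)], "d")])),
    ],
)


def is_leaf(node):
    return isinstance(node, str)


def overlaps(label_a, label_b):
    """True when some value lies in an interval of both labels."""
    return any(max(alo, blo) <= min(ahi, bhi)
               for alo, ahi in label_a for blo, bhi in label_b)


def consistent(node):
    """Consistency: no two outgoing edges of any node share a value."""
    if is_leaf(node):
        return True
    _, edges = node
    for i, (label_i, _) in enumerate(edges):
        if any(overlaps(label_i, label_j) for label_j, _ in edges[i + 1:]):
            return False
    return all(consistent(child) for _, child in edges)


def complete(node, domain=DOMAIN):
    """Completeness: the labels of a node's outgoing edges together cover the
    whole domain (overlaps are tolerated here; consistency is a separate check)."""
    if is_leaf(node):
        return True
    _, edges = node
    reach = domain[0] - 1  # largest value covered so far, scanning left to right
    for lo, hi in sorted(iv for label, _ in edges for iv in label):
        if lo < domain[0] or hi > domain[1] or lo > reach + 1:
            return False  # the label leaves the domain, or a gap precedes it
        reach = max(reach, hi)
    if reach < domain[1]:
        return False
    return all(complete(child, domain) for _, child in edges)


def decision_paths(node, prefix=()):
    """Every root-to-leaf path as a rule: (((field, label), ...), decision)."""
    if is_leaf(node):
        return [(prefix, node)]
    field, edges = node
    rules = []
    for label, child in edges:
        rules.extend(decision_paths(child, prefix + ((field, tuple(label)),)))
    return rules


def format_rule(rule):
    """ASCII rendering of a path rule, e.g. 'F1 in [1,19] U [51,100] and F2 in [1,100] -> d'."""
    conditions, decision = rule
    text = " and ".join(
        f"{field} in " + " U ".join(f"[{lo},{hi}]" for lo, hi in label)
        for field, label in conditions)
    return f"{text} -> {decision}"
```

The slide's tree passes both checks and yields four path rules, the first of which is the slide's example rule. Because the paths of a consistent and complete FDT are pairwise disjoint and jointly cover every packet, the rules read off an FDT form a non-overlapping firewall in which rule order no longer matters; that is what the downward-redundancy test later in the deck relies on.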


Calculate Resolving Set

Calculate R(ri, f) for each rule ri while constructing an equivalent FDT.

Definition: A set of rules {e1, e2, …, ek} is called an effective rule set of ri if:
(1) every ej has the same decision as ri,
(2) R(ri, f) = M(e1) ∪ M(e2) ∪ … ∪ M(ek).

r1 : F1 ∈ [20, 50] ∧ F2 ∈ [35, 65] → a
r2 : F1 ∈ [10, 60] ∧ F2 ∈ [15, 45] → d
r3 : F1 ∈ [30, 40] ∧ F2 ∈ [25, 55] → a
r4 : F1 ∈ [1, 100] ∧ F2 ∈ [1, 100] → d

E1 = {F1 ∈ [20, 50] ∧ F2 ∈ [35, 65] → a}

[Figure: the FDT after inserting r1: root F1, edge [20,50] to an F2 node, edge [35,65] to decision a.]


Detecting Upward Redundant Rules

r1 : F1 ∈ [20, 50] ∧ F2 ∈ [35, 65] → a
r2 : F1 ∈ [10, 60] ∧ F2 ∈ [15, 45] → d
r3 : F1 ∈ [30, 40] ∧ F2 ∈ [25, 55] → a
r4 : F1 ∈ [1, 100] ∧ F2 ∈ [1, 100] → d

E1 = {F1 ∈ [20, 50] ∧ F2 ∈ [35, 65] → a}
E2 = {F1 ∈ [10, 19] ∪ [51, 60] ∧ F2 ∈ [15, 45] → d,
      F1 ∈ [20, 50] ∧ F2 ∈ [15, 34] → d}
Similarly, we get E3 = ∅, and
E4 = {F1 ∈ [1, 9] ∪ [61, 100] ∧ F2 ∈ [1, 100] → d,
      F1 ∈ [20, 29] ∪ [41, 50] ∧ F2 ∈ [1, 14] ∪ [66, 100] → d,
      F1 ∈ [30, 40] ∧ F2 ∈ [1, 14] ∪ [66, 100] → d,
      F1 ∈ [10, 19] ∪ [51, 60] ∧ F2 ∈ [1, 14] ∪ [46, 100] → d}

Since E3 = ∅, rule r3 is upward redundant.

[Figure: the FDT after inserting r1 and r2: root F1 with edge [20,50] to an F2 node (edges [15,34] → d and [35,65] → a) and edge [10,19] ∪ [51,60] to an F2 node (edge [15,45] → d).]


Detecting Downward Redundant Rules

Consider a rule r and a non-overlapping firewall ⟨r1, r2, …, rn⟩ (no two of its rules match a common packet). If r does not conflict with any rule ri, that is, if r and ri either have the same decision or match no packet in common, then ⟨r, r1, r2, …, rn⟩ ≡ ⟨r1, r2, …, rn⟩. Here ⟨r1, r2, …, rn⟩ is assumed to decide every packet, as a firewall ending in a catch-all rule does; if some packet matched by r matched no ri, prepending r would change the function.

Example:
r : F ∈ [20, 40] → accept
r1 : F ∈ [1, 50] → accept
r2 : F ∈ [51, 100] → discard

[Figure: the three intervals drawn on the number line 1..100; r lies entirely inside r1, which has the same decision.]


Detecting Downward Redundant Rules (cont.)

To test whether ri is downward redundant:
(1) calculate its effective rule set {e1, e2, …, ek},
(2) convert the firewall ⟨ri+1, ri+2, …, rn⟩ to a non-overlapping firewall,
(3) ri is downward redundant iff no ej (1 ≤ j ≤ k) conflicts with any rule of that non-overlapping firewall.

To convert the firewall ⟨ri+1, ri+2, …, rn⟩ to a non-overlapping firewall, we construct an equivalent FDT.


Detecting Downward Redundant Rules (cont.)

r1 : F1 ∈ [20, 50] ∧ F2 ∈ [35, 65] → a
r2 : F1 ∈ [10, 60] ∧ F2 ∈ [15, 45] → d
r3 : F1 ∈ [1, 100] ∧ F2 ∈ [1, 100] → d

E2 = {F1 ∈ [10, 19] ∪ [51, 60] ∧ F2 ∈ [15, 45] → d,
      F1 ∈ [20, 50] ∧ F2 ∈ [15, 34] → d}

[Figure: the FDT of ⟨r3⟩: root F1, edge [1,100] to an F2 node, edge [1,100] to decision d.]

Every rule in E2 has decision d, and the only rule below r2 decides d for every packet, so no rule in E2 conflicts with it: rule r2 is downward redundant.
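The procedure of the last few slides (effective rule sets, conversion of the lower rules to a non-overlapping firewall, and the conflict test) for rules over several fields, as an added example that is not the slides' or Liu and Gouda's code. It keeps each resolving set as a union of disjoint boxes obtained by box subtraction rather than building an FDT; the boxes cover exactly the packets R(ri, f), though an FDT may cut the same set into different pieces. The firewall values are the two-field examples above, with F1 and F2 over [1, 100]; the box encoding and every function name are this example's own assumptions. The downward test is written as a coverage check, which is the slides' "no conflict" test when a catch-all rule ends the firewall and additionally rejects packets that no lower rule would match.

```python
# Added example (not from the slides): redundancy detection over several
# fields. Resolving sets are kept as unions of pairwise disjoint boxes
# (hyper-rectangles) produced by box subtraction, instead of the slides' FDT
# construction; the boxes cover exactly R(r_i, f), though an FDT may split the
# same set into different pieces. Rule values are the slides' two-field
# examples over F1, F2 in [1, 100]; function names are this example's own.

# A box is a tuple of (lo, hi) pairs, one per field; a rule is (box, decision).


def intersect(a, b):
    """The box of packets in both a and b, or None when they share none."""
    out = []
    for (alo, ahi), (blo, bhi) in zip(a, b):
        lo, hi = max(alo, blo), min(ahi, bhi)
        if lo > hi:
            return None
        out.append((lo, hi))
    return tuple(out)


def subtract(a, b):
    """a minus b as a list of pairwise disjoint boxes (at most two per field)."""
    inner = intersect(a, b)
    if inner is None:
        return [a]
    pieces, rest = [], list(a)
    for k, ((lo, hi), (ilo, ihi)) in enumerate(zip(a, inner)):
        # Peel off what lies outside the overlap along field k, then narrow
        # field k to the overlap and continue with the next field.
        if lo < ilo:
            pieces.append(tuple(rest[:k]) + ((lo, ilo - 1),) + tuple(rest[k + 1:]))
        if ihi < hi:
            pieces.append(tuple(rest[:k]) + ((ihi + 1, hi),) + tuple(rest[k + 1:]))
        rest[k] = (ilo, ihi)
    return pieces


def subtract_all(boxes, b):
    return [piece for box in boxes for piece in subtract(box, b)]


def effective_rule_set(rules, i):
    """E_i: disjoint boxes whose union is R(r_i, f), i.e. M(r_i) with every
    earlier matching set removed; each box carries r_i's decision."""
    boxes = [rules[i][0]]
    for box, _ in rules[:i]:
        boxes = subtract_all(boxes, box)
    return boxes


def non_overlapping(rules):
    """An equivalent firewall with pairwise disjoint rules: every rule's
    resolving boxes, each tagged with that rule's decision."""
    return [(box, dec) for i, (_, dec) in enumerate(rules)
            for box in effective_rule_set(rules, i)]


def is_upward_redundant(rules, i):
    return not effective_rule_set(rules, i)


def is_downward_redundant(rules, i):
    """R(r_i, f) is non-empty and the rules below r_i give every packet in it
    r_i's decision. The slides phrase this as "no e_j conflicts with a rule of
    the non-overlapping firewall <r_{i+1}, ..., r_n>"; the coverage test here
    is the same thing when a catch-all rule ends the firewall and, without
    one, also rejects packets that no lower rule matches at all."""
    effective = effective_rule_set(rules, i)
    if not effective or i == len(rules) - 1:
        return False
    decision = rules[i][1]
    for box, dec in non_overlapping(rules[i + 1:]):
        if dec == decision:
            effective = subtract_all(effective, box)
    return not effective  # every packet of R(r_i, f) is decided the same below


def is_redundant(rules, i):
    return is_upward_redundant(rules, i) or is_downward_redundant(rules, i)


def box_count(boxes):
    """Number of packets covered by a list of disjoint boxes."""
    total = 0
    for box in boxes:
        n = 1
        for lo, hi in box:
            n *= hi - lo + 1
        total += n
    return total


# The four-rule firewall of the "Detecting Upward Redundant Rules" slide.
FOUR = [
    (((20, 50), (35, 65)), "a"),   # r1
    (((10, 60), (15, 45)), "d"),   # r2
    (((30, 40), (25, 55)), "a"),   # r3
    (((1, 100), (1, 100)), "d"),   # r4 (catch-all)
]
# The three-rule firewall of the downward-redundancy slide: r1, r2 and a catch-all.
THREE = [FOUR[0], FOUR[1], FOUR[3]]
```

On FOUR the effective rule set of r2 comes out as the three boxes [10,19]×[15,45], [51,60]×[15,45] and [20,50]×[15,34], which is the slide's E2 with its first rule split along F1; E3 is empty, so r3 is upward redundant, and E4 covers 7799 packets, the same count as the four rules of the slide's E4. The resolving boxes of all rules partition the 100×100 packet space, which is what makes non_overlapping an equivalent, order-independent firewall. r2 is not downward redundant in FOUR, because [30,40]×[25,34] of E2 resolves to r3 (accept) once r2 is gone, but it is downward redundant in THREE, as the slide states.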


Summary

Detect upward redundant rules:
(1) Calculate the effective rule set for every rule while constructing the FDT top down.
(2) A rule whose effective rule set is empty is upward redundant.

Detect downward redundant rules:
(1) Construct the FDT bottom up.
(2) Check whether a rule is downward redundant by comparing the rule's effective rule set with the FDT.


Previous Work

[Gupta 2000] identified two special types of redundant rules: backward redundant rules and forward redundant rules.

Backward redundant rules: A rule r in a firewall is backward redundant iff there exists another rule r' listed above r such that all packets that match r also match r'.

Backward redundant rules ⊆ Upward redundant rules

r1 : F1 ∈ [1, 50] → accept
r2 : F1 ∈ [40, 90] → discard
r3 : F1 ∈ [30, 60] → accept
r4 : F1 ∈ [51, 100] → discard

[Figure: the four intervals drawn on the number line 1..100. r3 is upward redundant, but not backward redundant: no single rule above it matches all of [30, 60].]


Previous Work (cont.)

Forward redundant rules: A rule r in a firewall is forward redundant iff there exists another rule r' listed below r such that the following three conditions hold:
(1) all packets that match r also match r',
(2) r and r' have the same decision,
(3) for each rule r'' listed between r and r', either r and r'' have the same decision or no packet matches both r and r''.

Forward redundant rules ⊆ Downward redundant rules

r1 : F1 ∈ [1, 50] → accept
r2 : F1 ∈ [40, 90] → discard
r4 : F1 ∈ [51, 100] → discard

[Figure: the three intervals drawn on the number line 1..100. r2 is downward redundant, but not forward redundant: the packets in [40, 50] that match r2 do not match r4.]
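The two special cases of [Gupta 2000] from the last two slides, coded over one integer field and run against the slides' own rule lists, as an added example that is not from the slides or from either paper. Both tests only compare intervals and decisions; neither evaluates the firewall on a packet, which is exactly why they miss r3 (upward redundant but contained in no single earlier rule) and r2 (downward redundant but not contained in r4). Rule names and intervals are the slides'; the function names are this example's own.

```python
# Added example (not from the slides): the two special cases identified by
# [Gupta 2000] restated over one integer field, run against the slides' own
# rule lists to show which redundant rules they miss. Rule names and intervals
# are the slides'; function names are this example's own. Both tests compare
# intervals only and never evaluate the firewall on a packet.

# A rule is (name, lo, hi, decision), read as "F1 in [lo, hi] -> decision".
SLIDE_16 = [("r1", 1, 50, "accept"), ("r2", 40, 90, "discard"),
            ("r3", 30, 60, "accept"), ("r4", 51, 100, "discard")]
SLIDE_17 = [("r1", 1, 50, "accept"), ("r2", 40, 90, "discard"),
            ("r4", 51, 100, "discard")]


def contains(outer, inner):
    """Every packet that matches `inner` also matches `outer`."""
    return outer[1] <= inner[1] and inner[2] <= outer[2]


def disjoint(a, b):
    """No packet matches both a and b."""
    return a[2] < b[1] or b[2] < a[1]


def is_backward_redundant(firewall, index):
    """Some single rule listed above r matches everything r matches."""
    r = firewall[index]
    return any(contains(above, r) for above in firewall[:index])


def is_forward_redundant(firewall, index):
    """Some rule r' below r covers r with the same decision, and every rule in
    between either shares r's decision or is disjoint from r."""
    r = firewall[index]
    for j in range(index + 1, len(firewall)):
        r_prime = firewall[j]
        if not (contains(r_prime, r) and r_prime[3] == r[3]):
            continue
        between = firewall[index + 1:j]
        if all(mid[3] == r[3] or disjoint(mid, r) for mid in between):
            return True
    return False


def gupta_redundant(firewall):
    """Names of the rules that the two special-case tests flag."""
    return [rule[0] for i, rule in enumerate(firewall)
            if is_backward_redundant(firewall, i) or is_forward_redundant(firewall, i)]
```

Neither list is flagged at all by these tests, although r3 in the first and r2 in the second are redundant under the general definitions earlier in the deck; the positive cases in the checks below (a rule nested in an earlier one; a rule covered by a later same-decision rule with only disjoint rules in between) show what the two special cases do catch.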


Our Contribution

Solve the problem of detecting all redundant rules:

─ We give a necessary and sufficient condition for identifying all redundant rules.

─ We present algorithms for detecting all redundant rules.