Department of Computer Sciences
The University of Texas at Austin
Complete Redundancy Detection in Firewalls
Alex X. Liu
Department of Computer Sciences, The University of Texas at Austin
Co-author: Mohamed G. Gouda
Alex X. Liu The University of Texas at Austin 2
Firewall Basics
A firewall connects a private network and the outside Internet such that all incoming and outgoing packets have to pass through it.
Function: maps every packet to a decision.
This function is specified by a sequence of rules.
[Figure: a firewall between the rest of the Internet and the private network, with its two interfaces labelled 0 and 1.]
Firewall Example
Resolving conflicts: first match. Firewalls often have redundant rules.
[Figure: a private network containing a mail server, Host 1 and Host 2, connected to the Internet through a firewall (gateway router) with interfaces 0 and 1.]

Interface  Source IP        Dest. IP     Dest. Port  Protocol  Decision
0          malicious hosts  any          any         any       discard
0          any              mail server  25          TCP       accept
any        any              any          any         any       accept
Redundant Rules (Upward)
A rule in a firewall is redundant iff eliminating the rule does not change the function of the firewall.
Example: rule r3 is redundant (upward redundant).
A rule r in a firewall is upward redundant iff there is no packet whose first matching rule is r.
r1 : F ∈ [1, 50] → accept
r2 : F ∈ [40, 90] → discard
r3 : F ∈ [30, 60] → accept
r4 : F ∈ [51, 100] → discard
[Figure: the four rules drawn as intervals on a number line from 1 to 100, each labelled with its decision; [30, 60] lies entirely under [1, 50] and [40, 90].]
Redundant Rules (Downward)
After r3 is removed, rule r2 becomes redundant (downward redundant).
A rule r in a firewall is downward redundant iff for each packet whose first matching rule is r, the first matching rule below r has the same decision as r.
r1 : F ∈ [1, 50] → accept
r2 : F ∈ [40, 90] → discard
r4 : F ∈ [51, 100] → discard
[Figure: the three remaining rules drawn as intervals on a number line from 1 to 100, each labelled with its decision.]
Redundant Rules Hurt Firewall Performance
Packet classification algorithms: map a packet to a decision using data structures built from firewall rules.
Software-based packet classification algorithms need either O(n^d) space and O(log n) time, or O(n) space and O(log^(d-1) n) time (n: number of rules, d: number of fields). On-chip cache is limited.
Hardware-based packet classification algorithms (TCAM: Ternary Content Addressable Memory) need O(n) space and constant time. TCAM consumes too much power as n increases.
Matching Set vs. Resolving Set
Let f be any firewall that consists of n rules 〈 r1, r2, …, rn 〉. The matching set M(ri) of rule ri is the set of all packets that match ri. The resolving set R(ri, f) of rule ri in f is the set of all packets that match ri but do not match any rule listed before ri in f.
r1 : F ∈ [1, 50] → accept
M(r1) = R(r1, f) = [1, 50]
r2 : F ∈ [40, 90] → discard
M(r2) = [40, 90], R(r2, f) = [40, 90] − [1, 50] = [51, 90]
r3 : F ∈ [30, 60] → accept
M(r3) = [30, 60], R(r3, f) = [30, 60] − [40, 90] − [1, 50] = Ø
r4 : F ∈ [51, 100] → discard
M(r4) = [51, 100], R(r4, f) = [51, 100] − [30, 60] − [40, 90] − [1, 50] = [91, 100]
[Figure: the four rules drawn as intervals on a number line from 1 to 100, each labelled with its decision.]
Redundancy Theorem
A rule ri is redundant in f iff:
(1) R(ri, f) = Ø, or
(2) R(ri, f) ≠ Ø, and for any packet p in R(ri, f), 〈 ri+1, ri+2, …, rn 〉(p) yields the same decision as that of ri.
ri is upward redundant iff (1) holds.
ri is downward redundant iff (2) holds.
We need to calculate R(ri, f) – Firewall Decision Trees.
Firewall Decision Trees (FDTs)
[Figure: an example FDT rooted at F1. The edge labelled [1,19]∪[51,100] leads to an F2 node whose single edge [1,100] leads to decision d; the edge labelled [20,50] leads to an F2 node with edges [1,34], [35,65] and [66,100] leading to decisions d and a.]
Consistency: for any two outgoing edges of a node, their labels are non-overlapping.
Completeness: the union of the labels of all the outgoing edges of a node is the domain of the label of that node.
A decision path in an FDT defines a rule. Example: F1 ∈ [1,19]∪[51,100] ∧ F2 ∈ [1,100] → d
Calculate Resolving Set
Calculate R(ri, f) for each rule ri while constructing an equivalent FDT.
Definition: A set of rules {e1, e2, …, ek} is called an effective rule set of ri if:
(1) every ej has the same decision as ri,
(2) R(ri, f) = M(e1) ∪ M(e2) ∪ … ∪ M(ek).
E1 = {F1 ∈ [20, 50] ∧ F2 ∈ [35, 65] → a}
r1 : F1 ∈ [20, 50] ∧ F2 ∈ [35, 65] → a
r2 : F1 ∈ [10, 60] ∧ F2 ∈ [15, 45] → d
r3 : F1 ∈ [30, 40] ∧ F2 ∈ [25, 55] → a
r4 : F1 ∈ [1, 100] ∧ F2 ∈ [1, 100] → d
[Figure: the FDT after r1 is added: root F1 with edge [20,50] to an F2 node whose edge [35,65] leads to decision a.]
Detecting Upward Redundant Rules
E1 = {F1 ∈ [20, 50] ∧ F2 ∈ [35, 65] → a},
E2 = {F1 ∈ [10, 19]∪[51, 60] ∧ F2 ∈ [15, 45] → d,
      F1 ∈ [20, 50] ∧ F2 ∈ [15, 34] → d}.
Similarly, we get E3 = Ø, and
E4 = {F1 ∈ [1, 9]∪[61, 100] ∧ F2 ∈ [1, 100] → d,
      F1 ∈ [20, 29]∪[41, 50] ∧ F2 ∈ [1, 14]∪[66, 100] → d,
      F1 ∈ [30, 40] ∧ F2 ∈ [1, 14]∪[66, 100] → d,
      F1 ∈ [10, 19]∪[51, 60] ∧ F2 ∈ [1, 14]∪[46, 100] → d}.
r1 : F1 ∈ [20, 50] ∧ F2 ∈ [35, 65] → a
r2 : F1 ∈ [10, 60] ∧ F2 ∈ [15, 45] → d
r3 : F1 ∈ [30, 40] ∧ F2 ∈ [25, 55] → a
r4 : F1 ∈ [1, 100] ∧ F2 ∈ [1, 100] → d
[Figure: the FDT after r1 and r2 are added: root F1 with edge [20,50] to an F2 node (edges [35,65] → a and [15,34] → d) and edge [10,19]∪[51,60] to an F2 node (edge [15,45] → d).]
Detecting Downward Redundant Rules
Consider a rule r and a non-overlapping firewall 〈 r1, r2, …, rn 〉. If r does not conflict with any rule ri, then
〈 r, r1, r2, …, rn 〉 ≡ 〈 r1, r2, …, rn 〉.
Example:
r : F ∈ [20, 40] → accept
r1 : F ∈ [1, 50] → accept
r2 : F ∈ [51, 100] → discard
[Figure: number line from 1 to 100 showing r1 as [1, 50] accept and r2 as [51, 100] discard, with r as [20, 40] accept lying inside r1.]
Detecting Downward Redundant Rules (cont.)
To test whether ri is downward redundant:
(1) calculate the effective rule set {e1, e2, …, ek} of ri,
(2) convert the firewall 〈 ri+1, ri+2, …, rn 〉 to a non-overlapping firewall,
(3) ri is downward redundant iff ej and rm do not conflict for any 1 ≤ j ≤ k and i+1 ≤ m ≤ n.
To convert the firewall 〈 ri+1, ri+2, …, rn 〉 to a non-overlapping firewall, we construct an equivalent FDT.
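A small worked implementation of the definitions above, added here and not part of the slides or the authors' code: it restricts itself to one-field rules over an integer domain and uses interval arithmetic in place of the FDT, computes R(ri, f), and applies both conditions of the redundancy theorem (slide 8) to the running example of slide 4. The names resolving_set, downward_redundant and SLIDE_RULES are my own.

```python
# Added example (not from the slides): one-field rules over an integer domain, the
# slides' resolving set R(ri, f) and the redundancy theorem. Packet sets are lists of
# disjoint inclusive (lo, hi) intervals; interval subtraction replaces the FDT.
from typing import List, Tuple

Interval = Tuple[int, int]
Rule = Tuple[int, int, str]  # (lo, hi, decision) means F ∈ [lo, hi] → decision
# Constructed sample input: the four rules of slide 4, 0-indexed (r1 is index 0).
SLIDE_RULES: List[Rule] = [(1, 50, "accept"), (40, 90, "discard"),
                           (30, 60, "accept"), (51, 100, "discard")]

def subtract(a: List[Interval], b: Interval) -> List[Interval]:
    """Set difference: remove interval b from every interval in a."""
    lo, hi = b
    out = []
    for x, y in a:
        if x < lo:                    # part left of b survives
            out.append((x, min(y, lo - 1)))
        if y > hi:                    # part right of b survives
            out.append((max(x, hi + 1), y))
    return out

def overlaps(a: List[Interval], b: Interval) -> bool:
    return any(max(x, b[0]) <= min(y, b[1]) for x, y in a)

def resolving_set(rules: List[Rule], i: int) -> List[Interval]:
    """R(ri, f): packets matching rule i but no rule listed before it."""
    r = [(rules[i][0], rules[i][1])]  # start from M(ri)
    for lo, hi, _ in rules[:i]:
        r = subtract(r, (lo, hi))
    return r

def upward_redundant(rules: List[Rule], i: int) -> bool:
    return resolving_set(rules, i) == []  # theorem condition (1)

def downward_redundant(rules: List[Rule], i: int) -> bool:
    """Condition (2): the rules below ri give ri's decision on all of R(ri, f)."""
    remaining = resolving_set(rules, i)
    if not remaining:
        return False
    for lo, hi, decision in rules[i + 1:]:
        if decision != rules[i][2] and overlaps(remaining, (lo, hi)):
            return False  # a lower rule with another decision reaches R(ri, f)
        remaining = subtract(remaining, (lo, hi))
        if not remaining:
            return True
    return False  # some packet in R(ri, f) matches no lower rule

def redundant(rules: List[Rule], i: int) -> bool:
    return upward_redundant(rules, i) or downward_redundant(rules, i)
```

On SLIDE_RULES, r3 (index 2) comes out upward redundant, and once it is removed r2 becomes downward redundant because r4 decides all of [51, 90] the same way, matching slides 4 and 5.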
Detecting Downward Redundant Rules (cont.)
Rule r2 is downward redundant.
r1 : F1 ∈ [20, 50] ∧ F2 ∈ [35, 65] → a
r2 : F1 ∈ [10, 60] ∧ F2 ∈ [15, 45] → d
r3 : F1 ∈ [1, 100] ∧ F2 ∈ [1, 100] → d
E2 = {F1 ∈ [10, 19]∪[51, 60] ∧ F2 ∈ [15, 45] → d,
      F1 ∈ [20, 50] ∧ F2 ∈ [15, 34] → d}
[Figure: the FDT of 〈 r3 〉: root F1 with edge [1,100] to an F2 node whose edge [1,100] leads to decision d.]
Summary
Detect upward redundant rules:
(1) Calculate the effective rule set for every rule while constructing the FDT top down.
(2) A rule whose effective rule set is empty is upward redundant.
Detect downward redundant rules:
(1) Construct the FDT bottom up.
(2) Check whether a rule is downward redundant by comparing the rule's effective rule set with the FDT.
Previous Work
[Gupta 2000] identified two special types of redundant rules: backward redundant rules and forward redundant rules.
Backward redundant rules: A rule r in a firewall is backward redundant iff there exists another rule r' listed above r such that all packets that match r also match r'.
Backward redundant rules ⊆ Upward redundant rules
r1 : F1 ∈ [1, 50] → accept
r2 : F1 ∈ [40, 90] → discard
r3 : F1 ∈ [30, 60] → accept
r4 : F1 ∈ [51, 100] → discard
[Figure: the four rules drawn as intervals on a number line from 1 to 100, each labelled with its decision.]
Previous Work (cont.)
Forward redundant rules: A rule r in a firewall is forward redundant iff there exists another rule r' listed below r such that the following three conditions hold:
(1) all packets that match r also match r',
(2) r and r' have the same decision,
(3) for each rule r'' listed between r and r', either r and r'' have the same decision or no packet matches both r and r''.
Forward redundant rules ⊆ Downward redundant rules
r1 : F1 ∈ [1, 50] → accept
r2 : F1 ∈ [40, 90] → discard
r4 : F1 ∈ [51, 100] → discard
[Figure: the three rules drawn as intervals on a number line from 1 to 100, each labelled with its decision.]
Our Contribution
Solve the problem of detecting all redundant rules:
─ We give a necessary and sufficient condition for identifying all redundant rules.
─ We present algorithms for detecting all redundant rules.