Issue No. 02 - February 2010 (vol. 59)
pp. 218-230
Shigang Chen, University of Florida, Gainesville
MyungKeun Yoon, University of Florida, Gainesville
A firewall's complexity is known to increase with the size of its rule set. Empirical studies show that as the rule set grows larger, the number of configuration errors on a firewall increases sharply, while the performance of the firewall degrades. When designing a security-sensitive network, it is critical to construct the network topology and its routing structure carefully in order to reduce the firewall rule sets, which lowers the chance of security loopholes and prevents performance bottlenecks. This paper studies two problems: how to place the firewalls in a topology during network design, and how to construct the routing tables during operation, such that the maximum firewall rule set is minimized. These problems have not been studied adequately despite their importance. This paper makes two major contributions. First, we prove that the problems are NP-complete. Second, we propose a heuristic solution and demonstrate the effectiveness of the algorithm by simulations. The results show that the proposed algorithm reduces the maximum firewall rule set by 2-5 times compared with other algorithms.
Keywords: Firewall configuration, access control rules, network security.
Shigang Chen, MyungKeun Yoon, "Minimizing the Maximum Firewall Rule Set in a Network with Multiple Firewalls", IEEE Transactions on Computers, vol. 59, no. 2, pp. 218-230, February 2010, doi:10.1109/TC.2009.172