The Community for Technology Leaders
RSS Icon
Issue No.06 - June (2009 vol.20)
pp: 766-777
Alex X. Liu , Michigan State University, East Lansing
Mohamed G. Gouda , University of Texas at Austin, Austin
Firewalls are crucial elements in network security, and have been widely deployed in most businesses and institutions for securing private networks. The function of a firewall is to examine each incoming and outgoing packet and decide whether to accept or to discard the packet based on its policy. Due to the lack of tools for analyzing firewall policies, most firewalls on the Internet have been plagued with policy errors. A firewall policy error either creates security holes that will allow malicious traffic to sneak into a private network or blocks legitimate traffic and disrupts normal business processes, which in turn could lead to irreparable, if not tragic, consequences. Because a firewall may have a large number of rules and the rules often conflict, understanding and analyzing the function of a firewall has been known to be notoriously difficult. An effective way to assist firewall administrators to understand and analyze the function of their firewalls is by issuing queries. An example of a firewall query is "Which computers in the private network can receive packets from a known malicious host in the outside Internet?” Two problems need to be solved in order to make firewall queries practically useful: how to describe a firewall query and how to process a firewall query. In this paper, we first introduce a simple and effective SQL-like query language, called the Structured Firewall Query Language (SFQL), for describing firewall queries. Second, we give a theorem, called the Firewall Query Theorem, as the foundation for developing firewall query processing algorithms. Third, we present an efficient firewall query processing algorithm, which uses decision diagrams as its core data structure. Fourth, we propose methods for optimizing firewall query results. Finally, we present methods for performing the union, intersect, and minus operations on firewall query results. Our experimental results show that our firewall query processing algorithm is very efficient: it takes less than 10 milliseconds to process a query over a firewall that has up to 10,000 rules.
Network security, firewall queries, firewall testing, firewall correctness.
Alex X. Liu, Mohamed G. Gouda, "Firewall Policy Queries", IEEE Transactions on Parallel & Distributed Systems, vol.20, no. 6, pp. 766-777, June 2009, doi:10.1109/TPDS.2008.263
[1] ipchains,, 2009.
[2] E. Al Shaer and H. Hamed, “Discovery of Policy Anomalies in Distributed Firewalls,” Proc. IEEE INFOCOM '04, Mar. 2004.
[3] F. Baboescu, S. Singh, and G. Varghese, “Packet Classification for Core Routers: Is There an Alternative to CAMs?” Proc. IEEE INFOCOM, 2003.
[4] F. Baboescu and G. Varghese, “Fast and Scalable Conflict Detection for Packet Classifiers,” Proc. 10th IEEE Int'l Conf. Network Protocols, 2002.
[5] Y. Bartal, A.J. Mayer, K. Nissim, and A. Wool, “Firmato: A Novel Firewall Management Toolkit,” Proc. IEEE Symp. Security and Privacy, pp.17-31, 1999.
[6] Y. Bartal, A.J. Mayer, K. Nissim, and A. Wool, “Firmato: A Novel Firewall Management Toolkit,” ACM Trans. Computer Systems, vol. 22, no. 4, pp.381-420, 2004.
[7] CERT, Test the Firewall System, practicesp060.html, 2009.
[8] CERT Coordination Center,, Aug. 2003.
[9] CheckPoint FireWall-1, http:/, Mar. 2005.
[10] Cisco PIX 500 Series Firewalls, ps2030/, Nov. 2003.
[11] D. Moore etal., sapphiresapphire.html, 2003.
[12] D. Dobkin and R.J. Lipton, “Multidimensional Searching Problems,” SIAM J. Computing, vol. 5, no. 2, pp.181-186.
[13] D. Eastlake and P. Jones, “Us Secure Hash Algorithm 1 (SHA-1),” RFC 3174, 2001.
[14] D. Eppstein and S. Muthukrishnan, “Internet Packet Filter Management and Rectangle Geometry,” Proc. Symp. Discrete Algorithms, pp.827-835, 2001.
[15] P. Eronen and J. Zitting, “An Expert System for Analyzing Firewall Rules,” Proc. Sixth Nordic Workshop Secure IT Systems (NordSec '01), pp.100-107, 2001.
[16] D. Farmer and W. Venema, Improving the Security of Your Site by Breaking into It, , 1993.
[17] M. Frantzen, F. Kerschbaum, E. Schultz, and S. Fahmy, “A Framework for Understanding Vulnerabilities in Firewalls Using a Dataflow Model of Firewall Internals,” Computers and Security, vol. 20, no. 3, pp.263-270, 2001.
[18] M. Freiss, Protecting Networks with SATAN. O'Reilly & Assoc., Inc., 1998.
[19] M. Gouda, A.X. Liu , and M. Jafry, “Verification of Distributed Firewalls,” Proc. IEEE GLOBECOM, 2008.
[20] M.G. Gouda and A.X. Liu, “Firewall Design: Consistency, Completeness and Compactness,” Proc. 24th IEEE Int'l Conf. Distributed Computing Systems (ICDCS '04), pp.320-327, 2004.
[21] M.G. Gouda and A.X. Liu, “A Model of Stateful Firewalls and its Properties,” Proc. IEEE Int'l Conf. Dependable Systems and Networks (DSN '05), pp.320-327, June 2005.
[22] M.G. Gouda and A.X. Liu, “Structured Firewall Design,” Computer Networks J., vol. 51, no. 4 pp.1106-1120, Mar. 2007.
[23] P. Gupta, “Algorithms for Routing Lookups and Packet Classification,” PhD thesis, Stanford Univ., 2000.
[24] J.D. Guttman, “Filtering Postures: Local Enforcement for Global Policies,” Proc. IEEE Symp. Security and Privacy, pp.120-129, 1997.
[25] A. Hari, S. Suri, and G.M. Parulkar, “Detecting and Resolving Packet Filter Conflicts,” Proc. IEEE INFOCOM '00, pp.1203-1212, 2000.
[26] S. Hazelhurst, A. Attar, and R. Sinnappan, “Algorithms for Improving the Dependability of Firewall and Filter Rule Lists,” Proc. Int'l Conf. Dependable Systems and Networks (DSN '00), pp.576-585, 2000.
[27] J. Hwang, T. Xie, F. Chen, and A.X. Liu, “Systematic Structural Testing of Firewall Policies,” Proc. 27th IEEE Int'l Symp. Reliable Distributed Systems (SRDS), 2008.
[28] S. Kamara, S. Fahmy, E. Schultz, F. Kerschbaum, and M. Frantzen, “Analysis of Vulnerabilities in Internet Firewalls,” Computers and Security, vol. 22, no. 3, pp.214-232, 2003.
[29] A.X. Liu, “Change-Impact Analysis of Firewall Policies,” Proc. 12th European Symp. Research Computer Security (ESORICS '07), pp.155-170, Sept. 2007.
[30] A.X. Liu, “Firewall Policy Verification and Troubleshooting,” Proc. IEEE Int'l Conf. Comm. (ICC '08), May 2008.
[31] A.X. Liu and M.G. Gouda, “Complete Redundancy Detection in Firewalls,” Proc. 19th Ann. IFIP Conf. Data and Applications Security, pp.196-209, Aug. 2005.
[32] A.X. Liu and M.G. Gouda, “Diverse Firewall Design,” IEEE Trans. Parallel and Distributed Systems, to be published.
[33] A.X. Liu, C.R. Meiners, and E. Torng, “TCAM Razor: A Systematic Approach Towards Minimizing Packet Classifiers in TCAMs,” IEEE/ACM Trans. Networking, to be published.
[34] A. Mayer, A. Wool, and E. Ziskind, “Fang: A Firewall Analysis Engine,” Proc. IEEE Symp. Security and Privacy, pp.177-187, 2000.
[35] A. Mayer, A. Wool, and E. Ziskind, “Offline Firewall Analysis,” Int'l J. Information Security, vol. 5, no. 3, pp.125-144, 2005.
[36] J.D. Moffett and M.S. Sloman, “Policy Conflict Analysis in Distributed System Management,” J. Organizational Computing, vol. 4, no. 1, pp.1-22, 1994.
[37] D.R. Morrison, “Patricia Practical Algorithm to Retrieve Information Coded in Alphanumeric,” J. ACM, vol. 15, no. 4, pp.514-534, 1968.
[38] Nessus, http:/, Mar. 2004.
[39] R. Rivest, “The MD5 Message-Digest Algorithm,” RFC 1321, 1992.
[40] D. Rovniagin and A. Wool, “The Geometric Efficient Matching Algorithm for Firewalls,” Proc. 23rd IEEE Convention of Electrical and Electronics Eng. in Israel (IEEEI), pp.153-156, , 2004.
[41] A.D. Rubin, D. Geer, and M.J. Ranum, Web Security Sourcebook, first ed. Wiley Computer Publishing, 1997.
[42] A. Wool, “Architecting the Lumeta Firewall Analyzer,” Proc. 10th USENIX Security Symp., pp.85-97, Aug. 2001.
[43] A. Wool, “A Quantitative Study of Firewall Configuration Errors,” Computer, vol. 37, no. 6, pp.62-67, June 2004.
[44] A. Wool, “The Use and Usability of Direction-Based Filtering in Firewalls,” Computers & Security, vol. 23, no. 6, pp.459-468, 2004.
[45] J. Xu and M. Singhal, “Design and Evaluation of a High-Performance ATM Firewall Switch and Its Applications,” IEEE J. Selected Areas in Comm., vol. 17, no. 6, pp.1190-1200, 1999.
[46] J. Xu and M. Singhal, “Design of a High-Performance ATM Firewall,” ACM Trans. Information and System Security, vol. 2, no. 3, pp.269-294, 1999.
[47] L. Yuan, H. Chen, J. Mai, C.-N. Chuah, Z. Su, and P. Mohapatra, “Fireman: A Toolkit for Firewall Modeling and Analysis,” Proc. IEEE Symp. Security and Privacy, May 2006.
20 ms
(Ver 2.0)

Marketing Automation Platform Marketing Automation Tool