Issue No.02 - February (2010 vol.59)

pp: 218-230

MyungKeun Yoon , University of Florida, Gainesville

Shigang Chen , University of Florida, Gainesville

Zhan Zhang , Cisco Systems, San Jose

DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/TC.2009.172

ABSTRACT

A firewall's complexity is known to increase with the size of its rule set. Empirical studies show that as the rule set grows larger, the number of configuration errors on a firewall increases sharply, while the performance of the firewall degrades. When designing a security-sensitive network, it is critical to construct the network topology and its routing structure carefully in order to reduce the firewall rule sets, which lowers the chance of security loopholes and prevents performance bottlenecks. This paper studies two problems: how to place the firewalls in a topology during network design, and how to construct the routing tables during operation, such that the maximum firewall rule set is minimized. These problems have not been studied adequately despite their importance. We make two major contributions. First, we prove that the problems are NP-complete. Second, we propose a heuristic solution and demonstrate the effectiveness of the algorithm by simulation. The results show that the proposed algorithm reduces the maximum firewall rule set by 2-5 times compared with other algorithms.
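
The optimization problem the abstract describes, as an added worked example that is not part of the paper or of this page: a brute-force solver over a constructed toy topology that shows how the choice of routes, and of firewall positions, changes the largest per-firewall rule set. The graph, flows, node names and the rule-counting model (one rule per flow on every firewall its path crosses, and every flow must cross at least one firewall) are my assumptions, not the paper's formulation, and the exhaustive search only stands in for the paper's heuristic, which this page does not describe.

```python
"""Toy instance of the min-max firewall rule set problem: choose routes (and,
optionally, firewall positions) so that the largest per-firewall rule set is
as small as possible.

Modelling assumptions made here (not taken from the paper): the network is an
undirected graph, a firewall occupies a node, every (src, dst) flow that
crosses a firewall contributes exactly one rule to that firewall's rule set,
and every flow must cross at least one firewall.
"""
from itertools import combinations, product

# Constructed sample topology. Hosts h0..h2 reach srv either directly through
# gateway node g1 or through router r and gateway node g2 (one hop longer).
TOPOLOGY = {
    "h0": ["g1", "r"],
    "h1": ["g1", "r"],
    "h2": ["g1", "r"],
    "r": ["h0", "h1", "h2", "g2"],
    "g1": ["h0", "h1", "h2", "srv"],
    "g2": ["r", "srv"],
    "srv": ["g1", "g2"],
}
FLOWS = [("h0", "srv"), ("h1", "srv"), ("h2", "srv")]
FIREWALLS = {"g1", "g2"}


def simple_paths(graph, src, dst):
    """All loop-free paths from src to dst, found by depth-first search."""
    found = []

    def walk(node, path):
        if node == dst:
            found.append(list(path))
            return
        for nxt in graph[node]:
            if nxt not in path:
                path.append(nxt)
                walk(nxt, path)
                path.pop()

    walk(src, [src])
    return found


def rule_counts(routing, firewalls):
    """Rules per firewall: one for every flow whose chosen path crosses it."""
    counts = {fw: 0 for fw in firewalls}
    for path in routing.values():
        for node in path:
            if node in counts:
                counts[node] += 1
    return counts


def shortest_path_routing(graph, flows):
    """Baseline: each flow takes a hop-count-shortest path, ignoring firewalls."""
    return {flow: min(simple_paths(graph, *flow), key=len) for flow in flows}


def min_max_routing(graph, flows, firewalls):
    """Exhaustive search for the routing that minimises the largest rule set.

    The problem is NP-complete, so brute force is only viable for toy sizes.
    Returns (worst_count, routing), or None when some flow has no path that
    crosses a firewall at all.
    """
    options = []
    for src, dst in flows:
        options.append([p for p in simple_paths(graph, src, dst)
                        if any(n in firewalls for n in p)])
    best = None
    for choice in product(*options):
        routing = dict(zip(flows, choice))
        worst = max(rule_counts(routing, firewalls).values())
        if best is None or worst < best[0]:
            best = (worst, routing)
    return best


def best_placement(graph, flows, candidates, k):
    """Try every k-subset of candidate nodes as firewall positions and keep the
    one whose optimal routing has the smallest maximum rule set."""
    best = None
    for placement in combinations(candidates, k):
        result = min_max_routing(graph, flows, set(placement))
        if result and (best is None or result[0] < best[0]):
            best = (result[0], set(placement), result[1])
    return best


if __name__ == "__main__":
    naive = rule_counts(shortest_path_routing(TOPOLOGY, FLOWS), FIREWALLS)
    print("shortest-path routing:", naive)  # g1 carries every rule, g2 none
    worst, routing = min_max_routing(TOPOLOGY, FLOWS, FIREWALLS)
    print("min-max routing:", rule_counts(routing, FIREWALLS), "max =", worst)
    print("best placement of 2 firewalls among g1, g2, r:",
          best_placement(TOPOLOGY, FLOWS, ["g1", "g2", "r"], 2)[:2])
```

On this instance hop-count routing sends all three flows through g1 (maximum rule set 3, g2 idle), while the min-max routing moves one flow onto the longer path through g2 and brings the maximum down to 2, which is the best possible with three flows and two firewalls. The placement search illustrates the design-time half of the problem: putting both firewalls on nodes that every flow is forced to cross (g2 and r) gives a maximum of 3 no matter how traffic is routed.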

INDEX TERMS

Firewall configuration, access control rules, network security.

CITATION

MyungKeun Yoon, Shigang Chen, Zhan Zhang, "Minimizing the Maximum Firewall Rule Set in a Network with Multiple Firewalls",

*IEEE Transactions on Computers*, vol. 59, no. 2, pp. 218-230, February 2010, doi:10.1109/TC.2009.172