Firewall Design: Consistency, Completeness, and Compactness

Transcription

1 C IS COS YS TE MS Firewall Design: Consistency, Completeness, an Compactness Mohame G. Goua an Xiang-Yang Alex Liu Department of Computer Sciences The University of Texas at Austin Austin, Texas , U.S.A. {goua, Abstract A firewall is often place at the entrance of each private network in the Internet. The function of a firewall is to examine each packet that passes through the entrance an ecie whether to accept the packet an allow it to procee or to iscar the packet. A firewall is usually esigne as a sequence of rules. To make a ecision concerning some packets, the firewall rules are compare, one by one, with the packet until one rule is foun to be satisfie by the packet: this rule etermines the fate of the packet. In this paper, we present the first ever metho for esigning the sequence of rules in a firewall to be consistent, complete, an compact. Consistency means that the rules are orere correctly, completeness means that every packet satisfies at least one rule in the firewall, an compactness means that the firewall has no reunant rules. Our metho starts by esigning a firewall ecision iagram (FDD, for short) whose consistency an completeness can be checke systematically (by an algorithm). We then apply a sequence of five algorithms to this FDD to generate, reuce an simplify the target firewall rules while maintaining the consistency an completeness of the original FDD. To perform its function, a firewall consists of a sequence of rules; each rule is of the form preicate where the preicate is a boolean expression over the ifferent fiels of a packet, an the ecision is either a (for accept) or (for iscar). To reach a ecision concerning a packet, the rules in the sequence are examine one by one until the first rule, whose preicate is satisfie by the packet fiels, is foun. The ecision of this rule is applie to the packet. Designing the sequence of rules for a firewall is not any easy task. In fact, the sequence of rules for any firewall nees to be consistent, complete, an compact as we illustrate by the next (amittely simple) example. Example: Figure 1 shows a private network that contains a mail server s an a host h. The private network is connecte to the firewall via interface 1, whereas the rest of the Internet is connecte to the firewall via interface 0. The rest of the Internet has a malicious host m. Internet 0 1 Mail Server Host Host 1. Introuction A firewall is often place at each entry point of private network in the Internet. The function of this firewall is to provie secure access to an from the private network. In particular, any packet that attempts to enter or leave the private at some entry point is first examine by the firewall locate at that point, an epening on the ifferent fiels of the packet, the firewall ecies either to accept the packet an allow it to procee in its way, or to iscar the packet. Figure 1. A firewall in a simple network In this example, we assume that each packet has five fiels name as follows: I is the interface on which the packet reaches the firewall S is the original source of the packet D is the ultimate estination of the packet P is the transport protocol of the packet

2 T is the estination port of the packet The firewall in this example consists of the following sequence ( I = 0 S = any D = s P = tcp T = 25 a, I = 0 S = any D = s P = any T = any, I = 0 S = m D = any P = any T = any, I = 1 S = h D = any P = any T = any a, I = 1 S = any D = any P = any T = any a) We refer to these five rules as r 0 through r 4, respectively. Rule r 0 accepts each incoming SMTP packet whose ultimate estination is a mail server s. Rule r 1 iscars each incoming non-smtp packet whose ultimate estination is s. Rule r 2 iscars each incoming packet whose original source is a malicious host m. Rule r 3 accepts each outgoing packet whose original source is a host h. Rule r 4 accepts each outgoing packet. Next, we argue that this sequence of five rules suffers from three types of errors: consistency errors, completeness errors, an compactness errors. The two rules r 0 an r 2 are conflicting because there are packets whose fiels satisfy the preicates of both r 0 an r 2 (for example, a packet where I = 0, S = m, D = s, P = tcp, an T = 25 satisfies the preicates of both r 0 an r 2 ) an these two rules have ifferent ecisions. Therefore, the relative orer of these two rules with respect to one another in the sequence of rules becomes very critical. For example, by placing rule r 2 behin rule r 0 in the above rule sequence, the firewall accepts all incoming SMTP packets even those that originate at the malicious host m. This relative orer of rules r 0 an r 2 is likely a consistency error. This error can be correcte by placing rule r 2 at the beginning of the sequence of rules ahea of rule r 1. This correction will cause the firewall to iscar all incoming packets, incluing SMTP packets, that originate at the malicious host m. The secon error in the above rule sequence is that any packet where I = 0, S m, an D s oes not satisfy the preicate of any of the five rules r 0 through r 5. We refer to such an error as a completeness error. This error can be correcte by aing the following new rule immeiately before rule r 3 I = 0 S = any D = any P = any T = any a The thir error in the above rule sequence is that rule r 3 is reunant; i.e., this rule can be remove without affecting the set of all packets accepte by the rule sequence an without affecting the set of all packets iscare by the rule sequence. We refer to such an error as a compactness error. This error can be correcte by removing rule r 3 from the above rule sequence. After we preform these corrections, we en up with the following sequence of rules. ( I = 0 S = m D = any P = any T = any, I = 0 S = any D = s P = tcp T = 25 a, I = 0 S = any D = s P = any T = any, I = 0 S = any D = any P = any T = any a, I = 1 S = any D = any P = any T = any a) In this paper, we present a metho for esigning the sequence of rules of a firewall to be consistent, complete, an compact. Accoring to this metho, a firewall esigner starts by specifying what we call a firewall ecision iagram whose consistency an completeness can be checke systematically (by an algorithm). Then, the esigner applies a sequence of five algorithm to this firewall ecision iagram to generate a compact sequence of firewall rules while maintaining the consistency an completeness of the original iagram. 2. Relate Work Design errors in existing firewalls have been reporte in [3]. Yet, most of the research in the area of firewalls an packet classifiers was not eicate to the problem of how to esign correct firewalls. Rather, most of the research in this area was eicate to eveloping efficient ata structures that can spee up the checking of firewall rules when a new packet reaches a firewall. Examples of such ata structures are the trie ata structures in [12], area-base quatrees [6], fat inverte segment trees [8]. A goo survey of these ata structures is presente in [9]. Another research irection in the area of firewall esign has been eicate to the evelopment of high-level specification languages that can be use in specifying firewall rules. Examples of such languages are the simple moel efinition language in [3], the Lisp-like language in [10], the eclarative preicate language in [4], an the high level firewall language in [1]. However, none of these specification languages is able to simplify the task of ensuring consistency, completeness, an compactness of the firewalls being specifie. Perhaps the research irection that is closest to the spirit of the current papers is reporte in [11], [7], [2]. This research irection is eicate to etecting every pair of conflicting rules in a firewall. Each etecte pair of conflicting rules is then presente to the firewall esigner who ecies whether the two rules nee to be swappe or a new rule nee to be ae. However, these methos o not eal with the completeness an compactness errors of a firewall. Accoring to the firewall esign metho in the current paper, firewalls are first specifie as firewall ecision iagrams. These ecision iagrams are similar, but not ientical, to other types of ecision iagrams such as the Binary Decision Diagrams in [5] an the Interval Decision Diagrams in [13].

3 3. Firewall Decision Diagrams (FDDs) [4,5] A fiel F i is a variable whose value is taken from a preefine interval of nonnegative integers, calle the omain [6,7] F of F i an enote by D(F i ). [2,3] 1 F [0,1] [2,3] 1 PSfrag replacements[5,7] [4,4] [5,7] A packet over the fiels F 0,, F n 1 is an n-tuple (p 0,, p n 1 ) where each p i is taken from the omain a a D(F i ) of the corresponing fiel F i. A firewall ecision iagram f (or FDD f, for short) over the fiels F 0,, F n 1 is an acyclic an irecte graph that satisfies the following five conitions: 1. f has exactly one noe that has no incoming eges, calle the root of f, an has two or more noes that have no outgoing eges, calle the terminal noes of f. 2. Each nonterminal noe v in f is labelle with a fiel, enote by F (v), taken from the set of fiels F 0,, F n 1. Each terminal noe v in f is labelle with a ecision that is either accept (or a for short) or iscar (or for short). 3. A irecte path from the root to a terminal noe in f is calle a ecision path. No two noes on a ecision path in f have the same label. 4. Each ege e, that is outgoing of a noe v in f, is labelle with an integer set I(e), where I(e) is a subset of the omain of fiel F (v). 5. Let v be any terminal noe in f. The set E(v) of all outgoing eges of noe v satisfies the following two conitions: (a) Consistency: For any istinct e i an e j in E(v), I(e i ) I(e j ) = (b) Completeness: e E(v) I(e) = D(F (v)) where is the empty set an D(F (v)) is the omain of the fiel F (v). Figure 2 shows an FDD over two fiels F 0 an F 1. The omain of each fiel is the interval [0, 9]. Each ege in this FDD is labelle with a set of integers that is represente by one or more non-overlapping intervals (that cover the set of integers). For example, one outgoing ege of the root is labelle with the two intervals [0, 3] an [8, 9] that represent the set {0, 1, 2, 3, 8, 9}. Let f be an FDD over the fiels F 0,, F n 1. A ecision path in f is enote (v 0 e 0 v k 1 e k 1 v k ) where v 0 is the root noe in f, v k is a terminal noe in f, an each e i is a irecte ege from noe v i to noe v i+1 in f. Each ecision path (v 0 e 0 v k 1 e k 1 v k ) in an FDD f over the packet fiels F 0,, F n 1 can be represente as a rule of the form: F 0 [0,1] [4,4] Figure 2. An FDD [0,3] F 1 [0,4] [5,9] where ecision is the label of the terminal noe v k in the ecision path an each fiel F i satisfies one of the following two conitions: 1. No noe in the ecision path is labelle with fiel F i an S i is the omain of F i. 2. There is one noe v j in the ecision path that is labelle with fiel F i an S i is the label of ege e j in the ecision path. An FDD f over the fiels F 0,, F n 1 can be represente by a sequence of rules, each of them is of the form such that the following two conitions hol. First, each rule in the sequence represents a istinct ecision path in f. Secon, each ecision path in f is represente by a istinct rule in the sequence. Note that the orer of the rules in the sequence is immaterial. We refer to a sequence of rules that represents an FDD f as a firewall of f. A packet (p 0,, p n 1 ) over the fiels F 0,, F n 1 is sai to be accepte by an FDD f over the same fiels iff a firewall of f has a rule accept such that the conition p 0 S 0 p n 1 S n 1 hols. Similarly, a packet (p 0,, p n 1 ) over the fiels F 0,, F n 1 is sai to be iscare by an FDD f over the same fiels iff a firewall of f has a rule iscar such that the conition p 0 S 0 p n 1 S n 1 hols. Let Σ enote the set of all packets over the fiels F 0,, F n 1, an let f be an FDD over the same fiels. The accept set of f, enote f.accept, is the subset of Σ that contains all the packets accepte by f. Similarly, the iscar set of f, enote f.iscar, is the subset of Σ that contains all the packets iscare by f. Theorem 1 (Theorem of FDDs) For any FDD f over the fiels F 0,, F n 1,

4 1. f.accept f.iscar =, an 2. f.accept f.iscar = Σ where is the empty set an Σ is the set of all packets over the fiels F 0,, F n 1. Two FDDs f an f over the same fiels are sai to be equivalent iff they have ientical accepts sets an ientical iscar sets, i.e., 4. Reuction of FDDs f.accept = f.accept, an f.iscar= f.iscar. As iscusse in the precious section, the number of rules in a firewall of an FDD f equals the number of ecision paths in f. Thus, it is avantageous to reuce the number of ecision paths in an FDD without changing its semantics, i.e., without changing its accept an iscar sets. The proceure for reucing the number of ecision paths in an FDD without changing its accept an iscar sets is calle a reuction of this FDD. This proceure is iscusse in this section. But before we introuce the concept of a reuce FDD, we nee to introuce the concept of isomorphic noes in an FDD. Two noes v 0 an v 1 in an FDD f are calle isomorphic in f iff v 0 an v 1 satisfy one of the following two conitions: 1. Both v 0 an v 1 are terminal noes with ientical labels in f. 2. Both v 0 an v 1 are nonterminal noes an there is a one-to-one corresponence between the outgoing eges of v 0 an the outgoing eges of v 1 such that every pair of corresponing eges have ientical labels an are incoming of the same noe in f. An FDD f is calle reuce iff it satisfies the following three conitions: 1. f has no noe with exactly one outgoing ege. 2. f has no two eges that are outgoing of one noe an are incoming of another noe. 3. f has no two istinct isomorphic noes. The reuction proceure of FDDs is presente next. Algorithm 1: (Reuction of FDDs) input : an FDD f output: a reuce FDD that is equivalent to f Repeately apply the following three reuctions to f until none of them can be applie any further. 1. If f has a noe v 0 with only one outgoing ege e an if e is incoming of another noe v 1, then remove v 0 an e from f an make the incoming eges of v 0 incoming of v If f has two eges e 0 an e 1 that are outgoing of noe v 0 an incoming of noe v 1, then remove e 0 an make the label of e 1 be the integer set I(e 0 ) I(e 1 ), where I(e 0 ) an I(e 1 ) are the integer sets that labelle eges e 0 an e 1 respectively. 3. If f has two isomorphic noes v 0 an v 1, then remove noe v 1 an its outgoing eges, an make the incoming eges of v 0 incoming of v 1. Applying Algorithm 1 to the FDD in Figure 2 yiels the reuce FDD in Figure 3. Note that a firewall of the FDD in Figure 2 consists of six rules, whereas a firewall of the FDD in Figure 3 consists of three rules. PSfrag replacements [2,3] [5,7] 5. Marking of FDDs a F 0 [4,7] [0,3] [0,1] F 1 [4,4] Figure 3. A reuce FDD In section 8, we escribe an algorithm for replacing each rule in the firewall of a reuce FDD f by a sequence of simple rules. The total number of the resulting simple rules in the firewall equals the egree of a marke version of f. Next, we efine what we mean by a marke version of an FDD an its egree. A marke version f of a reuce FDD f is the same as f except that exactly one outgoing ege of each nonterminal noe in f is marke ALL. We aopt the convention: f.accept = f.accept, an f.iscar= f.iscar. We sometimes refer to f as a marke FDD. Figure 4 shows two marke versions f an f of the reuce FDD in Figure 3. In f, the ege labelle [4, 7] an the ege labelle [0, 1][4, 4][8, 9] are both marke ALL. In f, the ege labelle [0, 3][8, 9] an the ege labelle [0, 1][4, 4][8, 9] are both both marke ALL. The egree of a set of integers S, enote eg(s), is the smallest number of non-overlapping integer intervals that cover S. For example, the egree of the set

5 ag replacements [2,3] [5,7] a F 0 F 0 [4,7] [4,7] [0,3] [0,3] ALL [0,1] [0,1] F 1 [4,4] F [2,3] 1 [4,4] ALL [5,7] ALL ALL a (a) f (b) f Figure 4. Two marke FDDs (1) Fin an outgoing ege e j of v whose quantity (eg(e j ) 1) eg(v j ) is larger than or equal to the corresponing quantity of every other outgoing ege of v. (2) Mark ege e j with ALL. (3) Compute the egree of v as follows: eg(v) = k 1 i=0 (eg(e i) eg(v i )) en If Algorithm 2 is applie to the reuce FDD in Figure 3, we obtain the marke FDD in Figure 4(b). {0, 1, 2, 4, 7, 8, 9} is 3 because this set is covere by the three integer intervals [0, 2], [4, 4] an [7, 9]. The egree of an ege e in a marke FDD, enote eg(e), is efine as follows. If e is marke ALL, then eg(e) = 1. If e is not marke ALL, then eg(e) = eg(s) where S is the set of integers that labels ege e. The egree of a noe v in a marke FDD, enote eg(v), is efine recursively as follows. If v is a terminal noe, then eg(v) = 1. If v is a nonterminal noe with k outgoing eges e 0,, e k 1 that are incoming of noes v 0,, v k 1 respectively, then k 1 eg(v) = eg(e i ) eg(v i ) i=0 The egree of a marke FDD f, enote eg(f), equals the egree of the root noe of f. For example, eg(f ) = 5 where f is the marke FDD in Figure 4(a), an eg(f ) = 4 where f is the marke FDD in Figure 4(b). From the above examples, a reuce FDD may have many marke versions, an each marke version may have a ifferent egree. As mentione earlier, the number of simple rules in the firewall of a marke FDD equals the egree of the marke FDD. Thus, it is avantageous, when generating a marke version of a reuce firewall, to generate the marke version with the smallest possible egree. This is achieve by the following algorithm. Algorithm 2: (Marking of FDDs) input : a reuce FDD f output: a marke version f of f such that for every marke version f of f, eg(f ) eg(f ) 1. Compute the egree of each terminal noe v in f as follows: eg(v) = 1 2. while f has a noe v whose egree has not yet been compute an v has k outgoing eges e 0,, e k 1 that are incoming of the noes v 0,, v k 1, respectively, whose egrees have alreay been compute o 6. Firewall Generation In this section, we present an algorithm, Algorithm 3, for generating a firewall of a marke FDD f, which is generate by Algorithm 2 in section 5. The generate firewall is a sequence of rules where each rule correspons to a ecision path in the marke FDD f. Algorithm 3 computes for each rule in the generate firewall a binary number, calle rank of the rule, an two preicates, calle exhibite an original preicates of the rule. The rule ranks are use to orer the compute rules in the generate firewall. The exhibite an original preicates of the rules are use in the next section to make the generate firewall compact. A firewall r over the fiels F 0,, F n 1 is a sequence of rules r 0,, r m 1 where each rule is of the form Each S i is either the mark ALL or a nonempty set of integers taken from the omain of fiel F i (which is an interval of consecutive nonnegative integers). The ecision is either a (for accept) or (for iscar). The last rule, r m 1, in firewall r is of the form: where each S i is either the mark ALL or the entire omain of fiel F i. A packet (p 0,, p n 1 ) over the fiels F 0,, F n 1 is sai to match a rule r i in a firewall over the same fiels iff rule r i is of the form an the preicate (p 0 S 0 p n 1 S n 1 ) hols. A packet over the fiels F 0,, F n 1 is sai to be accepte by a firewall r over the same fiels iff r has a rule r i that satisfies the following three conitions: 1. The packet matches r i. 2. The packet oes not match any rule that precees r i. 3. The ecision of r i is a.

6 Similarly, a packet over the fiels F 0,, F n 1 is sai to be iscare by a firewall r over the same fiels iff r has a rule r i that satisfies the following three conitions: 1. The packet matches r i. 2. The packet oes not match any rule that precees r i. 3. The ecision of r i is. Let r be a firewall over the fiels F 0,, F n 1. The set of all packets accepte by r is enote r.accept, an the set of all packets iscare by r is enote r.iscar. The next theorem follows from these efinitions. Theorem 2 (Theorem of Firewalls) For any over the fiels F 0,, F n 1, 1. r.accept r.iscar =, an 2. r.accept r.iscar = Σ firewall r where is the empty set an Σ is the set of all packets over the fiels F 0,, F n 1. Algorithm 3: (Firewall Generation) input : a marke FDD f over the fiels F 0,, F n 1 an assume that along each irecte path in f, if a fiel F i appears before fiel F j then i < j. output: a firewall r over the same fiels such that r.accept = f.accept, an r.accept = f.accept an for each rule r i in r, the algorithm computes a binary number of n bits, calle the rank of r i, an two preicates, calle the exhibite an original preicates of r i. 1. For each ecision path in f, compute a rule r i, its rank, its exhibite preicate ep i an its original preicate op i as follows: rank = b 0 b n 1 ep i = ( ) op i = (F 0 T 0 F n 1 T n 1 ) where each b i, S i, an T i is compute accoring to the following three cases: Case 1:(The ecision path has no noes labelle F i ) b i = 0 S i =the omain [a i, b i ] of F i T i =the omain [a i, b i ] of F i Case 2:(The ecision path has a noe labelle F i, an its outgoing ege e has no mark) b i = 0 S i =the integer set that labels e T i =the integer set that labels e Case 3:(The ecision path has a noe labelle F i, an its outgoing ege e has an ALL mark) b i = 1 S i =ALL T i =the integer set that labels e 2. After computing all the rules an their ranks, orer the rules in r in an ascening orer of their ranks. As an example, if Algorithm 3 is applie to the marke FDD in Figure 4(b), we obtain the firewall in Figure 5. Associate with each of the three rules in this firewall are a rank, an an exhibite an original preicates. In particular, associate with the first rules are rank =00, exhibite preicate =(F 0 [4, 7] F 1 [2, 3] [5, 7]), original preicate =exhibite preicate. Associate with the secon rule are: rank =01, exhibite preicate =(F 0 [4, 7] F 1 ALL), original preicate =(F 0 [4, 7] F 1 [0, 1] [4, 4] [8, 9]). Associate with the thir rule are: rank =10, exhibite preicate =(F 0 ALL F 1 [0, 9]), original preicate =(F 0 [0, 3] [8, 9] F 1 [0, 9]). Note that the three rules are place in the firewall in ascening orer of their ranks. r = ( F 0 [4, 7] F 1 [2, 3] [5, 7] a, F 0 [4, 7] F 1 ALL, F 0 ALL F 1 [0, 9], ) Figure 5. A generate firewall 7. Firewall Compactness Firewalls that are generate by Algorithm 3 in the last section can have reunant rules, i.e., rules that can be remove from their firewalls without affecting the accept or iscar sets of these firewalls. For example, the secon rule in firewall r in Figure 5 is reunant. Thus, removing this rule from r yiels the equivalent in Figure 6. The two firewalls are equivalent since r.accept = r.accept, an r.accept = r.accept A firewall is calle compact iff it has no reunant rules. It is straightforwar to argue that the firewall in Figure 6 is compact. In this section, we present an algorithm, Algorithm 4, for etecting an removing all reunant rules from the firewalls generate by Algorithm 3. Algorithm 4 is base on the following theorem.

7 r = ( F 0 [4, 7] F 1 [2, 3] [5, 7] a, F 0 ALL F 1 [0, 9], ) Figure 6. A compact firewall Theorem 3 (Reunancy of Firewall Rules) Let (r 0,, r m 1 ) be a firewall over the fiels F 0,, F n 1 generate by Algorithm 3 in the last section. A rule r i in this firewall, i < m 1, is reunant iff for each j, i < j m 1, at least one of the following two conitions hols: 1. ecision of r j = ecision of r i. 2. No packet over the fiels F 0,, F n 1 satisfies the preicate r i.op ( r i+1.ep r j 1.ep) r j.ep where r i.op enotes the original preicate of r i an r j.ep enotes the exhibite preicate of r j. Algorithm 4: (Firewall Compaction) input : a firewall r with m rules (r 0,, r m 1 ) over the fiels F 0,, F n 1 generate by Algorithm 3 output: a compact firewall r such that r.accept = r.accept, an r.accept = r.accept variables i : 0..m 2; j : 0..m; reunant : array [0..m 1] of boolean; np : name of a preicate; 1. reunant[m 1] := false; 2. for i = m 2 to 0 o j := i + 1; let r i.op be name np; reunant[i] := true while reunant[i] j m 1 o if reunant[j] then j := j + 1; else if ( ecision of r i = ecision of r j ) (no packet over the fiels F 0,, F n 1 satisfies np r j.ep) then let np r j.ep be name np; j := j + 1; else reunant[i] := false; 3. Remove from r every rule r i where reunant[i] := true. If we apply Algorithm 4 to the firewall in Figure 5, we obtain the compact firewall in Figure Firewall Simplification A firewall rule of the form is calle simple iff every S i in the rule is either the ALL mark or an interval of consecutive nonnegative integers. A firewall is calle simple off all its rules are simple. The following algorithm can be use to simplify any firewall generate by Algorithm 3 or Algorithm 4. Algorithm 5: (Firewall Simplification) input : a firewall r generate by Algorithm 3 or Algorithm 4 output: a simple firewall r such that r.accept = r.accept, an r.accept = r.accept while r has a rule of the form F 0 S 0 F i S [a, b] F n 1 S n 1 where S is a nonempty set of nonnegative integers that has neither a 1 nor b + 1 o replace this rule by two consecutive rules of the form: F 0 S 0 F i S F n 1 S n 1, F 0 S 0 F i [a, b] F n 1 S n 1 en If we apply Algorithm 5 to the compact firewall r in Figure 6, we obtain the simple firewall r in Figure 7. Note r = ( F 0 [4, 7] F 1 [2, 3] a, F 0 [4, 7] F 1 [5, 7], F 0 ALL F 1 [0, 9], ) Figure 7. A simple firewall that our firewall running example, illustrate in the Figure 2 through 7, starte by the FDD in Figure 2. If we irectly generate an simplifie our firewall from this FDD, ignoring Algorithm 1, 2, an 4, then we woul have ene up with a firewall consists of 14 simple rules. Thus the role of Algorithms 1, 2, an 4 is to reuce the number of simple rules in the final firewall from 14 to mere 3. A big saving! 9. Summary of Firewall Design It is useful to summarize our firewall esign metho in this section, Figure 8 shows the ifferent steps of our fire-

8 wall esign metho. PSfrag replacements Algorithm 6 A user specifie FDD f Algorithm 1 A reuce FDD f Algorithm 2 A marke FDD f Algorithm 3 A generate firewall r Algorithm 4 A compact firewall r Algorithm 5 A simple firewall r Figure 8. Steps of our firewall esign metho The metho starts by some user specifying an FDD f. The consistency an completeness properties of f can be verifie systematically, possibly using a computer program. Although f guarantees that the final firewall is both consistent an complete, f shoul not be use to irectly generate an simplify this final firewall (otherwise, the number of simple rules in the final firewall woul be very large). Instea, f is first reuce (using Algorithm 1), an some of its eges are marke with the ALL mark (using Algorithm 2), then the firewall is generate from the marke FDD (using Algorithm 3). Note that although marking some of the eges in an FDD introuces conflicts into the FDD, the marking algorithm, Algorithm 3, maintains the consistency an completeness conitions of the original FDD. Unfortunately, the generate firewall can still have some reunant rules (even though this firewall is generate after applying the reuction algorithm, Algorithm 1, go get ri of many reunant rules). Thus, Algorithm 4 is use to etect an remove all the remaining reunant rules from the generate firewall. Finally, Algorithm 5 is use to simplify the rules in the generate firewall. Note that the marking algorithm, Algorithm 2, guarantees that the number of simple rules in the generate firewall is kept to a minimum. 10. Concluing Remarks Our contribution in this paper is two-fol. First, we propose to use firewall ecision iagrams to specify firewalls at the early stage of firewall esign. The main avantages of these iagrams is that their consistency an completeness can be checke systematically. Secon, we evelope a sequence of five algorithms that can be applie to a firewall ecision iagram to generate a compact sequence of firewall rules while maintaining the consistency an completeness of the original firewall iagram. In our firewall esign metho, we assume that to each encountere packet, a firewall assigns one of two ecisions: accept or iscar. Nevertheless, this esign metho can be easily extene to allow a firewall to select one of any number ecisions. For example, the extene metho can be use to esign a firewall that assigns to each encountere packet a ecision taken from the following four ecisions: accept, accept-an-log, iscar, an iscar-an-log. The esign metho iscusse in this paper is not restricte to esigning firewalls. Rather, this metho can also be applie to the esign of general packet classifiers. References [1] High level firewall language, [2] F. Baboescu an G. Varghese. Fast an scalable conflict etection for packet classifiers. In Proc. of the 10th IEEE International Conference on Network Protocols, [3] Y. Bartal, A. J. Mayer, K. Nissim, an A. Wool. Firmato: A novel firewall management toolkit. In Proc. of IEEE Symp. on Security an Privacy, pages 17 31, [4] A. Begel, S. McCanne, an S. L. Graham. BPF+: Exploiting global ata-flow optimization in a generalize packet filter architecture. In Proc. of ACM SIGCOMM 99, [5] R. E. Bryant. Graph-base algorithms for boolean function manipulation. IEEE Trans. on Computers, 35(8): , [6] M. M. Buhikot, S. Suri, an M. Walvogel. Space ecomposition techniques for fast Layer-4 switching. In Proc. of PHSN, Aug [7] D. Eppstein an S. Muthukrishnan. Internet packet filter management an rectangle geometry. In Symp. on Discrete Algorithms, pages , [8] A. Felmann an S. Muthukrishnan. Traeoffs for packet classification. In Proc. of 19th IEEE INFOCOM, Mar [9] P. Gupta an N. McKeown. Algorithms for packet classification. IEEE Network, 15(2):24 32, [10] J. D. Guttman. Filtering postures: Local enforcement for global policies. In Proc. of IEEE Symp. on Security an Privacy, pages , [11] A. Hari, S. Suri, an G. M. Parulkar. Detecting an resolving packet filter conflicts. In Proc. of IEEE Infocom, pages , [12] V. Srinivasan, G. Varghese, S. Suri, an M. Walvogel. Fast an scalable layer four switching. In Proc. of ACM SIG- COMM, pages , [13] K. Strehl an L. Thiele. Interval iagrams for efficient symbolic verification of process networks. IEEE Trans. on Computer-Aie Design of Integrate Circuits an Systems, 19(8): , 2000.