Firewall Modules and Modular Firewalls
H. B. Acharya, University of Texas at Austin
Aditya Joshi, University of Texas at Austin
M. G. Gouda, National Science Foundation

Abstract

A firewall is a packet filter placed at an entry point of a network in the Internet. Each packet that goes through this entry point is checked by the firewall to determine whether to accept or discard the packet. The firewall makes this determination based on a specified sequence of overlapping rules. The firewall uses the first-match criterion to determine which rule in the sequence should be applied to which packet. Thus, to compute the set of packets to which a rule is applied, the firewall designer needs to consider all the rules that precede this rule in the sequence. This rule dependency complicates the task of designing firewalls (especially those with thousands of rules), and makes firewalls hard to understand. In this paper, we present a metric, called the dependency metric, for measuring the complexity of firewalls. This metric, though accurate, does not seem to suggest ways to design firewalls whose dependency metrics are small. Thus, we present another metric, called the inversion metric, and develop methods for designing firewalls with small inversion metrics. We show that the dependency metric and the inversion metric are correlated for some classes of firewalls. So by aiming to design firewalls with small inversion metrics, the designer may end up with firewalls whose dependency metrics are small as well. We present a method for designing modular firewalls whose inversion metrics are very small. Each modular firewall consists of several components, called firewall modules. The inversion metric of each firewall module is very small, in fact 1 or 2. Thus, we conclude that modular firewalls are easy to design and easy to understand.

I. INTRODUCTION

A firewall is a packet filter that is placed at an entry point of a network in the Internet.
The function of a firewall is to check each packet that goes through the entry point (at which the firewall is located) and determine whether to accept the packet and allow it to proceed on its way or to discard the packet. The firewall performs its function based on a specified sequence of rules. Each rule is of the form

<predicate> <decision>

where <predicate> is a function that assigns to each packet a boolean value, true or false, and <decision> is either accept or discard. When a packet p reaches a firewall F, F performs two steps:

1) F identifies the first rule r (in its sequence of rules) whose <predicate> assigns the value true to packet p.
2) If the <decision> of rule r is accept (or discard, respectively) then F accepts (or discards, respectively) packet p.

Note that F employs a first-match criterion to determine which rule (in its sequence of rules) should be applied to which packet. This first-match criterion allows the rules in the rule sequence to be overlapping. This can be both advantageous and disadvantageous. The advantage of making the rules in the rule sequence overlapping is that it reduces the number of rules in the rule sequence, sometimes dramatically. The disadvantage of making the rules overlapping is that it creates many dependencies between the rules in the rule sequence. This, in turn, complicates the task of designing and understanding the rule sequence. For instance, if the firewall designer needs to compute the set of packets to which a rule r (in the rule sequence) applies, then the designer needs to consider not only rule r but also all the rules that precede r in the rule sequence.

In this paper, we introduce a metric, called the dependency metric, that measures the complexity of firewalls. The larger the value of the metric for a given firewall, the more complex the firewall is and the harder it is to design and understand. Unfortunately, the dependency metric, though accurate, does not seem to suggest methods for designing firewalls for which the values of the metric are small.
Thus, we introduce another complexity metric, called the inversion metric, for measuring the complexity of firewalls. We show, below, that the dependency metric and the inversion metric are correlated (at least for a rich class of firewalls called uniform firewalls). This result allows us to use the inversion metric as a good approximation of the dependency metric. Then, we identify three classes of firewalls, namely simple firewalls, partitioned firewalls, and modular firewalls, for which the values of the inversion metric are small. (This implies that these classes of firewalls are easier to design and understand.) We also describe methods for designing firewalls in these three classes.

Of particular interest is the class of modular firewalls. Each modular firewall consists of simple firewall components, called firewall modules. The value of the inversion metric for each firewall module is 1 or 2. This causes the value of the inversion metric for the full firewall to be 1 or 2. (Note that the smallest possible value of the inversion metric is 1.) We present an algorithm that takes as input any firewall F whose inversion metric is large and computes as output an equivalent modular firewall MF whose inversion metric is (by definition) 1 or 2. The complexity of this algorithm is $O(n^2)$,
where n is the number of rules in the input firewall F. The existence of this algorithm indicates that designing a modular firewall is not harder than designing an equivalent non-modular firewall. Our simulation results, reported below, show that the cost and performance of this algorithm are attractive.

II. FIELDS, PACKETS, RULES, AND FIREWALLS

In this section, we define the main terms in this paper: fields, packets, rules, and firewalls.

A field is a variable whose value is taken from an interval of non-negative integers. Examples of fields are source IP address, destination IP address, transport protocol, source port number, and destination port number. The domain of values of the source IP address field, for example, is the interval $[0, 2^{32} - 1]$. In this paper, we consider d fields, denoted $f_1, \dots, f_d$. The domain of values of each field $f_j$, denoted $D(f_j)$, is an interval of non-negative integers.

A packet p is a d-tuple $(p.f_1, \dots, p.f_d)$, where each $p.f_j$ is an element from the domain $D(f_j)$ of field $f_j$.

A rule r is of the form

$f_1 \in R_1 \wedge \dots \wedge f_d \in R_d \rightarrow \langle r.decision \rangle$

where each $R_j$ is a non-empty interval of non-negative integers taken from the domain $D(f_j)$ of field $f_j$, and $\langle r.decision \rangle$ is either accept or discard. A rule whose decision is accept is called an accept rule, and a rule whose decision is discard is called a discard rule.

A packet $(p.f_1, \dots, p.f_d)$ is said to match a rule r of the above form iff the predicate $(p.f_1 \in R_1 \wedge \dots \wedge p.f_d \in R_d)$ holds.

A rule of the form $f_1 \in D(f_1) \wedge \dots \wedge f_d \in D(f_d) \rightarrow accept$ is called an accept-all rule, and a rule of the form $f_1 \in D(f_1) \wedge \dots \wedge f_d \in D(f_d) \rightarrow discard$ is called a discard-all rule.

A firewall F is a nonempty sequence of rules, where the last rule is either an accept-all rule or a discard-all rule.

A packet $(p.f_1, \dots, p.f_d)$ is said to be accepted by a firewall F iff F has an accept rule r such that the following two conditions hold.
1) $(p.f_1, \dots, p.f_d)$ matches r.
2) $(p.f_1, \dots, p.f_d)$ does not match any rule that precedes r in F.
A packet $(p.f_1, \dots, p.f_d)$ is said to be discarded by a firewall F iff F has a discard rule r such that the following two conditions hold.
1) $(p.f_1, \dots, p.f_d)$ matches r.
2) $(p.f_1, \dots, p.f_d)$ does not match any rule that precedes r in F.

Because the last rule in a firewall is either an accept-all rule or a discard-all rule, it is straightforward to show that for every packet and every firewall F, either the packet is accepted by F or the packet is discarded by F.

Two firewalls F and G are said to be equivalent iff F and G accept the same set of packets (and discard the same set of packets).

III. THE DEPENDENCY METRIC OF FIREWALLS

In this section we define a metric that can be used to measure the complexity of a firewall. If the value of this metric is large for one firewall, then this firewall is relatively hard to understand. And if the value of this metric is small for another firewall, then this firewall is relatively easy to understand. We refer to this metric as the dependency metric. But before we can define the dependency metric, we first need to introduce several definitions.

A band of a firewall F is a maximal sequence of consecutive rules that have the same decision, whether accept or discard, in F. If (all) the rules in a band have accept decisions, then the band is called an accept band. Similarly, if (all) the rules in a band have discard decisions, then the band is called a discard band.

Theorem 1. If the rules in a band in a firewall F are reordered in any way, then the resulting firewall is equivalent to F.

Proof: Assume that the rules in a band B in F are reordered in any way. Let p be a packet that is resolved by a rule r in B before the reorder. And assume that packet p is resolved by another rule s after the reorder. Thus, rule s belongs to band B, and has moved ahead of rule r as a result of the reorder. Because both rules r and s belong to the same band B, they have the same decision. Therefore, rule s will resolve packet p after the reorder in the same way that rule r has resolved packet p before the reorder.
Every packet that is accepted before the reorder is also accepted after the reorder, and every packet that is discarded before the reorder is also discarded after the reorder. Hence the firewall that results from the reorder is equivalent to the original firewall F before the reorder.

If all the rules in a firewall have the same decision, then this firewall consists of only one band. But such a firewall is not very useful in practice. Thus, from now on, we consider only firewalls that consist of two or more bands.

A packet p is said to be resolved by a rule r in a firewall F iff the following two conditions hold:
1) p matches rule r.
2) p does not match any rule s, where s precedes r in F and r and s occur in different bands in F.

The dependency set of a rule r in a firewall F is the set containing every rule s, where s precedes r in F, and r and s occur in different bands in F.

From the last two definitions, we conclude that to determine whether a packet p is resolved by a rule r in a firewall F, one needs to test packet p against rule r and against every rule in
the dependency set of r. Clearly, the complexity of these tests is proportional to the number of rules in the dependency set of r. If the cardinality of the dependency set of r is large, then determining whether a given packet is resolved by r is relatively hard. And one can claim, in this case, that rule r is hard to understand. On the other hand, if the cardinality of the dependency set of r is small, then determining whether a given packet is resolved by r is relatively easy. And one can claim, in this case, that rule r is easy to understand.

It follows from this discussion that the complexity of understanding a rule r in a firewall F can be measured by the cardinality of the dependency set of r in F. Therefore, the complexity of understanding firewall F can be measured by the average cardinality of a dependency set of a rule in F.

The dependency metric of a firewall F is the average cardinality of a dependency set of a rule in F.

Theorem 2. Let F be any firewall that has n rules.
1) The smallest possible value of the dependency metric of F is $\frac{n-1}{n}$.
2) The largest possible value of the dependency metric of F is $\frac{n-1}{2}$.

Proof:
1) The dependency metric of F has its smallest value when F consists of only two bands. The first band consists of the top n - 1 rules in F, and the second band consists of the last rule in F. In this case, the dependency set of each one of the top n - 1 rules is empty, and the dependency set of the last rule has n - 1 rules. Thus, the average cardinality of a dependency set of a rule in F is $\frac{n-1}{n}$.
2) The dependency metric of F has its largest value when F consists of n bands, and each band consists of only one rule. In this case, the dependency set of the first rule in F has 0 rules, the dependency set of the second rule in F has 1 rule, ..., and the dependency set of the n-th rule in F has n - 1 rules. Thus, the average cardinality of a dependency set of a rule in F is $\frac{0 + 1 + \dots + (n-1)}{n} = \frac{n-1}{2}$.

The problem with the dependency metric is that it does not seem to suggest methods for designing firewalls whose dependency metrics are small.
This problem compels us to look for another complexity metric of firewalls. This new complexity metric needs to satisfy two requirements. First, this new metric needs to be correlated to the dependency metric (at least for some classes of firewalls). Second, it should be easy to design firewalls for which the new metric has a small value. We present such a metric in the next section.

IV. THE INVERSION METRIC OF FIREWALLS

In this section we introduce a second metric that can be used to measure the complexity of firewalls. We refer to this metric as the inversion metric. We show that the inversion metric satisfies two nice properties. First, we show, in this section, that the value of the inversion metric of a firewall is correlated to the value of the dependency metric of the same firewall (when the firewall is uniform). This result allows us to use the inversion metric as a good approximation of the dependency metric. Second, we demonstrate, in Section VII below, that one can develop methods for designing firewalls whose inversion metrics are very small. In particular, we give an algorithm that takes as input any firewall, whose inversion metric value is large, and produces an equivalent firewall, whose inversion metric value is no more than 2, a small value.

The inversion metric of a firewall F is the number of pairs of adjacent rules that have different decisions in F.

Theorem 3. Let F be a firewall that has n rules.
1) The smallest possible value of the inversion metric of F is 1.
2) The largest possible value of the inversion metric of F is n - 1.

Proof: Because, as mentioned in Section III, we consider only firewalls that have two or more bands, the smallest possible value of the inversion metric of a firewall is 1. Also, a firewall that has n rules has exactly n - 1 pairs of adjacent rules, so the largest possible value of the inversion metric is n - 1, attained when every adjacent pair has different decisions.

A firewall F is called uniform iff each band in F has the same number of rules. Thus, if a uniform firewall F has n rules and k bands, then each band in F has n/k rules.

Theorem 4. Let F be a uniform firewall that has n rules.
Also, let dm be the value of the dependency metric of F, and im be the value of the inversion metric of F. Then

$$dm = \frac{im \cdot n}{2\,(im + 1)}$$

Proof: Since im is the inversion metric of firewall F, F has im + 1 bands, and because F is uniform, each band in F has $\frac{n}{im+1}$ rules. The cardinality of the dependency set of each rule in the i-th band in F, where i is in the range 1..(im + 1), is $(i-1) \cdot \frac{n}{im+1}$. Thus, the average cardinality dm of the dependency set of a rule in F can be computed as follows:

$$
\begin{aligned}
dm &= \frac{1}{n} \sum_{i=1}^{im+1} \frac{n}{im+1} \cdot (i-1) \cdot \frac{n}{im+1} \\
   &= \frac{n}{(im+1)^2} \sum_{i=1}^{im+1} (i-1) \\
   &= \frac{n}{(im+1)^2} \sum_{i=0}^{im} i \\
   &= \frac{n}{(im+1)^2} \cdot \frac{im\,(im+1)}{2} \\
   &= \frac{im \cdot n}{2\,(im+1)}
\end{aligned}
$$
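The two metrics, the Theorem 2 bounds and the Theorem 4 identity, as a worked example added to this page (it is not the authors' code). Because both metrics depend only on the sequence of decisions, a firewall is represented here by a decision string such as "DAADAD" (D = discard, A = accept, one character per rule in order, the last character being the accept-all or discard-all rule). The uniform_firewall constructor and all input strings are constructed for the illustration; the alternating-band layout it produces is one of many uniform firewalls with the same n and im.

```python
"""Dependency and inversion metrics of a first-match firewall.

Added example, not the authors' code.  Both metrics depend only on the
sequence of decisions, so a firewall is a string over {'A', 'D'} with one
character per rule in order; the last character is the catch-all rule.
"""
from fractions import Fraction


def band_sizes(decisions):
    """Sizes of the bands: maximal runs of consecutive equal decisions."""
    sizes = []
    for i, d in enumerate(decisions):
        if i > 0 and decisions[i - 1] == d:
            sizes[-1] += 1
        else:
            sizes.append(1)
    return sizes


def inversion_metric(decisions):
    """Number of adjacent rule pairs whose decisions differ (= bands - 1)."""
    return sum(a != b for a, b in zip(decisions, decisions[1:]))


def dependency_metric(decisions):
    """Average cardinality of a rule's dependency set.

    The dependency set of a rule is every rule in an *earlier* band; rules
    of the same band are excluded because, by Theorem 1, they can be
    reordered freely.  An exact Fraction is returned so that the Theorem 2
    bounds and the Theorem 4 identity can be checked without rounding.
    """
    n = len(decisions)
    total = 0       # sum of dependency-set sizes over all rules
    preceding = 0   # number of rules in the bands before the current one
    for size in band_sizes(decisions):
        total += size * preceding
        preceding += size
    return Fraction(total, n)


def uniform_firewall(n, im):
    """Constructed uniform firewall: n rules in im + 1 equal bands with
    alternating decisions, ending in a discard band (the discard-all rule).
    Requires (im + 1) to divide n, as the definition of 'uniform' does."""
    if n % (im + 1) != 0:
        raise ValueError("a uniform firewall needs (im + 1) to divide n")
    size = n // (im + 1)
    bands = ["D" if (im - k) % 2 == 0 else "A" for k in range(im + 1)]
    return "".join(b * size for b in bands)


def theorem4_prediction(n, im):
    """dm = im * n / (2 * (im + 1)), the closed form of Theorem 4."""
    return Fraction(im * n, 2 * (im + 1))


def theorem2_bounds(n):
    """(smallest, largest) dependency metric of an n-rule firewall."""
    return Fraction(n - 1, n), Fraction(n - 1, 2)


if __name__ == "__main__":
    for fw in ("DAADAD", "AAAD", "ADAD", uniform_firewall(12, 3)):
        print(fw, "bands", band_sizes(fw), "im", inversion_metric(fw),
              "dm", dependency_metric(fw))
```

Running the script shows the two extreme cases of Theorem 2 ("AAAD" gives 3/4 = (n-1)/n, "ADAD" gives 3/2 = (n-1)/2) and that for uniform firewalls the measured dependency metric equals the Theorem 4 closed form exactly.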
This theorem shows that when the value of the inversion metric im (of a uniform firewall) is n - 1, the value of the dependency metric dm (of the same firewall) is $\frac{n-1}{2}$. Both these values are the largest possible values for their metrics. Also, when the value of the inversion metric im is reduced to 1, the value of the dependency metric is reduced to $\frac{n}{4}$. Both these values are small values for their metrics. In other words, there is some correlation between the value of the inversion metric im and the value of the dependency metric dm. Thus one can use the inversion metric (which is easy to deal with) as a good approximation of the dependency metric (which is hard to deal with).

In the next two sections, we present two classes of firewalls, namely simple firewalls and partitioned firewalls, whose inversion metrics are small.

V. SIMPLE FIREWALLS

A firewall F is called simple iff F is a sequence of three bands, $B_0$ followed by $B_1$ followed by $B_2$, such that the following three conditions are satisfied:
1) Band $B_0$ consists of zero or more discard rules. (Note that if $B_0$ has zero discard rules, then band $B_0$ does not exist in F and, in this case, F is a sequence of only two bands, $B_1$ followed by $B_2$.)
2) Band $B_1$ consists of one or more accept rules.
3) Band $B_2$ consists of only one discard-all rule.

Simple firewalls are interesting because the values of their inversion metrics are small (and so they are easy to understand), as follows. If band $B_0$ exists in a simple firewall F, then the inversion metric of F is 2. Otherwise, the inversion metric of F is 1.

Below we describe how to identify irrelevant rules in any simple firewall F and argue that removing these rules from F yields a firewall G that is both equivalent to F and simple. But first we need to present some definitions.

Let F be a simple firewall and let r and s be two distinct rules in F where

r : $f_1 \in R_1 \wedge \dots \wedge f_d \in R_d \rightarrow \langle r.decision \rangle$
s : $f_1 \in S_1 \wedge \dots \wedge f_d \in S_d \rightarrow \langle s.decision \rangle$

Rule r is said to cover rule s iff every interval $R_j$ in r contains the corresponding interval $S_j$ in s.
Rule r is said to overlap rule s iff every intersection of an interval $R_j$ in r with the corresponding interval $S_j$ in s is nonempty.

Rule s is called irrelevant in the simple firewall F iff s satisfies one of the following three conditions (recall that, since F is simple, F is a sequence of three bands, $B_0$ followed by $B_1$ followed by $B_2$):
1) Rule s is in band $B_0$ and there is another rule r in $B_0$ where r covers s.
2) Rule s is in band $B_0$ and there is no rule r in $B_1$ where r overlaps s.
3) Rule s is in band $B_1$ and there is another rule r in $B_1$ where r covers s.

Now we argue that if an irrelevant rule s is removed from its simple firewall F, then any packet that could have been resolved (i.e., accepted or discarded) by rule s can still be resolved in the same way after s is removed. Because the removed rule s is irrelevant, rule s must have satisfied one of the three conditions 1, 2, or 3 (in the above definition) before it is removed. First, if s satisfied condition 1 before it is removed, then any packet that is discarded by s, before s is removed, will still be discarded at least by rule r, after s is removed. Second, if s satisfied condition 2 before it is removed, then any packet that is discarded by s, before s is removed, matches no accept rule in $B_1$ and will still be discarded at least by the discard-all rule in F, after s is removed. Third, if s satisfied condition 3 before it is removed, then any packet that is accepted by s, before s is removed, will still be accepted at least by rule r, after s is removed.

The algorithm for removing irrelevant rules from any simple firewall is detailed in Algorithm 1. Note that the time complexity for executing Algorithm 1 is $O(n^2)$, where n is the number of rules in the input firewall F.
Algorithm 1 Removing Irrelevant Rules
Input: A simple firewall F that is a sequence of three bands $B_0$ followed by $B_1$ followed by $B_2$
Output: A simple firewall G that is equivalent to F and has no irrelevant rules

for every rule r in $B_0$ do
    if there is another rule s in $B_0$ such that s covers r, or there is no rule s in $B_1$ such that r overlaps s then
        remove rule r from $B_0$
    end if
end for
for every rule r in $B_1$ do
    if there is another rule s in $B_1$ such that s covers r then
        remove rule r from $B_1$
    end if
end for
The remaining firewall is G

(The rule removed is the covered one, as in the definition of an irrelevant rule: removing the covering rule instead would change the set of packets the firewall discards or accepts.)

VI. PARTITIONED FIREWALLS

A partitioned firewall PF is a nonempty set $\{PF_1, \dots, PF_r\}$ of firewalls, such that the following oneness condition holds: every packet is accepted by at most one firewall, say $PF_k$, in PF. If a packet is accepted by one (and so only one) firewall in a partitioned firewall PF, then this packet is said to be accepted by PF. Otherwise, the packet is discarded by every firewall in PF and, in this case, the packet is said to be discarded by PF. If a partitioned firewall PF is the set $\{PF_1, \dots, PF_r\}$, then each firewall $PF_k$ in this set is called a component of the partitioned firewall PF.
Note that one can view a monolithic firewall F as a partitioned firewall that consists of only one component F. A monolithic firewall F and a partitioned firewall PF are said to be equivalent iff F and PF accept the same set of packets (and discard the same set of packets).

There are three advantages of partitioned firewalls over monolithic ones:
(a) Parallel processing of packets
(b) Ease of design and update
(c) Small inversion metrics
We discuss these three advantages, one by one, in order.

A. Parallel Processing of Packets

Each component $PF_k$ of a partitioned firewall PF can be implemented as a distinct thread [1] that is executed on a distinct core in a multicore architecture [2]. When a packet p arrives at the multicore architecture hosting the partitioned firewall PF, a copy of p is forwarded to each core, as shown in Figure 1. Each core then proceeds independently to determine whether or not to accept packet p and allow it to proceed.

Fig. 1. Parallel Processing of Packets

Note that each core makes its determination (of whether or not to accept its copy of p) independently from the determinations made by the other cores. In other words, the cores do not need to synchronize in any way, and yet, thanks to the oneness condition, at most one copy of packet p is accepted and allowed to proceed by one core while all the other copies of p are discarded by the other cores. As shown in our experimental results below, this multicore architecture of a partitioned firewall can process up to 2.5 times as many packets per second as the traditional one-core architecture of a monolithic firewall.

B. Ease of Design and Update

A partitioned firewall $\{PF_1, \dots, PF_r\}$ can be designed in two steps as follows.
1) The set of all packets is partitioned into r nonoverlapping classes: $PC_1, \dots, PC_r$.
2) Each component $PF_k$ in the partitioned firewall is designed to accept some (or all) of the packets that belong to the packet class $PC_k$.

As an example, assume that we wish to design a partitioned firewall with five components $PF_1$ through $PF_5$.
First, we partition the set of all packets into the five nonoverlapping classes $PC_1$ through $PC_5$:
$PC_1$: All outgoing packets
$PC_2$: All incoming, TCP, … packets
$PC_3$: All incoming, TCP, web packets
$PC_4$: All incoming, TCP packets that are neither … nor web
$PC_5$: All incoming, non-TCP packets

Second, each firewall component $PF_k$ is designed to accept only some (or all) of the packets that belong to the corresponding packet class $PC_k$. For instance, $PF_1$ is designed to accept only some (or all) of the outgoing packets, and so on. In other words, once the packet classes are all identified, the firewall components can be designed independently of one another. This makes the design of a partitioned firewall easier than that of a monolithic firewall.

Moreover, because each firewall component $PF_k$ is designed to accept only some (or all) of the packets that belong to the packet class $PC_k$, only component $PF_k$ needs to be updated whenever the set of accepted packets that belong to the packet class $PC_k$ needs to be updated. In other words, any update of a partitioned firewall can be realized by updating only one component in the firewall. This makes the update of a partitioned firewall easier than that of a monolithic one.

C. Small Inversion Metric

The inversion metric of a partitioned firewall $\{PF_1, \dots, PF_r\}$ is the value $\max_{k = 1..r} im.k$, where each $im.k$ denotes the inversion metric of the firewall component $PF_k$. Because the inversion metric of a partitioned firewall is the maximum, rather than say the sum, of the inversion metrics of the firewall components, the inversion metric of a partitioned firewall tends to be smaller than the inversion metric of an equivalent monolithic firewall. In other words, understanding a partitioned firewall tends to be easier than understanding an equivalent monolithic firewall.

We end this section by stating (and verifying) a sufficient condition for ensuring that two monolithic firewalls can be components in the same partitioned firewall.

Theorem 5. Let F and G be two (monolithic) firewalls.
If for every accept rule r in F and every accept rule s in G, r does not overlap s, then F and G can be components in the same partitioned firewall.

Proof: Assume that for every accept rule r in F and every accept rule s in G, r does not overlap s. Thus, for every accept rule r in F and every accept rule s in G, there is no packet that matches both r and s. In other words, the set of packets that match accept rules in F is disjoint from the set of packets that match accept rules in G. Moreover, because the set of packets that are accepted by a firewall is a subset of the set of packets
that match accept rules in the firewall, we conclude that the set of packets that are accepted by F is disjoint from the set of packets that are accepted by G. Therefore F and G satisfy the oneness condition and they can be firewall components in the same partitioned firewall.

Note that any two components of a partitioned firewall that is designed using the method outlined at the beginning of this section do satisfy the sufficient condition in Theorem 5.

VII. MODULAR FIREWALLS

In the previous two sections, we presented two classes of firewalls, namely simple firewalls and partitioned firewalls, whose inversion metrics are small. In this section, we present a class of firewalls, called modular firewalls, that have similar characteristics to those of simple and partitioned firewalls. Therefore, the inversion metrics of modular firewalls are also small.

A modular firewall MF is a partitioned firewall $\{MF_1, \dots, MF_r\}$ where each component $MF_k$, called a firewall module, is a simple firewall. It follows that the inversion metric of each firewall module $MF_k$ is 1 or 2 and the inversion metric of the modular firewall MF is 1 or 2.

A modular firewall $\{MF_1, \dots, MF_r\}$ can be designed in two steps as follows.
1) The set of all packets is partitioned into r nonoverlapping classes: $PC_1, \dots, PC_r$.
2) Each module $MF_k$ in the modular firewall is designed to accept some (or all) of the packets that belong to the packet class $PC_k$, under the restriction that $MF_k$, being a simple firewall, must consist of three bands: a discard band $B_0$, followed by an accept band $B_1$, followed by a band $B_2$ that consists of a discard-all rule.

The main thesis of this paper is that designing a modular firewall is easier than designing an equivalent monolithic firewall. To give some evidence for this thesis, we discuss next an algorithm that can take, as input, a monolithic firewall F and produce, as output, an equivalent modular firewall MF.
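Algorithm 1 (removing irrelevant rules from a simple firewall), the modularization of a monolithic firewall that the paper presents next as Algorithm 2, and the Theorem 5 sufficient condition, as one worked example added to this page; this is not the authors' code. Rules follow the Section II form (one closed integer interval per field plus a decision), and the oneness condition and the equivalence of F and MF are checked exhaustively. The three-field sample firewall, its toy-sized domains ([0,15], [0,15], [0,7]) and the reading of "another rule" in Algorithm 1 as "another rule not yet removed" are assumptions made here for the illustration.

```python
"""Algorithm 1 (irrelevant-rule removal), Algorithm 2 (modularization) and
the Theorem 5 oneness test.  Added example, not the authors' code.
A rule is (intervals, decision); intervals holds one inclusive (lo, hi)
pair per field in the f_1..f_d order of Section II.  A firewall is a list
of rules whose last rule is accept-all or discard-all."""
from itertools import product

ACCEPT, DISCARD = "accept", "discard"

def rule(intervals, decision):
    return (tuple(tuple(iv) for iv in intervals), decision)

def matches(r, packet):
    return all(lo <= v <= hi for (lo, hi), v in zip(r[0], packet))

def covers(r, s):
    """r covers s iff each interval of r contains the matching one of s."""
    return all(rlo <= slo and shi <= rhi
               for (rlo, rhi), (slo, shi) in zip(r[0], s[0]))

def overlaps(r, s):
    """r overlaps s iff every pairwise interval intersection is nonempty."""
    return all(max(rlo, slo) <= min(rhi, shi)
               for (rlo, rhi), (slo, shi) in zip(r[0], s[0]))

def decide(firewall, packet):
    """First-match semantics; the catch-all last rule guarantees a result."""
    for r in firewall:
        if matches(r, packet):
            return r[1]
    raise ValueError("firewall has no accept-all/discard-all rule")

def bands(firewall):
    """Maximal runs of consecutive rules with the same decision."""
    out = []
    for r in firewall:
        if out and out[-1][-1][1] == r[1]:
            out[-1].append(r)
        else:
            out.append([r])
    return out

def remove_irrelevant(b0, b1, b2):
    """Algorithm 1 on the three bands of a simple firewall.
    A B0 rule goes when another surviving B0 rule covers it or it overlaps
    no B1 rule; a B1 rule goes when another surviving B1 rule covers it.
    Testing only against not-yet-removed rules is our reading of 'another
    rule' (assumption): of two identical rules exactly one copy survives."""
    kept0 = []
    for i, r in enumerate(b0):
        others = kept0 + b0[i + 1:]
        if any(covers(s, r) for s in others) or not any(overlaps(r, s) for s in b1):
            continue
        kept0.append(r)
    kept1 = []
    for i, r in enumerate(b1):
        if not any(covers(s, r) for s in kept1 + b1[i + 1:]):
            kept1.append(r)
    return kept0 + kept1 + list(b2)

def modularize(firewall):
    """Algorithm 2: one simple module per accept band AB_k of F, with
    B0 = all rules preceding AB_k forced to discard, B1 = AB_k, B2 = the
    discard-all rule (its intervals are the field domains), then Algorithm 1."""
    discard_all = rule(firewall[-1][0], DISCARD)
    modules, prefix = [], []
    for band in bands(firewall):
        if band[0][1] == ACCEPT:
            b0 = [rule(r[0], DISCARD) for r in prefix]
            modules.append(remove_irrelevant(b0, list(band), [discard_all]))
        prefix.extend(band)
    return modules

def theorem5_condition(f, g):
    """No accept rule of f overlaps an accept rule of g (Theorem 5)."""
    return not any(overlaps(r, s) for r in f if r[1] == ACCEPT
                   for s in g if s[1] == ACCEPT)

def partitioned_decide(modules, packet):
    """Decision of a partitioned firewall; raises if oneness is violated."""
    accepting = [k for k, m in enumerate(modules) if decide(m, packet) == ACCEPT]
    if len(accepting) > 1:
        raise AssertionError(f"oneness violated for {packet}: {accepting}")
    return ACCEPT if accepting else DISCARD

def equivalent(firewall, modules):
    """Exhaustive check of Theorems 6 and 7 over the toy packet space."""
    packets = product(*(range(lo, hi + 1) for lo, hi in firewall[-1][0]))
    return all(decide(firewall, p) == partitioned_decide(modules, p) for p in packets)

# Constructed sample: fields (src, dst, port) with domains [0,15], [0,15], [0,7].
SAMPLE_FIREWALL = [
    rule([(0, 3), (0, 15), (0, 7)], DISCARD),   # r1: block sources 0..3
    rule([(0, 15), (8, 15), (0, 7)], ACCEPT),   # r2: allow anything to dst 8..15
    rule([(4, 7), (8, 15), (0, 7)], ACCEPT),    # r3: covered by r2, irrelevant
    rule([(0, 15), (0, 15), (0, 0)], DISCARD),  # r4: block port 0
    rule([(0, 15), (0, 7), (1, 7)], ACCEPT),    # r5: allow dst 0..7, ports 1..7
    rule([(0, 15), (0, 15), (0, 7)], DISCARD),  # discard-all rule
]
```

On the sample, F has inversion metric 4 and two accept bands, so modularize(SAMPLE_FIREWALL) yields two modules of three rules each (r1 as discard, one accept rule, discard-all), both with inversion metric 2. In the second module Algorithm 1 drops r2, r3 and r4 from B0: none of them overlaps r5, so they can never affect a packet that r5 would accept. Note also that every module repeats the prefix of F as discard rules, so the total rule count of MF can exceed that of F; the point of modularization is small per-module inversion metrics and independent evaluation, not fewer rules.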
Because the time complexity of this algorithm is small, $O(n^2)$, where n is the number of rules in the input firewall F, one concludes that designing a modular firewall is not harder than designing an equivalent monolithic firewall. The algorithm for modularizing a monolithic firewall is shown in Algorithm 2.

Algorithm 2 Modularizing Monolithic Firewalls
Input: A monolithic firewall F with r accept bands (r is at least 1)
Output: A modular firewall MF with r modules $\{MF_1, \dots, MF_r\}$ such that F and MF are equivalent

Let the r accept bands of firewall F be $AB_1, \dots, AB_r$ in order.
for every accept band $AB_k$ in F do
    Design the three bands $B_0$, $B_1$, and $B_2$ of module $MF_k$ as follows.
        $B_0$ is the sequence of all rules that precede $AB_k$ in F, after modifying their decisions to become discard
        $B_1$ is the sequence of all (accept) rules in $AB_k$
        $B_2$ is the discard-all rule
    Apply Algorithm 1 to remove the irrelevant rules from $MF_k$
end for

The correctness of Algorithm 2 follows from the following two theorems.

Theorem 6. Assume that Algorithm 2 is applied to a monolithic firewall F and produced the simple firewalls $\{MF_1, \dots, MF_r\}$. Then no two distinct firewalls $MF_i$ and $MF_k$ accept the same packet (indicating that the produced simple firewalls satisfy the oneness condition).

Proof: Without loss of generality, assume that i is less than k. This means that the accept rules in band $B_1$ of firewall $MF_i$ occur as discard rules in band $B_0$ of firewall $MF_k$. (Algorithm 1 may later remove some of these discard rules from $MF_k$, but only when they are irrelevant, which by Section V does not change the set of packets that $MF_k$ discards.) Thus, each packet that is accepted by (band $B_1$ in) firewall $MF_i$ is discarded by (band $B_0$ in) firewall $MF_k$. Also, each packet that is accepted by (band $B_1$ in) firewall $MF_k$ matches no rule of F that precedes $AB_k$, and in particular no rule in $AB_i$, which is band $B_1$ of $MF_i$; so this packet is discarded by firewall $MF_i$, either by a rule in band $B_0$ or by the discard-all rule in band $B_2$. In other words, no packet is accepted by both $MF_i$ and $MF_k$.

Theorem 7. Assume that Algorithm 2 is applied to a monolithic firewall F and produced a modular firewall MF that consists of the modules $\{MF_1, \dots, MF_r\}$.
1) Each packet that is accepted by F is also accepted by MF.
2) Each packet that is accepted by MF is also accepted by F.
(These two statements indicate that F and MF are equivalent.)

Proof:
1) Assume that a packet p is accepted by F. Thus p is resolved by a rule in some accept band $AB_k$ of F. This indicates that p is also resolved by a rule in the accept band $B_1$ in module $MF_k$ in MF. Therefore p is accepted by MF.
2) Assume that a packet p is accepted by a module $MF_k$ in MF. Thus p is resolved by a rule in band $B_1$ of module $MF_k$. This indicates that p is also resolved by a rule in the accept band $AB_k$ in firewall F. Therefore p is accepted by F.

VIII. SIMULATION RESULTS

In this paper, we presented two algorithms: Algorithm 1 for removing irrelevant rules from simple firewalls, and Algorithm 2 for modularizing monolithic firewalls. In fact, the important role of Algorithm 1 is to be invoked from within Algorithm 2 to remove the irrelevant rules from the firewall modules in the computed modular firewall. In this section, we report the results of several simulations that we carried out to measure the cost and performance of Algorithm 2. (The cost and
performance of Algorithm 1 contribute to those of Algorithm 2.)

Figure 2 shows the execution time of Algorithm 2, when applied to modularize a monolithic firewall F, as a function of the number of rules in F. From this figure, the execution time of Algorithm 2 is very small, less than half a second, even when the firewall being modularized has up to 2000 rules.

Figure 3 shows the average number of firewall modules that result from applying Algorithm 2 to modularize a monolithic firewall F, as a function of the number of rules in F. From this figure, a monolithic firewall that has 2000 rules can be converted into a modular firewall with about 22 modules on average.

Figure 4 shows the average number of rules in a firewall module that results from applying Algorithm 2 to modularize a monolithic firewall F, as a function of the number of rules in F. From this figure, a monolithic firewall that has 2000 rules can be converted into a modular firewall where a firewall module has 800 rules on average. Note that 22 modules of about 800 rules each hold far more rules in total than the 2000 rules of F: by construction, module $MF_k$ repeats, as discard rules, every rule of F that precedes its accept band, and Algorithm 1 removes only those of them that are irrelevant to that module. The modular firewall thus trades total rule count for parallelism and small per-module inversion metrics.

Consider the case where Algorithm 2 is applied to a monolithic firewall F to produce an equivalent modular firewall MF. As discussed in Section VI, F can be implemented as a single thread on a single-core architecture, whereas the firewall modules in MF can be implemented on a multicore architecture. Let RF denote the rate (in packets per second) of processing packets by the single-core architecture, and RMF denote the rate (in packets per second) of processing packets by the multicore architecture. Then RMF/RF is called the speed-up ratio. Figure 5 shows the speed-up ratio as a function of the number of rules in F. From this figure, the speed-up ranges from 1.7 (when the number of rules in F is small) to 2.6 (when the number of rules in F is large).

IX. RELATED WORK

Firewalls are a critical line of defence in cybersecurity, but tend to be very hard to understand.
As firewall correctness is a hard but important problem, there has been extensive research in the field, following four main approaches:

1) Firewall Testing: To test a given firewall F, one generates many packets for which the expected decisions of F, accept or discard, are known a priori. The generated packets are then sent to F, and the actual decisions of F for these packets are observed. If the expected decision for each generated packet is the same as the actual decision for the packet, one concludes that the given firewall F is correct (with respect to the generated packets). Otherwise, the given firewall F has errors. Different methods of firewall testing differ in how the testing packets are generated. For instance, the test packets can be hand-generated by domain experts to target specific vulnerabilities in the given firewall F, or generated from the formal specifications of the security policy of the given firewall F, as in [3]. A scheme for targeting test packets for better fault coverage is given in [4] and [5]. Blowtorch [6] is a framework to generate packets for testing.

2) Firewall Analysis: To analyze a given firewall F, one applies an algorithm to identify (some or all of the) vulnerabilities, conflicts, anomalies, and redundancies in the given firewall F. A systematic method for analyzing firewalls is presented in [7]. The concept of conflicts between rules in a firewall is due to [8] and [9]. A classification of anomalies, as well as algorithms to detect them, may be found in [10] and [11]. (This analysis works for verifying the security policies in IPsec and VPN as well [12].) A framework for understanding the vulnerabilities in a single firewall is outlined in [13], and an analysis of these vulnerabilities is presented in [14]. [15] is a quantitative study of configuration errors for a firewall. An example of an efficient firewall analysis algorithm is given in FIREMAN [16].

3) Firewall Verification: To verify a given firewall F against a given property R, one applies an algorithm to verify whether or not F satisfies R.
The question of how to query a given firewall and obtain the answer (whether or not it satisfies a given property) is discussed in [17] and [18]. The time and space complexity of these algorithms are proved to be O(n^d) in [19]. In [20], a probabilistic verification algorithm is provided and shown to have a time and space complexity of O(nd). In [21], we provide an elegant algorithm for firewall verification whose space complexity is O(nd), and whose time complexity is of order O(n^d).

4) Firewall Design: To ensure a firewall does not have vulnerabilities or other problems, it can be designed from the outset using structured algorithms. Such algorithms, which can generate a firewall from its specification, are provided in [22].

In this paper, we present two new metrics for the complexity of a firewall, and show that these metrics are related. Further, we give a new algorithm for implementing firewalls such that the inversion metric of the firewall is small; this algorithm can be considered a firewall design algorithm that produces easy-to-understand firewalls. Our algorithm has the advantage that it need not be applied at the outset when designing a firewall; any pre-existing firewall may be converted to a modular firewall in O(n^2) time. The advantage of a modular firewall is the cleanness of the design; the low inversion metric makes such firewalls relatively easy to understand, and permits modification with no unexpected side effects. A side benefit is that modular firewalls, being inherently parallel, also process packets faster than equivalent conventional firewalls.

In this paper, we have dealt with modular firewalls located at a single interface between two computer networks. However, we do not see any reason why modular firewalls cannot be used for distributed firewalls, where firewall policies are distributed across many systems located at multiple points in the network [11], [10], [19]. We plan to study the possibility of developing modular distributed firewalls in future work.
Fig. 2. Execution Time to Modularize a Monolithic Firewall
Fig. 3. Average Number of Modules Produced
Fig. 4. Average Number of Rules per Module
Fig. 5. Speed-up Ratio
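The monolithic-to-modular conversion measured in Figures 2 to 5 can be illustrated on a toy packet space. The following Python is an added example, not the paper's code and not its Algorithm 2: it builds one module per partition of the packet space simply by restricting each rule of F to that partition, dispatches each packet to the module of its partition, and checks exhaustively that the modular firewall decides every packet exactly as the monolithic first-match firewall does. The field names, ranges, rules and partition are constructed for illustration.

```python
"""Toy model of a monolithic first-match firewall and an equivalent
partitioned (modular) firewall over a tiny, fully enumerable packet space.

Added example, not the paper's code: the module construction here just
restricts every rule to its partition (not the paper's Algorithm 2).
Field names, ranges, rules and the partition are all constructed."""
from itertools import product

# Constructed packet space: two small fields, so every packet can be listed.
FIELDS = {"proto": (0, 3), "dport": (0, 15)}
ACCEPT, DISCARD = "accept", "discard"


def interval_overlap(a, b):
    """Intersection of two closed integer intervals, or None if disjoint."""
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else None


def predicate_intersect(p, q):
    """Intersect two predicates (dict field -> interval); None if empty.
    A field absent from a predicate means 'any value of that field'."""
    out = {}
    for f, full in FIELDS.items():
        r = interval_overlap(p.get(f, full), q.get(f, full))
        if r is None:
            return None
        out[f] = r
    return out


def matches(pred, pkt):
    """True when the packet satisfies every interval in the predicate."""
    return all(lo <= pkt[f] <= hi for f, (lo, hi) in pred.items())


def evaluate(rules, pkt):
    """First-match semantics: the first rule whose predicate holds decides."""
    for pred, decision in rules:
        if matches(pred, pkt):
            return decision
    raise ValueError("incomplete firewall: no rule matched %r" % (pkt,))


def all_packets():
    """Enumerate the whole (toy) packet space."""
    names = list(FIELDS)
    for vals in product(*(range(lo, hi + 1) for lo, hi in FIELDS.values())):
        yield dict(zip(names, vals))


def modularize(rules, partition):
    """One module per partition predicate: keep the rule order, restrict each
    rule to the partition, drop rules that can never match inside it."""
    modules = []
    for part in partition:
        module = []
        for pred, decision in rules:
            restricted = predicate_intersect(pred, part)
            if restricted is not None:
                module.append((restricted, decision))
        modules.append((part, module))
    return modules


def evaluate_modular(modules, pkt):
    """Dispatch the packet to the module of the partition it falls in; the
    modules are independent, which is what allows one core per module."""
    for part, module in modules:
        if matches(part, pkt):
            return evaluate(module, pkt)
    raise ValueError("partition does not cover %r" % (pkt,))


def equivalent(rules, modules):
    """Exhaustive equivalence check: same decision for every packet."""
    return all(evaluate(rules, p) == evaluate_modular(modules, p)
               for p in all_packets())


def module_sizes(modules):
    """Number of rules in each module (cf. the rules-per-module of Fig. 4)."""
    return [len(module) for _, module in modules]


# Constructed monolithic firewall F with overlapping rules; proto 0 and 1
# play the roles of tcp and udp, dport is a 4-bit port number.
F = [
    ({"proto": (0, 0), "dport": (8, 8)}, DISCARD),  # block tcp port 8
    ({"proto": (0, 0), "dport": (0, 9)}, ACCEPT),   # allow tcp ports 0-9
    ({"proto": (1, 1), "dport": (2, 5)}, ACCEPT),   # allow udp ports 2-5
    ({"dport": (12, 15)}, DISCARD),                 # block ports 12-15, any proto
    ({"proto": (0, 1)}, DISCARD),                   # default for tcp and udp
    ({}, ACCEPT),                                   # everything else
]

# Constructed partition of the packet space by protocol value.
PARTITION = [{"proto": (0, 0)}, {"proto": (1, 1)}, {"proto": (2, 3)}]
MF = modularize(F, PARTITION)

if __name__ == "__main__":
    print("equivalent to F:", equivalent(F, MF))   # True
    print("rules per module:", module_sizes(MF))   # [5, 4, 2]
```

Because the rules of F are kept in their original order inside every module, the first-match decision is preserved by construction; the exhaustive check is what a practitioner would run to confirm that no partition boundary was drawn wrongly.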
X. CONCLUDING REMARKS

Firewalls are a very important component of system security, but, unfortunately, current firewalls are mostly designed and modified ad hoc; this makes them very difficult to understand, so it is not uncommon for a large firewall with thousands of rules to have many vulnerabilities. In this paper, we make three important contributions to the theory of firewalls and firewall complexity. Our first contribution is that we define two metrics for the complexity of a firewall, called the dependency metric and the inversion metric. We also demonstrate that the two are correlated, so designing a firewall with a small value of the inversion metric is likely to yield a firewall with a small value of the dependency metric as well. For our second contribution, we present several classes of firewalls with a small inversion metric, as well as a method for designing such firewalls. Our final contribution is that we show that the class of modular firewalls, which have a low inversion metric (1 or 2), is sufficiently powerful to describe any firewall. Algorithm 2, presented in this paper, can take as input any firewall and convert it into an equivalent modular firewall.

It may be noted that this paper introduces two separate concepts, which are interesting in their own right. The first concept is, of course, firewall metrics: we introduce the concept of dependency and inversion metrics, and develop a method to design firewalls that are easy to understand by these measures. The second, independent concept is that of partitioned firewalls; we show how to decompose any firewall into multiple simpler firewalls that together are equivalent to the original firewall. By combining the concepts of simple firewalls (which have low inversion metrics) and partitioned firewalls, we develop the concept of modular firewalls.

Our work naturally suggests several rich problems for further study.
The dependency metric and the inversion metric are not the only possible metrics for the complexity of a firewall; it would be an interesting problem to identify other such metrics, show how they are related, and possibly develop further algorithms to minimize the complexity of a firewall. The development of alternate algorithms to partition and modularize firewalls is another area for further research. By varying the algorithm, it is possible to produce modular firewalls with different properties, such as size, performance, length of modules, and so on. For our own future work, we note that the method for constructing a partitioned firewall involves dividing the packet space into partitions and constructing a (simpler) firewall to classify the packets of each partition independently. By clearly specifying how to partition the packet space, and when to stop partitioning and construct a firewall, we aim to develop a recursive new algorithm for firewall design.

XI. ACKNOWLEDGEMENTS

The authors are grateful to Dr. Ehab Al-Shaer for his help in preparing the final version of this paper.

REFERENCES

[1] D. M. Tullsen, S. J. Eggers, and H. M. Levy, "Simultaneous multithreading: maximizing on-chip parallelism," in ISCA '95: Proceedings of the 22nd Annual International Symposium on Computer Architecture, 1995, pp.
[2] J. E. Savage and M. Zubair, "A unified model for multicore architectures," in IFMT '08: Proceedings of the 1st International Forum on Next-generation Multicore/Manycore Technologies, 2008, pp.
[3] J. Jürjens and G. Wimmel, "Specification-based testing of firewalls," in Revised Papers from the 4th International Andrei Ershov Memorial Conference on Perspectives of System Informatics, 2001, pp.
[4] A. El-Atawy, K. Ibrahim, H. Hamed, and E. S. Al-Shaer, "Policy segmentation for intelligent firewall testing," in Secure Network Protocols (NPSec), 1st IEEE ICNP Workshop on, Nov., pp.
[5] E. Al-Shaer, A. El-Atawy, and T. Samak, "Automated pseudo-live testing of firewall configuration enforcement," IEEE Journal on Selected Areas in Communications, vol. 27, no. 3, pp.
[6] D. Hoffman and K. Yoo, "Blowtorch: a framework for firewall test automation," in Proceedings of the 20th IEEE/ACM International Conference on Automated Software Engineering, 2005, pp.
[7] A. J. Mayer, A. Wool, and E. Ziskind, "Fang: A firewall analysis engine," in IEEE Symposium on Security and Privacy, 2000, pp.
[8] H. Adiseshu, S. Suri, and G. M. Parulkar, "Detecting and resolving packet filter conflicts," in INFOCOM, 2000, pp.
[9] D. Eppstein and S. Muthukrishnan, "Internet packet filter management and rectangle geometry," in SODA, 2001, pp.
[10] E. S. Al-Shaer and H. H. Hamed, "Discovery of policy anomalies in distributed firewalls," in INFOCOM.
[11] E. S. Al-Shaer, H. Hamed, R. Boutaba, and M. Hasan, "Conflict classification and analysis of distributed firewall policies," IEEE Journal on Selected Areas in Communications, vol. 23, no. 10, pp.
[12] H. H. Hamed, E. S. Al-Shaer, and W. Marrero, "Modeling and verification of IPsec and VPN security policies," in ICNP, 2005, pp.
[13] M. Frantzen, F. Kerschbaum, E. E. Schultz, and S. Fahmy, "A framework for understanding vulnerabilities in firewalls using a dataflow model of firewall internals," Computers & Security, vol. 20, no. 3, pp.
[14] S. Kamara, S. Fahmy, E. E. Schultz, F. Kerschbaum, and M. Frantzen, "Analysis of vulnerabilities in internet firewalls," Computers & Security, vol. 22, no. 3, pp.
[15] A. Wool, "A quantitative study of firewall configuration errors," IEEE Computer, vol. 37, no. 6, pp.
[16] L. Yuan, J. Mai, Z. Su, H. Chen, C.-N. Chuah, and P. Mohapatra, "Fireman: A toolkit for firewall modeling and analysis," Security and Privacy, IEEE Symposium on, vol. 0, pp.
[17] A. X. Liu and M. G. Gouda, "Diverse firewall design," IEEE Transactions on Parallel and Distributed Systems, vol. 19, no. 9, pp.
[18] A. X. Liu and M. G. Gouda, "Firewall policy queries," IEEE Transactions on Parallel and Distributed Systems, vol. 20, no. 6, pp.
[19] M. G. Gouda, A. X. Liu, and M. Jafry, "Verification of distributed firewalls," in Proceedings of the IEEE Global Communications Conference (GLOBECOM).
[20] H. B. Acharya and M. G. Gouda, "Linear-time verification of firewalls," in Proceedings of the International Conference on Network Protocols.
[21] H. B. Acharya and M. G. Gouda, "Projection and division: Linear-space verification of firewalls," Distributed Computing Systems, International Conference on, pp.
[22] M. G. Gouda and A. X. Liu, "Structured firewall design," Computer Networks, vol. 51, pp., 2007.