Firewall Compressor: An Algorithm for Minimizing Firewall Policies

Alex Liu, Eric Torng, Chad Meiners
Department of Computer Science, Michigan State University
{alexliu,torng,meinersc}@cse.msu.edu
Introduction

[Figure: a packet with SIP 1.2.3.123, DIP 192.168.0.1, source port 6500, destination port 65535, protocol TCP arrives from the Internet at a software-based ACL]

Rule  SIP         DIP          S Port     D Port     Protocol  Action
1     1.2.3.0/24  192.168.0.1  0          *          *         discard
2     1.2.3.0/24  192.168.0.1  65535      *          *         discard
3     1.2.3.0/24  192.168.0.1  *          0          *         discard
4     1.2.3.0/24  192.168.0.1  *          65535      *         discard
5     1.2.3.0/24  192.168.0.1  [0,65535]  [0,65535]  TCP       accept
6     *           *            *          *          *         discard
Firewall Minimization Problem

- Given a firewall f1 as a sequence of rules
- Generate the smallest equivalent firewall f2

Input f1:
r1  20-40   30-50   accept
r2  20-40   1-29    discard
r3  20-40   51-100  discard
r4  60-80   30-50   accept
r5  60-80   1-29    discard
r6  60-80   51-100  discard
r7  1-19    1-100   discard
r8  41-59   1-100   discard

Output f2 (after Firewall Compressor):
r1  41-59   1-100   discard
r2  20-80   30-50   accept
r3  1-100   1-100   discard

- Rule order will change (r1 is now a discard)
- Rules will be merged (r1-r4 => r1-r2)
Motivation

- Improve performance by reducing per-packet delay
- Use cheaper hardware: the NetScreen-100 has a hard limit of 733 rules

(The example firewall and its compressed form are the same as on the previous slide.)
Solution

- Solve the firewall minimization problem for single-field firewalls: optimal solution
- Generalize the single-field solution to multi-field firewalls: greedy, non-optimal solution

Related Work

- TCAM-based solutions: TCAM Razor [ICNP 2007], Dong et al. [SIGMETRICS 2006]
- Faster software classifiers: trade memory for speed, require a specific classification algorithm
Single Field Firewalls

[Figure: three panels, decompose (A -> B) then reschedule (B -> C); each colour is a decision]
(A) input intervals:   41-60, 21-55, 45-80, 1-65, 75-100
(B) atomic intervals:  41-60, 21-40, 61-80, 1-20, 81-100
(C) rescheduled:       41-60, 21-80, 1-100

A. Our input is a series of interval rules; each colour is a decision
B. Decompose the rules into atomic intervals; the rules can now be in any order
C. Reschedule the intervals to merge them effectively; the last rule is always the entire interval
Key Observation: Possible Last Rules

- We can safely assume that the leftmost (or rightmost) interval is part of the last rule in an optimal rule list
Problem Decomposition

- We find a minimal list by discovering where the leftmost interval is paid for in the sub-solution(s)
- We have two cases to consider
- This can be done in polynomial time with dynamic programming (DP)
- Decisions can be weighted
Case 1

- The leftmost interval is the only interval that is uniquely covered by the last rule
- The minimal rule list is the size of the minimal sub-solution plus the leftmost interval
Case 2

- The leftmost interval is not the only interval that is uniquely covered by the last rule
- We need to find the sub-solution that cost-shares with the leftmost interval
- We extend the correct sub-solution to cost-share
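As an added example (not the authors' code), the single-field procedure of the preceding slides in Python: decompose a first-match interval list into atomic intervals, then a dynamic programme that reschedules them into a minimal rule list whose last rule spans the whole domain and carries the leftmost atom's decision. The input is the five intervals of panel (A); the slide's colours are mapped to the assumed labels log/accept/discard, and the domain is assumed to be 1-100.

```python
from functools import lru_cache

def atomic_intervals(rules, lo=1, hi=100):
    """Decompose a first-match list of (lo, hi, decision) rules into atomic
    intervals: evaluate every point and merge runs with the same decision."""
    def decide(x):
        for a, b, d in rules:
            if a <= x <= b:
                return d
        raise ValueError(f"point {x} matches no rule")  # full coverage required
    atoms = []
    for x in range(lo, hi + 1):
        d = decide(x)
        if atoms and atoms[-1][2] == d:
            atoms[-1] = (atoms[-1][0], x, d)   # extend the current run
        else:
            atoms.append((x, x, d))             # start a new atomic interval
    return atoms

def minimize(rules, lo=1, hi=100):
    """Reschedule the atomic intervals into a minimal first-match list. best(i, j)
    returns a minimal list for atoms i..j whose last rule spans all of i..j and
    carries the leftmost atom's decision (the slides' key observation)."""
    atoms = atomic_intervals(rules, lo, hi)
    dec = [d for _, _, d in atoms]

    @lru_cache(maxsize=None)
    def best(i, j):
        if i == j:
            return ((atoms[i][0], atoms[i][1], dec[i]),)
        if dec[i] == dec[j]:
            # Cost sharing: the rightmost atom rides on the last rule of the
            # sub-solution for i..j-1, so stretch that rule to cover it.
            sub = best(i, j - 1)
            return sub[:-1] + ((atoms[i][0], atoms[j][1], dec[i]),)
        # Otherwise split at the cheapest k; the left part's last rule is
        # absorbed into the new last rule, the right part is kept whole.
        left, right = min(((best(i, k), best(k + 1, j)) for k in range(i, j)),
                          key=lambda lr: len(lr[0]) + len(lr[1]))
        return left[:-1] + right + ((atoms[i][0], atoms[j][1], dec[i]),)

    return list(best(0, len(atoms) - 1))

def equivalent(f1, f2, lo=1, hi=100):
    """Brute-force check: both lists decide every point of the domain alike."""
    return atomic_intervals(f1, lo, hi) == atomic_intervals(f2, lo, hi)

# Constructed input: the five intervals of panel (A); colours mapped to assumed labels.
SLIDE_INPUT = [(41, 60, "log"), (21, 55, "accept"), (45, 80, "accept"),
               (1, 65, "discard"), (75, 100, "discard")]
```

minimize(SLIDE_INPUT) returns the three rules of panel (C), 41-60 log, 21-80 accept, 1-100 discard, and equivalent() confirms they decide every point as the input did.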
From Single to Multiple Dimensions

- Break the problem into sub-problems: decompose into 1-D problems
- Firewall Decision Diagrams (FDDs) provide the decomposition hierarchy

[Figure: FDD for the two-field example]
v1 (F1): 20-40, 60-80 -> v2;  1-19, 41-59, 81-100 -> v3
v2 (F2): 30-50 -> a;  1-29, 51-100 -> d
v3 (F2): 1-100 -> d
Multi-Field Minimization

- Work from the bottom up
- Expand rules as we go

[Figure: the FDD from the previous slide, with a minimal rule list attached to each node]
v2 (F2):  r1 30-50 accept;  r2 1-100 discard
v3 (F2):  r1 1-100 discard
v1 (F1):  r1 41-50 -> v3;  r2 20-80 -> v2;  r3 1-100 -> v3

Expanded rule list:
r11  41-50  1-100  discard   (v3)
r21  20-80  30-50  accept    (v2)
r22  20-80  1-100  discard   (v2)
r31  1-100  1-100  discard   (v3)
Redundancy Removal

- We apply redundancy removal to finish

Before:
r11  41-50  1-100  discard
r21  20-80  30-50  accept
r22  20-80  1-100  discard
r31  1-100  1-100  discard

After:
r11  41-50  1-100  discard
r21  20-80  30-50  accept
r31  1-100  1-100  discard
Experimental Results

- Real-life packet classifiers: 17 structurally distinct classifiers, 42 actual classifiers, from a few rules to hundreds of rules
- Synthetic packet classifiers: test scalability; randomly generated sets of field ranges, cross product of the sets
Experimental Metrics

For a set of classifiers S, where FC(f) is the number of rules produced by running Firewall Compressor on f and |f| is the number of rules in f:

- Average compression ratio over S: $\frac{1}{|S|} \sum_{f \in S} \frac{FC(f)}{|f|}$
- Total compression ratio over S: $\frac{\sum_{f \in S} FC(f)}{\sum_{f \in S} |f|}$
Experimental Factors: Field Ordering

- The FDD field order results in a substantial difference
- 5! = 120 permutations
- Fortunately there are good permutations

[Figure: the two-field FDD from the earlier slide]
Results for Real Classifiers

- For most classifiers FC achieves significant compression
- FDD ordering is DIP, SIP, DP, SP, Protocol
Compression Ratio Distribution

- Real classifiers: average compression 52.3%, total compression 69.4%
- Synthetic classifiers: average compression 32.2%, total compression 7.4%
Concluding Remarks

- Firewall Compressor is not optimal; better algorithms are future work
- Firewall compression can result in a significant reduction in policy size: an average 47.7% reduction in policy rules
- No hardware modification; can be used to improve existing hardware
Questions?

Thank you for your attention