Abstract
Firewalls are safety-critical systems that secure most private networks. A firewall examines each incoming and outgoing packet and decides whether to accept or discard it. The decision is made by the first matching rule in an ordered sequence of rules, some of which may be redundant: a rule is redundant if removing it changes the firewall's decision for no packet. Redundant rules significantly degrade the performance of firewalls. Previous work detects only two special types of redundant rules. In this paper, we solve the problem of detecting all redundant rules. First, we give a necessary and sufficient condition for identifying all redundant rules. Based on this condition, we categorize redundant rules into upward redundant rules and downward redundant rules. Second, we present a method for detecting each of the two types. Both methods use a tree representation of firewalls called firewall decision trees.
Copyright information
© 2005 IFIP International Federation for Information Processing
Cite this paper
Liu, A.X., Gouda, M.G. (2005). Complete Redundancy Detection in Firewalls. In: Jajodia, S., Wijesekera, D. (eds) Data and Applications Security XIX. DBSec 2005. Lecture Notes in Computer Science, vol 3654. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11535706_15
DOI: https://doi.org/10.1007/11535706_15
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-28138-2
Online ISBN: 978-3-540-31937-5
eBook Packages: Computer Science (R0)