
Firewall Queries

  • Conference paper
Principles of Distributed Systems (OPODIS 2004)

Part of the book series: Lecture Notes in Computer Science (LNTCS, volume 3544)


Abstract

Firewalls are crucial elements in network security, and have been widely deployed in most businesses and institutions for securing private networks. The function of a firewall is to examine each incoming and outgoing packet and decide whether to accept or to discard the packet based on a sequence of rules. Because a firewall may have a large number of rules and the rules often conflict, understanding and analyzing the function of a firewall have been known to be notoriously difficult. An effective way to assist humans in understanding and analyzing the function of a firewall is by issuing firewall queries. An example of a firewall query is “Which computers in the private network can receive packets from a known malicious host in the outside Internet?”. Two problems need to be solved in order to make firewall queries practically useful: how to describe a firewall query and how to process a firewall query. In this paper, we first introduce a simple and effective SQL-like query language, called the Structured Firewall Query Language (SFQL), for describing firewall queries. Second, we present a theorem, called the Firewall Query Theorem, as a foundation for developing firewall query processing algorithms. Third, we present an efficient firewall query processing algorithm, which uses firewall decision trees as its core data structure. Experimental results show that our firewall query processing algorithm is very efficient: it takes less than 10 milliseconds to process a query over a firewall that has up to 10,000 rules.
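The abstract describes two things a worked example can make concrete: first-match evaluation of a rule sequence, and a query over that sequence such as "which computers in the private network can receive packets from a known malicious host?". The block below is an added example, not code from the paper: it does not reproduce SFQL syntax or the paper's firewall-decision-tree algorithm, but answers the same kind of question by brute-force enumeration over a small constructed packet domain (hosts, ports and rules are all invented here). It also shows why such queries are useful: the constructed rule sequence contains a conflict in which an "open the web server" rule shadows a later "block the malicious host" rule, so the query reports that the malicious host can still reach the web server.

```python
"""Toy first-match firewall plus a brute-force firewall query evaluator.

Added example; not code from the paper. SFQL syntax and the paper's
firewall-decision-tree algorithm are not reproduced. Hosts, ports and rules
below are constructed sample data chosen to exhibit a rule conflict.
"""
from dataclasses import dataclass, field
from itertools import product
from typing import Dict, Optional, Set

FIELDS = ("src", "dst", "dport", "proto")   # packet fields examined by every rule
ANY = None                                   # wildcard: field is unconstrained


@dataclass
class Rule:
    decision: str                                              # "accept" or "discard"
    match: Dict[str, Optional[Set]] = field(default_factory=dict)

    def covers(self, pkt: Dict[str, object]) -> bool:
        """True if every constrained field of the rule contains the packet's value."""
        return all(vals is ANY or pkt[f] in vals for f, vals in self.match.items())


def decide(rules, pkt, default="discard"):
    """First-match semantics: the first rule whose predicate covers the packet
    decides; an implicit final rule (here: discard) handles everything else."""
    for rule in rules:
        if rule.covers(pkt):
            return rule.decision
    return default


def query(rules, domain, select, where, decision):
    """Answer an SFQL-style question of the form
       select <select> from packets where <where> and decision is <decision>.
    `where` maps a field to the set of values it may take. This version simply
    enumerates every packet in the (small, constructed) domain; the paper's
    decision-tree algorithm answers the same question without enumeration."""
    hits = set()
    for values in product(*(domain[f] for f in FIELDS)):
        pkt = dict(zip(FIELDS, values))
        if (all(pkt[f] in allowed for f, allowed in where.items())
                and decide(rules, pkt) == decision):
            hits.add(pkt[select])
    return hits


# Constructed domain: three source hosts, three private servers, three ports.
DOMAIN = {
    "src": ["malicious", "partner", "internal"],
    "dst": ["web", "db", "mail"],
    "dport": [25, 80, 3306],
    "proto": ["tcp"],
}

# Constructed rule sequence. Rule 1 is meant to open the public web server and
# rule 2 is meant to block the known malicious host, but rule 1 is listed first
# and so accepts the malicious host's web traffic before rule 2 is consulted.
RULES = [
    Rule("accept", {"dst": {"web"}, "dport": {80}}),
    Rule("discard", {"src": {"malicious"}}),
    Rule("accept", {"dst": {"mail"}, "dport": {25}}),
    Rule("accept", {"src": {"partner"}, "dst": {"db"}, "dport": {3306}}),
]

# The same rules with the block moved to the front, the order the operator intended.
REORDERED_RULES = [RULES[1], RULES[0], RULES[2], RULES[3]]


def reachable_from_malicious(rules):
    """The abstract's example query: which private hosts can receive packets
    from the known malicious host?"""
    return query(rules, DOMAIN, "dst", {"src": {"malicious"}}, "accept")


if __name__ == "__main__":
    print("original order:", reachable_from_malicious(RULES))            # {'web'}
    print("reordered     :", reachable_from_malicious(REORDERED_RULES))  # set()
```

The enumeration is exponential in the number of packet fields and their domain sizes, which is exactly what makes it unusable on real address and port spaces; the abstract's claim of sub-10 ms query times over 10,000 rules rests on the decision-tree representation, not on enumeration. The toy is nonetheless enough to check a rule set for the kind of ordering mistake shown here before it is deployed.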




Copyright information

© 2005 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Liu, A.X., Gouda, M.G., Ma, H.H., Ngu, A.H. (2005). Firewall Queries. In: Higashino, T. (eds) Principles of Distributed Systems. OPODIS 2004. Lecture Notes in Computer Science, vol 3544. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11516798_15


  • DOI: https://doi.org/10.1007/11516798_15


  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-27324-0

  • Online ISBN: 978-3-540-31584-1

  • eBook Packages: Computer Science (R0)
