firewall queries alex x. liu, mohamed g. gouda, the university of texas at austin, u.s.a. huibo...

Firewall Queries

Alex X. Liu, Mohamed G. Gouda, The University of Texas at Austin, U.S.A.

Huibo Heidi Ma, Anne HH. NguTexas State University, U.S.A.

December 16, 2004

Alex X. Liu The University of Texas at Austin 2

Firewall It is a sequence of rules to decide to accept or discard any packet.

Example: packet(S, D)

Firewalls are hard to understand and analyze

acceptDSr

discardDSr

acceptDSr

}10..1{}10..1{:

}9..2{}8..3{:

}8..6{}7..4{:

3

2

1


Firewall Queries Examples:

- “Which outside computers are not allowed to send emails to the inside email server?”

- “Which inside computers can receive BOOTP packets from outside?”

Such queries are useful for firewall analysis, understanding, testing …

Two questions remain:- How to describe a firewall query?

- How to process a firewall query?


Structured Firewall Query Language Example: select field S

from firewall f

where (S {3..6})∈ (D∧ {1})∈ (decision=accept}∧ Find all packets that satisfy the condition, and then project them into the

selected field

Meaning of the query:- Which source computers whose addresses are in {3..6} can send packets to

a destination whose address is 1?


Consistent Firewalls Two rules in a firewall are said to conflict iff they have different decisions

and there is at least one packet that matches both rules.

A firewall is consistent iff it has no two rules conflict.

Example: the following firewall is inconsistent because r1 and r2 conflict.

acceptDSr

discardDSr

acceptDSr

}10..1{}10..1{:

}9..2{}8..3{:

}8..6{}7..4{:

3

2

1


Query Processing Processing a query for a consistent firewall can be carried out on

the rules of the firewall directly. (Algorithm in paper)

Processing a query for a consistent or inconsistent firewall can be carried out on a “firewall decision diagram” that is equivalent to the firewall (Algorithm in paper)

We discuss an example next.


Firewall Decision Diagram Firewall:

Firewall Decision Diagram:

Algorithm to construct an equivalent firewall decision diagram from a firewall is in Liu and Gouda’s “Diverse Firewall Design”, DSN 2004.

S

DD

a a a

{1,2,9,10}

{4..7}

{1..10}{2..5, 9}

{6..8} D

d a

{2..9}

d

{3,8}

{1,10}{1,10}

acceptDSr

discardDSr

acceptDSr

}10..1{}10..1{:

}9..2{}8..3{:

}8..6{}7..4{:

3

2

1


First Step of Query Processing

Example: select field S

from firewall f

where (S∈{3..6}) (D∧ {1})∈ (decision=accept}∧ First Step:

S

D D

{1,2,9,10} ∩{3..6}=Φ

{4..7}∩{3..6}={4,5,6}

D

{3,8} ∩{3..6}={3}

continue continuestop


Second Step of Query Processing Example: select field S

from firewall f

where (S {3..6})∈ (D∧ ∈{1}) (decision=accept}∧ Second Step:

S

D

{1,2,9,10} ∩{3..6}=Φ

{4..7}∩{3..6}={4,5,6}

D

{3,8} ∩{3..6}={3}

continuestop

D

{2..5, 9}∩{1}= Φ

{6..8}∩{1}= Φ {1,10} ∩{1}={1}

stop stop continue


Third Step of Query Processing Example: select field S

from firewall f

where (S {3..6})∈ (D∧ ∈{1}) (decision=accept}∧ Third Step:

S

D

{1,2,9,10} ∩{3..6}=Φ

{4..7}∩{3..6}={4,5,6}{3,8} ∩{3..6}={3}

stop

D

{2..5, 9}∩{1}= Φ

{6..8}∩{1}= Φ {1,10} ∩{1}={1}

stop stop continue

D{2..9} ∩{1}= Φ {1,10} ∩{1}= {1}

stop continue


Fourth Step of Query Processing Example: select field S

from firewall f

where (S {3..6}) (D {1})∈ ∧ ∈ (∧ decision=accept} Fourth Step: S

D

{1,2,9,10} ∩{3..6}=Φ

{4..7}∩{3..6}={4,5,6}{3,8} ∩{3..6}={3}

stop

D

{2..5, 9}∩{1}= Φ

{6..8}∩{1}= Φ {1,10} ∩{1}={1}

stop stopcontinue

D{2..9} ∩{1}= Φ {1,10} ∩{1}= {1}

stopcontinue

a a=accept

a a=accept


Fifth Step of Query Processing Example: select field S from firewall f where (S {3..6}) (D {1}) (decision=accept}∈ ∧ ∈ ∧

Fifth Step:

Find the values of field S that results from the intersection in every “continue” path.

In first red path, S1={4, 5, 6}. In second red path, S2={3}.

So the result of this query = S1 ∪S2 = {3, 4, 5, 6}

S

D

{1,2,9,10} ∩{3..6}=Φ

{4..7}∩{3..6}={4,5,6}{3,8} ∩{3..6}={3}

stop

D

{2..5, 9}∩{1}= Φ

{6..8}∩{1}= Φ {1,10} ∩{1}={1}

stop stopcontinue

D{2..9} ∩{1}= Φ {1,10} ∩{1}= {1}

stopcontinue

a a=accept

a a=accept


Experimental Results Implemented in Java JDK 1.4

Experiments carried out on SunBlade 2000

(OS: Solaris 9, CPU:1Ghz , Memory: 1 GB)

It takes less than 10 milliseconds to process a query over a firewall that has up 10,000 rules.


Conclusion Contributions:

- Introduce simple and effective SQL-like firewall query language

- Present Firewall Query Theorem as foundation for query processing

- Present efficient query processing algorithm using Firewall Decision Diagram

firewall queries alex x. liu, mohamed g. gouda, the university of texas at austin, u.s.a. huibo...

Documents