See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/224235724

Firewall modules and modular firewalls

Conference Paper · November 2010

DOI: 10.1109/ICNP.2010.5762766 · Source: IEEE Xplore

CITATIONS READS
13 1,055

3 authors, including:

Hrishikesh Bhatt Acharya

University of Texas at Austin
30 PUBLICATIONS 166 CITATIONS

SEE PROFILE

All content following this page was uploaded by Hrishikesh Bhatt Acharya on 11 July 2014.

The user has requested enhancement of the downloaded file.

 Firewall Modules and Modular Firewalls
H. B. Acharya Aditya Joshi M. G. Gouda
University of Texas at Austin University of Texas at Austin National Science Foundation
[email protected] [email protected] [email protected]

Abstract—A firewall is a packet filter placed at an entry Note that F employs a ”first-match” criterion to determine
point of a network in the Internet. Each packet that goes which rule (in its sequence of rules) should be applied to which
through this entry point is checked by the firewall to determine packet. This first-match criterion allows the rules in the rule
whether to accept or discard the packet. The firewall makes
this determination based on a specified sequence of overlapping sequence to be “overlapping”. This can be both advantageous
rules. The firewall uses the first-match criterion to determine and disadvantageous.
which rule in the sequence should be applied to which packet. The advantage of making the rules in the rule sequence
Thus, to compute the set of packets to which a rule is applied, overlapping is that it reduces the number of rules in the rule
the firewall designer needs to consider all the rules that precede sequence, sometimes dramatically.
this rule in the sequence. This “rule dependency” complicates
the task of designing firewalls (especially those with thousands The disadvantage of making the rules in the rule sequence
of rules), and makes firewalls hard to understand. In this paper, overlapping is that it creates many dependencies between the
we present a metric, called the dependency metric, for measuring rules in the rule sequence. This, in turn, complicates the task of
the complexity of firewalls. This metric, though accurate, does designing and understanding the rule sequence. For instance,
not seem to suggest ways to design firewalls whose dependency if the firewall designer needs to compute the set of packets to
metrics are small. Thus, we present another metric, called the in-
version metric, and develop methods for designing firewalls with which a rule r (in the rule sequence) applies, then the designer
small inversion metrics. We show that the dependency metric and needs to consider not only rule r but also all the rules that
the inversion metric are correlated for some classes of firewalls. precede r in the rule sequence.
So by aiming to design firewalls with small inversion metrics, the In this paper, we introduce a metric, called the “dependency
designer may end up with firewalls whose dependency metrics metric”, that measures the complexity of firewalls. The more
are small as well. We present a method for designing modular
firewalls whose inversion metrics are very small. Each modular the value of the metric for a given firewall, the more complex
firewall consists of several components, called firewall modules. the firewall is and the harder it is to design and understand.
The inversion metric of each firewall module is very small - in Unfortunately, the dependency metric, though accurate, does
fact, 1 or 2. Thus, we conclude that modular firewalls are easy not seem to suggest methods for designing firewalls for
to design and easy to understand. which the values of the metric are small. Thus, we introduce
another complexity metric, called the “inversion metric”, for
I. I NTRODUCTION measuring the complexity of firewalls.
A firewall is a packet filter that is placed at an entry point We show, below, that the dependency metric and the inver-
of a network in the Internet. The function of a firewall is to sion metric are correlated (at least for a rich class of firewalls
check each packet that goes through the entry point (at which called “uniform firewalls”). This result allows us to use the
the firewall is located) and determine whether to accept the inversion metric as a good approximation of the dependency
packet and allow it to proceed on its way or to discard the metric.
packet. Then, we identify three classes of firewalls, namely “simple
The firewall perform its function based on a specified firewalls”, “partitioned firewalls”, and “modular firewalls”, for
sequence of rules. Each rule is of the form which the values of the inversion metric are small. (This
implies that these classes of firewalls are easier to design and
< predicate >→< decision > understand.) We also describe methods for designing firewalls
in these three classes.
where < predicate > is a function that assigns to each packet Of particular interest is the class of modular firewalls. Each
a boolean value, true or false, and < decision > is either modular firewall consists of simple firewall components, called
”accept” or ”discard”. When a packet p reaches a firewall F , “firewall modules”. The value of the inversion metric for each
F performs two steps: firewall module is 1 or 2. This causes the value of the inversion
1) F identifies the first rule r (in its sequence of rules) metric for the full firewall to be 1 or 2. (Note that the smallest
whose < predicate > assigns the value true to packet possible value of the inversion metric is 1.)
p. We present an algorithm that takes as input any firewall
2) If the < decision > of rule r is accept (or discard, F whose inversion metric is large and computes as output an
respectively) then F accepts (or discards, respectively) equivalent modular firewall M F whose inversion metric is (by
packet p. definition) 1 or 2. The complexity of this algorithm is O(n2 )
where n is the number of rules in the input firewall F . The Because the last rule in a firewall is either an accept-all rule
existence of this algorithm indicates that designing a modular or a discard-all rule, it is straightforward to show that for every
firewall is not harder than designing an equivalent non-modular packet and every firewall F , either the packet is accepted by
firewall. Our simulation results, reported below, show that the F or the packet is discarded by F .
cost and performance of this algorithm are attractive. Two firewalls F and G are said to be equivalent iff F and
G accept the same set of packets (and discard the same set of
II. F IELDS , PACKETS , RULES , AND F IREWALLS packets).
In this section, we define the main terms in this paper -
III. T HE D EPENDENCY M ETRIC OF F IREWALLS
fields, packets, rules, and firewalls.
A field is a variable, whose value is taken from an interval In this section we define a metric that can be used to
of non-negative integers. Examples of fields are source IP measure the complexity of a firewall. If the value of this
address, destination IP address, transport protocol, source port metric is large for one firewall, then this firewall is relatively
number, and destination port number. The domain of values ”hard to understand”. And if the value of this metric is small
of the source IP address field, for example, is the interval for another firewall, then this firewall is relatively ”easy to
[0, 232 − 1]. understand”. We refer to this metric as the dependency metric.
In this paper, we consider d fields, denoted f1 , .. , and fd . But before we can define the dependency metric, we first need
The domain of values of each field fj , denoted D(fj ), is an to introduce several definitions.
interval of non-negative integers. A band of a firewall F is a maximal sequence of consecutive
A packet p is a d-tuple (p.f1 , .., p.fd ), where each p.fj is rules that have the same decision, whether accept or discard,
an element from the domain D(fj ) of field fj . in F . If (all) the rules in a band have accept decisions, then
A rule r is of the form: the band is called an accept band. Similarly, if (all) the rules
in a band have discard decisions, then the band is called a
f1 ∈ R1 ∧ ... ∧ fd ∈ Rd →< r.decision > discard band.

where each Rj is a non-empty interval of non-negative in- Theorem 1. If the rules in a band in a firewall F are reordered
tegers taken from the domain D(fj ) of field fj , and the in any way, then the resulting firewall is equivalent to F .
< r.decision > is either accept or discard. A rule whose Proof: Assume that the rules in a band B in F are
decision is accept is called an accept rule, and a rule whose reordered in any way. Let p be a packet that is resolved by
decision is discard is called a discard rule. a rule r in B before the reorder. And assume that packet p
A packet (p.f1 , .., p.fd ) is said to match a rule r of the is resolved by another rule s after the reorder. Thus, rule s
form: belongs to band B, and has moved ahead of rule r as a result
f1 ∈ R1 ∧ ... ∧ fd ∈ Rd →< r.decision > of the reorder.
Because both rules r and s belong to the same band B, they
iff the predicate (p.f1 ∈ R1 ∧ ... ∧ p.fd ∈ Rd ) holds. have the same decision. Therefore, rule s will resolve packet
A rule of the form p after the reorder in the same way that rule r has resolved
packet p before the reorder.
f1 ∈ D(f1 ) ∧ ... ∧ fd ∈ D(fd ) → accept Every packet that is accepted before the reorder is also
is called an accept-all rule, and a rule of the form accepted after the reorder, and every packet that is discarded
before the reorder is also discarded after the reorder. Hence
f1 ∈ D(f1 ) ∧ ... ∧ fd ∈ D(fd ) → discard the firewall that results from the reorder is equivalent to the
original firewall F before the reorder.
is called a discard-all rule. If all the rules in a firewall have the same decision, then
A firewall F is a nonempty sequence of rules, where the this firewall consists of only one band. But such a firewall is
last rule is either an accept-all rule or a discard all rule. not very useful in practice. Thus, from now on, we consider
A packet (p.f1 , .., p.fd ) is said to be accepted by a firewall only firewalls that consist of two or more bands.
F iff F has an accept rule r such that the following two A packet p is said to be resolved by a rule r in a firewall
conditions hold. F iff the following two conditions hold:
1) (p.f1 , .., p.fd ) matches r. 1) p matches rule r.
2) (p.f1 , .., p.fd ) does not match any rule that precedes r 2) p does not match any rule s, where s precedes r in F
in F . and r and s occur in different bands in F .
A packet (p.f1 , .., p.fd ) is said to be discarded by a firewall The dependency set of a rule r in a firewall F is the set
F iff F has a discard rule r such that the following two containing every rule s, where s precedes r in F , and r and
conditions hold. s occur in different bands in F .
1) (p.f1 , .., p.fd ) matches r. From the last two definitions, we conclude that to determine
2) (p.f1 , .., p.fd ) does not match any rule that precedes r whether a packet p is resolved by a rule r in a firewall F , one
in F . needs to test packet p against rule r and against every rule in
the dependency set of r. Clearly, the complexity of these tests as the inversion metric. We show that the inversion metric
are proportional to the number of rules in the dependency set satisfies two nice properties. First, we show, in this section,
of r. If the cardinality of the dependency set of r is large, that the value of the inversion metric of a firewall is correlated
then determining whether a given packet is resolved by r is to the value of the dependency metric of the same firewall
relatively hard. And one can claim, in this case, that rule r (when the firewall is uniform). This result allows us to use the
is hard to understand. On the other hand, if the cardinality of inversion metric as a good approximation of the dependency
the dependency set of r is small, then determining whether a metric. Second, we demonstrate, in Section 7 below, that one
given packet is resolved by r is relatively easy. And one can can develop methods for designing firewalls whose inversion
claim, in this case, that rule r is easy to understand. metrics are very small. In particular, we give an algorithm
It follows from this discussion that the complexity of that takes as input any firewall, whose inversion metric value
understanding a rule r in a firewall F can be measured by is large, and produces an equivalent firewall, whose inversion
the cardinality of the dependency set of r in F . Therefore, the metric value is no more than 2, a small value.
complexity of understanding firewall F can be measured by The inversion metric of a firewall F is the number of pairs
the average cardinality of a dependency set of a rule in F . of adjacent rules that have different decisions in F .
The dependency metric of a firewall F is the average
Theorem 3. Let F be a firewall that has n rules.
cardinality of a dependency set of a rule in F .
1) The smallest possible value of the inversion metric of F
Theorem 2. Let F be any firewall that has n rules. is 1.
1) The smallest possible value of the dependency metric of 2) The largest possible value of the inversion metric of F
F is (n−1)
n .
is n − 1.
2) The largest possible value of the dependency metric of Proof: Because, as mentioned in Section 3, we consider
F is (n−1)
2 . only firewalls that have two or more bands, the smallest
Proof: possible value of the inversion metric of a firewall is 1. Also,
1) The dependency metric of F has its smallest value when for a firewall that has n rules, the largest possible value of the
F consists of only two bands. The first band consists of inversion metric is n − 1.
the top n − 1 rules in F , and the second band consists A firewall F is called uniform iff each band in F has the
of the last rule in F . In this case, the dependency set same number of rules.
of each one of the top n − 1 rules is empty, and the Thus, if a uniform firewall F has n rules and k bands, then
dependency set of the last rule has n − 1 rules. Thus, each band in F has nk rules.
the average cardinality of a dependency set of a rule in Theorem 4. Let F be a uniform firewall that has n rules.
F is n−1
n . Also, let dm be the value of the dependency metric of F , and
2) The dependency metric of F has its largest value when im be the value of the inversion metric of F .
F consists of n bands. And each band consists of only
n ∗ im
one rule. In this case, dm =
the dependency set of the first rule in F has 0 rules, 2 ∗ (im + 1)
the dependency set of the second rule in F has 1 rule, Proof: Since im is the inversion metric of firewall F , F
..., has im + 1 bands, and because F is uniform, each band in F
n
the dependency set of the n-th rule in F has n − 1 rules. has im+1 rules.
Thus, the average cardinality of a dependency set of a The cardinality of the dependency set of each rule in the
rule in F is n−1
2 . i-th band in F , where i is in the range 1..(im + 1), is (i−1)∗n
(im+1) .
Thus, the average cardinality dm of the dependency set of
The problem of the dependency metric is that this metric a rule in F can be computed as follows:
does not seem to suggest methods for designing firewalls im+1 n (i−1)∗n
X im+1 ∗ im+1
whose dependency metrics are small. dm =
This problem compels us to look for another complexity i=1
n
metric of firewalls. This new complexity metric needs to n
im+1
X
satisfy two requirements. First, this new metric needs to be = ∗ i−1
(im + 1)2 i=1
correlated to the dependency metric (at least for some classes
im
of firewalls). Second, it should be easy to design firewalls for n X
which the new metric has a small value. We present such a = 2
∗ i
(im + 1) i=0
metric in the next section.
n im ∗ (im + 1)
= ∗
IV. T HE I NVERSION M ETRIC OF F IREWALLS (im + 1)2 2
In this section we introduce a second metric that can be used n ∗ im
=
to measure the complexity of firewalls. We refer to this metric 2 ∗ (im + 1)
 3) Rule s is in band B1 and there is another rule r in B1
This theorem shows that when the value of the inversion where r covers s.
metric im (of a uniform firewall) is n − 1, the value of the Now we argue that if an irrelevant rule s is removed from
dependency metric dm (of the same firewall) is (n−1)/2. Both its simple firewall F , then any packet that could have been
these values are the largest possible values for their metrics. resolved (i.e., accepted or discarded) by rule s can still be
Also, when the value of the inversion metric im is reduced to resolved in the same way after s is removed. Because the
1, the value of the dependency metric is reduced to n/4. Both removed rule s is irrelevant, rule s must have satisfied one of
these values are small values for their metrics. In other words, three conditions 1, 2, or 3 (in the above definition), before it
there is some correlation between the value of the inversion is removed.
metric im and the value of the dependency metric dm. Thus First, if s satisfied condition 1 before it is removed, then
one can use the inversion metric (which is easy to deal with) any packet that is discarded by s, before s is removed, will
as a good approximation of the dependency metric (which is still be discarded at least by rule r, after s is removed.
hard to deal with). Second, if s satisfied condition 2 before it is removed, then
In the next two sections, we present two classes of firewalls, any packet that is discarded by s, before s is removed, will
namely simple firewalls and partitioned firewalls, whose inver- still be discarded at least by the discard-all rule in F , after s
sion metrics are small. is removed.
Third, if s satisfied condition 3 before it is removed, then
V. S IMPLE F IREWALLS any packet that is accepted by s, before s is removed, will
A firewall F is called simple iff F is a sequence of three still be accepted at least by rule r, after s is removed.
bands, B0 followed by B1 followed by B2 , such that the The algorithm for removing irrelevant rules from any simple
following three conditions are satisfied: firewall is detailed in Algorithm 1. Note that the time com-
plexity for executing Algorithm 1 is O(n2 ), where n is the
1) Band B0 consists of zero or more discard rules. (Note number of rules in the input firewall F .
that if B0 has zero discard rules, then band B0 does not
exist in F and, in this case, F is a sequence of only two Algorithm 1 Removing Irrelevant Rules
bands, B1 followed by B2 .) Input: A simple firewall F that is a sequence of three bands
2) Band B1 consists of one or more accept rules. B0 followed by B1 followed by B2
3) Band B2 consists of only one discard-all rule. Output: A simple firewall G that is equivalent to F and has
Simple firewalls are interesting because the values of their no irrelevant rules
inversion metrics are small (and so they are easy to understand) for every rule r in B0 do
as follows. If band B0 exists in a simple firewall F , then the if there is another rule s in B0 such that r covers s or
inversion metric of F is 2. Otherwise, the inversion metric of there is no rule s in B1 such that r overlaps s then
F is 1. Remove rule r from B0
Below we describe how to identify “irrelevant rules” in any end if
simple firewall F and argue that removing these rules from F end for
yields a firewall G that is both equivalent to F and simple. for every rule r in B1 do
But first we need to present some definitions. if there is another rule s in B1 such that r covers s then
Let F be a simple firewall and let r and s be two distinct then remove rule r from B1
rules in F where end if
end for
r : f1 ∈ R1 ∧ .. ∧ fd ∈ Rd →< r.decision > The remaining firewall is G
s : f1 ∈ S1 ∧ .. ∧ fd ∈ Sd →< s.decision >

Rule r is said to cover rule s iff every interval Rj in r VI. PARTITIONED F IREWALLS
contains the corresponding interval Sj in s. A partitioned firewall P F is a nonempty set {P F1 , .., P Fr }
Rule r is said to overlap rule s iff every intersection of an of firewalls, such that the following oneness condition holds.
interval Rj in r with the corresponding interval Sj in s is Every packet is accepted by at most one firewall, say P Fk , in
nonempty. PF.
Rule s is called irrelevant in the simple firewall F iff s If a packet is accepted by one (and so only one) firewall in a
satisfies the following three conditions (Recall that, since F is partitioned firewall P F , then this packet is said to be accepted
simple, F is a sequence of three bands, B0 followed by B1 , by P F . Otherwise, the packet is discarded by every firewall
followed by B2 ): in P F and, in this case, the packet is said to be discarded by
1) Rule s is in band B0 and there is another rule r in B0 PF.
where r covers s. If a partitioned firewall P F is the set {P F1 , .., P Fr }, then
2) Rule s is in band B0 and there is no rule r in B1 where each firewall P Fk in this set is called a component of the
r overlaps s. partitioned firewall P F .
 Note that one can view a monolithic firewall F as a As an example, assume that we wish to design a partitioned
partitioned firewall that consists of only one component F . firewall with five components P F1 through P F5 . First, we
A monolithic firewall F and a partitioned firewall P F are partition the set of all packets into the five overlapping classes
said to be equivalent iff F and P F accept the same set of P C1 through P C5 :
packets (and discard the same set of packets). • P C1 : All outgoing packets
There are three advantages of partitioned firewalls over • P C2 : All incoming, TCP, email packets
monolithic ones: • P C3 : All incoming, TCP, web packets
(a) Parallel processing of packets • P C4 : All incoming, TCP packets that are neither email
(b) Ease of design and update nor web.
(c) Small inversion metrics • P C5 : All incoming, non-TCP packets
We discuss these three advantages , one by one, in order. Second, each firewall component P Fk is designed to accept
only some (or all) of the packets that belong to the correspond-
A. Parallel Processing of Packets
ing packet class P Ck . For instance, P F1 is designed to accept
Each component P Fk of a partitioned firewall P F can be only some (or all) of the outgoing packets, and so on.
implemented as a distinct thread [1] that is executed on a In other words, once the packet classes are all identified,
distinct core in a multicore architecture [2]. the firewall components can be designed independently of one
When a packet p arrives at the multicore architecture hosting another. This makes the design of a partitioned firewall easier
the partitioned firewall P F , a copy of p is forwarded to than that of a monolithic firewall.
each core, as shown in Figure 1. Each core then proceeds Moreover, because each firewall component P Fk is de-
independently to determine whether or not to accept packet p signed to accept only some (or all) of the packets that belong
and allow it to proceed. to the packet class P Ck , only component P Fk needs to be
updated whenever the set of accepted packets, that belong to
Fig. 1. Parallel Processing of Packets the packet class P Ck , needs to be updated.
In other words, any update of a partitioned firewall can be
realized by updating only one component in the firewall. This
makes the update of a partitioned firewall easier than that of
a monolithic one.
C. Small Inversion Metric
The inversion metric of a partitioned firewall
{P F1 , .., P Fr } is the value
(MAX over k, k is in the range 1..r, im.k)
where each im.k denotes the inversion metric of the firewall
component P Fk .
Because the inversion metric of a partitioned firewall is the
maximum, rather than say the sum, of the inversion metrics of
Note that each core makes its determination (of whether the firewall components, the inversion metric of a partitioned
or not to accept its copy of p) independently from the firewall tends to be smaller than the inversion metric of an
determinations made by the other cores. In other words, the equivalent monolithic firewall. In other words, understanding
cores do not need to synchronize in any way, and yet, thanks a partitioned firewall tends to be easier than understanding an
to oneness condition, at most one copy of packet p is accepted equivalent monolithic firewall.
and allowed to proceed by one core while all the other copies We end this section by stating (and verifying) a sufficient
of p are discarded by the other cores. condition for ensuring that two monolithic firewalls can be
As shown in our experimental results below, this multicore components in the same partitioned firewall.
architecture of a partitioned firewall can process up to 2.5
Theorem 5. Let F and G be two (monolithic) firewalls. If for
times as many packets per second as the traditional one core
every accept rule r in F and every accept rule s in G, r does
architecture of a monolithic firewall.
not overlap s, then F and G can be components in the same
B. Ease of Design and Update partitioned firewall.
A partitioned firewall {P F1 , .., P Fr } can be designed in Proof: Assume that for every accept rule r in F and every
two steps as follows. accept rule s in G, r does not overlap s. Thus, for every accept
1) The set of all packets is partitioned into r non- rule r in F and every accept rule s in G, there is no packet that
overlapping classes: P C1 , .., P Cr . matches both r and s. In other words, the set of packets that
2) Each component P Fk in the partitioned firewall is match accept rules in F is disjoint from the set of packets that
designed to accept some (or all) of the packets that match accept rules in G. Moreover, because the set of packets
belong to the packet class P Ck . that are accepted by a firewall is a subset of the set of packets
that match accept rules in the firewall, we conclude that the Algorithm 2 Modularizing Monolithic Firewalls
set of packets that are accepted by F is disjoint from the set Input: A monolithic firewall F with r accept bands (r is at
of packets that are accepted by G. Therefore F and G satisfy least 1)
the oneness condition and they can be firewall components in Output: A modular firewall M F with r modules
the same partitioned firewall. {M F1 , .., M Fr } such that F and M F are equivalent.
Note that any two components of a partitioned firewall, that Let the r accept bands of firewall F be AB1 , .., ABr in
is designed using the method outlined at the beginning of this order.
section, do satisfy the sufficient condition in Theorem 4. for every accept band ABk in F do
Design the three bands B0 , B1 , and B2 of module M Fk
VII. M ODULAR F IREWALLS as follows.
In the previous two sections, we presented two classes of • B0 is the sequence of all rules that precedes ABk in
firewalls, namely simple firewalls and partitioned firewalls, F after modifying their decisions to become ”discard”
whose inversion metrics are small. In this section, we present • B1 is the sequence of all (accept) rules in ABk
a class of firewalls, called modular firewalls, that have similar • B2 is the discard-all rule;
characteristics to those of simple and partitioned firewalls.
Apply Algorithm 1 to remove the irrelevant rules from
Therefore, the inversion metrics of modular firewalls are also
M Fk
small.
end for
A modular firewall M F is a partitioned firewall
{M F1 , .., M Fr } where each component M Fk , called a fire-
wall module, is a simple firewall. It follows that the inversion
metric of each firewall module M Fk is 1 or 2 and the inversion that is accepted by (band B1 in) firewall M Fk is discarded
metric of the modular firewall M F is 1 or 2. by (band B2 in) firewall M Fi . In other words, no packet is
A modular firewall {M F1 , .., M Fr } can be designed in two accepted by both M Fi and M Fk .
steps as follows. Theorem 7. Assume that Algorithm 2 is applied to a mono-
1) The set of all packets is partitioned into r non- lithic firewall F and produced a modular firewall M F that
overlapping classes: P C1 , .., P Cr . consists of the modules {M F1 , .., M Fk }.
2) Each module M Fk in the modular firewall is designed 1) Each packet, that is accepted by F , is also accepted by
to accept some (or all) of the packets that belong to the MF
packet class P Ck under the restriction that M Fk , being 2) Each packet, that is accepted by M F , is also accepted
a simple firewall, must consist of three bands: a discard by F
band B0 , followed by a accept band B1 , followed by a
band B2 that consists of a discard-all rule (These two statements indicate that F and M F are equiva-
lent.)
The main thesis of this paper is that designing a modular
firewall is easier than designing an equivalent monolithic Proof:
firewall. To give some evidence to this thesis, we discuss next 1) Assume that a packet p is accepted by F . Thus p is
an algorithm that can take, as input, a monolithic firewall F resolved by a rule in some accept band ABk of F .
and produce, as output, an equivalent modular firewall M F . This indicates that p is also resolved by a rule in the
Because the time complexity of this algorithm is small O(n2 ), accept band B1 in module M Fk in M F . Therefore p is
where n is the number of rules in the input firewall F , one accepted by M F .
concludes that designing a modular firewall is not harder than 2) Assume that a packet p is accepted by a module M Fk
designing an equivalent monolithic firewall. in M F . Thus p is resolved by a rule in band B1 of
The algorithm for modularizing a monolithic firewall is module M Fk . This indicates that p is also resolved by
shown in Algorithm 2. a rule in the accept band ABk in firewall F . Therefore
The correctness of Algorithm 2 follows from the following p is accepted by F .
two theorems.
Theorem 6. Assume that Algorithm 2 is applied to a
monolithic firewall F and produced the simple firewalls VIII. S IMULATION R ESULTS
{M F1 , .., M Fr }. Then no two distinct firewalls M Fi and
In this paper, we presented two algorithms: Algorithm 1 for
M Fk accept the same packet (indicating that the produced
removing irrelevant rules from simple firewalls, and Algorithm
simple firewalls satisfy the oneness condition).
2 for modularizing monolithic firewalls. In fact, the important
Proof: Without loss of generality, assume that i is less role of Algorithm 1 is to be invoked from within Algorithm
than k. This means that the accept rules in band B1 of firewall 2 to remove the irrelevant rules from the firewall modules in
M Fi occur as discard rules in band B0 of firewall M Fk . Thus, the computed modular firewall. In this section, we report the
each packet that is accepted by (band B1 in) firewall M Fi is results of several simulations that we carried out to measure
discarded by (band B0 in) firewall M Fk . Also, each packet the cost and performance of Algorithm 2. (The cost and
performance of Algorithm 1 contribute to those of Algorithm 2) Firewall Analysis: To analyze a given firewall F , one
2.) applies an algorithm to identify (some or all of the)
Figure 2 shows the execution time of Algorithm 2, when vulnerabilities, conflicts, anomalies, and redundancies in
applied to modularize a monolithic firewall F , as a function the given firewall F . A systematic method for analyzing
of the number of rules in F . From this figure, the execution firewalls is presented in [7]. The concept of conflicts
time of Algorithm 2 is very small, less than half a second, even between rules in a firewall is due to [8] and [9]. A
when the firewall being modularized has up to 2000 rules. classification of anomalies, as well as algorithms to
Figure 3 shows the average number of firewall modules, that detect them, may be found in [10] and [11]. (This
result from applying Algorithm 2 to modularize a monolithic analysis works for verifying the security policies in IPsec
firewall F , as a function of the number of rules in F . From and VPN as well [12].) A framework for understanding
this figure, a monolithic firewall that has 2000 rules can be the vulnerabilities in a single firewall is outlined in [13],
converted into a modular firewall with about 22 modules on and an analysis of these vulnerabilities presented in [14].
average. [15] is a quantitative study of configuration errors for
Figure 4 shows the average number of rules in a firewall a firewall. An example of an efficient firewall analysis
module, that results from applying Algorithm 2 to modularize algorithm is given in FIREMAN [16].
a monolithic firewall F , as a function of the number of rules 3) Firewall Verification: To verify a given firewall F against
in F . From this figure, a monolithic firewall that has 2000 a given property R, one applies an algorithm to verify
rules can be converted into a modular firewall where a firewall whether or not F satisfies R. The question of how to
module has 800 rules on average. query a given firewall and obtain the answer (whether or
Consider the case where Algorithm 2 is applied to a mono- not it satisfies a given property) is discussed in [17] and
lithic firewall F to produce an equivalent modular firewall [18]. The time and space complexity of these algorithms
M F . As discussed in Section 6, F can be implemented as are proved to be O(nd ) in [19]. In [20], a probabilistic
a single thread on a single core architecture, whereas the verification algorithm is provided and shown to have
firewall modules in M F can be implemented on a multicore a time and space complexity of O(nd). In [21], we
architecture. Let RF denote the rate (in packets per second) of provide an elegant algorithm for firewall verification
processing packets by the single core architecture, and RM F whose space complexity is O(nd), and whose time
denote the rate (in packets per second) of processing packets complexity is order O(nd ).
by the multicore architecture. Then RM F/RF is called the 4) Firewall Design: To ensure a firewall does not have vul-
speed-up ratio. Figure 5 shows the speed-up ratio as a function nerabilities or other problems, it can be designed from
of the number of rules in F . From this figure, the speed-up the outset using structured algorithms. Such algorithms,
ranges from 1.7 (when the number of rules in F is small) to that can generate a firewall from its specification, are
2.6 (when the number of rules in F is large). provided in [22].

IX. R ELATED W ORK In this paper, we present two new metrics for the complexity
of a firewall, and show that these metrics are related. Further,
Firewalls are a critical line of defence in cybersecurity, but we give a new algorithm for implementing firewalls such that
tend to be very hard to understand. As firewall correctness is a the inversion metric of the firewall is small; this algorithm can
hard but important problem, there has been extensive research be considered a firewall design algorithm to produce easy-to-
in the field, following four main approaches: understand firewalls. Our algorithm has the advantage that it
1) Firewall Testing: To test a given firewall F , one gener- need not be applied at the outset when designing a firewall; any
ates many packets for which the “expected” decisions of pre-existing firewall may be converted to a modular firewall
F , accept or discard, are known a priori. The generated in O(n2 ) time.
packets are then sent to F , and the actual decisions of F
The advantage of a modular firewall is the cleanness of
for these packets are observed. If the expected decision
the design; the low inversion metric makes such firewalls
for each generated packet is the same as the actual
relatively easy to understand, and permits modification with
decision for the packet, one concludes that the given
no unexpected side effects. A side benefit is that modular
firewall F is correct. Otherwise, the given firewall F
firewalls, being inherently parallel, also process packets faster
has errors. Different methods of firewall testing differ in
than equivalent conventional firewalls.
how the testing packets are generated. For instance, the
test packets can be hand-generated by domain experts to In this paper, we have dealt with modular firewalls located at
target specific vulnerabilities in the given firewall F , or a single interface between two computer networks. However,
generated from the formal specifications of the security we do not see any reason why modular firewalls cannot be used
policy of the given firewall F , as in [3]. A scheme for for distributed firewalls, where firewall policies are distributed
targeting test packets for better fault coverage is given across many systems located at multiple points in the network
in [4] and [5]. Blowtorch [6] is a framework to generate [11], [10], [19]. We plan to study the possibility of developing
packets for testing. modular distributed firewalls in future work.
Fig. 2. Execution Time to Modularize a Monolithic Firewall

Fig. 3. Average Number of Modules Produced

Fig. 4. Average Number of Rules per Module

Fig. 5. Speed-up Ratio

 X. C ONCLUDING R EMARKS R EFERENCES
Firewalls are a very important component of system secu-
rity, but, unfortunately, current firewalls are mostly designed [1] D. M. Tullsen, S. J. Eggers, and H. M. Levy, “Simultaneous multithread-
and modified ad hoc; this makes them very difficult to under- ing: maximizing on-chip parallelism,” in ISCA ’95: Proceedings of the
stand, so it is not uncommon for a large firewall with thousands 22nd annual International Symposium on Computer architecture, 1995,
of rules to have many vulnerabilities. In this paper, we make pp. 392–403.
three important contributions to the theory of firewalls and [2] J. E. Savage and M. Zubair, “A unified model for multicore architec-
tures,” in IFMT ’08: Proceedings of the 1st international forum on Next-
firewall complexity. Our first contribution is that we define two generation multicore/manycore technologies, 2008, pp. 1–12.
metrics for the complexity of a firewall, called the dependency [3] J. Jürjens and G. Wimmel, “Specification-based testing of firewalls,”
metric and the inversion metric. We also demonstrate that in Revised Papers from the 4th International Andrei Ershov Memorial
Conference on Perspectives of System Informatics, 2001, pp. 308–316.
the two are correlated, so designing a firewall with a small
[4] A. El-Atawy, K. Ibrahim, H. Hamed, and E. S. Al-Shaer, “Policy
value of inversion metric is likely to yield a firewall with a segmentation for intelligent firewall testing,” Secure Network Protocols,
small value of dependency metric as well. For our second 2005. (NPSec). 1st IEEE ICNP Workshop on, pp. 67–72, Nov. 2005.
contribution, we present several classes of firewalls with a [5] E. Al-Shaer, A. El-Atawy, and T. Samak, “Automated pseudo-live testing
of firewall configuration enforcement,” IEEE Journal on Selected Areas
small inversion metric, as well as a method for designing such in Communication, vol. 27, no. 3, pp. 302 –314, 2009.
firewalls. Our final contribution is that we show that the class [6] D. Hoffman and K. Yoo, “Blowtorch: a framework for firewall test
of modular firewalls, which have a low inversion metric (1−2), automation,” in Proceedings of the 20th IEEE/ACM international Con-
is sufficiently powerful to describe any firewall. Algorithm 2, ference on Automated software engineering, 2005, pp. 96–103.
[7] A. J. Mayer, A. Wool, and E. Ziskind, “Fang: A firewall analysis engine,”
presented in this paper, can take as input any firewall and in IEEE Symposium on Security and Privacy, 2000, pp. 177–187.
convert it into an equivalent modular firewall. [8] H. Adiseshu, S. Suri, and G. M. Parulkar, “Detecting and resolving
It may be noted that this paper introduces two separate packet filter conflicts,” in INFOCOM, 2000, pp. 1203–1212.
concepts, which are interesting in their own right. The first [9] D. Eppstein and S. Muthukrishnan, “Internet packet filter management
and rectangle geometry,” in SODA, 2001, pp. 827–835.
concept is, of course, firewall metrics - we introduce the
[10] E. S. Al-Shaer and H. H. Hamed, “Discovery of policy anomalies in
concept of dependency and inversion metrics, and develop a distributed firewalls,” in INFOCOM, 2004.
method to design firewalls that are “easy to understand” by [11] E. S. Al-Shaer, H. Hamed, R. Boutaba, and M. Hasan, “Conflict
these measures. The second, independent concept is that of classification and analysis of distributed firewall policies,” IEEE Journal
on Selected Areas in Communications, vol. 23, no. 10, pp. 2069–2084,
partitioned firewalls; we show how to decompose any firewall 2005.
into multiple simpler firewalls, that together are equivalent to [12] H. H. Hamed, E. S. Al-Shaer, and W. Marrero, “Modeling and verifica-
the original firewall. By combining the concepts of simple tion of ipsec and vpn security policies,” in ICNP, 2005, pp. 259–278.
firewalls (which have low inversion metrics) and partitioned [13] M. Frantzen, F. Kerschbaum, E. E. Schultz, and S. Fahmy, “A framework
for understanding vulnerabilities in firewalls using a dataflow model of
firewalls, we develop the concept of modular firewalls. firewall internals,” Computers & Security, vol. 20, no. 3, pp. 263–270,
Our work naturally suggests several rich problems for 2001.
further study. The dependency metric and the inversion metric [14] S. Kamara, S. Fahmy, E. E. Schultz, F. Kerschbaum, and M. Frantzen,
“Analysis of vulnerabilities in internet firewalls,” Computers & Security,
are not the only possible metrics for the complexity of a vol. 22, no. 3, pp. 214–232, 2003.
firewall; it would be an interesting problem to identify other [15] A. Wool, “A quantitative study of firewall configuration errors,” IEEE
such metrics, show how they are related, and possibly develop Computer, vol. 37, no. 6, pp. 62–67, 2004.
further algorithms to minimize the complexity of a firewall. [16] L. Yuan, J. Mai, Z. Su, H. Chen, C.-N. Chuah, and P. Mohapatra,
“Fireman: A toolkit for firewall modeling and analysis,” Security and
The development of alternate algorithms to partition and mod- Privacy, IEEE Symposium on, vol. 0, pp. 199–213, 2006.
ularize firewalls is another area for further research. By varying [17] A. X. Liu and M. G. Gouda, “Diverse firewall design,” IEEE Transac-
the algorithm, it is possible to produce modular firewalls tions on Parallel and Distributed Systems, vol. 19, no. 9, pp. 1237–1251,
with different properties, such as size, performance, length of 2008.
[18] ——, “Firewall policy queries,” IEEE Transactions on Parallel and
modules, and so on. For our own future work, we note that the Distributed Systems, vol. 20, no. 6, pp. 766–777, 2009.
method for constructing a partitioned firewall involves dividing [19] M. G. Gouda, A. X. Liu, and M. Jafry, “Verification of distributed fire-
the packet space into partitions and constructing a (simpler) walls,” in Proceedings of the IEEE Global Communications Conference
firewall to classify the packets of each partition independently. (GLOBECOM), 2008.
[20] H. B. Acharya and M. G. Gouda, “Linear-time verification of firewalls,”
By clearly specifying how to partition the packet space, and in Proceedings of the International Conference on Network Protocols,
when to stop partitioning and construct a firewall, we aim to 2009.
develop a recursive new algorithm for firewall design. [21] ——, “Projection and division: Linear-space verification of firewalls,”
Distributed Computing Systems, International Conference on, pp. 736–
XI. ACKNOWLEDGEMENTS 743, 2010.
The authors are grateful to Dr. Ehab Al-Shaer for his help [22] M. G. Gouda and A. X. Liu, “Strucured firewall design,” Computer
Networks, vol. 51, pp. 1106–1120, 2007.
in preparing the final version of this paper.

View publication stats