Firewall Design Methods

Alex Liu

University of Texas, Austin

Date:  Monday, March 27, 2006
Time: 10:00am-11:00am
Place: 3105 Engineering

Host: Sandeep Kulkarni

Abstract: Firewalls are crucial elements of network security. The current practice of designing a firewall by a sequence of conflicting rules is highly error-prone. An error in a firewall may open doors to intrusions or disrupt normal business, and quantitative studies have shown that most firewalls on the Internet are poorly designed and have many errors. In this talk, I will present two new firewall design methods, structured firewall design and diverse firewall design, both of which aim to rigorously and systematically reduce or remove firewall design errors.

The structured firewall design method is motivated by our observation that using the traditional design method, it is difficult to achieve consistency (i.e., correct ordering of the rules), completeness (i.e., thorough consideration for all types of traffic), and compactness (i.e., small number of rules). This method consists of two steps. First, one designs a firewall using a Firewall Decision Diagram (FDD) instead of a sequence of often conflicting rules. Second, the FDD is automatically converted into a compact, yet functionally equivalent, sequence of rules. Consistency and completeness are achieved by the syntactic requirements of the FDD. Compactness is addressed by a series of three algorithms: FDD reduction, FDD marking, and redundancy removal.

The diversity method is inspired by the well-known technique of N-version programming that has been used in building safety-critical systems. This method consists of two steps. First, the same specification of a firewall is given to multiple teams to design independently. Second, the resulting firewalls are compared with each other to identify all the discrepancies among them. The major technical challenge in this method is how to identify all the discrepancies between two given firewalls. We use a series of three algorithms, FDD construction, FDD shaping, and FDD comparison, to solve this problem.
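
The comparison step of the diversity method can be illustrated with the following added example, which is not code from the talk or its authors. It does not implement the FDD construction, shaping, and comparison algorithms named in the abstract; it substitutes a simpler technique, splitting each field at every rule boundary and evaluating both firewalls once per resulting cell, which still reports every discrepancy. The field domains, rule sets, and function names are constructed for illustration.

```python
from itertools import product

# Constructed field domains: source host id and destination port.
DOMAINS = {"src": (0, 255), "dport": (0, 65535)}
FIELDS = tuple(DOMAINS)

def rule(decision, **ranges):
    """Build a rule; a field that is not given matches its whole domain."""
    return ({f: ranges.get(f, DOMAINS[f]) for f in FIELDS}, decision)

def decide(firewall, packet):
    """First-match semantics: the first rule that matches decides."""
    for ranges, decision in firewall:
        if all(ranges[f][0] <= packet[f] <= ranges[f][1] for f in FIELDS):
            return decision
    raise ValueError(f"incomplete firewall: no rule matches {packet}")

def elementary_intervals(field, firewalls):
    """Split a field's domain at every rule boundary of every firewall,
    so each rule covers a resulting interval entirely or not at all."""
    lo, hi = DOMAINS[field]
    starts = {lo}
    for fw in firewalls:
        for ranges, _ in fw:
            a, b = ranges[field]
            starts.add(a)
            if b < hi:
                starts.add(b + 1)
    cuts = sorted(starts)
    return [(s, e - 1) for s, e in zip(cuts, cuts[1:] + [hi + 1])]

def discrepancies(fw_a, fw_b):
    """Return every packet region on which the two firewalls disagree."""
    axes = [elementary_intervals(f, (fw_a, fw_b)) for f in FIELDS]
    found = []
    for cell in product(*axes):
        # One representative packet per cell is enough (see above).
        packet = {f: iv[0] for f, iv in zip(FIELDS, cell)}
        da, db = decide(fw_a, packet), decide(fw_b, packet)
        if da != db:
            found.append((dict(zip(FIELDS, cell)), da, db))
    return found

# Constructed spec: "discard hosts 10-20; accept mail (port 25)".
# The two teams order the overlapping rules differently.
TEAM_A = [rule("discard", src=(10, 20)), rule("accept", dport=(25, 25)),
          rule("discard")]
TEAM_B = [rule("accept", dport=(25, 25)), rule("discard", src=(10, 20)),
          rule("discard")]
```

Calling `discrepancies(TEAM_A, TEAM_B)` returns the single region where rule ordering changes the outcome: hosts 10-20 sending to port 25, which team A discards and team B accepts.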

Biography: Alex X. Liu is currently a Ph.D. candidate in the Department of Computer Sciences at the University of Texas at Austin. His main research interest is computer and network security. He is also interested in dependable computing, distributed computing, computer networks and operating systems. He has published thirteen refereed conference and journal papers on a variety of network security topics. Alex Liu was the recipient of the 2004 IEEE&IFIP William C. Carter Award for his paper "Diverse Firewall Design" (coauthored with Mohamed G. Gouda), the 2004 National Outstanding Overseas Students Award sponsored by the Ministry of Education of China, the 2005 George H. Mitchell Award for Excellence in Graduate Research in the University of Texas at Austin, and the 2005 James C. Browne Outstanding Graduate Student Fellowship in the University of Texas at Austin.