Firewall design: consistency, completeness, and compactness

24th International Conference on Distributed Computing Systems, 2004. Proceedings. Pub Date : 2004-03-24 DOI:10.1109/ICDCS.2004.1281597

M. Gouda, A. Liu

{"title":"Firewall design: consistency, completeness, and compactness","authors":"M. Gouda, A. Liu","doi":"10.1109/ICDCS.2004.1281597","DOIUrl":null,"url":null,"abstract":"A firewall is often placed at the entrance of each private network in the Internet. The function of a firewall is to examine each packet that passes through the entrance and decide whether to accept the packet and allow it to proceed or to discard the packet. A firewall is usually designed as a sequence of rules. To make a decision concerning some packets, the firewall rules are compared, one by one, with the packet until one rule is found to be satisfied by the packet: this rule determines the fate of the packet. We present the first ever method for designing the sequence of rules in a firewall to be consistent, complete, and compact. Consistency means that the rules are ordered correctly, completeness means that every packet satisfies at least one rule in the firewall, and compactness means that the firewall has no redundant rules. Our method starts by designing a firewall decision diagram (FDD, for short) whose consistency and completeness can be checked systematically (by an algorithm). We then apply a sequence of five algorithms to this FDD to generate, reduce and simplify the target firewall rules while maintaining the consistency and completeness of the original FDD.","PeriodicalId":348300,"journal":{"name":"24th International Conference on Distributed Computing Systems, 2004. Proceedings.","volume":"18 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2004-03-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"223","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"24th International Conference on Distributed Computing Systems, 2004. Proceedings.","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ICDCS.2004.1281597","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 223

Abstract

A firewall is often placed at the entrance of each private network in the Internet. The function of a firewall is to examine each packet that passes through the entrance and decide whether to accept the packet and allow it to proceed or to discard the packet. A firewall is usually designed as a sequence of rules. To make a decision concerning some packets, the firewall rules are compared, one by one, with the packet until one rule is found to be satisfied by the packet: this rule determines the fate of the packet. We present the first ever method for designing the sequence of rules in a firewall to be consistent, complete, and compact. Consistency means that the rules are ordered correctly, completeness means that every packet satisfies at least one rule in the firewall, and compactness means that the firewall has no redundant rules. Our method starts by designing a firewall decision diagram (FDD, for short) whose consistency and completeness can be checked systematically (by an algorithm). We then apply a sequence of five algorithms to this FDD to generate, reduce and simplify the target firewall rules while maintaining the consistency and completeness of the original FDD.

查看原文本刊更多论文

防火墙设计:一致性、完整性和紧凑性

防火墙通常位于Internet中每个专用网络的入口。防火墙的功能是检查通过入口的每个数据包，并决定是接受数据包并允许其继续进行还是丢弃数据包。防火墙通常被设计成一系列规则。为了对某些数据包做出决定，防火墙规则会与数据包逐一进行比较，直到找到一条符合该数据包的规则:该规则决定了数据包的命运。我们提出了有史以来第一个设计防火墙规则序列的方法，使其一致、完整和紧凑。一致性是指规则的顺序正确;完整性是指每个数据包至少满足防火墙中的一条规则;紧凑性是指防火墙中没有冗余规则。我们的方法从设计一个防火墙决策图(简称FDD)开始，它的一致性和完整性可以被系统地检查(通过算法)。然后，我们将五种算法的序列应用于该FDD，以生成，减少和简化目标防火墙规则，同时保持原始FDD的一致性和完整性。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

24th International Conference on Distributed Computing Systems, 2004. Proceedings.

自引率

0.00%

发文量