[ about | people | publications | reports ]

---

Project Overview

As the Internet becomes an essential part of our everyday computing and communication infrastructure, it has also grown to be a complex distributed system that is hard to characterize. There have been numerous studies on network topology, IP-reachability, and routing dynamics to analyze end-to-end packet forwarding performance. However, there is very little systematic investigation into the influence of other packet transformations that happen along the path, e.g., firewalls, packet filtering, and quality-of-service mapping. Among these, firewalls are ubiquitous as they become indispensable security defense mechanisms used in business and enterprise networks. Just as router mis-configurations can lead to unpredictable routing problems, misconfigured firewalls may fail to enforce the intended security policies, or may incur high packet processing delay. Unfortunately, firewall configuration for a large, complex enterprise network is a demanding and error-prone task, even for experienced administrators. Firewalls can be distributed in many parts of the network or across layers (IP-layer filtering versus application-layer solutions) to cooperatively achieve a global, network-wide policy. As distributed firewall rules are concatenated, it becomes extremely difficult to predict the resulting end-to-end behavior and whether it meets the higher-level security policy.

Fireman: Firewall Modeling and Analysis

As part of this project, we propose to develop a unified framework for policy-checking, optimization, and auto-reconfiguration of distributed firewalls. This research will provide novel analysis, design techniques, and tools to better protect our critical information infrastructures from attacks. We target at providing consistent and efficient security protection for an enterprise that may have geographically distributed business networks served by different local Internet Service Providers. We adopt an inter-disciplinary technical approach that leverages multiway communications among the three PIs with expertise in networking, security, and programming languages and compilers areas to design an integrated solution. In particular, we propose a systematic treatment of the problem by casting it as a static program analysis question, exploiting well-established and rigorous techniques from the area of programming languages and compilers.

People

Faculty C-N. Chuah H. Chen Z. Su

Graduate Students Ghassan Misherghi, CS Lihua Yuan, ECE

Publications

• L. Yuan, J. Mai, Z. Su, H. Chen, C-N. Chuah, and P. Mohapatra, "FIREMAN: A Toolkit for Firewall Modeling and Analysis," to appear in IEEE Symposium on Security and Privacy, May 2006. [pdf]

Acknowlegements

This material is based upon work supported by the National Science Foundation NeTS-NBD Grant No. 0520320 (2005-08). Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.

Related Research Activities & Publications

In addition to firewalls, we have also analyzed security vulnerability of Domain Name Service and explored the use of collaborative overlays to detect DNS cache poisoning attacks. This work is done in collaboration with Prof. P. Mohapatra (UC Davis) and Dr. K. Kant (Intel).

• L. Yuan, K. Kant, P. Mohapatra, and C-N. Chuah, "A Proxy View of Quality of Domain Name Service," to appear in IEEE INFOCOM 2007.

• L. Yuan, K. Kant, P. Mohapatra, and C-N. Chuah, "Dox: A Peer-to-Peer Antidote for DNS Cache Poisoning Attacks," IEEE ICC, June 2006. [pdf]

---

[ RUBINET Home Page]