Modeling, Validation, and Optimization of Distributed Firewalls (2005-09)
Project Overview
As the Internet becomes an essential part of our everyday computing and communication infrastructure, it has also grown to be a complex distributed system that is hard to characterize. There have been numerous studies on network topology, IP-reachability, and routing dynamics to analyze end-to-end packet forwarding performance. However, there is very little systematic investigation into the influence of other packet transformations that happen along the path, e.g., firewalls, packet filtering, and quality-of-service mapping. Among these, firewalls are ubiquitous as they become indispensable security defense mechanisms used in business and enterprise networks. Just as router mis-configurations can lead to unpredictable routing problems, misconfigured firewalls may fail to enforce the intended security policies, or may incur high packet processing delay. Unfortunately, firewall configuration for a large, complex enterprise network is a demanding and error-prone task, even for experienced administrators. Firewalls can be distributed in many parts of the network or across layers (IP-layer filtering versus application-layer solutions) to cooperatively achieve a global, network-wide policy. As distributed firewall rules are concatenated, it becomes extremely difficult to predict the resulting end-to-end behavior and whether it meets the higher-level security policy.
Fireman: Firewall Modeling and Analysis
As part of this project, we propose to develop a unified framework for policy-checking, optimization, and auto-reconfiguration of distributed firewalls. This research will provide novel analysis, design techniques, and tools to better protect our critical information infrastructures from attacks. We target consistent and efficient security protection for an enterprise that may have geographically distributed business networks served by different local Internet Service Providers. We adopt an inter-disciplinary technical approach that leverages close collaboration among the three PIs, whose expertise spans networking, security, and programming languages and compilers, to design an integrated solution. In particular, we propose a systematic treatment of the problem by casting it as a static program analysis question, exploiting well-established and rigorous techniques from the area of programming languages and compilers.
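To make the "static program analysis" view concrete, the following is an added example written for this page; it is not FIREMAN's code and does not reproduce its algorithms. It treats a chain of stateless packet filters like a program and reasons about sets of packets rather than testing individual ones: a local check finds rules that can never fire (a later rule fully covered by an earlier one), and an end-to-end check proves or refutes a network-wide policy by splitting the header space at every rule boundary and evaluating one representative per cell, which is exact because every rule's verdict is constant inside a cell. The two-firewall layout, the rule shapes (src, dst, destination-port range) and first-match-with-default-deny semantics are assumptions made for the illustration.

```python
"""Added example, not FIREMAN's code: check a chain of stateless packet
filters over sets of packets. Rules, addresses and the network layout
below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str                   # "accept" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: range                  # destination ports, half-open like range()

    def matches(self, src, dst, port):
        return src in self.src and dst in self.dst and port in self.ports

    def covers(self, other):
        """True if every packet matched by `other` is also matched by self."""
        return (other.src.subnet_of(self.src) and other.dst.subnet_of(self.dst)
                and other.ports.start >= self.ports.start
                and other.ports.stop <= self.ports.stop)


def first_match(rules, src, dst, port):
    """First-match semantics with an implicit final deny (assumed ACL model)."""
    for r in rules:
        if r.matches(src, dst, port):
            return r.action
    return "deny"


def delivered(path, src, dst, port):
    """A packet reaches its destination only if every filter on the path accepts it."""
    return all(first_match(fw, src, dst, port) == "accept" for fw in path)


def find_shadowed(rules):
    """Intra-firewall check: a rule fully covered by one earlier rule never fires.
    Same action -> redundant (harmless); different action -> shadowed (likely a bug)."""
    findings = []
    for i, r in enumerate(rules):
        for j in range(i):
            if rules[j].covers(r):
                kind = "redundant" if rules[j].action == r.action else "shadowed"
                findings.append((i, j, kind))
                break
    return findings


def _cells(intervals):
    """Split one dimension at every rule boundary and return the lower end
    of each resulting cell. Inside a cell no rule's verdict changes, so one
    representative value per cell covers every packet in it exactly."""
    pts = sorted({p for iv in intervals for p in iv})
    return [lo for lo, _hi in zip(pts, pts[1:])]


def _ip_iv(net):
    return (int(net.network_address), int(net.broadcast_address) + 1)


def find_leaks(path, forbidden):
    """End-to-end check: one representative (src, dst, port) per packet class
    inside `forbidden` that the whole chain would deliver. An empty result
    means no packet in the forbidden region gets through, not just no sample."""
    rules = [r for fw in path for r in fw] + [forbidden]
    src_reps = _cells(_ip_iv(r.src) for r in rules)
    dst_reps = _cells(_ip_iv(r.dst) for r in rules)
    port_reps = _cells((r.ports.start, r.ports.stop) for r in rules)
    leaks = []
    for s in src_reps:
        src = ipaddress.IPv4Address(s)
        if src not in forbidden.src:
            continue
        for d in dst_reps:
            dst = ipaddress.IPv4Address(d)
            if dst not in forbidden.dst:
                continue
            for port in port_reps:
                if port in forbidden.ports and delivered(path, src, dst, port):
                    leaks.append((str(src), str(dst), port))
    return leaks


ANY = ipaddress.ip_network("0.0.0.0/0")
CORP = ipaddress.ip_network("10.0.0.0/8")
SERVERS = ipaddress.ip_network("10.1.0.0/16")

# Constructed layout: inbound traffic crosses the border filter EDGE, then
# INTERNAL in front of the server subnet.
EDGE = [
    Rule("accept", ANY, SERVERS, range(1, 1025)),  # broad "open the servers" rule
    Rule("deny",   ANY, CORP,    range(23, 24)),   # intended: no telnet from outside
    Rule("accept", ANY, CORP,    range(80, 81)),
]
INTERNAL = [
    Rule("accept", ANY, SERVERS, range(1, 1025)),
    Rule("deny",   ANY, SERVERS, range(23, 24)),   # never fires: covered by the rule above
]
# The network-wide policy both firewalls are meant to help enforce.
NO_TELNET = Rule("deny", ANY, CORP, range(23, 24))


def fixed_edge():
    """Same EDGE rules with the telnet deny moved ahead of the broad accept."""
    return [EDGE[1], EDGE[0], EDGE[2]]


if __name__ == "__main__":
    print("shadowed in INTERNAL:", find_shadowed(INTERNAL))
    print("policy leaks:", find_leaks([EDGE, INTERNAL], NO_TELNET))
    print("after reordering EDGE:", find_leaks([fixed_edge(), INTERNAL], NO_TELNET))
```

Run as a script, the example reports that INTERNAL's telnet deny is shadowed, that the concatenated chain still delivers telnet to the server subnet (reported as one representative packet per leaking class), and that reordering the border filter closes the leak even though the shadowed rule in INTERNAL remains. That last point is the distinction the page draws: a rule-level anomaly in one firewall and a violation of the global policy are different questions, and only composing the filters along the path answers the second.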
L. Yuan, C-N. Chuah, and P. Mohapatra, "ProgME: Towards Programmable Network MEasurement," ACM SIGCOMM, August 2007.
F. Khan, L. Yuan, C-N. Chuah, and S. Ghiasi, "Programmable and Real-time Network Traffic Measurements," ACM/IEEE Symposium on Architectures for Networking and Communications Systems, November 2008.
G. Misgherghi, L. Yuan, Z. Su, C-N. Chuah, and H. Chen, "A General Framework for Benchmarking Firewall Optimization Techniques," IEEE Transactions on Network and Service Management, vol. 5, no. 4, pp. 227-238, December 2008.
Code
The FIREMAN parser and checker are available here under the GPL license. The tool currently can NOT handle stateful firewalls. Our goal is to share the code with researchers and network administrators who are interested in our techniques. However, we will not be able to support future development of the code.
This material is based upon work supported by the National Science Foundation NeTS-NBD Grant No. 0520320 (2005-08). Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.