Modeling, Validation, and Optimization of Distributed Firewalls (2003-08)

Project Overview

As the Internet becomes an essential part of our everyday computing and communication infrastructure, it has also grown into a complex distributed system that is hard to characterize. There have been numerous studies of network topology, IP reachability, and routing dynamics aimed at end-to-end packet forwarding performance. There has been very little systematic investigation, however, of the other packet transformations that happen along a path, such as firewalls, packet filtering, and quality-of-service mapping. Among these, firewalls are ubiquitous: they have become an indispensable defense mechanism in business and enterprise networks. Just as router misconfigurations lead to unpredictable routing problems, misconfigured firewalls may fail to enforce the intended security policy, or may add significant packet-processing delay. Unfortunately, configuring the firewalls of a large, complex enterprise network is a demanding and error-prone task, even for experienced administrators. Firewalls may be distributed across many parts of the network and across layers (IP-layer packet filtering versus application-layer solutions), and they must cooperate to enforce a single, network-wide policy. Because a packet is subject to the concatenation of every rule set on its path, it becomes extremely difficult to predict the resulting end-to-end behavior, let alone whether that behavior meets the higher-level security policy.

Fireman: Firewall Modeling and Analysis

As part of this project, we propose to develop a unified framework for policy checking, optimization, and automatic reconfiguration of distributed firewalls. The research will provide new analysis techniques, design techniques, and tools to better protect critical information infrastructure from attack. The target setting is an enterprise whose geographically distributed business networks are served by different local Internet Service Providers and which nevertheless needs consistent and efficient protection. The approach is interdisciplinary, combining the three PIs' expertise in networking, security, and programming languages and compilers into an integrated solution. In particular, we treat the problem systematically by casting it as a static program analysis question: a firewall rule set is viewed as a program over packets, so what it accepts or denies, and how the rule sets along a path compose, can be checked with well-established and rigorous techniques from the programming languages and compilers area.
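To make the "firewall rule set as a program" view concrete, here is an added example written for this page; it is not FIREMAN's own code and does not reproduce its implementation. It analyzes a first-match ACL by tracking which packets each rule can still reach, flags rules that can never fire (redundant when earlier rules agree with them, shadowed when they do not) and rules whose effect depends on ordering, then composes two ACLs along a path and checks the end-to-end accept set against a global policy. The 4-bit address space, the port list, the topology and every rule set are constructed for the example, and packet sets are enumerated explicitly for clarity where a real tool would use a symbolic representation such as BDDs.

```python
"""Added example (not FIREMAN's code): first-match ACL analysis over an
enumerated toy packet space, composition of ACLs along a path, and a check
of the end-to-end result against a global policy.  All addresses, ports,
rule sets and the topology below are constructed for illustration."""
from dataclasses import dataclass
from itertools import product
from typing import Optional

# Constructed universe: 4-bit "addresses", two protocols, five ports.
ADDRS = range(16)
PROTOS = ("tcp", "udp")
PORTS = (22, 23, 53, 80, 443)
UNIVERSE = frozenset(product(ADDRS, ADDRS, PROTOS, PORTS))  # (src, dst, proto, dport)


@dataclass(frozen=True)
class Rule:
    action: str                    # "accept" or "deny"
    src: tuple                     # inclusive (lo, hi) address range
    dst: tuple
    proto: Optional[str] = None    # None matches any protocol
    dport: Optional[int] = None    # None matches any port

    def matches(self, pkt) -> bool:
        src, dst, proto, dport = pkt
        return (self.src[0] <= src <= self.src[1]
                and self.dst[0] <= dst <= self.dst[1]
                and (self.proto is None or self.proto == proto)
                and (self.dport is None or self.dport == dport))


def analyze_acl(rules, universe=UNIVERSE):
    """One pass over a first-match ACL with implicit default deny.

    'remaining' holds packets no earlier rule has decided.  A rule whose whole
    match set is already decided can never fire: redundant if every earlier
    decision agrees with it, shadowed otherwise.  A rule that still fires but
    overlaps earlier rules of the opposite action is order-dependent.
    Returns (accepted, denied, findings)."""
    remaining, accepted, denied = set(universe), set(), set()
    findings = []
    for i, r in enumerate(rules):
        match_set = {p for p in universe if r.matches(p)}
        opposite = denied if r.action == "accept" else accepted
        live = match_set & remaining
        if not live:
            findings.append((i, "shadowed" if match_set & opposite else "redundant"))
        elif match_set & opposite:
            findings.append((i, "order-dependent overlap"))
        (accepted if r.action == "accept" else denied).update(live)
        remaining -= live
    denied |= remaining                      # default deny for unmatched packets
    return accepted, denied, findings


def end_to_end_accept(acls_on_path, universe=UNIVERSE):
    """Packets that reach the destination: every firewall on the path must accept."""
    allowed = set(universe)
    for acl in acls_on_path:
        allowed &= analyze_acl(acl, universe)[0]
    return allowed


def dead_downstream_rules(upstream_accept, downstream_acl):
    """Downstream rules that never see traffic on this path because everything
    they match is already dropped upstream (stale rules or broken services)."""
    return [i for i, r in enumerate(downstream_acl)
            if not any(r.matches(p) for p in upstream_accept)]


def policy_violations(allowed, forbidden):
    """Subset of end-to-end-allowed packets that the global policy forbids."""
    return {p for p in allowed if forbidden(p)}


# Constructed topology: hosts 0-7 are outside, 8-15 are servers; traffic to the
# servers crosses the perimeter firewall and then an internal one.
PERIMETER = [
    Rule("accept", (0, 15), (8, 15), "tcp", 80),
    Rule("accept", (0, 15), (8, 15), "tcp", 443),
    Rule("deny",   (0, 15), (8, 15), "tcp", 23),   # intent: no telnet to servers
    Rule("accept", (0, 7),  (8, 15), "tcp"),       # "partner network gets any TCP"
    Rule("deny",   (0, 15), (8, 15), "tcp", 80),   # never fires: rule 0 took everything
    Rule("accept", (0, 15), (8, 15), "tcp", 443),  # never fires, agrees with rule 1
]
INTERNAL = [
    Rule("accept", (0, 15), (8, 15), "tcp", 22),
    Rule("accept", (0, 15), (8, 15), "tcp", 23),   # relies on the perimeter to block telnet
    Rule("accept", (0, 15), (8, 15), "tcp", 80),
    Rule("accept", (0, 15), (8, 15), "tcp", 443),
    Rule("accept", (0, 15), (8, 15), "udp", 53),
]


# Global policy, expressed as predicates over the packets it forbids.
def no_telnet_to_servers(p):
    return p[1] >= 8 and p[2] == "tcp" and p[3] == 23


def ssh_only_from_admin_host_0(p):
    return p[1] >= 8 and p[2] == "tcp" and p[3] == 22 and p[0] != 0


if __name__ == "__main__":
    perim_accept, _, perim_findings = analyze_acl(PERIMETER)
    allowed = end_to_end_accept([PERIMETER, INTERNAL])
    print("perimeter findings:", perim_findings)
    print("internal rules unreachable on this path:", dead_downstream_rules(perim_accept, INTERNAL))
    print("ssh-policy violations:", len(policy_violations(allowed, ssh_only_from_admin_host_0)))
```

Each firewall on its own looks plausible, yet the composed path admits SSH to the servers from every partner host (the perimeter's broad "any TCP" rule meets the internal firewall's generic SSH rule), never delivers the DNS traffic the internal firewall expects (the perimeter accepts no UDP), and carries a telnet rule that can never match. Those are exactly the end-to-end questions that are hard to answer by reading rule sets one at a time.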

People

Faculty

Graduate Students and Alumni

  • Ghassan Misherghi, CS (MS)
  • Lihua Yuan, ECE (PhD, 2008)

Publications

G. Misherghi, L. Yuan, Z. Su, C-N. Chuah, and H. Chen, "A General, Formal Framework for Evaluating Firewall Optimization Techniques," IEEE Transactions on Network and Service Management, vol. 5, no. 4, pp. 227-238, December 2008.

F. Khan, L. Yuan, C-N. Chuah, and S. Ghiasi, "Programmable and Real-time Network Traffic Measurements," ACM/IEEE Symposium on Architectures for Networking and Communications Systems, November 2008.

L. Yuan, C-N. Chuah, and P. Mohapatra, "ProgME: Towards Programmable Network MEasurement," ACM SIGCOMM, August 2007.

L. Yuan, J. Mai, Z. Su, H. Chen, C-N. Chuah, and P. Mohapatra, "FIREMAN: A Toolkit for Firewall Modeling and Analysis," IEEE Symposium on Security and Privacy, May 2006.

Code

The FIREMAN parser and checker are available for download. Note that the current code handles stateless packet-filter rule sets only; it can NOT analyze stateful firewalls. Our goal is to share the code with researchers and network administrators who are interested in our techniques; however, we will not be able to support its future development.

Talks

"Network Measurements, Anomaly Detection, and Firewalls," Hewlett Packard Labs-Palo Alto, CA, April 2007 and Intel Santa Clara, May 2007.

"Measuring and Managing Distributed Networked Systems," Fall 2006 Complex Systems Seminars, Computational Science and Engineering, UC Davis, December 2006.

"Validating System Behavior of Large-Scale Networked Computers," NSF Workshop on Theory of Networked Computation, March 2006.

Funding

This material is based upon work supported by the National Science Foundation NeTS-NBD Grant No. 0520320 (2005-08). Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.