Firewall Compressor: An Algorithm for Minimizing Firewall Policies

Liu, A. X.; Torng, Eric; Meiners, Chad R.

doi:10.1109/infocom.2007.44

Cited by 29 publications

(51 citation statements)

References 3 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This problem is reformulated as a scheduling problem where each single field rule is a task and the goal is to obtain a schedule with the minimum number of tasks [17]. This technique was previously used by Suri to compress the number of entries in a routing table [18].…”

Section: Rule Reduction Techniquesmentioning

confidence: 99%

See 1 more Smart Citation

Reducing packet delay through filter merging

Comerford

Davies

Grout

2016

Proceedings of the 9th International Conference on Utility and Cloud Computing

View full text Add to dashboard Cite

Section: Rule Reduction Techniquesmentioning

confidence: 99%

“…If the destination node of the edge only has a single incoming edge, then the node can be safely deleted as it cannot be part of a discard path. Firstly, the node is removed from the node list and its memory is deallocated (lines [17][18]. The process repeats until the stack becomes empty.…”

Section: Fdd Pruningmentioning

confidence: 99%

Reducing packet delay through filter merging

Comerford

Davies

Grout

2016

Proceedings of the 9th International Conference on Utility and Cloud Computing

View full text Add to dashboard Cite

“…Some also compute reachability and determine if firewalls enforce an overall policy. We use BDDs from [16] for efficient rule application which are similar in purpose to Michigan State's Firewall Decision Diagrams (FDDs) [27]- [29].…”

Section: Related Workmentioning

confidence: 99%

Modeling Modern Network Attacks and Countermeasures Using Attack Graphs

Ingols

Chu

Lippmann

et al. 2009

2009 Annual Computer Security Applications Conference

157

View full text Add to dashboard Cite

Abstract-By accurately measuring risk for enterprise networks, attack graphs allow network defenders to understand the most critical threats and select the most effective countermeasures. This paper describes substantial enhancements to the NetSPA attack graph system required to model additional present-day threats (zero-day exploits and client-side attacks) and countermeasures (intrusion prevention systems, proxy firewalls, personal firewalls, and host-based vulnerability scans). Point-to-point reachability algorithms and structures were extensively redesigned to support "reverse" reachability computations and personal firewalls. Host-based vulnerability scans are imported and analyzed. Analysis of an operational network with 85 hosts demonstrates that client-side attacks pose a serious threat. Experiments on larger simulated networks demonstrated that NetSPA's previous excellent scaling is maintained. Less than two minutes are required to completely analyze a four-enclave simulated network with more than 40,000 hosts protected by personal firewalls.

show abstract

“…Although TCAM Razor achieves higher compression ratio than using redundancy removal alone, our redundancy removal algorithm can handle classifier updates more efficiently because redundancy removal does not rewrite any rule. In [30], Liu et al presented an algorithm for compressing firewall rules. Although the compression algorithm in [30] can be used to compress general packet classifiers, it compresses rules specified in ranges, not in prefixes.…”

Section: Related Workmentioning

confidence: 99%

“…In [30], Liu et al presented an algorithm for compressing firewall rules. Although the compression algorithm in [30] can be used to compress general packet classifiers, it compresses rules specified in ranges, not in prefixes.…”

Section: Related Workmentioning

confidence: 99%

Complete Redundancy Removal for Packet Classifiers in TCAMs

Liu

Gouda

2010

IEEE Trans. Parallel Distrib. Syst.

View full text Add to dashboard Cite

Abstract-Packet classification is the core mechanism that enables many networking services on the Internet such as firewall packet filtering and traffic accounting. Using Ternary Content Addressable Memories (TCAMs) to perform high-speed packet classification has become the de facto standard in the industry. TCAMs classify packets in constant time by comparing a packet with all classification rules of ternary encoding in parallel. Despite their high speed, TCAMs suffer from the well-known interval expansion problem. As packet classification rules usually have fields specified as intervals, converting such rules to TCAM-compatible rules may result in an explosive increase in the number of rules. This is not a problem if TCAMs have large capacities. Unfortunately, TCAMs have very limited capacity, and more rules means more power consumption and more heat generation for TCAMs. Even worse, the number of rules in packet classifiers have been increasing rapidly with the growing number of services deployed on the Internet. In this paper, we propose to address the interval expansion problem of TCAMs by removing redundant rules in classifiers. This equivalent transformation can significantly reduce the number of TCAM entries needed by a classifier. Our experiments on real-life classifiers show an average reduction of 58.2 percent in the number of TCAM entries by removing redundant rules. Given the logical interleaving nature of packet filtering rules, identifying redundant rules in classifiers is by no means trivial, and to achieve the guarantee of no redundant rules in resulting classifiers is even more challenging. In this paper, for the first time, we give a necessary and sufficient condition for identifying all redundant rules in a classifier. Based on this condition, we categorize redundant rules into upward redundant rules and downward redundant rules. Second, we present two algorithms for detecting and removing the two types of redundant rules, respectively. Third, we formally prove that the resulting classifiers have no redundant rules after running the two algorithms. Last, we conduct extensive experiments on both real-life and synthetic classifiers. The experimental results show that our redundancy removal algorithms are both effective and efficient.

show abstract

Firewall Compressor: An Algorithm for Minimizing Firewall Policies

Cited by 29 publications

References 3 publications

Reducing packet delay through filter merging

Reducing packet delay through filter merging

Modeling Modern Network Attacks and Countermeasures Using Attack Graphs

Complete Redundancy Removal for Packet Classifiers in TCAMs

Contact Info

Product

Resources

About