Firewalls, packet filters placed at the boundary of a network in order to screen incoming packets of traffic (and discard any undesirable packets), are a prominent component of network security. In this dissertation, we make several contributions to the study of firewalls.
1. Current algorithms for verifying the correctness of firewall policies use O(nd) space, where n is the number of rules in the firewall (several thousand) and d the number of fields in a rule (about five). We develop a fast probabilistic firewall verification algorithm, which runs in time and space O(nd), and determines whether a firewall F satisfies a property P. The algorithm is provably correct in several interesting cases—notably, for every instance where it states that F does not satisfy P—and the overall probability of error is extremely small, of the order of .005%.
2. As firewalls are often security-critical systems, it may be necessary to verify the correctness of a firewall with no possibility of error, so there is still a need for a fast deterministic firewall verifier. In this dissertation, we present a deterministic firewall verification algorithm that uses only O(nd) space.
3. In addition to correctness, optimizing firewall performance is an important issue, as slow-running firewalls can be targeted by denial-of-service attacks. We demonstrate in this dissertation that in fact, there is a strong connection between firewall verification and detection of redundant rules; an algorithm for one can be readily adapted to the other task. We suggest that our algorithms for firewall verification can be used for firewall optimization also.
4. In order to help design correct and efficient firewalls, we suggest two metrics for firewall complexity, and demonstrate how to design firewalls as a battery of simple firewall modules rather than as a monolithic sequence of rules. We also demonstrate how to convert an existing monolithic firewall into a modular firewall. We propose that modular design can make firewalls easy to design and easy to understand.
Thus, this dissertation covers all stages in the life cycle of a firewall—design, testing and verification, and analysis—and makes contributions to the current state of the art in each of these fields.
|Advisor:||Gouda, Mohamed G.|
|Commitee:||Garg, Vijay K., Lam, Simon S., Mok, Aloysius K., Qiu, Lili|
|School:||The University of Texas at Austin|
|School Location:||United States -- Texas|
|Source:||DAI-B 74/12(E), Dissertation Abstracts International|
|Subjects:||Computer Engineering, Computer science|
|Keywords:||Firewall optimization, Firewalls, Modular verification, Redundant rules, Security-critical systems|
Copyright in each Dissertation and Thesis is retained by the author. All Rights Reserved
The supplemental file or files you are about to download were provided to ProQuest by the author as part of a
dissertation or thesis. The supplemental files are provided "AS IS" without warranty. ProQuest is not responsible for the
content, format or impact on the supplemental file(s) on our system. in some cases, the file type may be unknown or
may be a .exe file. We recommend caution as you open such files.
Copyright of the original materials contained in the supplemental file is retained by the author and your access to the
supplemental files is subject to the ProQuest Terms and Conditions of use.
Depending on the size of the file(s) you are downloading, the system may take some time to download them. Please be