On the modular verification and design of firewalls


On the modular verification and design of firewalls

Show simple record

dc.contributor.advisor Gouda, Mohamed G., 1947-
dc.creator Bhattacharya, Hrishikesh
dc.date.accessioned 2012-11-13T18:59:17Z
dc.date.available 2012-11-13T18:59:17Z
dc.date.created 2012-08
dc.date.issued 2012-11-13
dc.date.submitted August 2012
dc.identifier.uri http://hdl.handle.net/2152/ETD-UT-2012-08-5931
dc.description.abstract Firewalls, packet filters placed at the boundary of a network in order to screen incoming packets of traffic (and discard any undesirable packets), are a prominent component of network security. In this dissertation, we make several contributions to the study of firewalls. 1. Current algorithms for verifying the correctness of firewall policies use O(n[superscrip d]) space, where n is the number of rules in the firewall (several thousand) and d the number of fields in a rule (about five). We develop a fast probabilistic firewall verification algorithm, which runs in time and space O(nd), and determines whether a firewall F satisfies a property P. The algorithm is provably correct in several interesting cases -- notably, for every instance where it states that F does not satisfy P -- and the overall probability of error is extremely small, of the order of .005%. 2. As firewalls are often security-critical systems, it may be necessary to verify the correctness of a firewall with no possibility of error, so there is still a need for a fast deterministic firewall verifier. In this dissertation, we present a deterministic firewall verification algorithm that uses only O(nd) space. 3. In addition to correctness, optimizing firewall performance is an important issue, as slow-running firewalls can be targeted by denial-of-service attacks. We demonstrate in this dissertation that in fact, there is a strong connection between firewall verification and detection of redundant rules; an algorithm for one can be readily adapted to the other task. We suggest that our algorithms for firewall verification can be used for firewall optimization also. 4. In order to help design correct and efficient firewalls, we suggest two metrics for firewall complexity, and demonstrate how to design firewalls as a battery of simple firewall modules rather than as a monolithic sequence of rules. We also demonstrate how to convert an existing monolithic firewall into a modular firewall. We propose that modular design can make firewalls easy to design and easy to understand. Thus, this dissertation covers all stages in the life cycle of a firewall -- design, testing and verification, and analysis -- and makes contributions to the current state of the art in each of these fields.
dc.format.mimetype application/pdf
dc.language.iso eng
dc.subject Firewalls
dc.subject First match
dc.subject Verification
dc.subject Rule sequence
dc.title On the modular verification and design of firewalls
dc.date.updated 2012-11-13T18:59:23Z
dc.identifier.slug 2152/ETD-UT-2012-08-5931
dc.contributor.committeeMember Lam, Simon S.
dc.contributor.committeeMember Mok, Aloysius K.
dc.contributor.committeeMember Qiu, Lili
dc.contributor.committeeMember Garg, Vijay K.
dc.description.department Computer Sciences
dc.type.genre thesis
dc.type.material text
thesis.degree.department Computer Sciences
thesis.degree.discipline Computer Science
thesis.degree.grantor University of Texas at Austin
thesis.degree.level Doctoral
thesis.degree.name Doctor of Philosophy

Files in this work

Size: 408.2Kb
Format: application/pdf

This work appears in the following Collection(s)

Show simple record

Advanced Search


My Account