Show simple item record

dc.contributor.advisorGouda, Mohamed G., 1947-en
dc.creatorBhattacharya, Hrishikeshen
dc.date.accessioned2012-11-13T18:59:17Zen
dc.date.available2012-11-13T18:59:17Zen
dc.date.created2012-08en
dc.date.issued2012-11-13en
dc.date.submittedAugust 2012en
dc.identifier.urihttp://hdl.handle.net/2152/ETD-UT-2012-08-5931en
dc.descriptiontexten
dc.description.abstractFirewalls, packet filters placed at the boundary of a network in order to screen incoming packets of traffic (and discard any undesirable packets), are a prominent component of network security. In this dissertation, we make several contributions to the study of firewalls. 1. Current algorithms for verifying the correctness of firewall policies use O(n[superscrip d]) space, where n is the number of rules in the firewall (several thousand) and d the number of fields in a rule (about five). We develop a fast probabilistic firewall verification algorithm, which runs in time and space O(nd), and determines whether a firewall F satisfies a property P. The algorithm is provably correct in several interesting cases -- notably, for every instance where it states that F does not satisfy P -- and the overall probability of error is extremely small, of the order of .005%. 2. As firewalls are often security-critical systems, it may be necessary to verify the correctness of a firewall with no possibility of error, so there is still a need for a fast deterministic firewall verifier. In this dissertation, we present a deterministic firewall verification algorithm that uses only O(nd) space. 3. In addition to correctness, optimizing firewall performance is an important issue, as slow-running firewalls can be targeted by denial-of-service attacks. We demonstrate in this dissertation that in fact, there is a strong connection between firewall verification and detection of redundant rules; an algorithm for one can be readily adapted to the other task. We suggest that our algorithms for firewall verification can be used for firewall optimization also. 4. In order to help design correct and efficient firewalls, we suggest two metrics for firewall complexity, and demonstrate how to design firewalls as a battery of simple firewall modules rather than as a monolithic sequence of rules. We also demonstrate how to convert an existing monolithic firewall into a modular firewall. We propose that modular design can make firewalls easy to design and easy to understand. Thus, this dissertation covers all stages in the life cycle of a firewall -- design, testing and verification, and analysis -- and makes contributions to the current state of the art in each of these fields.en
dc.format.mimetypeapplication/pdfen
dc.language.isoengen
dc.subjectFirewallsen
dc.subjectFirst matchen
dc.subjectVerificationen
dc.subjectRule sequenceen
dc.titleOn the modular verification and design of firewallsen
dc.date.updated2012-11-13T18:59:23Zen
dc.identifier.slug2152/ETD-UT-2012-08-5931en
dc.contributor.committeeMemberLam, Simon S.en
dc.contributor.committeeMemberMok, Aloysius K.en
dc.contributor.committeeMemberQiu, Lilien
dc.contributor.committeeMemberGarg, Vijay K.en
dc.description.departmentComputer Sciencesen
dc.type.genrethesisen
thesis.degree.departmentComputer Sciencesen
thesis.degree.disciplineComputer Scienceen
thesis.degree.grantorUniversity of Texas at Austinen
thesis.degree.levelDoctoralen
thesis.degree.nameDoctor of Philosophyen


Files in this item

Icon

This item appears in the following Collection(s)

Show simple item record