Show simple item record

dc.creatorBhattacharya, Hrishikesh
dc.date.accessioned2012-11-13T18:59:17Z
dc.date.available2012-11-13T18:59:17Z
dc.date.created2012-08
dc.date.issued2012-11-13
dc.date.submittedAugust 2012
dc.identifier.urihttp://hdl.handle.net/2152/ETD-UT-2012-08-5931
dc.descriptiontext
dc.description.abstractFirewalls, packet filters placed at the boundary of a network in order to screen incoming packets of traffic (and discard any undesirable packets), are a prominent component of network security. In this dissertation, we make several contributions to the study of firewalls. 1. Current algorithms for verifying the correctness of firewall policies use O(n[superscrip d]) space, where n is the number of rules in the firewall (several thousand) and d the number of fields in a rule (about five). We develop a fast probabilistic firewall verification algorithm, which runs in time and space O(nd), and determines whether a firewall F satisfies a property P. The algorithm is provably correct in several interesting cases -- notably, for every instance where it states that F does not satisfy P -- and the overall probability of error is extremely small, of the order of .005%. 2. As firewalls are often security-critical systems, it may be necessary to verify the correctness of a firewall with no possibility of error, so there is still a need for a fast deterministic firewall verifier. In this dissertation, we present a deterministic firewall verification algorithm that uses only O(nd) space. 3. In addition to correctness, optimizing firewall performance is an important issue, as slow-running firewalls can be targeted by denial-of-service attacks. We demonstrate in this dissertation that in fact, there is a strong connection between firewall verification and detection of redundant rules; an algorithm for one can be readily adapted to the other task. We suggest that our algorithms for firewall verification can be used for firewall optimization also. 4. In order to help design correct and efficient firewalls, we suggest two metrics for firewall complexity, and demonstrate how to design firewalls as a battery of simple firewall modules rather than as a monolithic sequence of rules. We also demonstrate how to convert an existing monolithic firewall into a modular firewall. We propose that modular design can make firewalls easy to design and easy to understand. Thus, this dissertation covers all stages in the life cycle of a firewall -- design, testing and verification, and analysis -- and makes contributions to the current state of the art in each of these fields.
dc.format.mimetypeapplication/pdf
dc.language.isoeng
dc.subjectFirewalls
dc.subjectFirst match
dc.subjectVerification
dc.subjectRule sequence
dc.titleOn the modular verification and design of firewalls
dc.date.updated2012-11-13T18:59:23Z
dc.identifier.slug2152/ETD-UT-2012-08-5931
dc.description.departmentComputer Sciences
dc.type.genrethesis*
thesis.degree.departmentComputer Sciences
thesis.degree.disciplineComputer Science
thesis.degree.grantorUniversity of Texas at Austin
thesis.degree.levelDoctoral
thesis.degree.nameDoctor of Philosophy


Files in this item

Icon

This item appears in the following Collection(s)

Show simple item record