As the Internet becomes an essential part of our everyday computing and communication infrastructure, it has also grown to be a complex distributed system that is hard to characterize. There have been numerous studies on network topology, IP-reachability, and routing dynamics to analyze end-to-end packet forwarding performance. However, there is very little systematic investigation into the influence of other packet transformations that happen along the path, e.g., firewalls, packet filtering, and quality-of-service mapping. Among these, firewalls are ubiquitous as they become indispensable security defense mechanisms used in business and enterprise networks. Just as router mis-configurations can lead to unpredictable routing problems, misconfigured firewalls may fail to enforce the intended security policies, or may incur high packet processing delay. Unfortunately, firewall configuration for a large, complex enterprise network is a demanding and error-prone task, even for experienced administrators. Firewalls can be distributed in many parts of the network or across layers (IP-layer filtering versus application-layer solutions) to cooperatively achieve a global, network-wide policy. As distributed firewall rules are concatenated, it becomes extremely difficult to predict the resulting end-to-end behavior and whether it meets the higher-level security policy.
Intellectual merit: In this project, the principal investigators (PIs) propose to develop a unified framework for policy-checking, optimization, and auto-reconfiguration of distributed firewalls. This research will provide novel analysis, design techniques, and tools to better protect our critical information infrastructures from attacks. The PIs will explore providing consistent and efficient security protection for an enterprise that may have geographically distributed business networks served by different local Internet Service Providers. They adopt an interdisciplinary technical approach that leverages close collaboration among the three PIs, whose expertise spans networking, security, and programming languages and compilers, to design an integrated solution. In particular, the PIs propose a systematic treatment of the problem by casting it as a static program analysis question, exploiting well-established and rigorous techniques from the area of programming languages and compilers. The PIs will pursue the following closely related tasks:
Policy Validation for Security: The PIs first classify all possible policy anomalies (including both inconsistency and inefficiency) in firewall configurations. They will model firewalls as finite-state transition systems and apply symbolic model checking techniques on these finite-state representations to detect both intra-firewall and inter-firewall policy anomalies. The policy validation method consists of two phases. First, they perform control-flow analysis and identify all possible flow paths. Second, they perform data-flow analysis and check for anomalies on every path. Identifying most intra-firewall and inter-firewall anomalies can be accomplished in one traversal. The processing results of each path are further used to identify inter-path misconfigurations.
Policy Optimization for Performance: In a typical firewall setting, a packet is compared against a list of rules sequentially until the packet matches a rule. Firewalls with complex rule sets can cause significant delays on network traffic and therefore become a bottleneck (especially in high-speed networks) and an attractive target for DoS attacks. Therefore, it is important to optimize packet filtering to meet network Quality of Service (QoS) requirements. In addition, the total number of rules configured and the order of rules also play major roles in the load and efficiency of a firewall. The PIs approach this problem by representing filtering rules as binary decision diagrams (BDDs) and generating "optimal filter rule sets" from the internal BDD representation. They also apply dataflow analysis to hoist identical or similar rules from different paths to a common location to reduce traffic. They will leverage the underlying network topology, routing, and traffic distribution information in the optimization step to improve the efficiency of firewall checking, which enhances packet-forwarding performance. The key advantage of this approach is the ability to proactively prevent vulnerabilities in firewalls since static analysis can be applied before the actual deployment of firewalls.
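The two tasks above, intra-firewall anomaly detection in one traversal and order-based optimization that keeps the policy's semantics, can be illustrated on a single rule list. The following is an added example written for this page, not the PIs' tool and not a BDD implementation: it models each rule as a conjunction of closed integer ranges (hosts are small integers standing in for IPv4 addresses, a simplification), reports shadowed, redundant, generalizing and correlated rules by pairwise subset and overlap tests against the live rules that precede each rule, and then reorders the rule list by constructed traffic counts while never letting a rule pass an earlier rule that overlaps it with a different action. The sample policy, hit counts and field ranges are all constructed; the `equivalent` check verifies that the reordered list decides every packet exactly as the original does by testing all combinations of range endpoints.

```python
"""Static analysis of a firewall rule list (added example, not the project's tool):
pairwise anomaly detection (shadowing, redundancy, generalization, correlation)
and a semantics-preserving reorder that puts frequently hit rules first.
All rules, addresses and hit counts below are constructed for illustration."""
from dataclasses import dataclass
from itertools import product

FIELDS = ("src", "dst", "dport")

@dataclass(frozen=True)
class Rule:
    name: str
    src: tuple    # (lo, hi) inclusive; hosts are small ints here instead of IPv4 addresses
    dst: tuple
    dport: tuple
    action: str   # "allow" or "deny"

    def matches(self, pkt):
        return all(lo <= v <= hi for (lo, hi), v in zip((self.src, self.dst, self.dport), pkt))

def subset(a, b):
    """True if every packet matched by rule a is also matched by rule b."""
    return all(getattr(b, f)[0] <= getattr(a, f)[0] and getattr(a, f)[1] <= getattr(b, f)[1]
               for f in FIELDS)

def overlap(a, b):
    """True if some packet is matched by both rules."""
    return all(max(getattr(a, f)[0], getattr(b, f)[0]) <= min(getattr(a, f)[1], getattr(b, f)[1])
               for f in FIELDS)

def find_anomalies(rules):
    """One traversal: each rule is compared with the live rules that precede it.
    A rule fully covered by an earlier rule can never fire (shadowed if the actions
    differ, redundant if they agree); it is marked dead and skipped afterwards."""
    report, dead = [], set()
    for j, rj in enumerate(rules):
        for ri in rules[:j]:
            if ri.name in dead:
                continue
            if subset(rj, ri):                      # rj is unreachable
                kind = "shadowed" if ri.action != rj.action else "redundant"
                report.append((kind, rj.name, ri.name))
                dead.add(rj.name)
                break
            if ri.action != rj.action:
                if subset(ri, rj):                  # earlier rule is an exception to rj
                    report.append(("generalization", rj.name, ri.name))
                elif overlap(ri, rj):               # partial overlap: order-dependent
                    report.append(("correlation", rj.name, ri.name))
    return report

def first_match(rules, pkt, default="deny"):
    for r in rules:
        if r.matches(pkt):
            return r.action
    return default

def equivalent(rules_a, rules_b):
    """Two rule lists agree on all packets iff they agree on every combination of
    range boundary points, so the check is exhaustive without enumerating all packets."""
    axes = []
    for f in FIELDS:
        pts = set()
        for r in list(rules_a) + list(rules_b):
            lo, hi = getattr(r, f)
            pts.update((lo, hi, lo - 1, hi + 1))
        axes.append(sorted(pts))
    return all(first_match(rules_a, p) == first_match(rules_b, p) for p in product(*axes))

def cost(rules, hits):
    """Comparisons performed by a sequential filter: each hit pays for its rule's position."""
    return sum(hits.get(r.name, 0) * pos for pos, r in enumerate(rules, start=1))

def safe_reorder(rules, hits):
    """Drop dead rules, then greedily place the most-hit ready rule next. A rule is
    ready once every earlier rule that overlaps it with a different action has been
    placed; rules with the same action may pass each other without changing the policy."""
    dead = {n for kind, n, _ in find_anomalies(rules) if kind in ("shadowed", "redundant")}
    live = [r for r in rules if r.name not in dead]
    before = {r.name: set() for r in live}
    for i, ri in enumerate(live):
        for rj in live[i + 1:]:
            if ri.action != rj.action and overlap(ri, rj):
                before[rj.name].add(ri.name)
    ordered, placed = [], set()
    while len(ordered) < len(live):
        ready = [r for r in live if r.name not in placed and before[r.name] <= placed]
        best = max(ready, key=lambda r: hits.get(r.name, 0))
        ordered.append(best)
        placed.add(best.name)
    return ordered

ANY_HOST, ANY_PORT = (0, 255), (0, 65535)
RULES = [  # constructed sample policy
    Rule("r1", (10, 10), ANY_HOST, (22, 22), "deny"),
    Rule("r2", ANY_HOST, (50, 50), (80, 80), "allow"),
    Rule("r3", (10, 10), (50, 50), (22, 22), "allow"),    # shadowed by r1
    Rule("r4", (20, 20), (50, 50), (80, 80), "allow"),    # redundant with r2
    Rule("r5", ANY_HOST, (50, 50), (0, 1023), "deny"),    # generalizes r2
    Rule("r6", ANY_HOST, ANY_HOST, (443, 443), "allow"),  # correlates with r5
]
HITS = {"r1": 5, "r2": 900, "r5": 40, "r6": 600}         # constructed traffic counts

if __name__ == "__main__":
    for anomaly in find_anomalies(RULES):
        print(anomaly)
    new = safe_reorder(RULES, HITS)
    print([r.name for r in new], cost(RULES, HITS), "->", cost(new, HITS))
    print("equivalent:", equivalent(RULES, new))
```

The ordering constraint is the whole correctness argument: if two rules overlap with the same action, whichever fires first yields the same decision, so only overlapping rules with different actions pin a relative order. Real deployments would replace the integer host ranges with address prefixes and add protocol and source-port fields, but the subset and overlap tests stay per-field conjunctions, and the traffic counts that drive the reorder are the same per-rule hit counters most firewalls already expose.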
Broader Impacts: The proposed research efforts will help system and network administrators to configure networked systems more securely and efficiently. The educational component, which is directed at both undergraduate and graduate students, complements the research activities. Research results will be incorporated into new and existing courses. The PIs will actively participate in UC Davis' minority outreach programs to recruit students from underrepresented groups into science and engineering. In addition, firewall configuration tools developed in the project will be distributed for teaching