5 research outputs found

    Using IDDs for Packet Filtering

    Firewalls are one of the key technologies used to control the traffic going in and out of a network. A central feature of the firewall is the packet filter. In this paper, we propose a complete framework for packet classification. Through two applications we demonstrate that both performance and security can be improved. We show that a traditional ordered rule set can always be expressed as a first-order logic formula on integer variables. Moreover, we emphasize that, with such a specification, the packet filtering problem is known to be solvable in constant time. We propose to represent the first-order logic formula as Interval Decision Diagrams (IDDs). This structure has several advantages. First, the algorithm for removing redundancy and unnecessary tests is very simple. Secondly, it allows us to handle integer variables, which makes it efficient on generic CPUs. And, finally, we introduce an extension of IDDs called Multi-Terminal Interval Decision Diagrams in order to deal with any number of policies. As for efficiency, we evaluate the performance of our framework through a prototype toolkit composed of a compiler and a packet filter. The results of the experiments show that this method is efficient in terms of CPU usage and has low storage requirements. Finally, we outline a tool, called Network Access Verifier, which demonstrates how the IDD representation can be used for verifying access properties of a network, potentially improving the security of the network as a whole.

    Design and Implementation of Stateful Packet Filtering Firewall and optimization using Binary Decision Diagram

    Today the internet is the most useful and largest source of knowledge; we can find almost any information on it. At the same time we are exposed to different types of attacks, such as packet spoofing, Denial of Service attacks and so on, so we have to secure the network against these attacks in order to find information without any hiccups. A firewall lets us secure our network against this type of attack. Many types of firewall currently exist, but we focus specifically on the stateful packet filtering firewall. Stateful packet filtering is an improved version of the packet filter firewall in which only the first packet of a new connection is validated against the firewall rules. If that packet is permitted by the rule policy, a corresponding entry is created in the state table, so that subsequent packets of the same connection are not validated against the firewall rules again; the firewall checks only whether the packet belongs to an existing connection. If the packet belongs to an existing connection it is passed through the firewall immediately, with no need to check it against the rules; if the packet belongs to a new connection, it is passed through if and only if it satisfies the rules, and an entry is then created in the state table. A problem arises, however, when the rule list is large. Today firewall rule sets contain thousands or lakhs of rules, so deciding whether a packet is allowed takes a long time. We can improve this lookup time by using a Binary Decision Diagram (BDD). A BDD is a compressed data structure that decides immediately whether a packet should be passed or not, and operations are performed directly on the compressed data structure. In tests on millions of packets, the lookup time decreases by up to 74%.

    Toward Static Analysis of SIGNAL Programs using Interval Techniques

    This paper presents a work-in-progress aiming at improving the functional analysis of Signal programs. The usually adopted technique relies on abstractions. Typically, in order to check the presence or absence of variables in a program at some logical instants, the program is transformed into another program that reflects its clock information so that the presence or absence of each variable can be straightforwardly checked. Signal adopts a boolean abstraction for the static functional analysis of programs. This abstraction does not make it possible to fully reason on the values of non-logical variables. Here, we propose a solution based on interval techniques in order to be able to deal with both the logical and the numerical parts of programs.

    Formal analysis of firewall policies

    This dissertation describes a technique for formally analyzing a firewall security policy using a quasi-reduced multiway decision diagram model. The analysis allows a system administrator to detect and repair errors in the configuration of the firewall without a tedious manual inspection of the firewall rules.

    We present four major contributions. First, we describe a set of algorithms for representing a firewall rule set as a multiway decision diagram and for solving logical queries against that model. We demonstrate the application of these techniques in a tool for analyzing iptables firewalls. Second, we present an extension of our work that enables analysis of systems of connected firewalls and of firewalls that use network address translation and other packet mangling rules. Third, we demonstrate a technique for decomposing a network into classes of equivalent hosts. These classes can be used to detect errors in a firewall policy without a priori knowledge of potential vulnerabilities. They can also be used with other firewall testing techniques to ensure comprehensive coverage of the test space. Fourth, we discuss a strategy for partially automating repair of the firewall policy through the use of counterexamples and rule history.

    Using these techniques, a system administrator can detect and repair common firewall errors, such as typos, out-of-order rules, and shadowed rules. She can also develop a specification of the behaviors of the firewall and validate the firewall policy against that specification.

    An MTIDD based firewall using decision diagrams for packet filtering

    This paper explores the use of Multi-Terminal Interval Decision Diagrams (MTIDDs) as the central structure of a firewall packet filtering mechanism. This is done by first relating the packet filtering problem to predicate logic, then implementing a prototype which is used in an empirical evaluation. The main benefits of the MTIDD structure are that it provides access to Boolean algebra over filters, efficient classification time, and a compact representation. Results from the empirical evaluation show that MTIDDs are scalable in terms of memory usage (a 50,000 rule filter requires only 3 MB of memory) and efficient for packet classification: the prototype is able to handle more rules than the schemes it was compared to without causing a degradation in performance.