Completeness Issue (slide 11)

Interface   Source IP         Dest. IP      Dest. Port   Protocol   Decision
0           malicious hosts   any           any          any        discard
0           any               mail server   25           TCP        accept
1           {host1, host2}    any           80           TCP        accept
any         any               any           any          any        accept

This firewall accepts
- non-email packets to the email server!
- email packets to hosts other than the email server!
This is wrong (assuming this firewall is required to discard the above two types of packets).
Completeness Issue (slide 12)

Interface   Source IP         Dest. IP      Dest. Port   Protocol   Decision
0           malicious hosts   any           any          any        discard
0           any               mail server   25           TCP        accept
0           any               mail server   any          any        discard
0           any               any           25           TCP        discard
1           {host1, host2}    any           80           TCP        accept
any         any               any           any          any        accept

This firewall accepts
- non-email packets to the email server!
- email packets to hosts other than the email server!
This is wrong (assuming this firewall is required to discard the above two types of packets).
Need to add two more rules.
Completeness issue: hard to ensure all necessary rules are included.
Compactness Issue (slide 13)

Interface   Source IP         Dest. IP      Dest. Port   Protocol   Decision
0           malicious hosts   any           any          any        discard
0           any               mail server   25           TCP        accept
0           any               mail server   any          any        discard
0           any               any           25           TCP        discard
1           {host1, host2}    any           80           TCP        accept
any         any               any           any          any        accept

This rule is redundant!
Compactness issue: hard to ensure all rules are needed.
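The completeness and compactness problems on slides 11 to 13 can both be checked mechanically once the rule table is modelled with first-match semantics. The following is an added example, not part of the slides: it encodes the slide's tables (host names such as "malicious", "host1", "mailserver" are constructed placeholders), evaluates packets first-match, reports interface-0 packets that violate the stated mail policy (the policy is assumed here to apply to interface 0 only, matching the two rules the slide adds), and finds rules whose removal changes no decision.

```python
# Added example (not from the slides); host names are constructed placeholders.
from itertools import product

ANY = "any"
FIELDS = ("iface", "src", "dst", "dport", "proto")

def rule(iface, src, dst, dport, proto, decision):
    return dict(zip(FIELDS, (iface, src, dst, dport, proto)), decision=decision)

def matches(r, pkt):
    """A field matches when the rule says 'any', lists the value in a set, or equals it."""
    for f, v in zip(FIELDS, pkt):
        rv = r[f]
        if rv == ANY or (isinstance(rv, frozenset) and v in rv) or rv == v:
            continue
        return False
    return True

def decide(rules, pkt):
    """First-match semantics: the first matching rule decides; None if none matches."""
    return next((r["decision"] for r in rules if matches(r, pkt)), None)

SLIDE_12 = [  # the table after the two rules were added (slides 12 and 13)
    rule(0, "malicious", ANY, ANY, ANY, "discard"),
    rule(0, ANY, "mailserver", 25, "TCP", "accept"),
    rule(0, ANY, "mailserver", ANY, ANY, "discard"),
    rule(0, ANY, ANY, 25, "TCP", "discard"),
    rule(1, frozenset({"host1", "host2"}), ANY, 80, "TCP", "accept"),
    rule(ANY, ANY, ANY, ANY, ANY, "accept"),
]
SLIDE_11 = [SLIDE_12[0], SLIDE_12[1], SLIDE_12[4], SLIDE_12[5]]  # before the fix

# Representative packets: every value some rule tests plus one "other" per field.
# Rules only test equality or set membership, so this covers every matching case.
SPACE = list(product([0, 1], ["malicious", "host1", "host2", "other"],
                     ["mailserver", "other"], [25, 80, 443], ["TCP", "UDP"]))

def mail_policy_violations(rules):
    """Interface-0 packets accepted although the policy says discard: non-email
    traffic to the mail server, or email (TCP/25) traffic to any other host."""
    def must_discard(p):
        iface, _, dst, dport, proto = p
        return iface == 0 and (dst == "mailserver") != (dport == 25 and proto == "TCP")
    return [p for p in SPACE if must_discard(p) and decide(rules, p) == "accept"]

def redundant_rules(rules):
    """Indices of rules whose removal changes no decision over SPACE (compactness)."""
    base = [decide(rules, p) for p in SPACE]
    return [i for i in range(len(rules))
            if [decide(rules[:i] + rules[i + 1:], p) for p in SPACE] == base]
```

Running the checks shows the slide-11 table accepting non-email traffic to the mail server, and in the slide-13 table the interface-1 rule is the redundant one, since every earlier rule is restricted to interface 0 and the catch-all already accepts that traffic.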
Consistency, Completeness, and Compactness (slide 14)

Consistency and completeness issues cause firewall errors.
Compactness issue causes low firewall performance:
- Fewer rules, faster decision
- Fast firewalls use TCAM (Ternary Content Addressable Memory)

packet -> Firewall (a sequence of rules) -> decision

Solution: Structured Firewall Design