
A Model of Stateful Firewalls and its Properties






Presentation Transcript


  1. A Model of Stateful Firewalls and its Properties
  Mohamed G. Gouda and Alex X. Liu
  {gouda, alex}@cs.utexas.edu
  June 2005

  2. Firewalls
  • A firewall connects a private network and the outside Internet
  • It accepts or discards each incoming or outgoing packet

  3. Stateful Firewalls
  • A stateless firewall decides to accept or discard a packet based on the packet itself
  • A stateful firewall decides to accept or discard a packet based on: (1) the packet itself, (2) the packets that the firewall has accepted previously
  • Why stateful? Finer control. For example, a stateful firewall may accept an incoming “pong” packet only after it has accepted the outgoing “ping” packet

  4. Firewall Models
  • Models for stateless firewalls exist:
    • A sequence of rules, first match
    • Firewall Decision Diagrams
  • Models for stateful firewalls do not exist
  • This causes two problems: (1) it is hard to do research on stateful firewalls; (2) stateful firewalls cannot be specified by users the way stateless firewalls can

  5. A Stateful Firewall Model
  • When a packet reaches a firewall, an extra field “tag” is added to the packet. The initial value of “tag” is 0
  • Each firewall f has a variable “state”
    • The value of “state” is a subset of the packets accepted earlier by f
    • The initial value of “state” is empty
  • Each firewall has two sections:
    • a stateful section that changes the value of “tag” in each received packet based on the current value of “state”
    • a stateless section that decides to accept or discard a packet based on the values of its fields (including “tag”)

  6. Firewall Example
  • Each packet has two fields (I, X): I=0 indicates the packet is incoming, I=1 indicates the packet is outgoing
  • Design firewall f such that (1) each outgoing packet (1, X) is accepted, and (2) each incoming packet (0, X) is accepted iff X>5 and the firewall has already accepted the outgoing packet (1, X)
  • This implies that whenever f encounters an outgoing packet (1, X) where X>5, f inserts this packet into its “state”

  7. Rules of Firewall Example
  • Stateful Section:
    I=0 and X=X’ → tag:=1
  • Stateless Section:
    I=1 and X ≤ 5 and tag = any → accept
    I=1 and X > 5 and tag = any → accept; insert
    I=0 and X=any and tag = 1 → accept; remove
    I=0 and X=any and tag = 0 → discard

  8. Examples in paper
  • Tracking the Ping protocol (countering smurf attacks): an incoming pong packet is accepted if the corresponding ping packet has been accepted by the firewall recently
  • Tracking outgoing packets: a packet from an outside computer is accepted if an inside host has sent a packet to that computer recently
  • Tracking the FTP protocol

  9. Removing Packets from State
  • A packet is removed from “state” when it is no longer needed
  • Two ways to remove a packet from “state”: (1) by executing the “remove” command; (2) when the time-to-live of the packet expires

  10. Accepted and Acceptable Packets
  • An accepted packet of a firewall f is one that is accepted in every reachable state of f
  • “f.a” denotes the set of all accepted packets of f
  • An acceptable packet of a firewall f is one that is accepted in some reachable state of f
  • “f.b” denotes the set of all acceptable packets of f
  • Theorem 1: f.a is a subset of f.b, and if f is stateless, then f.a = f.b

  11. Stateless Derivatives
  • The stateless derivative g of a firewall f is the firewall obtained by (1) making the stateful section of f empty, and (2) removing “insert” from every rule in the stateless section of f
  • Theorem 2: (1) f.a is a subset of g.a, (2) g.a = g.b, (3) g.b is a subset of f.b

  12. Stateful or Stateless
  • This firewall f seems stateful:
    Stateful Section:
    I=0 and X=X’ → tag:=1
    Stateless Section:
    I=any and X ≤ 5 and tag = any → accept; insert
    I=any and X > 5 and tag = any → discard
  • In fact, f has the same function as its stateless derivative g:
    Stateful Section: (empty)
    Stateless Section:
    I=any and X ≤ 5 and tag = any → accept
    I=any and X > 5 and tag = any → discard

  13. Truly Stateful and Truly Stateless
  • A firewall f is truly stateful iff f.a is a proper subset of f.b
  • A firewall f is truly stateless iff f.a = f.b
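The model of slides 5 to 7 and the definitions of slides 10 to 13 are small enough to execute. The following Python is an added example written for this transcript, not code from the paper or its authors. It simulates a firewall as a stateful section (a predicate relating the current packet to a packet in “state”, which sets “tag”) plus a first-match stateless section whose rules may “insert” or “remove”; it then enumerates every reachable “state” over a constructed finite domain for X to compute f.a and f.b, build the stateless derivative g, and decide whether f is truly stateful. Assumptions not in the slides: X ranges over 0..7 so that reachable states can be enumerated exhaustively; “remove” deletes from “state” exactly the packets that matched the stateful section for the current packet; time-to-live expiry (slide 9) is not modelled. The firewalls f and h below are the ones on slides 7 and 12.

```python
"""Executable model of the Gouda/Liu stateful firewall (added example, not the paper's code)."""
from collections import deque

X_DOMAIN = range(0, 8)                                   # constructed finite domain for field X
PACKETS = [(i, x) for i in (0, 1) for x in X_DOMAIN]    # packets (I, X): I=0 incoming, I=1 outgoing


class Firewall:
    """stateful: predicate(pkt, state_pkt) -> bool, or None for an empty stateful section.
    rules: list of (match(pkt, tag) -> bool, decision, action), evaluated first-match;
    decision is 'accept' or 'discard', action is None, 'insert' or 'remove'."""

    def __init__(self, stateful, rules):
        self.stateful = stateful
        self.rules = rules

    def step(self, pkt, state):
        """Process one packet in a given state; return (decision, new_state)."""
        # Stateful section: tag := 1 iff some packet already in 'state' matches the current packet.
        matched = frozenset(s for s in state if self.stateful and self.stateful(pkt, s))
        tag = 1 if matched else 0
        # Stateless section: the first matching rule decides and may update 'state'.
        for match, decision, action in self.rules:
            if match(pkt, tag):
                if action == "insert":
                    return decision, state | {pkt}
                if action == "remove":           # assumption: remove the packets that produced tag=1
                    return decision, state - matched
                return decision, state
        raise ValueError(f"no rule matches {pkt} with tag {tag}")   # rule sets must be complete

    def run(self, packets):
        """Decisions for a packet sequence, starting from the empty state."""
        state, decisions = frozenset(), []
        for pkt in packets:
            decision, state = self.step(pkt, state)
            decisions.append(decision)
        return decisions

    def reachable_states(self):
        """Breadth-first enumeration of every 'state' reachable from the empty state."""
        seen, queue = {frozenset()}, deque([frozenset()])
        while queue:
            state = queue.popleft()
            for pkt in PACKETS:
                _, nxt = self.step(pkt, state)
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        return seen

    def accepted_and_acceptable(self):
        """(f.a, f.b): packets accepted in every reachable state / in some reachable state (slide 10)."""
        per_state = [frozenset(p for p in PACKETS if self.step(p, s)[0] == "accept")
                     for s in self.reachable_states()]
        return frozenset.intersection(*per_state), frozenset.union(*per_state)

    def stateless_derivative(self):
        """Slide 11: empty the stateful section and drop 'insert' from every rule."""
        return Firewall(None, [(m, d, None if a == "insert" else a) for m, d, a in self.rules])

    def truly_stateful(self):
        """Slide 13: f is truly stateful iff f.a is a proper subset of f.b."""
        fa, fb = self.accepted_and_acceptable()
        return fa < fb


# Stateful rule shared by slides 7 and 12: "I=0 and X=X' -> tag:=1".
same_x = lambda pkt, s: pkt[0] == 0 and pkt[1] == s[1]

# Slide 7 firewall f: every outgoing packet is accepted (and remembered when X > 5); an incoming
# packet is accepted only if a matching outgoing packet is in 'state', which is then removed.
f = Firewall(same_x, [
    (lambda p, t: p[0] == 1 and p[1] <= 5, "accept", None),
    (lambda p, t: p[0] == 1 and p[1] > 5, "accept", "insert"),
    (lambda p, t: p[0] == 0 and t == 1, "accept", "remove"),
    (lambda p, t: p[0] == 0 and t == 0, "discard", None),
])

# Slide 12 firewall h: has a stateful section and inserts, but no rule's decision depends on 'tag'.
h = Firewall(same_x, [
    (lambda p, t: p[1] <= 5, "accept", "insert"),
    (lambda p, t: p[1] > 5, "discard", None),
])

if __name__ == "__main__":
    # Constructed trace: pong before ping is discarded, pong after ping is accepted once, X<=5 never tracked.
    print(f.run([(0, 7), (1, 7), (0, 7), (0, 7), (1, 3), (0, 3)]))
    print("f truly stateful:", f.truly_stateful(), "  h truly stateful:", h.truly_stateful())
```

Running the trace on f gives discard, accept, accept, discard, accept, discard: the second (0, 7) is discarded because the first one removed (1, 7) from “state”. Over the constructed domain, f.a is the 8 outgoing packets and f.b adds the incoming packets (0, 6) and (0, 7), so f is truly stateful, while h accepts exactly the 12 packets with X ≤ 5 in every reachable state and is therefore truly stateless, as slide 12 claims. The derivative g of f satisfies all three parts of Theorem 2.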

  14. Verification of Truly Stateful Firewall
  • In the paper, we present a method for verifying that a firewall is truly stateful
  • A firewall f is truly stateful if f is both “conforming” and “proper”
  • This condition is sufficient (but not necessary) for verifying that a firewall is truly stateful

  15. Conclusions
  • The first model for stateful firewalls
  • Simple, powerful, and compatible with the common model for stateless firewalls
  • Enables us to study the design and analysis of stateful firewalls
