Firewall Modules and Modular Firewalls

H. B. Acharya, University of Texas at Austin, acharya@cs.utexas.edu
Aditya Joshi, University of Texas at Austin, adityaj@cs.utexas.edu
M. G. Gouda, National Science Foundation, mgouda@nsf.gov

Abstract: A firewall is a packet filter placed at an entry point of a network in the Internet. Each packet that goes through this entry point is checked by the firewall to determine whether to accept or discard the packet. The firewall makes this determination based on a specified sequence of overlapping rules. The firewall uses the first-match criterion to determine which rule in the sequence should be applied to which packet. Thus, to compute the set of packets to which a rule is applied, the firewall designer needs to consider all the rules that precede this rule in the sequence. This "rule dependency" complicates the task of designing firewalls (especially those with thousands of rules), and makes firewalls hard to understand. In this paper, we present a metric, called the dependency metric, for measuring the complexity of firewalls. This metric, though accurate, does not seem to suggest ways to design firewalls whose dependency metrics are small. Thus, we present another metric, called the inversion metric, and develop methods for designing firewalls with small inversion metrics. We show that the dependency metric and the inversion metric are correlated for some classes of firewalls. So by aiming to design firewalls with small inversion metrics, the designer may end up with firewalls whose dependency metrics are small as well. We present a method for designing modular firewalls whose inversion metrics are very small. Each modular firewall consists of several components, called firewall modules. The inversion metric of each firewall module is very small: in fact, 1 or 2. Thus, we conclude that modular firewalls are easy to design and easy to understand.

I. INTRODUCTION

A firewall is a packet filter that is placed at an entry point of a network in the Internet.
The function of a firewall is to check each packet that goes through the entry point (at which the firewall is located) and determine whether to accept the packet and allow it to proceed on its way or to discard the packet.

The firewall performs its function based on a specified sequence of rules. Each rule is of the form

<predicate> → <decision>

where <predicate> is a function that assigns to each packet a boolean value, true or false, and <decision> is either "accept" or "discard".

When a packet p reaches a firewall F, F performs two steps:

1) F identifies the first rule r (in its sequence of rules) whose <predicate> assigns the value true to packet p.
2) If the <decision> of rule r is accept (or discard, respectively) then F accepts (or discards, respectively) packet p.

Note that F employs a "first-match" criterion to determine which rule (in its sequence of rules) should be applied to which packet. This first-match criterion allows the rules in the rule sequence to be "overlapping". This can be both advantageous and disadvantageous.

The advantage of making the rules in the rule sequence overlapping is that it reduces the number of rules in the rule sequence, sometimes dramatically. The disadvantage is that it creates many dependencies between the rules in the rule sequence. This, in turn, complicates the task of designing and understanding the rule sequence. For instance, if the firewall designer needs to compute the set of packets to which a rule r (in the rule sequence) applies, then the designer needs to consider not only rule r but also all the rules that precede r in the rule sequence.

In this paper, we introduce a metric, called the "dependency metric", that measures the complexity of firewalls. The larger the value of the metric for a given firewall, the more complex the firewall is and the harder it is to design and understand.
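To make the first-match criterion and the resulting rule dependency concrete, the following is a minimal Python sketch, not the authors' implementation. The packet representation (a dictionary with hypothetical fields `src` and `dst_port`), the names `Rule`, `first_match`, and `applies`, and the choice to return `None` when no rule matches are all assumptions made for illustration; the text above does not specify them.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Hypothetical packet representation: field name -> integer value.
Packet = Dict[str, int]


@dataclass
class Rule:
    predicate: Callable[[Packet], bool]  # the <predicate> of the rule
    decision: str                        # the <decision>: "accept" or "discard"


def first_match(rules: List[Rule], packet: Packet) -> Optional[str]:
    """Return the decision of the first rule whose predicate is true.

    Returns None if no rule matches (an assumption of this sketch).
    """
    for rule in rules:
        if rule.predicate(packet):
            return rule.decision
    return None


def applies(rules: List[Rule], index: int, packet: Packet) -> bool:
    """True if rules[index] is the rule actually applied to the packet.

    This depends on every preceding rule: the rule applies only when
    its own predicate holds and no earlier predicate does.
    """
    if any(r.predicate(packet) for r in rules[:index]):
        return False
    return rules[index].predicate(packet)


# Three overlapping rules: the first carves an exception out of the second,
# and the third is a catch-all.
rules = [
    Rule(lambda p: p["dst_port"] == 25 and p["src"] == 7, "discard"),
    Rule(lambda p: p["dst_port"] == 25, "accept"),
    Rule(lambda p: True, "discard"),
]
```

In this sketch the predicate of the second rule is true for a packet with `src` 7 and `dst_port` 25, yet `applies(rules, 1, ...)` is false for that packet because the first rule matches earlier. This is the dependency on preceding rules that the text describes.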
Unfortunately, the dependency metric, though accurate, does not seem to suggest methods for designing firewalls for which the values of the metric are small. Thus, we introduce another complexity metric, called the "inversion metric", for measuring the complexity of firewalls.

We show, below, that the dependency metric and the inversion metric are correlated (at least for a rich class of firewalls called "uniform firewalls"). This result allows us to use the inversion metric as a good approximation of the dependency metric.

Then, we identify three classes of firewalls, namely "simple firewalls", "partitioned firewalls", and "modular firewalls", for which the values of the inversion metric are small. (This implies that these classes of firewalls are easier to design and understand.) We also describe methods for designing firewalls in these three classes.

Of particular interest is the class of modular firewalls. Each modular firewall consists of simple firewall components, called "firewall modules". The value of the inversion metric for each firewall module is 1 or 2. This causes the value of the inversion metric for the full firewall to be 1 or 2. (Note that the smallest possible value of the inversion metric is 1.)

We present an algorithm that takes as input any firewall F whose inversion metric is large and computes as output an equivalent modular firewall MF whose inversion metric is (by definition) 1 or 2. The complexity of this algorithm is $O(n^2)$