Reasoning about firewall policies through refinement and composition

Abstract

Network and host-based access controls, for example, firewall systems, are important points of security-demarcation, operating as a front-line defence for networks and networked systems. A firewall policy is conventionally defined as a sequence of order-dependant rules, and when a network packet matches with two or more policy rules, the policy is anomalous. Policies for access-control mechanisms may consist of thousands of access-control rules, and correct management is complex and error-prone. We argue that a firewall policy should be anomaly-free by construction, and as such, there is a need for a firewall policy language that allows for constructing, comparing, and composing anomaly-free policies. In this paper, an algebra is proposed for constructing and reasoning about anomaly-free firewall policies. Based on the notion of refinement as safe replacement, the algebra provides operators for sequential composition, union and intersection of policies. The effectiveness of the algebra is demonstrated by its application to anomaly detection, and standards compliance. The effectiveness of the approach in practice is evaluated through a mapping to/from iptables. The algebra is used to specify and reason about iptables firewall policy configurations. A prototype policy management toolkit has been implemented.

Keywords

Firewalls algebra iptables anomalies policy-composition

1. Introduction

Firewall policy management is complex and error-prone. A misconfigured policy may permit accesses that were intended to be denied and/or vice-versa. We regard the specification of a firewall policy as a process that evolves, as threats to, and access requirements for, resources behind a firewall do not usually remain static, and over time, a policy or distributed policy configuration may be updated on an ad-hoc basis, possibly by multiple specifiers/administrators. This can be problematic and may introduce anomalies; whereby the intended semantics of the specified access controls become ambiguous.

A firewall policy is conventionally defined as a sequence of order-dependent rules. A rule is composed of filter conditions and a target action. Filter conditions usually consist of fields/attributes from IP, TCP/UDP headers; with the most commonly used attributes being source/destination IP/port, and network protocol. Target actions are usually allow or deny. When a network packet matches with two or more policy rules, the policy is anomalous [2,10].

A firewall policy may be developed as a collection of independent or related specifications that an administrator will need to replace by a policy that adequately captures the requirements of the individual specifications. A configuration may need to be updated with additional policy specifications when a new threat is identified, or when a new permissible access is required. Therefore, having a consistent means of composing these specifications is desirable. The objective of this paper is to develop a theory about composing anomaly-free firewall policies. When a policy is anomaly-free, there is no ambiguity as to whether a given network packet is allowed or denied by the firewall. Our goal is to provide an algebra where policies are anomaly-free by construction.

Example 1.
When configuring the rules that define a firewall policy, the specifier must understand the relationship of each rule to every other rule in the policy. Consider, as a running example, a company that employs a team of administrators and a team of developers. There are two network security policy requirements, whereby network traffic destined to the IP range $[1 . . 3]$ on ports $[1 . . 3]$ is to be allowed from the administrators, and traffic destined to the IP range $[2 . . 4]$ on ports $[2 . . 4]$ is to be allowed from the developers. For ease of exposition, we give the IPs as natural numbers, and the IP and port ranges as intervals of $N$ . For simplicity, we do not consider the source IP ranges for the administrators and the developers.

Specifying the requirements. System Administrator $Bob$ manages the network access controls for the administration and development teams. He specifies the network security policy requirement for the administration team as: ${Pol}_{Admin} = = ⟨ (1, [1 . . 3], [1 . . 3], allow) ⟩$ , whereby $1$ is the position of the rule in the policy, the first instance of $[1 . . 3]$ is the required destination IP range, the second instance of $[1 . . 3]$ is the required destination port range, and $allow$ , means that network traffic matching this pattern is permitted traversal of the firewall. Similarly, for the development team, he specifies: ${Pol}_{Dev} = = ⟨ (1, [2 . . 4], [2 . . 4], allow) ⟩$ . Bob needs to combine ${Pol}_{Admin}$ and ${Pol}_{Dev}$ into a single firewall policy, and security requirements may change. He requires a consistent means of composing firewall policies, whereby the result is anomaly-free and upholds the enforcements of each policy involved in the composition.

Sequential composition. To specify the firewall policy for the company, he tries sequentially composing ${Pol}_{Admin}$ and ${Pol}_{Dev}$ as follows: ${Pol}_{Admin} ⌢ {Pol}_{Dev} = ⟨ (1, [1 . . 3], [1 . . 3], allow), (2, [2 . . 4], [2 . . 4], allow) ⟩$ . This approach, however, does not does yield the desired result. That is, in the above specification ( ${Pol}_{Admin} ⌢ {Pol}_{Dev}$ ), the rule at position $1$ allows some of the IP/port pairs allowed by the rule at position $2$ and vice-versa. Therefore, the policy is anomalous. From this, we have that the naïve sequential composition of rules is not a consistent operation when specifying an anomaly-free policy.

A flattening approach. To specify the firewall policy, Bob considers the approach whereby for each IP/port pair allowed by the company’s network security policy requirements, there is a rule to allow each IP/port pair. He specifies: $⟨ (1, [1 . . 1], [1 . . 1], allow), (2, [1 . . 1], [2 . . 2], allow) . . (14, [4 . . 4], [4 . . 4], allow) ⟩$ . This policy does provide the desired result, in that it is both anomaly-free and consistent with the two network security policy requirements involved in the composition. We observe however, that this approach is tedious, error-prone and not practical for large numbers of IPs/ports or large numbers of policy rules.

A different approach. Bob is required to specify the firewall policy whereby policy rules allow the IP/port-range pairs from either ${Pol}_{Admin}$ or ${Pol}_{Dev}$ . To specify the policy for the company, he decides to compose the two requirements into a single requirement as follows: $⟨ (1, [1 . . 4], [1 . . 4], allow) ⟩$ . This approach, however, is inconsistent with the two network security policy requirements outlined by the company. That is, the result of composition is an overly-permissive firewall policy, whereby network traffic is permitted to IP $1$ on port $4$ , and to IP $4$ on port $1$ . Conversely, this approach would result in an overly-restrictive policy if the rules had a target action of $deny$ .

A better approach. Bob is required to specify the firewall policy whereby the desired result is the smallest number of anomaly-free rules that allow all the IP/port pairs from either ${Pol}_{Admin}$ or ${Pol}_{Dev}$ . He specifies the policy: $⟨ (1, [1 . . 4], [2 . . 3], allow), (2, [1 . . 3], [1 . . 1], allow), (3, [2 . . 4], [4 . . 4], allow) ⟩$ . In this case, the result is as desired, as it is the smallest number of anomaly-free rules that allow all the IP/port pairs from either ${Pol}_{Admin}$ or ${Pol}_{Dev}$ .

Mutual policy enforcements. Bob receives a request to configure the policy that allows the IP/port pairs from both ${Pol}_{Admin}$ and ${Pol}_{Dev}$ . He specifies: $⟨ (1, [2 . . 3], [2 . . 3], allow) ⟩$ . In this case, the specification provides the desired result, and defines the smallest number of anomaly-free rules that allow all the IP/port pairs from both ${Pol}_{Admin}$ and ${Pol}_{Dev}$ . We observe that the resulting policy upholds the restrictions of both ${Pol}_{Admin}$ and ${Pol}_{Dev}$ .

Conflicting policy decisions. Suppose, for example, the policy rules specified were: $⟨ (1, [1 . . 3], [1 . . 3], allow), (2, [2 . . 4], [2 . . 4], deny) ⟩$ . Then this policy is anomalous, as rule $2$ denies packets already allowed by rule $1$ . As such, then a semantically-equivalent interpretation of the policy, defining the smallest number of anomaly-free rules, may be specified by Bob as follows: $⟨ (1, [1 . . 3], [1 . . 3], allow), (2, [2 . . 4], [4 . . 4], deny), (3, [4 . . 4], [2 . . 3], deny) ⟩$ .

For an administrator, it may be relatively straightforward to understand policy composition where only a small number of rules are involved, however, this does not scale. We argue that to reason confidently a policy or distributed policy configuration is anomaly-free and adequately mitigates the identified threats; a common framework is required, whereby knowledge related to detailed access control configurations and standards-based firewall policies can be represented and reasoned about.

In this paper, we present a firewall policy algebra ${FW}_{1}$ for constructing and reasoning over anomaly-free policies. The algebra allows policies to be composed in such a way, that the result upholds the access requirements of each policy involved; and permits one to reason as to whether some policy is a safe (secure) replacement for another policy in the sense of [19,20,28]. In this paper, when one policy is considered a safe (secure) replacement for another, then this means that the former is no less restrictive than the latter. The proposed algebra is used to reason about iptables firewall policy configurations. We derive a filter condition specification for ${FW}_{1}$ from a collection of attributes expressible in firewall rules from the iptables filter table. iptables is a command line utility used to define policies for the Linux kernel firewall Netfilter [37]. We focus on stateful and stateless firewall policies that are defined in terms of constraints on source and destination IP and port ranges, the TCP, UDP and ICMP protocols, and additional filter condition attributes. Note, the notion of state in iptables is an abstraction, where given literals signify user-land ‘states’ that packets within tracked connections can be related to.

The primary contribution of this paper is an algebra ${FW}_{1}$ , that can be used to reason about firewall policies using refinement and composition operators. The effectiveness of the algebra is demonstrated by using it to characterise anomalies in firewall policies and to define standards compliance. The effectiveness of the approach in practice is evaluated through a mapping to/from iptables. The evaluation shows that the approach is practical for large policies. This paper is a revised and extended version of the work in [38]. In the sequel, we encode additional filtering specifications in ${FW}_{1}$ , in particular, for OSI Layer 2 packet-types and MAC addresses, OSI Layer 7 Linux UIDs and GIDs, and Application layer protocols recognisable by iptables. We also develop a definition for time-based filtering rules. We include new definitions for anomaly detection through policy composition, and describe how to incorporate an additional target action of ‘log’ for firewall rules in the algebra. An extended definition for firewall rule (duplet datatype) ordering, as well as implementation definitions for duplet join and difference are given.

The paper is organised as follows. In Section 2, we specify the core filter condition specification for rules in the ${FW}_{1}$ algebra. The specification is derived from filter condition attributes expressible in firewall rules for the iptables filter table. Section 3 introduces the notion of adjacency, which is at the heart of reasoning about/composing firewall rules that involve IP/port ranges. In Section 4 we define datatypes for firewall rule attributes, such as IP/port ranges. Section 5 defines the firewall policy algebra ${FW}_{1}$ . In Section 6, we use ${FW}_{1}$ to reason about firewall policies in practice. Section 7 describes a prototype policy management toolkit for iptables and presents some preliminary results. Related work is outlined in Section 8 and Section 9 concludes the paper. The Z notation [42] is used to provide a consistent syntax for structuring and presenting the definitions and examples in this paper. We use only those parts of Z that can be intuitively understood and the Appendix gives a brief overview of the notation used. Mathematical definitions have been syntax- and type-checked using the fuzz tool.
2. Attributes of a Linux-based firewall

In this section, the core filter condition attributes used to define firewall rules in the ${FW}_{1}$ firewall algebra are formally specified. Attributes are derived from the Data Link, Network, Transport and Application Layers of the OSI model. Additional filter condition attributes are also defined. Attribute definitions are extended in Section 4 to specify range-based filter conditions used to define firewall rules in the ${FW}_{1}$ policy algebra. The attributes defined in this paper are based on the expressiveness on the iptables firewall. The following example demonstrates the specification of a firewall rule using the iptables command-line syntax.

Example 2.
The following iptables access-control rule specifies that inbound (INPUT) TCP packets (-p tcp) originating from the IP address 0.0.0.1 (-s 0.0.0.1) destined to the IP address 0.0.0.2 (-d 0.0.0.2) will be permitted traversal of the firewall (-j ACCEPT). $\begin{matrix} iptables -t filter -A INPUT -p tcp -s 0.0.0.1 -d 0.0.0.2 -j ACCEPT \end{matrix}$ Note, the filter table is the default table for iptables, therefore it is not necessary to include the (-t filter) option when specifying a firewall rule.

2.1. Data link layer filtering

Packet-type. iptables allows for the specification of firewall rules that filter the type of packet at the Data Link layer of the OSI model. Let $PktTpe$ be the set of Data Link-layer packet types, whereby: $\begin{matrix} PktTpe : : = unicast ∣ broadcast ∣ multicast \end{matrix}$

Media access control (MAC) addresses. iptables allows for constructing firewall rules that filter the MAC address of a Ethernet device at the Data Link layer of the OSI model. Filtering is applied to source MAC addresses entering the FORWARD or INPUT chains of the filter table [37]. Let basic type $MAC$ be the set of all MAC addresses. We define: $\begin{matrix} [MAC] \end{matrix}$ For simplicity, we do not consider how the values of $MAC$ may be constructed, other than to assume that the usual human-readable notation can be used, such as 00:0F:EA:91:04:08 and $00:0F:EA:91:04:09 \in MAC$ .

2.2. Network layer filtering

IP addresses. iptables allows the specification of firewall rules that filter the source/destination IP address of a network packet. For simplicity, we consider only the IPv4 address range, as a firewall rule with an IPv6 address filter condition attribute must be specified using ip6tables; the equivalent IPv6 firewall [25]. In this paper, IP addresses as encoded using natural numbers, as there is a logical mapping from IPs to natural numbers, and a logical mapping from IP ranges and CIDR blocks to intervals of $N$ . This is done for ease of exposition, and to exploit the natural ordering of ⩽ over $N$ . We define the constant $maxIP$ , whereby: $\begin{matrix} maxIP = = 2^{32} - 1 \end{matrix}$

ICMP. iptables allows for filtering by ICMP Type and Code. Let $TypesCodes$ be the set of all valid ICMP Type/Code pairs, as detailed in [40]. Most Type/Code pairs $i, j \in N$ are given as $(i, j) \in TypesCodes$ , for example, $(8,0)$ is an ICMP Echo Request, however, some ICMP Types $i \in N$ ; for example, Type $19$ (reserved for security), have no ICMP Code, and are given as $(i, - 1) \in TypesCodes$ . Note, for ease of exposition we use syntactic sugar in the definition of $TypesCodes$ as a free-type. $\begin{matrix} TypesCodes : : = (0,0) ∣ (3,0) ∣ (3,1) ∣ (3,2) ∣ (3,3) ∣ (3,4) ∣ (3,5) ∣ (3,6) ∣ (3,7) ∣ \\ (3,8) ∣ (3,9) ∣ (3,10) ∣ (3,11) ∣ (3,12) ∣ (3,13) ∣ (3,14) ∣ (3,15) ∣ (4,0) ∣ (5,0) ∣ \\ (5,1) ∣ (5,2) ∣ (5,3) ∣ (6,0) ∣ (8,0) ∣ (9,0) ∣ (9,16) ∣ (10,0) ∣ (11,0) ∣ (11,1) ∣ \\ (12,0) ∣ (12,1) ∣ (12,2) ∣ (13,0) ∣ (14,0) ∣ (15,0) ∣ (16,0) ∣ (17,0) ∣ (18,0) ∣ \\ (19, -1) ∣ (20, -1) ∣ (21, -1) ∣ (22, -1) ∣ (23, -1) ∣ (24, -1) ∣ (25, -1) ∣ (26, -1) ∣ \\ (27, -1) ∣ (28, -1) ∣ (29, -1) ∣ (30, -1) ∣ (31, -1) ∣ (32, -1) ∣ (33, -1) ∣ (34, -1) ∣ \\ (35, -1) ∣ (36, -1) ∣ (37, -1) ∣ (38, -1) ∣ (39, -1) ∣ (40,0) ∣ (40,1) ∣ (40,2) ∣ \\ (40,3) ∣ (40,4) ∣ (40,5) ∣ (41, -1) ∣ (253, -1) ∣ (254, -1) \end{matrix}$

2.3. Transport layer filtering

Network ports. A network port is a communication end-point used by the Transport layer protocols (for example, TCP/UDP) of the OSI model. iptables allows for constructing firewall rules that filter by source/destination ports. A port is a 16-bit unsigned integer. We define the constant $maxPrt$ , where: $\begin{matrix} maxPrt = = 2^{16} - 1 \end{matrix}$

UDP. iptables allows the specification of firewall rules that filter UDP traffic. Let $UDP$ define the set of packet values for the UDP protocol; whereby 1 signifies that a packet is using UDP or 0 signifies it is not. We define: $\begin{matrix} UDP : : = 1 ∣ 0 \end{matrix}$

TCP. iptables allows for TCP firewall rules to be constructed using a pair of TCP flags specifications. The first, specifies the flags that are to be examined in a packet-header, and the second specifies the flags that are to be set in a packet-header, these are the mask and comp values for a TCP packet [25]. Let $Flags$ be the set of TCP flags filterable in an iptables rule (as a mask or a comp specification), whereby: $\begin{matrix} Flags : : = syn ∣ ack ∣ fin ∣ psh ∣ rst ∣ urg \end{matrix}$ and let ${Flag}_{Spec}$ be the set of all (mask, comp) pairs, we define: $\begin{matrix} {Flag}_{Spec} = = P Flags \times P Flags \end{matrix}$

2.4. Application layer filtering

Layer 7 protocol filtering. iptables allows for constructing firewall rules that filter certain protocols at the Application Layer of the OSI model. Let ${Proto}_{7}^{L}$ be the set of all OSI Application-layer protocols recognised by iptables [33]. Note, for ease of exposition we use syntactic sugar in the definition of ${Proto}_{7}^{L}$ as a free-type. We define: $\begin{matrix} {Proto}_{7}^{L} : : = 100bao ∣ aim ∣ aimwebcontent ∣ applejuice ∣ ares ∣ armagetron ∣ \\ audiogalaxy ∣ battlefield1942 ∣ battlefield2 ∣ battlefield2142 ∣ bgp ∣ biff ∣ \\ bittorrent ∣ chikka ∣ cimd ∣ ciscovpn ∣ citrix ∣ counterstrike-source ∣ cvs ∣ \\ dayofdefeat-source ∣ dazhihui ∣ dhcp ∣ directconnect ∣ dns ∣ doom3 ∣ edonkey ∣ \\ fasttrack ∣ finger ∣ freenet ∣ ftp ∣ gkrellm ∣ gnucleuslan ∣ gnutella ∣ goboogy ∣ \\ gopher ∣ gtalk ∣ guildwars ∣ h323 ∣ halflife2-deathmatch ∣ hddtemp ∣ hotline ∣ \\ http ∣ http-rtsp ∣ http-dap ∣ http-freshdownload ∣ http-itunes ∣ httpaudio ∣ \\ httpcachehit ∣ httpcachemiss ∣ httpvideo ∣ ident ∣ imap ∣ imesh ∣ ipp ∣ irc ∣ \\ jabber ∣ kugoo ∣ live365 ∣ liveforspeed ∣ lpd ∣ mohaa ∣ msn-filetransfer ∣ \\ msnmessenger ∣ mute ∣ napster ∣ nbns ∣ ncp ∣ netbios ∣ nntp ∣ ntp ∣ openft ∣ \\ pcanywhere ∣ poco ∣ pop3 ∣ pplive ∣ pressplay ∣ qq ∣ quicktime ∣ quake-halflife ∣ \\ quake1 ∣ radmin ∣ rdp ∣ replaytv-ivs ∣ rlogin ∣ rtp ∣ rtsp ∣ runesofmagic ∣ \\ shoutcast ∣ sip ∣ skypeout ∣ skypetoskype ∣ smb ∣ smtp ∣ snmp ∣ snmp-mon ∣ \\ snmp-trap ∣ socks ∣ soribada ∣ soulseek ∣ ssdp ∣ ssh ∣ ssl ∣ stun ∣ subspace ∣ \\ subversion ∣ teamfortress2 ∣ teamspeak ∣ telnet ∣ tesla ∣ tftp ∣ thecircle ∣ \\ tonghuashun ∣ tor ∣ tsp ∣ uucp ∣ validcertssl ∣ ventrilo ∣ vnc ∣ whois ∣ \\ worldofwarcraft ∣ x11 ∣ xboxlive ∣ xunlei ∣ yahoo ∣ zmaap \end{matrix}$ The Layer 7 protocol definitions specify how these protocol names correspond to regular expressions that are matched by Netfilter on the packet application layer data. For example, the following regular expression [32]:

^220[\x09-\x0d -~]*ftp

is used by the Netfilter firewall to match packets that are part of FTP traffic.

Packet-owner/creator filtering. For locally generated packets; iptables allows filtering by various characteristics of the packet creator through the owner module. Filtering is applied to the OUTPUT chain of the filter table [37]. We define the constant $maxUID$ for 32-Bit Linux UIDs, where: $\begin{matrix} maxUID = = 2^{32} - 1 \end{matrix}$

Similarly, the constant $maxGID$ for 32-Bit Linux GIDs is defined as: $\begin{matrix} maxGID = = 2^{32} - 1 \end{matrix}$

2.5. Additional filtering specifications

State. The iptables conntrack module defines the state extension [37]. The state extension allows access to the connection tracking state for a packet. Let $State$ be the set of connection tracking states for a packet/connection. $\begin{matrix} State : : = new ∣ established ∣ related ∣ invalid ∣ untracked \end{matrix}$

Time-based filtering. iptables allows for a filtering decision to be made if the packet arrival time/date is within a given range. The possible time range expressible in a rule is 1970-01-01T00:00:00 to 2038-01-19T04:17:07 [16], and is specified in ISO 8601 “T” notation. We define the constant $maxTime$ , whereby $T (date)$ is a function that converts a date specified in “T” notation to a Unix timestamp: $\begin{matrix} maxTime = = T (2038-01-19T04:17:07) \end{matrix}$

Network interfaces and direction-oriented filtering. iptables allows for a filtering decision to be made with respect to the interface the packet is arriving at/leaving through. Let basic type $IFACE$ be the set of all interfaces on a machine, where for simplicity, we assume elements of $IFACE$ resemble lo, eth0, wlan0, tun0, etc. We define: $\begin{matrix} [IFACE] \end{matrix}$

Network traffic can be inbound or outbound on an interface. Direction-oriented filtering is defined as $Dir$ , whereby: $\begin{matrix} Dir : : = ingress ∣ egress \end{matrix}$

iptables chains. Let $Chain$ be the set of chains for the iptables filter table, we define: $\begin{matrix} Chain : : = input ∣ output ∣ forward \end{matrix}$

3. A theory of adjacency

Range-based filter condition attributes (for example, IPs/ports) have logical mappings to intervals of $N$ . For example, the port range that includes all ports from SSH upto and including HTTP can be written as the interval $[22 . . 80]$ .

Example 3.
Consider, as part of a running example, a system that is capable of enforcing firewall rules whereby the filter condition attribute for the rules is a destination port range only. A rule that allowed all ports from SSH to HTTP would be: $(i, [22 . . 80], allow)$ , where i is the index of the rule in the policy, $[22 . . 80]$ is the required port range, and $allow$ means that network traffic matching this pattern is permitted. Suppose we had a second rule, that specifies allow everything from Quote Of The Day (QOTD) up to and including FTP Control, then $(j, [17 . . 21], allow)$ specifies that for the rule at index j; the required port range $[17 . . 21]$ is allowed. Intuitively we can see that the port ranges for the rules at index i and index j are adjacent, and we may want to join rule i and rule j into a single rule that looks like $(k, [17 . . 80], allow)$ . This notion of adjacency becomes more complex when we consider comparing/composing firewall rules comprising two or more filter condition attributes.

3.1. The adjacency specification

In this section we define the filter condition attribute relationships of adjacency, disjointness and subsumption. These can be applied to any ordered set, not just number intervals. These relationships are at the heart of adjacency, and ultimately the ${FW}_{1}$ algebra.

Let $IV [\min, \max]$ be the set of all intervals on the natural numbers, from $\min$ up to and including $\max$ . Intervals are defined by their corresponding sets. $\begin{matrix} IV [\min, \max] = = {S : P N ∣ \exists ⊥, ⊤ : S ∙ \forall x : S ∙ \min ⩽ ⊥ ⩽ x ⩽ ⊤ ⩽ \max} \end{matrix}$

Example 4.
For ease of exposition and when no ambiguity arises, we may write an interval as a pair $[⊥ . . ⊤]$ , rather than by the set it defines. For example, $IV [1, 3] = {[1 . . 1], [1 . . 2], [1 . . 3], [2 . . 2], [2 . . 3], [3 . . 3]}$ .

Let $IPv 4$ define the set of all possible IPv4 address ranges, whereby: $\begin{matrix} IPv 4 = = IV [0, maxIP] \end{matrix}$

Similarly, let $Port$ define the set of all possible network port ranges, whereby: $\begin{matrix} Port = = IV [0, maxPrt] \end{matrix}$

Adjacency. The relation $(_≀_{_}_)$ defines adjacency over any ordered set. Adjacency is a general notion that is not limited to $N$ . We generalize adjacency to any attribute of generic type X, whereby for $a, b \in X$ , if $a ≀_{X} b$ , then a and b are adjacent in the set X. The property of reflexivity is required as any $a \in X$ should be adjacent to itself, that is; if for any a, that $a ≀_{X} a$ did not hold, then an inconsistency would exist. Symmetry follows from a similar requirement, where for $a, b \in X$ , if a is adjacent to b in X, then b must also be adjacent to a in X. The following schema defines a generic adjacency relation that can be instantiated for adjacency over different datatypes.

Given a set $S \in P X$ , then the transitive closure of the adjacency relation for elements in S is defined as follows.

Interval adjacency. Two intervals on the set of natural numbers are adjacent if their union defines a single interval. For a given maximum value $\max \in N$ , we define: $\begin{matrix} \forall I, J : IV [0, \max] ∙ I ≀_{IV [0, \max]} J \Leftrightarrow I \cup J \in IV [0, \max] \end{matrix}$
Example 5.
Interval $[1 . . 2]$ is adjacent to interval $[3 . . 3]$ since $[1 . . 2] \cup [3 . . 3] = [1 . . 3]$ , thus $[1 . . 2] ≀_{IPv 4} [3 . . 3]$ .

Number adjacency. Two numbers are adjacent if they are the same or if they are different by a value of one. We define: $\begin{matrix} \forall a, b : N ∙ a ≀_{N} b \Leftrightarrow (a = b \lor a + 1 = b \lor b + 1 = a) \end{matrix}$

Set adjacency. For a generic type X, and sets $S, T \in P X$ , then S and T are adjacent, as $S \cup T \in P X$ . We define: $\begin{matrix} \forall S, T : P X ∙ S ≀_{P X} T \end{matrix}$

Disjointness. The relation $(_∣_{_}_)$ is used to define the notion of disjointness over any ordered set. Given $a, b \in X$ , $a ∣_{X} b$ denotes a and b are disjoint in X. The property of irreflexivity is required, as a cannot be disjoint from itself, that is; if for any a, that $\neg (a ∣_{X} a)$ did not hold, then an inconsistency would exist. Symmetry is also required for consistency, as if a and b are disjoint in X, then b and a must be disjoint in X also. The following schema defines a generic disjointness relation that can be instantiated for disjointness over different datatypes.

Interval disjointness. Two intervals are disjoint if they don’t intersect. For a given maximum value $\max \in N$ , we define: $\begin{matrix} \forall I, J : IV [0, \max] ∙ I ∣_{IV [0, \max]} J \Leftrightarrow I \cap J = \emptyset \end{matrix}$
Example 6.
The interval $[1 . . 2]$ and interval $[3 . . 3]$ are disjoint, since $[1 . . 2] \cap [3 . . 3] = \emptyset$ , thus $[1 . . 2] ∣_{IPv 4} [3 . . 3]$ .

Number disjointness. Two numbers are disjoint if they are different. We define: $\begin{matrix} \forall a, b : N ∙ a ∣_{N} b \Leftrightarrow a \neq b \end{matrix}$

Set disjointness. Two sets are disjoint if they don’t intersect. We define: $\begin{matrix} \forall S, T : P X ∙ S ∣_{P X} T \Leftrightarrow S \cap T = \emptyset \end{matrix}$

Subsumption. The relation $(_\overline{\leftarrow}_)$ is used to define subsumption over any ordered set. For $a, b \in X$ , if $a \overset{X}{\leftarrow} b$ , then b covers a in X. Reflexivity is required, as any a must cover itself. Transitivity follows from a similar requirement, where for $a, b, c \in X$ , if a covers b and b covers c, then a must cover c. Antisymmetry follows from the assumption of irredundant elements, where if a covers b and b covers a then one of them is unnecessary [13]. The properties of reflexivity, transitivity and antisymmetry define $\overset{X}{\leftarrow}$ as a non-strict partial order over X [5]. The following schema defines a generic subsumption relation that can be instantiated for subsumption over different datatypes.

Some subsumption orderings (for example, subset) may form a lattice with greatest lower bound (glb) $_\cap_{X}_$ and least upper bound (lub) $_\cup_{X}_$ operators for values in X.

Interval subsumption. An interval I subsumes (covers) an interval J, if $J \subseteq I$ . For a given maximum value $\max \in N$ , we define: $\begin{matrix} \forall I, J : IV [0, \max] ∙ J \overset{IV [0, \max]}{\leftarrow} I \Leftrightarrow J \subseteq I \end{matrix}$
Example 7.
Interval $[1 . . 3]$ covers interval $[3 . . 3]$ , since $[3 . . 3] \subseteq [1 . . 3]$ , thus: $[3 . . 3] \overset{IPv 4}{\leftarrow} [1 . . 3]$ .

Number subsumption. For $a, b \in N$ then b covers a if a equals b. We define: $\begin{matrix} \forall a, b : N ∙ a \overset{N}{\leftarrow} b \Leftrightarrow a = b \end{matrix}$ The equality relation is both symmetric and antisymmetric, and defines both an equivalence relation and a non-strict partial order. Thus, $a \overset{N}{\leftarrow} b$ denotes that b subsumes/covers a.

Set subsumption. The definition for set subsumption is as expected, we define: $\begin{matrix} \forall S, T : P X ∙ S \overset{P X}{\leftarrow} T \Leftrightarrow S \subseteq T \end{matrix}$

For a generic type X, and $S \in P X$ , then the flattening function $⌈ S ⌉$ gives the cover-set for the elements of S, whereby the cover-set of S has no subsumption. We define:
Example 8.
Given the set of all intervals on the natural numbers from $1 . . 3$ , then we have: $\begin{matrix} ⌈ IV [1, 3] ⌉ = {[1 . . 1], [1 . . 2], [1 . . 3], [2 . . 2], [2 . . 3], [3 . . 3]} \\ ∖ {[1 . . 1], [1 . . 2], [2 . . 2], [2 . . 3], [3 . . 3]} \\ = {[1 . . 3]} \end{matrix}$

We define a $difference$ operator for $S, T \in P X$ , where $S ∖_{P X} T$ gives the relative compliment of T in S. That is, everything that is of type X that is covered in S, but not in T. We define this as: Example 9.
Given the cover-set for the set of all intervals on the natural numbers from $1 . . 3$ , and the set ${[1 . . 1], [3 . . 3]}$ , we have $⌈ IV [1, 3] ⌉ ∖_{IPv 4} {[1 . . 1], [3 . . 3]} = {[2 . . 2]}$ .

3.2. The adjacency datatype

For a generic type X, the Adjacency datatype $α [X]$ , is the set of all closed subsets of X partitioned by adjacency. $\begin{matrix} α [X] = = {S : P X ∣ (\forall a, b : S ∣ a \neq b ∙ \neg (a ≀_{X} b))} \end{matrix}$

Example 10.
We can use this to define all ways that an interval can be partitioned into sets of non-adjacent intervals. $\begin{matrix} α [IV [1, 3]] = {{[1 . . 1]}, {[1 . . 2]}, {[1 . . 3]}, {[2 . . 2]}, {[2 . . 3]}, {[3 . . 3]}, {[1 . . 1], [3 . . 3]}} \end{matrix}$

Let ${IP}_{Spec}$ define the set of all closed subsets for the intervals of the IPv4 address range, partitioned by adjacency, and similarly, let ${Prt}_{Spec}$ define the set of all closed subsets for the intervals of the network port range, partitioned by adjacency. We define: $\begin{matrix} {IP}_{Spec} = = α [IPv 4] \\ {Prt}_{Spec} = = α [Port] \end{matrix}$

Adjacency datatype ordering. An ordering can be defined over Adjacency-sets of a generic type X as follows:
Lemma 3.1.
The ordering relation ⩽ is a non-strict partial order over $α [X]$ .
Proof.
For $S, T \in α [X]$ , then $S ⩽ T$ means that T covers S, that is, every $a \in S$ is covered by some $b \in T$ . The ordering relation ⩽, is defined as a subsumption ordering/an antisymmetric preorder, where the properties of reflexivity, transitivity and antisymmetry hold for ⩽ over $α [X]$ as $(_\overset{X}{\leftarrow}_)$ is a non-strict partial order for elements of type X. We have: $\begin{matrix} \forall S, T, U : α [X] ∙ \\ S ⩽ S \land \\ (S ⩽ T \land T ⩽ U \Rightarrow S ⩽ U) \land \\ (S ⩽ T \land T ⩽ S \Rightarrow S = T) \end{matrix}$

The elements $⊥, ⊤ \in α [X]$ define the least and greatest bounds, respectively, on $α [X]$ , where ⊥ is the unique minimal element that is covered by all elements, and ⊤ is the unique maximal element that covers all other elements. We have: $\begin{matrix} \forall S : α [X] ∙ ⊥ ⩽ S ⩽ ⊤ \end{matrix}$ □
Example 11.
Given ${ranges}_{1}, {ranges}_{2} \in {IP}_{Spec}$ , where: $\begin{matrix} {ranges}_{1} = = {[1 . . 3], [6 . . 6], [8 . . 8]} \\ {ranges}_{2} = = {[2 . . 4], [7 . . 7], [10 . . 10]} \end{matrix}$ then Fig. 1 depicts a partial Hasse diagram, for the composition of ${ranges}_{1}$ and ${ranges}_{2}$ under the relative ordering of ⩽ over ${IP}_{Spec}$ .

Adjacency datatype union. The join of $S, T \in α [X]$ is defined using subsumption, as the generalized intersection of all Adjacency-sets, where each element of $(S \oplus T)$ covers an element in either S or T. Intuitively, this means that the values of the join are exactly a union of the elements from both S and T.

Fig. 1.
${IP}_{Spec}$ ordering fragment.
Lemma 3.2.
The operator ⊕ is a least upper bound operator on $α [X]$ .
Proof.
The generalized intersection in the join operation for some $S, T \in α [X]$ defines the smallest collection of $x \in X$ that cover all of the elements from both S and T by subsumption. If we take some $U \in α [X]$ , such that $U ⩽ (S \oplus T)$ and $S ⩽ U \land T ⩽ U$ , then $(S \oplus T) = U$ .

Thus, Adjacency join provides a lowest upper bound operator. Since ⊕ provides a lub operator we have $S ⩽ (S \oplus T)$ and $T ⩽ (S \oplus T)$ . □

Adjacency datatype intersection. Under this ordering, the meet, or intersection $S \otimes T$ of $S, T \in α [X]$ is defined using subsumption, as the cover-set for the generalized union of all Adjacency-sets, where each element of $(S \otimes T)$ is covered by an element in both S and T. Intuitively, this means that the values of the meet are all non-empty intersections of each value in S with each value in T.
Corollary 3.3.
The operator ⊗ is a greatest lower bound operator on $α [X]$ .
Proof.
It follows from Lemma 3.2 by an analogous argument that Corollary 3.3 holds. □

Since ⊗ provides the glb operator, then for $S, T \in α [X]$ we have $S \otimes T$ is covered by both S and T, that is $(S \otimes T) ⩽ S$ and $(S \otimes T) ⩽ T$ .

Adjacency datatype negation. Given $S \in α [X]$ , then $not S$ defines a complement operator in $α [X]$ , where $not S$ is the cover-set for all elements of type X that are not covered by some member of S. We have: $\begin{matrix} \forall S : α [X] ∙ \\ (S \oplus not S) = ⊤ \land (S \otimes not S) = ⊥ \end{matrix}$
Theorem 3.4.
The poset $(α [X], ⩽)$ forms a lattice with lowest-upper, and greatest lower bound operators, ⊕ and ⊗ respectively, and complement operator $not$ .
Proof.
This follows from the definition of ⩽ as a subsumption ordering/an antisymmetric preorder, the properties of $not$ , the definition of the meet as the cover-set for the generalized union of all Adjacency-sets, where for $S, T \in α [X]$ , each element of $(S \otimes T)$ is covered by an element in both S and T, and the definition of the join as the generalized intersection of all Adjacency-sets, where each element of $(S \oplus T)$ covers an element in either S or T. □
3.3. The duplet datatype

The notion of adjacency becomes more complex when we consider comparing/composing firewall rules comprising two or more filter condition attributes. When joining adjacent firewall rules, in some cases the rules may coalesce and in other cases they may partition into a number of disjoint rules.

Example 12.
Recall from Example 3 in this section, the firewall system that supports only destination port range filter conditions. Suppose we want to extend the expressiveness of the policy rules for this system to include a definition for destination IP range. Consider, two policy requirements; whereby network traffic is to be allowed to the IP range $[1 . . 3]$ on ports $[1 . . 3]$ , and to the IP range $[2 . . 4]$ on ports $[2 . . 4]$ . Then modelling this using adjacency-free IP/port range pairs, we have $p_{1}, p_{2} \in ({IP}_{Spec} \times {Prt}_{Spec})$ , whereby: $\begin{matrix} p_{1} = = ({[1 . . 3]}, {[1 . . 3]}) \\ p_{2} = = ({[2 . . 4]}, {[2 . . 4]}) \end{matrix}$

If we consider the attributes separately, we observe that the IP range in $p_{1}$ is adjacent to the IP range in $p_{2}$ , and the port ranges in $p_{1}$ and $p_{2}$ are also adjacent. However, in composing $p_{1}$ and $p_{2}$ under a lowest-upper-bound style operation one cannot simply take a union of the sets of intervals to be the IP/port range pair: $({[1 . . 4]}, {[1 . . 4]})$ , as this results in an overly permissive policy, given that network traffic is permitted to IP $1$ on port $4$ , and to IP $4$ on port $1$ as a result of composition. Conversely, this would result in an overly restrictive policy if we were composing deny rules.

When we consider how the join of $p_{1}$ and $p_{2}$ may be defined, whereby the desired result is the smallest number of non-adjacent rules that cover both $p_{1}$ and $p_{2}$ , then we can apply an adjacency-precedence to the IP ranges in $p_{1}$ and $p_{2}$ , and observe that the port ranges in $p_{1}$ and $p_{2}$ are not disjoint. We refer to this as the 1st attribute major ordering, and the cover for $p_{1}$ and $p_{2}$ is given as: $\begin{matrix} {({[1 . . 4]}, {[2 . . 3]}), ({[1 . . 3]}, {[1 . . 1]}), ({[2 . . 4]}, {[4 . . 4]})} \end{matrix}$ In this case, the result is a set of disjoint rules that exactly cover the IP/port-range pair constraints from $p_{1}$ and $p_{2}$ . We note, however, that instead, the adjacency-precedence may be applied to the second attribute, where in this case we observe that the port ranges in $p_{1}$ and $p_{2}$ are adjacent, and the IP ranges in $p_{1}$ and $p_{2}$ are not disjoint. We refer to this as a 2nd attribute major ordering, and would therefore expect the set of disjoint rules that exactly cover the IP/port-range pair constraints from $p_{1}$ and $p_{2}$ to be: $\begin{matrix} {({[2 . . 3]}, {[1 . . 4]}), ({[1 . . 1]}, {[1 . . 3]}), ({[4 . . 4]}, {[2 . . 4]})} \end{matrix}$

The resulting operations for the $1 st$ attribute major ordering are illustrated in Table 1, whereby the label R signifies the new rule, and the label A means filter condition attribute. In Table 2, the operations for the 2nd attribute major ordering the are encoded.

Table 1
A two-attribute rule join, $1 st$ attribute major ordering

Table 2
A two-attribute rule join, $2 nd$ attribute major ordering

For the remainder of this paper, we consider firewall rule join in terms of the $1 st$ attribute major ordering. However, we also consider the join of rules where there is an adjacency in other than the first attribute, we refer to this type of adjacency as forward adjacency.

Duplets. A duplet is an ordered pair, where the set of all duplets for generic types $X, Y$ , is defined as $δ [X, Y]$ , whereby: $\begin{matrix} δ [X, Y] = = X \times Y \end{matrix}$
Example 13.
For $IV [1, 1]$ and $IV [1, 2]$ , we have: $\begin{matrix} δ [IV [1, 1], IV [1, 2]] = {([1 . . 1], [1 . . 1]), ([1 . . 1], [1 . . 2]), ([1 . . 1], [2 . . 2])} \end{matrix}$ and $δ [{IP}_{Spec}, {Prt}_{Spec}]$ gives the set of all duplets for adjacency-free IP/port-range pairs.
Lemma 3.5.
If the ordering over X is a lattice and the ordering over Y is a lattice, then the ordering over $δ [X, Y]$ is also a lattice.
Proof.
Given the definition of $δ [X, Y]$ as the Cartesian product of X and Y, then if the ordering over X is a lattice and the ordering over Y is a lattice; it follows that $δ [X, Y]$ forms a lattice under the product order of X and Y. □

Forward adjacency. A pair of duplets are forward adjacent to each other if the attributes in the first coordinate are equal and the attributes in the second coordinate are adjacent. For $(a_{1}, b_{1}), (a_{2}, b_{2}) \in δ [X, Y]$ , we define forward adjacency, whereby: $\begin{matrix} (a_{1} = a_{2} \land b_{1} ≀_{Y} b_{2}) \end{matrix}$
Example 14.
Given duplets $({[1 . . 3]}, {[2 . . 3]}), ({[1 . . 3]}, {[1 . . 1]}) \in δ [{IP}_{Spec}, {Prt}_{Spec}]$ , then these duplets are forward adjacent, as: $({[1 . . 3]} = {[1 . . 3]}) \land ({[2 . . 3]} ≀_{{Prt}_{Spec}} {[1 . . 1]})$ .

Duplet adjacency. A pair of duplets $a, b \in δ [X, Y]$ are adjacent, if the attributes in the first coordinate are adjacent, and the attributes in the second coordinate are not disjoint, or a and b are forward adjacent. For $(a_{1}, b_{1}), (a_{2}, b_{2}) \in δ [X, Y]$ , we define: $\begin{matrix} (a_{1}, b_{1}) ≀_{δ [X, Y]} (a_{2}, b_{2}) \Leftrightarrow ((a_{1} ≀_{X} a_{2} \land \neg (b_{1} ∣_{Y} b_{2})) \lor (a_{1} = a_{2} \land b_{1} ≀_{Y} b_{2})) \end{matrix}$
Example 15.
We have that $p_{1} ≀_{δ [{IP}_{Spec}, {Prt}_{Spec}]} p_{2}$ , since the IP ranges are adjacent and the port ranges are not disjoint and we have ${[1 . . 3]} ≀_{{IP}_{Spec}} {[2 . . 4]} \land \neg ({[1 . . 3]} ∣_{{Prt}_{Spec}} {[2 . . 4]})$ .

Duplet disjointness. A pair of duplets are disjoint if the attributes in the first coordinate are disjoint, and/or the attributes in the second coordinate are disjoint. For $(a_{1}, b_{1}), (a_{2}, b_{2}) \in δ [X, Y]$ , we define: $\begin{matrix} (a_{1}, b_{1}) ∣_{δ [X, Y]} (a_{2}, b_{2}) \Leftrightarrow (a_{1} ∣_{X} a_{2} \lor b_{1} ∣_{Y} b_{2}) \end{matrix}$
Example 16.
We have $\neg (p_{1} ∣_{δ [{IP}_{Spec}, {Prt}_{Spec}]} p_{2})$ , since $\begin{matrix} \neg ({[1 . . 3]} ∣_{{IP}_{Spec}} {[2 . . 4]} \land {[1 . . 3]} ∣_{{Prt}_{Spec}} {[2 . . 4]}) \end{matrix}$

Duplet intersection. The definition for duplet intersection is defined as the intersection of the attributes in each coordinate under their respective orderings. For $(a_{1}, b_{1}), (a_{2}, b_{2}) \in δ [X, Y]$ , we define: $\begin{matrix} (a_{1}, b_{1}) \cap_{δ [X, Y]} (a_{2}, b_{2}) = ((a_{1} \cap_{X} a_{2}), (b_{1} \cap_{Y} b_{2})) \end{matrix}$
Example 17.
For $p_{1}$ and $p_{2}$ , we have $p_{1} \cap_{δ [{IP}_{Spec}, {Prt}_{Spec}]} p_{2} = ({[2 . . 3]}, {[2 . . 3]})$ .

Duplet merge. The definition for duplet merge is defined as the union of the attributes in each coordinate under their respective orderings. For $(a_{1}, b_{1}), (a_{2}, b_{2}) \in δ [X, Y]$ , we define: $\begin{matrix} (a_{1}, b_{1}) \cup_{δ [X, Y]} (a_{2}, b_{2}) = ((a_{1} \cup_{X} a_{2}), (b_{1} \cup_{Y} b_{2})) \end{matrix}$
Example 18.
Given $p_{1}$ and $p_{2}$ , we have $p_{1} \cup_{δ [{IP}_{Spec}, {Prt}_{Spec}]} p_{2} = ({[1 . . 4]}, {[1 . . 4]})$ .

Duplet subsumption. A duplet $(a_{1}, b_{1})$ covers a duplet $(a_{2}, b_{2})$ in $δ [X, Y]$ , if $a_{1}$ covers $a_{2}$ in X, and $b_{1}$ covers $b_{2}$ in Y. Thus, we define duplet subsumption as: $\begin{matrix} (a_{2}, b_{2}) \overset{δ [X, Y]}{\leftarrow} (a_{1}, b_{1}) \Leftrightarrow (a_{2} \overset{X}{\leftarrow} a_{1}) \land (b_{2} \overset{Y}{\leftarrow} b_{1}) \end{matrix}$
Example 19.
For $p_{1}$ and $p_{2}$ , we have $({[2 . . 3]}, {[2 . . 3]}) \overset{δ [{IP}_{Spec}, {Prt}_{Spec}]}{\leftarrow} p_{1}$ and $({[2 . . 3]}, {[2 . . 3]}) \overset{δ [{IP}_{Spec}, {Prt}_{Spec}]}{\leftarrow} p_{2}$ .

Precedence subsumption. A precedence subsumption is defined for duplets, whereby we explicitly define subsumption orderings separately in each coordinate. The relation $(_\overline{\to}_)$ defines a general format for precedence subsumption over any ordered set. For $a, b \in X$ , if $a \overset{X}{\to} b$ , then a covers b by precedence in X. The properties of reflexivity, transitivity and antisymmetry define $\overset{X}{\to}$ as a non-strict partial order over X [5]. The following schema defines a generic precedence subsumption relation that can be instantiated for precedence subsumption over different datatypes.

A duplet $(a_{1}, b_{1})$ covers a duplet $(a_{2}, b_{2})$ by precedence in $δ [X, Y]$ , if $a_{1}$ covers $a_{2}$ in X, and $b_{2}$ covers $b_{1}$ in Y. Thus, we define precedence subsumption as: $\begin{matrix} (a_{1}, b_{1}) \overset{δ [X, Y]}{\to} (a_{2}, b_{2}) \Leftrightarrow (a_{2} \overset{X}{\leftarrow} a_{1}) \land (b_{1} \overset{Y}{\leftarrow} b_{2}) \end{matrix}$
Example 20.
For $p_{1}, p_{2}$ , and duplets $({[1 . . 4]}, {[2 . . 3]}), ({[1 . . 3]}, {[1 . . 1]}) \in δ [{IP}_{Spec}, {Prt}_{Spec}]$ , then we have: $\begin{matrix} ({[1 . . 3]}, {[1 . . 1]}) \overset{δ [{IP}_{Spec}, {Prt}_{Spec}]}{\to} p_{1} \land \\ ({[1 . . 4]}, {[2 . . 3]}) \overset{δ [{IP}_{Spec}, {Prt}_{Spec}]}{\to} p_{1} \land \\ ({[1 . . 4]}, {[2 . . 3]}) \overset{δ [{IP}_{Spec}, {Prt}_{Spec}]}{\to} p_{2} \end{matrix}$

Precedence cover. For a duplet $a \in δ [X, Y]$ and a set of duplets $S \in P δ [X, Y]$ , then S covers a if the duplet merge of all elements in S that each cover a by precedence subsumption, cover a by duplet subsumption. We define:
Example 21.
For $p_{1}$ , and duplets $({[1 . . 3]}, {[2 . . 3]}), ({[1 . . 3]}, {[1 . . 1]}) \in δ [{IP}_{Spec}, {Prt}_{Spec}]$ , we have: $p_{1} \overset{δ [{IP}_{Spec}, {Prt}_{Spec}]}{⇜} {({[1 . . 3]}, {[2 . . 3]}), ({[1 . . 3]}, {[1 . . 1]})}$ as $({[1 . . 3]}, {[1 . . 3]}) \overset{δ [{IP}_{Spec}, {Prt}_{Spec}]}{⇜} {({[1 . . 3]}, {[1 . . 3]})}$ holds.

Intersecting elements. For $a \in δ [X, Y]$ and $S \in P δ [X, Y]$ , then $a ⌊ S ⌋$ is the set of all non-empty intersections of a with each value $b \in S$ . We define: Example 22.
For $p_{1}$ , and duplets $({[1 . . 4]}, {[2 . . 3]}), ({[1 . . 3]}, {[1 . . 1]}), ({[2 . . 4]}, {[4 . . 4]}) \in δ [{IP}_{Spec}, {Prt}_{Spec}]$ , then: $\begin{matrix} p_{1} ⌊ {({[1 . . 4]}, {[2 . . 3]}), ({[1 . . 3]}, {[1 . . 1]}), ({[2 . . 4]}, {[4 . . 4]})} ⌋ = \\ {({[1 . . 3]}, {[2 . . 3]}), ({[1 . . 3]}, {[1 . . 1]})} \end{matrix}$

3.4. Duplet adjacency ordering

In this section, an ordering is defined for Adjacency-sets of duplets.

Duplet adjacency difference. Given $S, T \in α [δ [X, Y]]$ , then $S ∖_{α [δ [X, Y]]} T$ is the cover-set for the set of all duplets covered in S by a duplet, or by a collection of duplets, and not covered in T. Thus, we define the difference of Adjacency-sets of duplets as: $\begin{matrix} S ∖_{α [δ [X, Y]]} T = ⌈ {c : δ [X, Y] ∣ c \overset{δ [X, Y]}{⇜} c ⌊ S ⌋ \land \neg (c \overset{δ [X, Y]}{⇜} c ⌊ T ⌋)} ⌉ \end{matrix}$

Example 23.
Given ${Pol}_{1}^{p}, {Pol}_{2}^{p} \in α [δ [{IP}_{Spec}, {Prt}_{Spec}]]$ , where: $\begin{matrix} {Pol}_{1}^{p} = = {({[1 . . 3]}, {[1 . . 3]})} \\ {Pol}_{2}^{p} = = {({[2 . . 4]}, {[2 . . 4]})} \end{matrix}$ then: $\begin{matrix} {Pol}_{1}^{p} ∖_{α [δ [{IP}_{Spec}, {Prt}_{Spec}]]} {Pol}_{2}^{p} = {({[1 . . 3]}, {[1 . . 1]}), ({[1 . . 1]}, {[2 . . 3]})} \end{matrix}$

The implementation definition for duplet difference is given in Section 7.2.

Duplet adjacency ordering. An ordering can be defined over Adjacency-sets of duplets as follows:
Lemma 3.6.
The ordering relation ⩽ is a non-strict partial order over $α [δ [X, Y]]$ .
Proof.
For $S, T \in α [δ [X, Y]]$ , then $S ⩽ T$ means that T covers S, that is, every $a \in S$ is covered under duplet subsumption, either by a duplet, or by a collection of duplets in T. The ordering relation ⩽, is defined as an antisymmetric preorder, where the properties of reflexivity, transitivity and antisymmetry hold for ⩽ over $α [δ [X, Y]]$ .

Reflexivity. For $S \in α [δ [X, Y]]$ , we have for $a \in S$ , then a covers itself under duplet subsumption. Since S is adjacency-free, then every duplet in S covers only itself under a duplet subsumption in S. Since duplet subsumption is reflexive, then ⩽ is reflexive; that is: $\begin{matrix} \forall S : α [δ [X, Y]] ∙ \\ (S, S) \in (_⩽_) \end{matrix}$

Transitivity. For $S, T \in α [δ [X, Y]]$ , then $S ⩽ T$ if all $a \in S$ are covered in T under duplet subsumption. Then if we take some $U \in α [δ [X, Y]]$ , such that $T ⩽ U$ , then all $b \in T$ are covered in U under duplet subsumption. Therefore, all $a \in S$ are covered in U under duplet subsumption as duplet subsumption is transitive. Then ⩽ is transitive; that is: $\begin{matrix} \forall S, T, U : α [δ [X, Y]] ∙ \\ (S, T) \in (_⩽_) \land (T, U) \in (_⩽_) \Rightarrow (S, U) \in (_⩽_) \end{matrix}$

Antisymmetry. For $S, T \in α [δ [X, Y]]$ , then $S ⩽ T$ if all $a \in S$ are covered in T under duplet subsumption, and if $T ⩽ S$ then all $b \in T$ are covered in S under duplet subsumption. Therefore, from the definition of duplet subsumption, if $S ⩽ T$ and $T ⩽ S$ then $T = S$ . Then ⩽ is antisymmetric; that is: $\begin{matrix} \forall S, T : α [δ [X, Y]] ∙ \\ (S, T) \in (_⩽_) \land (T, S) \in (_⩽_) \Rightarrow S = T \end{matrix}$

The elements $⊥, ⊤ \in α [δ [X, Y]]$ define the least and greatest bounds, respectively, on $α [δ [X, Y]]$ , where ⊥ is the unique minimal element that is covered by all elements, and ⊤ is the unique maximal element that covers all other elements. We have: $\begin{matrix} \forall S : α [δ [X, Y]] ∙ \\ ⊥ ⩽ S ⩽ ⊤ \end{matrix}$ Then we have: $\begin{matrix} \forall S, T, U : α [δ [X, Y]] ∙ \\ S ⩽ S \land \\ (S ⩽ T \land T ⩽ U \Rightarrow S ⩽ U) \land \\ (S ⩽ T \land T ⩽ S \Rightarrow S = T) \end{matrix}$ Thus, ⩽ is a non-strict partial order over $α [δ [X, Y]]$ . □
Example 24.
Figure 2 depicts a partial Hasse diagram, for the composition of ${Pol}_{1}^{p}$ and ${Pol}_{2}^{p}$ from Example 23 under the relative ordering of ⩽ over $α [δ [{IP}_{Spec}, {Prt}_{Spec}]]$ .

Adjacency duplet union. The join of $S, T \in α [δ [X, Y]]$ is defined using subsumption, as the cover-set for the duplet merge of the transitive closure of adjacent duplets, from the generalized intersection of all sets of sets of duplets, whereby each element of the generalized intersection covers an element in either S or T by duplet precedence subsumption. The generalized intersection defines the smallest collection of duplets that cover all of the duplets from both S and T by precedence subsumption. Given that all duplets in this set are now disjoint, the cover-set for the duplet merge of the transitive closure of adjacent duplets merges any forward-adjacent duplets from S and T. If we take some $U \in α [δ [X, Y]]$ , such that $U ⩽ (S \oplus T)$ and $S ⩽ U \land T ⩽ U$ , then $(S \oplus T) = U$ . Thus, Adjacency join provides a lowest upper bound operator, we have: $\begin{matrix} \forall S, T, U : α [δ [X, Y]] ∙ \\ S ⩽ (S \oplus T) \land T ⩽ (S \oplus T) \land \\ (S ⩽ U \land T ⩽ U \Rightarrow (S \oplus T) ⩽ U) \end{matrix}$

The implementation definition for duplet adjacency-set join is given in Section 7.2.

Fig. 2.
Duplet ordering fragment.

Adjacency duplet intersection. Under this ordering, the meet $(S \otimes T)$ of $S, T \in α [δ [X, Y]]$ is defined using subsumption, as the cover-set for the generalized union of all Adjacency-sets, where each element of $(S \otimes T)$ is covered by a duplet, or by a collection of duplets in both S and T. The meet is defined as the largest set of adjacency-free duplets that is covered by both S and T. Thus, ⊗ provides the glb operator, then for $S, T \in α [δ [X, Y]]$ we have $S \otimes T$ is covered by both S and T, that is $(S \otimes T) ⩽ S$ and $(S \otimes T) ⩽ T$ .

Adjacency duplet negation. Given $S \in α [δ [X, Y]]$ , then $not S$ defines a complement operator in $α [δ [X, Y]]$ , where $not S$ is the cover-set for all elements of type X that are not covered by some member of S. We have: $\begin{matrix} \forall S : α [δ [X, Y]] ∙ \\ (S \oplus not S) = ⊤ \land (S \otimes not S) = ⊥ \end{matrix}$
Theorem 3.7.
The poset $(α [δ [X, Y]], ⩽)$ forms a lattice with complement operator $not$ .
Proof.
This follows from the definition of ⩽ as an antisymmetric preorder, the properties of $not$ , and the definitions of ⊕ and ⊗.

Commutative laws. We observe that changing the order of the operands/Adjacency-sets does not change the composition result. $\begin{matrix} \forall S, T : α [δ [X, Y]] ∙ \\ S \oplus T = T \oplus S \land \\ S \otimes T = T \otimes S \end{matrix}$

Associative laws. We observe that the order in which the operations are performed does not change the outcome of the operation. $\begin{matrix} \forall S, T, U : α [δ [X, Y]] ∙ \\ S \oplus (T \oplus U) = (S \oplus T) \oplus U \land \\ S \otimes (T \otimes U) = (S \otimes T) \otimes U \end{matrix}$

Absorption laws. The following identities link ⊕ and ⊗. $\begin{matrix} \forall S, T : α [δ [X, Y]] ∙ \\ S \oplus (S \otimes T) = S \land \\ S \otimes (S \oplus T) = S \end{matrix}$

Idempotent laws. We observe that for all $S \in α [δ [X, Y]]$ , S is idempotent with respect to ⊕ and ⊗. $\begin{matrix} \forall S : α [δ [X, Y]] ∙ \\ S \oplus S = S \land \\ S \otimes S = S \end{matrix}$

Identity laws. We observe that $(α [δ [X, Y]], \oplus, \otimes, ⊥, ⊤)$ is a bounded lattice/algebraic structure, such that $(α [δ [X, Y]], \oplus, \otimes)$ is a lattice, ⊥ is the identity element for the join operation ⊕, and ⊤ is the identity element for the meet operation ⊗. $\begin{matrix} \forall S : α [δ [X, Y]] ∙ \\ S \oplus ⊥ = S \land \\ S \otimes ⊤ = S \end{matrix}$

Distributivity laws. The join operation distributes over the meet operation and vice-versa. $\begin{matrix} \forall S, T, U : α [δ [X, Y]] ∙ \\ S \oplus (T \otimes U) = (S \oplus T) \otimes (T \oplus U) \land \\ S \otimes (T \oplus U) = (S \otimes T) \oplus (T \otimes U) \end{matrix}$

Thus, $(α [δ [X, Y]], ⩽, \oplus, \otimes, ⊥, ⊤, not)$ is a lattice. □
4. ${FW}_{1}$ filter conditions

In this section, the filter condition attribute datatypes for the ${FW}_{1}$ policy model are defined.

OSI layer 2. Let $L_{2}$ define the set of all additional filter condition attributes at the Data-Link Layer, given as the set of all duplets over the set of all sets of packet-types $(P PktTpe)$ and the set of all sets of MAC addresses $(P MAC)$ . $\begin{matrix} L_{2} = = δ [P PktTpe, P MAC] \end{matrix}$ From Lemma 3.5, we have that $L_{2}$ is a lattice.

Example 25.
The following iptables rule specifies that inbound (INPUT) TCP broadcast packets (-p tcp --pkt-type broadcast) destined for the IP address 0.0.0.1 (-d 0.0.0.1) be denied (-j DROP). $\begin{matrix} iptables -A INPUT -p tcp --pkt-type broadcast \ \\ -d 0.0.0.1 -j DROP \end{matrix}$

The following iptables rule specifies that TCP packets being routed beyond the firewall (FORWARD -p tcp) destined for the IP address 0.0.0.1 (-d 0.0.0.1) with source MAC address 00:0F:EA:91:04:08 (-m mac --mac-source 00:0F:EA:91:04:08) be denied (-j DROP). $\begin{matrix} iptables -A FORWARD -p tcp -d 0.0.0.1 \ \\ -m mac --mac-source 00:0F:EA:91:04:08 -j DROP \end{matrix}$

OSI layer 7. Let $L_{7}$ define the set of all additional filter condition attributes at the OSI Application Layer, given as the set of all duplets over the set of all sets of Layer 7 protocols ( $P {Proto}_{7}^{L}$ ), the set of all closed subsets for the ranges of all Linux UIDs partitioned by adjacency ( ${UID}_{Spec}$ ), and the set of all closed subsets for the ranges of all Linux GIDs ( ${GID}_{Spec}$ ) partitioned by adjacency. $\begin{matrix} {UID}_{Spec} = = α [IV [0, maxUID]] \\ {GID}_{Spec} = = α [IV [0, maxGID]] \\ L_{7} = = δ [P {Proto}_{7}^{L}, δ [{UID}_{Spec}, {GID}_{Spec}]] \end{matrix}$ From Lemma 3.5, we have that $L_{7}$ is a lattice.
Example 26.
The following iptables rule specifies that outbound (OUTPUT) SSH packets (-m layer7 --l7proto ssh), originating from the Linux application UID 1001 (-m owner --uid-owner 1001), destined for the IP address 0.0.0.2 (-d 0.0.0.2) be allowed (-j ACCEPT). $\begin{matrix} iptables -A OUTPUT -m layer7 --l7proto ssh \ \\ -m owner --uid-owner 1001 -d 0.0.0.2 -j ACCEPT \end{matrix}$

The stateful/protocol datatype. Let $Protocol$ define the set of all stateful protocols, given as the set of all duplets over the TCP protocol ( $P {Flag}_{Spec}$ ), the UDP protocol ( $UDP$ ), the ICMP protocol ( $P TypesCodes$ ), and the set of all sets of connection tracking states for a packet/connection ( $P State$ ). $\begin{matrix} Protocol = = δ [P {Flag}_{Spec}, δ [UDP, δ [P TypesCodes, P State]]] \end{matrix}$ UDP operators are $(\land, \lor, \overset{UDP}{\leftarrow})$ . From Lemma 3.5, we have that $Protocol$ is a lattice.

Stateful/protocol disjointness. A pair of stateful protocols are disjoint if the TCP, UDP and ICMP attributes are disjoint, and/or their state is disjoint. For $t_{1}, t_{2} \in P {Flag}_{Spec}$ , $u_{1}, u_{2} \in UDP$ , $i_{1}, i_{2} \in P TypesCodes$ and $s_{1}, s_{2} \in P State$ , we define: $\begin{matrix} (t_{1}, u_{1}, i_{1}, s_{1}) ∣_{Protocol} (t_{2}, u_{2}, i_{2}, s_{2}) \Leftrightarrow \\ ((t_{1} ∣_{P {Flag}_{Spec}} t_{2} \land u_{1} ∣_{UDP} u_{2} \land i_{1} ∣_{P TypesCodes} i_{2}) \lor s_{1} ∣_{P State} s_{2}) \end{matrix}$

Additional filtering specifications. Let $AdditionalFC$ define the set of all additional filter condition attributes of interest, given as the set of all duplets over the set of all closed subsets for the ranges of all Unix timestamps, from 0 up to and including $maxTime$ ( ${Time}_{Spec}$ ), the set of all sets of all network interfaces on a machine ( $P IFACE$ ), the set of all sets of directions for direction-oriented filtering ( $P Dir$ ) and the set of all sets of iptables chains ( $P Chain$ ). $\begin{matrix} {Time}_{Spec} = = α [IV [0, maxTime]] \\ AdditionalFC = = δ [{Time}_{Spec}, δ [P IFACE, δ [P Dir, P Chain]]] \end{matrix}$ From Lemma 3.5, we have that $AdditionalFC$ is a lattice.
Example 27.
The following iptables rule specifies that for all inbound (INPUT) packets arriving on interface eth0 (-i eth0) from the IP address 0.0.0.1 (-s 0.0.0.1), attempting to traverse the firewall between 8 a.m. January 1st 2017 and 6 p.m. January 3rd 2017 (-m time --datestart 2017-01-01T08:00:00 --datestop 2017-01-03T18:00:00), are to be denied. $\begin{matrix} iptables -A INPUT -i eth0 -s 0.0.0.1 -m time --datestart \ \\ 2017-01-01T08:00:00 --datestop 2017-01-03T18:00:00 -j DROP \end{matrix}$

Filter conditions. A filter condition is a eight-tuple (s, $sprt$ , d, $dprt$ , p, $l_{2}$ , $l_{7}$ , a), representing network traffic originating from source IP ranges s, with source port ranges $sprt$ , destined for destination IP ranges d, with destination port ranges $dprt$ , using stateful-protocols p, with additional Layer 2 attributes $l_{2}$ , additional Layer 7 attributes $l_{7}$ and additional filtering specifications a. Let $FC$ define the set of all filter conditions, whereby: $\begin{matrix} FC = = δ [{IP}_{Spec}, δ [{Prt}_{Spec}, δ [{IP}_{Spec}, δ [{Prt}_{Spec}, δ [Protocol, δ [L_{2}, δ [L_{7}, AdditionalFC]]]]]]] \end{matrix}$ From Lemma 3.5, we have that $FC$ is a lattice.

Forward adjacency. Recall, for $(a_{1}, b_{1}), (a_{2}, b_{2}) \in δ [X, Y]$ , we define forward adjacency, whereby: $(a_{1} = a_{2} \land b_{1} ≀_{Y} b_{2})$ . A pair of filter conditions are forward adjacent if the attributes in the first coordinate are equal, and there is one adjacent attribute in the second coordinate, while all other attributes in the second coordinate are equal.
5. The ${FW}_{1}$ firewall algebra

In this section we define an algebra ${FW}_{1}$ , for constructing and reasoning about anomaly-free firewall policies. We focus on stateless and stateful firewall policies that are defined in terms of constraints on source/destination IP/port ranges, the TCP, UDP and ICMP protocols, and additional filter condition attributes. A firewall policy defines the filter conditions that may be allowed or denied by a firewall. Let $Policy$ define the set of all firewall policies, whereby: $\begin{matrix} Policy = = {A, D : α [FC] ∣ \forall a : A; d : D ∙ a ∣_{FC} d} \end{matrix}$

A firewall policy $(A, D) \in Policy$ defines a policy as a pair of adjacency-free sets of filter conditions under the duplet adjacency ordering, whereby a filter condition $f \in A$ should be allowed by the firewall, while a filter condition $f \in D$ should be denied. Given $(A, D) \in Policy$ then A and D are disjoint: this avoids any contradiction in deciding whether a filter condition should be allowed or denied. The policy destructor functions $allow$ and $deny$ are analogous to functions $first$ and $second$ for ordered pairs:

Thus, we have for all $P \in Policy$ then $P = (allow (P), deny (P))$ .

Lemma 5.1.
$Policy$ defines the set of anomaly-free policies.
Proof.
Given a policy $(A, D) \in Policy$ , as A and D are adjacency-free sets, then A has no redundancy and D has no redundancy, as Adjacency-sets have no subsumption. Therefore, all packets matched in filter conditions allowed by the policy are distinct, as are all packets matched in filter conditions that are denied by the policy. Given a policy $P \in Policy$ , as $allow (P)$ and $deny (P)$ are disjoint, then P has no shadowing. $\begin{matrix} \forall P : Policy ∙ \\ allow (P) ∣_{α [FC]} deny (P) \end{matrix}$

As P has no subsumption and P has no shadowing, then P has no generalised filter conditions and P has no correlated filter conditions. Therefore, as P has no redundancy/shadowing/generalisation/correlation, then $Policy$ defines the set of anomaly-free policies. □

Note that $(A, D) \in Policy$ need not partition $⌈ FC ⌉$ : the allow and deny sets define the filter conditions to which the policy explicitly applies, and an implicit default decision is applied for those filter conditions in $⌈ FC ⌉ ∖_{α [FC]} (A \oplus D)$ . For the purposes of modelling iptables firewalls it is sufficient to assume default deny, though we observe that ${FW}_{1}$ can also be used to reason about default allow firewall policies.

Policy refinement. An ordering can be defined over firewall policies, whereby given $P, Q \in Policy$ then $P ⊑ Q$ means that P is no less restrictive than Q, that is, any filter condition that is denied by Q is denied by P. Intuitively, policy P is considered to be a safe replacement for policy Q, in the sense of [19,20,28] and any firewall that enforces policy Q can be reconfigured to enforce policy P without any loss of security. The set $Policy$ forms a lattice under the safe replacement ordering and is defined as follows.

Formally, $P ⊑ Q$ iff every filter condition allowed by P is allowed by Q and that any filter conditions explicitly denied by Q are also explicitly denied by P. Note that in this definition we distinguish between filter conditions explicitly denied in the policy versus those implicitly denied by default. This means that, everything else being equal, a policy that explicitly denies a filter condition is considered more restrictive than a policy that relies on the implicit default-deny for the same network traffic pattern. Safe replacement is defined as the Cartesian product of Adjacency orderings over allow and deny sets and it therefore follows that $(Policy, ⊑)$ is a poset. ⊥ and ⊤ define the most restrictive and least restrictive policies, that is, for any $P \in Policy$ we have $⊥ ⊑ P ⊑ ⊤$ . Thus, for example, any firewall enforcing a policy P can be safely reconfigured to enforce the (not very useful) firewall policy ⊥.
Theorem 5.2.
The set of all policies $Policy$ forms a lattice under safe replacement, with greatest lower bound (⊓) and lowest upper bound (⊔) operators in ${FW}_{1}$ .
Proof.
The ordering of adjacency-free filter condition/duplets is a lattice under subsumption, the Cartesian product is a lattice under the definitions of glb and lub, therefore, ${FW}_{1}$ is a lattice. □

Policy intersection. Under this ordering, the meet $P ⊓ Q$ , of two firewall policies P and Q is defined as the policy that denies any filter condition that is explicitly denied by either P or Q, but allows filter conditions that are allowed by both P and Q. Intuitively, this means that if a firewall is required to enforce both policies P and Q, it can be configured to enforce the policy $(P ⊓ Q)$ since $P ⊓ Q$ is a safe replacement for both P and Q, that is; $(P ⊓ Q) ⊑ P$ and $(P ⊓ Q) ⊑ Q$ . Given the definition of safe replacement as a product of two Adjacency lattices, it follows that the policy meet provides the glb operator. Thus, $P ⊓ Q$ provides the ‘best’/least restrictive safe replacement (under ⊑) for both P and Q.

Policy union. The join of two firewall policies P and Q is defined as the policy that allows any filter condition allowed by either P or Q, but denies filter conditions that are explicitly denied by both P and Q. Intuitively, this means that a firewall that is required to enforce either policy P or Q can be safely configured to enforce the policy $(P ⊔ Q)$ . Since ⊔ provides a lub operator we have $P ⊑ (P ⊔ Q)$ and $Q ⊑ (P ⊔ Q)$ .
5.1. Constructing firewall policies

The lattice of policies ${FW}_{1}$ provides us with an algebra for constructing and interpreting firewall polices. The following constructor functions are used to build primitive policies. Given a set of adjacency-free filter conditions A, then $(Allow A)$ is a policy that allows filter conditions in A, and $(Deny D)$ is a policy that explicitly denies filter conditions in D.

This provides what we refer to as a weak interpretation of allow and deny. Network traffic patterns that are not explicitly mentioned in parameter S are default-deny and therefore are not specified in the deny set of the policy. The following provides us with a strong interpretation for these constructors:

In this case $({Allow}^{+} A)$ allows filter conditions specified in A, while explicitly denying all other filter conditions, and $({Deny}^{+} D)$ denies filter conditions specified in D while allowing all other filter conditions.

A firewall policy $P \in Policy$ can be decomposed into its corresponding allow and deny sets, and re-constructed using the algebra; for any $(A, D) \in Policy$ , since A and D are disjoint then:

Lemma 5.3.
Given $A, D \in α [FC]$ , then: $\begin{matrix} ({Allow}^{+} A) ⊔ (Deny D) = (A, ⌈ FC ⌉ ∖_{α [FC]} A) ⊔ (\emptyset, D) \end{matrix}$
Proof.
Follows since $({Allow}^{+} A) ⊔ (Deny D) = (Allow A) ⊓ ({Deny}^{+} D) = (A, D)$ . □
Corollary 5.4.
Given $A, D \in α [FC]$ , then it follows that $\begin{matrix} ({Deny}^{+} D) ⊓ (Allow A) = (A, \emptyset) ⊓ (⌈ FC ⌉ ∖_{α [FC]} D, D) \end{matrix}$

6. Reasoning about policies in practice

Sequential composition. A firewall policy is conventionally constructed as a sequence of rules, whereby for a given network packet, the decision to allow or deny the packet is checked against each policy rule, starting from the first, in sequence, and the first rule that matches gives the result that is returned. The algebra ${FW}_{1}$ can be extended to include a similar form of sequential composition of policies. The policy constructions in Section 5.1 can be regarded as representing the individual rules of a conventional firewall policy.

Let $(Allow A) ⨾ Q$ denote a sequential composition of an allow rule $(Allow A)$ with policy Q with the interpretation that a given network packet matched in A is allowed; if it does not match in A then policy Q is enforced. The resulting policy either: allows filter conditions in A (and denies all other filter conditions), or allows/denies filter conditions in accordance with policy Q. We define: $\begin{array}{rcl} (Allow A) ⨾ Q & = & ({Allow}^{+} A) ⊔ Q \\ = & ((A \oplus allow (Q)), ((⌈ FC ⌉ ∖_{α [FC]} A) \otimes deny (Q))) \\ = & ((A \oplus allow (Q)), (deny (Q) ∖_{α [FC]} A)) \end{array}$ which is as expected. A similar definition can be provided for the sequential composition $(Deny D) ⨾ Q$ , whereby a given network packet that is matched in D is denied; if it does not match in D then policy Q is enforced. We define: $\begin{array}{rcl} (Deny D) ⨾ Q & = & ({Deny}^{+} D) ⊓ Q \\ = & (((⌈ FC ⌉ ∖_{α [FC]} D) \otimes allow (Q)), deny (Q) \oplus D) \\ = & (allow (Q) ∖_{α [FC]} D, deny (Q) \oplus D) \end{array}$

While in practice its usual to write a firewall policy in terms of many constructions of allow and deny rules, in principle, any firewall policy $P \in Policy$ can be defined in terms of one allow policy $(Allow allow (P))$ and one deny policy $(Deny deny (P))$ and since the allow and deny sets of P are disjoint we have $P ⨾ Q = (Deny deny (P)) ⨾ (Allow allow (P)) ⨾ Q$ . We define this as:

Let $Rule$ define the set of all firewall rules, whereby: $\begin{matrix} Rule : : = allow ⟨ ⟨ FC ⟩ ⟩ ∣ deny ⟨ ⟨ FC ⟩ ⟩ \end{matrix}$ We define a rule interpretation function as:

A firewall policy is defined as a sequence of rules $⟨ r_{1}, r_{2}, . ., r_{n} ⟩$ , for $r_{i} \in Rule$ , and is encoded in the policy algebra as $I (r_{1}) ⨾ I (r_{2}) ⨾ . . ⨾ I (r_{n})$ . In practice, firewall policies are often anomalous [43], where a policy’s deny rules are not disjoint from it’s allow rules, and a “first match” principle is applied to filtered packets. Mapping a sequence of potentially anomalous firewall rules $⟨ r_{1}, r_{2}, . ., r_{n} ⟩$ into the ${FW}_{1}$ algebra gives a semantically-equivalent anomaly-free $P \in Policy$ .

Policy negation. The policy negation of $P \in Policy$ allows filter conditions explicitly denied by P and explicitly denies filter conditions allowed by P. We define:

From this definition it follows that $(P)$ is simply $(deny (P), allow (P))$ and thus $(Deny D) = (Allow D)$ and $(Allow A) = (Deny A)$ . Note however, that in general policy negation does not define a complement operator in the algebra ${FW}_{1}$ , that is, it not necessarily the case that $(P ⊔ P) = ⊤$ and $(P ⊓ P) = ⊥$ . However, the sub-lattice of policies with allow and deny sets that exactly partition the same set $S ⩽ ⌈ FC ⌉$ has policy negation as complement ( $allow (P) \oplus deny (P) = S$ for all P in the sub-lattice).

A target action of log in ${FW}_{1}$ . In this paper, the focus is on firewall rules with a target action of either $allow$ or $deny$ . However, from a compliance perspective, it is considered best practice to log traffic for auditing purposes [41]. Future work should extend the ${FW}_{1}$ algebra to include a target action of $\log$ for firewall rules. An approach may be taken, whereby we extend $(A, D) \in Policy$ to $(A, D, L) \in Policy$ , where $L \in α [FC]$ and a filter condition $f \in L$ should be logged by the firewall. We give the destructor function $\log$ for firewall policies; whereby $\log (A, D, L) = L$ . For policy composition, then for $P, Q \in Policy$ , we have $P ⊓ Q$ signifies the operation $(\log P \oplus \log Q)$ for logged filter conditions. Similarly, for $P ⊔ Q$ we have the logged filter conditions $(\log P \otimes \log Q)$ . From this, we have that the ordering for logged filter conditions is defined similarly to the ordering for denied filter conditions. In practice, a logged filter condition may be shadowed by a filter condition with a target action of $allow$ or $deny$ . However, it is not the case that a filter condition with a target action of $\log$ can shadow a filter condition with a target action of $allow$ or $deny$ . Therefore, for sequential composition, then we have $P ⨾ Q$ defines the logged filter conditions for the resulting policy as: $(\log P \oplus (\log Q ∖_{α [f c]} (allow P \oplus deny P)))$ . Encoding a definition for Network Address Translation in ${FW}_{1}$ is also a topic for future research.

6.1. Detecting anomalies in firewall policies

A firewall policy is conventionally constructed as a sequence of order-dependent rules, and when a network packet matches with two or more policy rules, the policy is anomalous [2,3,10]. By definition, the adjacency-free allow and deny sets of some $P \in Policy$ are disjoint, therefore P is anomaly-free by construction. We can however define anomalies using the algebra; by considering how a policy changes when composed with other policies.

Redundancy. A policy P is redundant given policy Q if their composition results in no difference between the resulting policy and Q, in particular, if: $\begin{matrix} P ⨾ Q = Q \end{matrix}$

Further definitions may be given for redundancy. For example, there are redundant packets with a target action of allow in filter conditions between policy P and policy Q, if: $\begin{matrix} Allow (allow (P)) ⊓ Allow (allow (Q)) \neq (\emptyset, \emptyset) \end{matrix}$ as: $\begin{matrix} Allow (allow (P)) ⊓ Allow (allow (Q)) = (allow (P) \otimes allow (Q), \emptyset) \end{matrix}$

A similar interpretation follows for redundant packets with a target action of deny between filter conditions in a policy P and filter conditions in a policy Q. In particular, we have redundant denies if: $\begin{matrix} Deny (deny (P)) ⊔ Deny (deny (Q)) \neq (\emptyset, \emptyset) \end{matrix}$ as: $\begin{matrix} Deny (deny (P)) ⊔ Deny (deny (Q)) = (\emptyset, deny (P) \otimes deny (Q)) \end{matrix}$

Shadowing. Some part of policy Q is shadowed by the entire policy P in the composition $P ⨾ Q$ if the by filter condition constraints that are specified by P contradict the constraints that are specified by Q, in particular, if: $\begin{matrix} (P) ⨾ Q = Q \end{matrix}$ This is a very general definition for shadowing. Perhaps a more familiar interpretation of this definition is one where the policy P is a specific allow/deny rule that shadows a part or all of the policy with which it is composed. Recall that $((Allow A)) = (Deny A)$ and, for example, in $(Allow A) ⨾ Q$ all or part of policy Q is shadowed by the rule/primitive policy $(Allow A)$ if Q denies the filter conditions specified in A, that is, $(Deny A) ⨾ Q = Q$ . Similarly, in $(Deny D) ⨾ Q$ part or all of policy Q is shadowed by the rule/primitive policy $(Deny D)$ if $((Deny D)) ⨾ Q = Q$ .

Further definitions may also be given for shadowing. For example, we have that some of the packets denied by filter conditions in a policy P shadow some of the packets allowed by filter conditions in a policy Q if: $\begin{matrix} Deny (deny (P)) ⊔ Deny (allow (Q)) \neq (\emptyset, \emptyset) \end{matrix}$ as: $\begin{matrix} Deny (deny (P)) ⊔ Deny (allow (Q)) = (\emptyset, deny (P) \otimes allow (Q)) \end{matrix}$

Similarly, some of the packets allowed by filter conditions in a policy P shadow some of the packets denied by filter conditions in a policy Q if: $\begin{matrix} Allow (allow (P)) ⊓ Allow (deny (Q)) \neq (\emptyset, \emptyset) \end{matrix}$ as: $\begin{matrix} Allow (allow (P)) ⊓ Allow (deny (Q)) = (allow (P) \otimes deny (Q), \emptyset) \end{matrix}$

Generalisation. A generalisation anomaly exists between P and Q if some of the packets allowed by filter conditions in P shadow some of the packets denied by filter conditions in Q, in particular, if: $\begin{matrix} Allow (allow (P)) ⊓ Allow (deny (Q)) \neq (\emptyset, \emptyset) \end{matrix}$ and, those packets shadowed by filter conditions in Q are subsumed by Q’s denies: $\begin{matrix} (Allow (allow (P)) ⊓ Allow (deny (Q))) \neq Deny (deny (Q)) \end{matrix}$ whereby: $\begin{matrix} (Allow (allow (P)) ⊓ Allow (deny (Q))) = (\emptyset, allow (P) \otimes deny (Q)) \end{matrix}$

Similarly, a generalisation anomaly exists between P and Q if some of the packets denied by filter conditions in P shadow some of the packets allowed by filter conditions in Q, in particular, if: $\begin{matrix} Deny (deny (P)) ⊔ Deny (allow (Q)) \neq (\emptyset, \emptyset) \end{matrix}$ and, those packets shadowed by filter conditions in Q are subsumed by Q’s allows: $\begin{matrix} (Deny (deny (P)) ⊔ Deny (allow (Q))) \neq Allow (allow (Q)) \end{matrix}$ as: $\begin{matrix} (Deny (deny (P)) ⊔ Deny (allow (Q))) = (deny (P) \otimes allow (Q), \emptyset) \end{matrix}$

Inter-policy anomalies. We can also use the ${FW}_{1}$ algebra to reason about anomalies between the different policies of distributed firewall configurations. In the following, assume that P is a policy on an upstream firewall and Q is a policy on a downstream firewall.

Redundancy. An inter-redundancy anomaly exists between policies P and Q if some part of Q is redundant to some part of P, whereby the target action of the redundant filter conditions is deny. Given some set of filter conditions A denied by P, and some set of filter conditions B denied by Q, then there exists an inter-redundancy between P and Q, if: $\begin{matrix} (Deny A) ⨾ (Deny B) = (Deny A) \end{matrix}$

Further definitions may be given for inter-redundancy. For example, there are redundant packets with a target action of deny in filter conditions between upstream policy P and downstream policy Q, if: $\begin{matrix} Deny (deny (P)) ⊔ Deny (deny (Q)) \neq (\emptyset, \emptyset) \end{matrix}$

Shadowing. An inter-shadowing anomaly exists between policies P and Q if some part of Q’s allows are shadowed by some part of P’s denies. Given some set of filter conditions A denied by P, and some set of filter conditions B allowed by Q, then there is an inter-shadowing anomaly between P and Q, if: $\begin{matrix} (Deny A) ⨾ (Allow B) = (Deny A) \end{matrix}$

Further definitions may also be given for inter-shadowing. For example, we have that some of the packets denied by filter conditions in a policy P shadow some of the packets allowed by filter conditions in a policy Q if: $\begin{matrix} Deny (deny (P)) ⊔ Deny (allow (Q)) \neq (\emptyset, \emptyset) \end{matrix}$

Spuriousness. An inter-spuriousness anomaly exists between policies P and Q if some part of Q’s denies are shadowed by some part of P’s allows. Given some set of filter conditions A allowed by P, and some set of filter conditions B denied by Q, then there exists an inter-spuriousness anomaly between P and Q, if: $\begin{matrix} (Allow A) ⨾ (Deny B) = (Allow A) \end{matrix}$

Spuriousness may also be defined as follows, whereby some of the packets allowed by filter conditions in a policy P shadow some of the packets denied by filter conditions in a policy Q. We have an inter-spuriousness anomaly from an upstream policy P to a downstream policy Q, if: $\begin{matrix} Allow (allow (P)) ⊓ Allow (deny (Q)) \neq (\emptyset, \emptyset) \end{matrix}$

To apply the definitions presented in this section to the detection of anomalies in firewall policies in practice, an approach may be taken, whereby an algorithm is constructed, that incorporates the anomaly definitions into the sequential composition of policies/rules when mapping a potentially anomalous, already deployed firewall policy into ${FW}_{1}$ . That is, given a sequence of firewall rules $⟨ r_{1}, r_{2}, . ., r_{n} ⟩$ , then before each sequential composition, an anomaly check can be made using the definitions in this section, the result of which can be used to alert an administrator to the presence of anomalies in the policies/rules under question.

6.2. Standards compliance

RFC 5735 [9], details fifteen IPv4 address blocks that have been assigned by IANA for specialized/global purposes. Some of these address spaces may appear on the Internet, and may be used legitimately outside a single administrative domain, however, while the assigned values of the address blocks do not directly raise security issues; unexpected use may indicate an attack [9]. For example, packets with a source IP address from the private address space 172.16.0.0/12, arriving on the Wide Area Network interface of a network router, may be considered spoofed, and may be part of a Denial of Service (DoS), or Distributed DoS attack.

RFC 5735 compliance. Best practice recommendations are implemented for each of the fifteen specialized IP address block ranges in [9], resulting in one hundred and twenty iptables $deny$ rules. In [18], we defined this $deny$ ruleset for a firewall management tool. We define IP spoof-mitigation policies for each iptables chain separately. For the INPUT chain, a compliance policy ${RFC 5735}^{I}$ is defined, whereby for each of the IP address block ranges, the following iptables rules are enforced. $\begin{matrix} iptables -A INPUT -i $in \ -m iprange –src-range $min:$max -j DROP \\ iptables -A INPUT -i $in \ -m iprange –dst-range $min:$max -j DROP \end{matrix}$

Similarly, for the OUTPUT chain, an IP spoof-mitigation compliance policy ${RFC 5735}^{O}$ is defined, whereby for each of the specialized IP address block ranges we have: $\begin{matrix} iptables -A OUTPUT -o $out \ -m iprange –src-range $min:$max -j DROP \\ iptables -A OUTPUT -o $out \ -m iprange –dst-range $min:$max -j DROP \end{matrix}$

For the FORWARD chain, then ${RFC 5735}^{F}$ enforces the following iptables rules for each of the IP address block ranges. $\begin{matrix} iptables -A FORWARD -i $in \ -m iprange –src-range $min:$max -j DROP \\ iptables -A FORWARD -i $in \ -m iprange –dst-range $min:$max -j DROP \\ iptables -A FORWARD -o $out \ -m iprange –src-range $min:$max -j DROP \\ iptables -A FORWARD -o $out \ -m iprange –dst-range $min:$max -j DROP \end{matrix}$

Each policy, ${RFC 5735}^{I}, {RFC 5735}^{O}, {RFC 5735}^{F}$ , terminates with a final iptables rule that specifies all other traffic be permitted on the given iptables chain.

A redefined firewall policy. We model these iptables rules in the algebra by redefining some policy-model attributes, and provide more formal definitions of ${RFC 5735}^{I}$ , ${RFC 5735}^{O}$ and ${RFC 5735}^{F}$ . Let ${AdditionalFC}_{I}$ be the set of all duplets for additional filter condition attributes of interest, where: $\begin{matrix} {AdditionalFC}_{I} = = δ [P Chain, δ [P Dir, P IFACE]] \end{matrix}$

A revised definition for the set of all filter conditions ${FC}_{I}$ is given as: $\begin{matrix} {FC}_{I} = = δ [{IP}_{Spec}, δ [{Prt}_{Spec}, δ [{IP}_{Spec}, δ [{Prt}_{Spec}, δ [Protocol, {AdditionalFC}_{I}]]]]] \end{matrix}$

A revised definition for the set of all policies ${Policy}_{I}$ is given as: $\begin{matrix} {Policy}_{I} = = {A, D : α [{FC}_{I}] ∣ \forall a : A; d : D ∙ a ∣_{{FC}_{I}} d} \end{matrix}$

The compliance policies ${RFC 5735}^{I}, {RFC 5735}^{O}, {RFC 5735}^{F} \in {Policy}_{I}$ , define the minimum requirements for what it means for some perimeter network firewall policy to mitigate the threat of IP spoofing for all traffic, in accordance with RFC 5735. Thus, we have for all $P \in {Policy}_{I}$ if: $\begin{matrix} P ⊑ ({RFC 5735}^{I} ⊓ {RFC 5735}^{O} ⊓ {RFC 5735}^{F}) \end{matrix}$ then P complies with the best practice recommendations outlined in [9] for IP address spoof-mitigation.

7. Encoding and evaluating iptables policies

A prototype policy management toolkit has been implemented in Python for iptables. The prototype allows for parsing the system’s currently enforced iptables ruleset $⟨ r_{1}, r_{2} . . r_{n} ⟩$ by chain, using the Python-iptables package [36], and then normalizing each rule to a primitive/singleton policy. The overall policy for the chain being evaluated as $I (r_{1}) ⨾ I (r_{2}) ⨾ . . ⨾ I (r_{n})$ . Once the sequential composition of the system’s currently enforced iptables policy is computed, the prototype generates a semantically-equivalent adjacency-free set of iptables rules and re-writes this new ruleset to the system.

We reason over ${Policy}_{I}$ policies using the ⨾, ⊔, and ⊑ policy operators. The test-bed for the experiments was a 64-Bit Ubuntu 14.04 LTS OS, running on a Dell Latitude E6430, with a quad-core Intel i5-3320M processor and 4 GB of RAM. Every experiment was conducted three times; the median result chosen for inclusion in this paper. Overall, the results are promising. In this section, the firewall datatypes for the prototype are described.

Firewall rules. An iptables rule is modelled as a list of generic filter conditions. The current implementation defines firewall rules with filter condition attributes for source/destination IP/port ranges, the ICMP, UDP and TCP protocols, and additional filter condition attributes. The relationships of adjacency, disjointness and subsumption have been encoded, as have composition operators for rule intersection and rule join/combination.

Range-based attributes. Filter condition attributes defined as ranges in the ${FW}_{1}$ framework, for example, source/destination IP/port ranges, are implemented as interval sets, using the Pyinter Python package [39]. The package was modified to include definitions for relative compliment operators and adjacency over intervals and interval sets.

ICMP and UDP. The ICMP protocol is modelled as the set of all valid ICMP Type/Code pairs, given in Section 4. UDP has been defined as a binary attribute. Boolean operators apply for the UDP filter condition attributes.

TCP. The TCP protocol is encoded as a $2^{12}$ bit array, whereby the position of each bit is mapped to an index value in a table. This table is the implementation of the ${Flag}_{Spec}$ object defined in Section 4, and is encoded as the list of TCP (mask, comp) pairs, as pairs of six-bit arrays. A value of $1$ at a given position in the $2^{12}$ bit array indicates that this particular arrangement of TCP flags are matched in the packets specified by the firewall rule. Table 3 gives an overview of the $FlagSpec$ lookup.

Table 3
Partial TCP $FlagSpec$ lookup table

Index Mask Comp

1 ‘000000’ ‘000000’

2 ‘000000’ ‘000001’

$. .$ $. .$ $. .$

8 ‘000000’ ‘000111’

$. .$ $. .$ $. .$

4096 ‘111111’ ‘111111’

Index	Mask	Comp
1	‘000000’	‘000000’
2	‘000000’	‘000001’
$. .$	$. .$	$. .$
8	‘000000’	‘000111’
$. .$	$. .$	$. .$
4096	‘111111’	‘111111’

Additional attributes. Attributes for direction-oriented filtering, network interface and iptables chains have been encoded as sets for firewall rules.

Firewall policies. A policy is implemented as a disjoint pair of adjacency-free sets of firewall rules. The adjacency-free sets of rules have been modelled following the approach taken to model the interval-sets in the Pyinter package [39].

Transitive closure of adjacent rules. The transitive closure for the adjacency relation over rules in firewall policies has been implemented recursively, following the approach used in the Pyinter package to implement the transitive closure over adjacent intervals [39]. A set of firewall rules is adjacency-free by construction. When a new rule is added to the ruleset, a check is made firstly to determine if there are any rules in the set that are adjacent to the new rule. If there are none, the new rule is added. Otherwise, the adjacent rules are removed from the ruleset, and rules resulting from the combination of the new rule with the adjacent rules are added to the ruleset, starting again with a check to determine if there are any rules in the set that are adjacent to the new rule.

7.1. Evaluating policy operators

Evaluating sequential policy composition. The implementation parses the system’s currently enforced iptables ruleset $⟨ r_{1}, r_{2} . . r_{n} ⟩$ by chain, and then normalizes each rule to a primitive/singleton policy $⟨ I (r_{1}), I (r_{2}) . . I (r_{n}) ⟩$ . The overall policy for the chain is evaluated as $I (r_{1}) ⨾ I (r_{2}) ⨾ . . ⨾ I (r_{n})$ . Two datasets were generated for experimentation. Each dataset consists of iptables policies of size $2^{4} . . 2^{11}$ . One dataset contains policies where no rule is adjacent to any other rule (other than itself), and the other dataset consists of policies where every new rule is adjacent to the previous rule; to ensure the maximum number of possible rules are generated as a result of composition. The rules all have a target action of allow. Table 4 details the results for the non-adjacent dataset, while the results for the adjacent dataset are illustrated in Table 5.

Table 4
Sequential composition with no adjacent rules (in seconds)

Num rules Time Ratio

$2^{4}$ 0.07 –

$2^{5}$ 0.13 1.85

$2^{6}$ 0.29 2.23

$2^{7}$ 0.67 2.31

$2^{8}$ 1.73 2.58

$2^{9}$ 4.98 2.87

$2^{10}$ 16.09 3.23

$2^{11}$ 57.81 3.59

Num rules	Time	Ratio
$2^{4}$	0.07	–
$2^{5}$	0.13	1.85
$2^{6}$	0.29	2.23
$2^{7}$	0.67	2.31
$2^{8}$	1.73	2.58
$2^{9}$	4.98	2.87
$2^{10}$	16.09	3.23
$2^{11}$	57.81	3.59

Table 5

Sequential composition with adjacent rules (in seconds)

Num rules	Time	Ratio
$2^{4}$	0.80	–
$2^{5}$	2.02	2.53
$2^{6}$	5.13	2.98
$2^{7}$	15.32	3.34
$2^{8}$	51.18	3.58
$2^{9}$	183.42	3.85
$2^{10}$	707.15	3.85
$2^{11}$	2792.81	3.94

We observe that as the number of rules increase, the cost of computing the sequential composition of non-adjacent rules is relatively cheap, and we see that for the largest ruleset, $2^{11}$ , the evaluation time is approximately one minute. For the adjacent dataset, the cost of computing the sequential composition of adjacent rules is expensive, but is also proportional to the number of rules used in the experiment. However, the cost is by orders of magnitude more expensive than the cost for evaluating the sequential composition of non-adjacent policies of the same size. For $2^{9}$ rules, the time taken for the evaluation of sequential composition is around three minutes, and the time taken for $2^{11}$ rules is approximately forty six minutes.

Evaluating policy union. Experiments were conducted to test policy lub, whereby each policy in the adjacent dataset used in the sequential composition experiments was split into two policies, whereby the first policy contains the odd (index) rules from the original policy, and the second policy contains the even (index) rules from the original policy. The odd (index) policies are adjacency-free, as are the even (index) policies. Constructing the dataset from the odd-index and even-index policies allows us to evaluate the cost, in terms of time, of composing policies of different sizes, whereby for the policy union experiments, the maximum number of rules are generated as a result of composition. For each $P, Q \in {Policy}_{I}$ in this split dataset, the time taken for the operation $P ⊔ Q$ is given by Table 6.

Table 6

Time taken to compute $P ⊔ Q$ (in seconds)

A benefit of conducting the policy join experiments in this way, is that in practice, we may want to update a policy P, comprising a large number of rules, with a smaller policy Q that permits some new accesses. The time taken for composition of policies of equal size is approximately the same as (slightly less than) the time necessary to sequentially compose the rules from both policies. That is; for example, the time taken for the sequential composition of $2^{9}$ rules is around three minutes, as is the join of the two policies of size $2^{8}$ . This is highlighted through the diagonal in the matrix, and is as expected; given that we used all allow rules, and the sequential composition of the rules used in these experiments results in the eventual join of the rules.

Evaluating policy compliance. A dataset consisting of iptables policies of size $2^{5}, 2^{6} . . 2^{11}$ is generated to test policy compliance. Each policy in this dataset is RFC 5735 compliant by construction, for TCP traffic arriving on the iptables INPUT chain to/from each of the fifteen special-use IPv4 addresses [9]. Recall, the compliance policy ${RFC 5735}^{I}$ defined in Section 6.2 for ${Policy}_{I}$ policies. Rules from the previously defined non-adjacent dataset have been re-written with a target action of $deny$ , and are used to construct the remaining rules for each policy in the compliance dataset. For each $P$ in the compliance dataset, the time taken in seconds for the evaluation of $P ⊑ {RFC 5735}^{I}$ is given in Table 7. We observe that the compliance test has a cheap cost in terms time, and all evaluation times for $P ⊑ {RFC 5735}^{I}$ are negligible.

Table 7

Time taken to compute $P ⊑ {RFC 5735}^{I}$ (in seconds)

Num rules	Time	Ratio
$2^{5}$	0.07	–
$2^{6}$	0.09	1.28
$2^{7}$	0.15	1.66
$2^{8}$	0.32	2.13
$2^{9}$	0.50	1.56
$2^{10}$	0.87	1.74
$2^{11}$	1.64	1.88

7.2. Implementing duplet join and difference

In this section, the Python prototype implementations of duplet/rule join and duplet/rule difference are defined. We demonstrate how Algorithm 1 (duplet join) and Algorithm 2 (duplet difference) relate to firewall rule composition in ${FW}_{1}$ . For ease of exposition, we use colours in tables when illustrating rule/duplet composition. The colours used are of no particular significance. The Python implementation is expected to shortly be uploaded to an open-source repository.

Duplet combination. For $f, g \in δ [X, Y]$ , then the combination operation $(f ⊎_{δ [X, Y]} g)$ defines a set of adjacency-free duplets that exactly cover f and g.

The operation is described using three recursive functions; center $C (f, g)$ , left $L (f, g)$ and right $R (f, g)$ , and is defined as the set union of the duplets resulting from $C (f, g)$ , $L (f, g)$ and $R (f, g)$ . For ease of exposition, a duplet is given as a sequence of filter condition attributes. We assume f and g always have the same number of attributes. The functions are defined as follows.

Center. For $f, g \in δ [X, Y]$ , then $C (f, g)$ defines the join of the adjacent and common attributes in f and g. For duplets comprising two attributes, we define: $\begin{matrix} C (⟨ a_{1}, b_{1} ⟩, ⟨ a_{2}, b_{2} ⟩) = ⟨ a_{1} \cup_{X} a_{2}, b_{1} \cap_{Y} b_{2} ⟩ \end{matrix}$ Table 8 specifies the operations and duplet resulting from $C (f, g)$ for two-attribute duplets. The label D signifies duplet, while A means the attribute. For f and g of length greater than two, we define for each additional attribute: $\begin{matrix} C (f \hat{} ⟨ c_{1} ⟩, g \hat{} ⟨ c_{2} ⟩) = C (f, g) ⌢ ⟨ c_{1} \cap_{Y} c_{2} ⟩ \end{matrix}$ Table 9 specifies the operations and duplet resulting from $C (f, g)$ for duplets with three attributes.

Table 8
$Center$ function for two-attribute duplets

Table 9

$Center$ function for three-attribute duplets

Left. For $f, g \in δ [X, Y]$ , then $L (f, g)$ defines the remaining attribute constraints covered in f, that are not covered in $C (f, g)$ . For duplets comprising two attributes, we define: $\begin{matrix} L (⟨ a_{1}, b_{1} ⟩, ⟨ a_{2}, b_{2} ⟩) = {⟨ a_{1}, b_{1} ∖_{Y} b_{2} ⟩} \end{matrix}$ Table 10 specifies the operations and duplet resulting from $L (f, g)$ for two-attribute duplets. For f and g of length greater than two, we define for each additional attribute: $\begin{matrix} L (f \hat{} ⟨ c_{1} ⟩, g \hat{} ⟨ c_{2} ⟩) = {⟨ head f ⟩ ⌢ tail (C (f, g)) ⌢ ⟨ c_{1} ∖_{Y} c_{2} ⟩} \cup \\ {t : L (f, g) ∙ t ⌢ ⟨ c_{1} ⟩} \end{matrix}$ Table 11 specifies the operations and duplets resulting from $L (f, g)$ for duplets comprising three attributes.

Table 10

$Left$ function for two-attribute duplets

Table 11

$Left$ function for three-attribute duplets

Table 12

$Right$ function for two-attribute duplets

Table 13

$Right$ function for three-attribute duplets

Right. For $f, g \in δ [X, Y]$ , then $R (f, g)$ defines the remaining attribute constraints covered in g, that are not covered in $C (f, g)$ . For duplets comprising two attributes, we define: $\begin{matrix} R (⟨ a_{1}, b_{1} ⟩, ⟨ a_{2}, b_{2} ⟩) = {⟨ a_{2}, b_{2} ∖_{Y} b_{1} ⟩} \end{matrix}$ Table 12 specifies the operations and duplet resulting from $R (f, g)$ for two-attribute duplets. For f and g of length greater than two, we define for each additional attribute: $\begin{matrix} R (f \hat{} ⟨ c_{1} ⟩, g \hat{} ⟨ c_{2} ⟩) = {⟨ head g ⟩ ⌢ tail (C (f, g)) ⌢ ⟨ c_{2} ∖_{Y} c_{1} ⟩} \\ \cup {t : R (f, g) ∙ t ⌢ ⟨ c_{2} ⟩} \end{matrix}$ Table 13 specifies the operations and duplets resulting from $R (f, g)$ for duplets comprising three attributes.

Thus, we define the combination operation for f and g as: $\begin{matrix} f ⊎_{δ [X, Y]} g = {C (f, g)} \cup L (f, g) \cup R (f, g) \end{matrix}$

Theorem 7.1.

The duplet combination operation defines the adjacency-free combination for all $f, g \in δ [X, Y]; n \in N$ , where $(n = # f = # g) ⩾ 2$ .

Proof.

We will show that for $f, g \in δ [X, Y]$ , then $f ⊎_{δ [X, Y]} g$ defines the adjacency-free combination for all $n \in N$ , where $(n = # f = # g) ⩾ 2$ , using induction on n.

Base case. For $n = 2$ , then for $f ⊎_{δ [X, Y]} g$ , the resulting operations and duplets for f and g as two-attribute duplets are given in Table 14. From these results, we have that Theorem 7.1 holds when $n = 2$ .

Table 14

A two-attribute duplet join

Table 15

A k-attribute duplet join

Table 16

A $(k + 1)$ -attribute duplet join

Inductive hypothesis. Suppose Theorem 7.1 holds for $k \in N$ , where $k > n$ , and $k = # f = # g$ . Then for $f ⊎_{δ [X, Y]} g$ , the resulting operations and duplets for f and g as k-attribute duplets are given in Table 15.

Inductive step. Let $n = k + 1$ . Then by the recursive definitions of $C (f, g)$ , $L (f, g)$ and $R (f, g)$ , the resulting operations and duplets for f and g as $(k + 1)$ -attribute duplets in $(f ⊎_{δ [X, Y]} g)$ are given in Table 16. Therefore, from these results, we have that Theorem 7.1 holds for $n = k + 1$ . By the principal of mathematical induction, the theorem holds for all $n \in N$ , where $n ⩾ 2$ . □

Algorithm 1 summarises the duplet combination operation, whereby the input is a pair of duplets $(f, g)$ , the number of attributes ( $len$ ), and an empty list ( $ruleSet$ ) to hold the result. The output is the list ( $ruleSet$ ), whereby $ruleSet = ⟨ C (f, g), L (f, g), R (f, g) ⟩$ .

Algorithm 1

Duplet combination operation

A bottom-up approach to duplet join. Recall, the definition for the join operation of $S, T \in α [δ [X, Y]]$ given in Section 3.3 is constructed following a top-down approach with respect to the ordering relation ⩽, whereby: $\begin{matrix} S \oplus T = ⌈ {a, b : ⋂ {U : P (δ [X, Y]) ∣ (\forall c : U ∙ \exists a : S; b : T ∙ \\ c \overset{δ [X, Y]}{\to} a \lor c \overset{δ [X, Y]}{\to} b)} ∣ a ≀_{δ [X, Y]}^{+} b ∙ a \cup_{δ [X, Y]} b} ⌉ \end{matrix}$

For all $S, T \in α [δ [X, Y]]$ , we define the implementation definition for sets of adjacency-free duplets as: $\begin{matrix} S \oplus T = ⌈ {a, b : ⌈ ⋃ {a, b : (S \cup T) ∣ a ≀_{(S \cup T)}^{+} b ∙ (a ⊎_{δ [X, Y]} b)} ⌉ ∣ \\ a ≀_{δ [X, Y]}^{+} b ∙ a \cup_{δ [X, Y]} b} ⌉ \end{matrix}$

Adjacency duplet union implementation. The implementation definition for the join of $S, T \in α [δ [X, Y]]$ is defined as the cover-set for the duplet merge of the transitive closure of adjacent duplets, from the coverset for the generalized union of sets from the duplet combination operation ( $_⊎_{_}_$ ), for all transitively adjacent duplets in S and T. The coverset for the generalized union defines the smallest collection of duplets that cover all of the duplets from both S and T by precedence subsumption. Given that all duplets in this set are now disjoint, the cover-set for the duplet merge of the transitive closure of adjacent duplets merges any forward-adjacent duplets from S and T. If we take some $U \in α [δ [X, Y]]$ , such that $U ⩽ (S \oplus T)$ and $S ⩽ U \land T ⩽ U$ , then $(S \oplus T) = U$ . Thus, the implementation definition for duplet Adjacency-set join provides a lowest upper bound operator.

Theorem 7.2.

The two given definitions for joining sets of adjacency-free duplets are equivalent. $\begin{matrix} \forall S, T : α [δ [X, Y]] ∙ \\ S \oplus T = ⌈ {a, b : ⋂ {U : P (δ [X, Y]) ∣ (\forall c : U ∙ \exists a : S; b : T ∙ \\ c \overset{δ [X, Y]}{\to} a \lor c \overset{δ [X, Y]}{\to} b)} ∣ a ≀_{δ [X, Y]}^{+} b ∙ a \cup_{δ [X, Y]} b} ⌉ \\ = ⌈ {a, b : ⌈ ⋃ {a, b : (S \cup T) ∣ a ≀_{(S \cup T)}^{+} b ∙ (a ⊎_{δ [X, Y]} b)} ⌉ ∣ \\ a ≀_{δ [X, Y]}^{+} b ∙ a \cup_{δ [X, Y]} b} ⌉ \end{matrix}$

Proof.

Given that both definitions define the cover-set for the duplet merge of the transitive closure of forward adjacent duplets from the smallest collection of disjoint adjacency-free duplets that cover all of the duplets from both S and T by precedence subsumption, then Theorem 7.2 holds. □

Duplet difference. For $f, g \in δ [X, Y]$ , the operation $(f ∖_{δ [X, Y]} g)$ defines a set of adjacency-free duplets that are covered by f but not by g. The operation is described using two recursive functions; center $C^{diff} (f, g)$ , and the left $L (f, g)$ function given previously. The function $(f ∖_{δ [X, Y]} g)$ is defined as the set union of the duplets resulting from $C^{diff} (f, g)$ and $L (f, g)$ .

Table 17

$Center$ difference function for two-attribute duplets

Table 18

$Center$ difference function for three-attribute duplets

Table 19

A two-attribute duplet difference

Table 20

A k-attribute duplet difference

Center. For $f, g \in δ [X, Y]$ , then for duplets comprising two attributes; $C^{diff} (f, g)$ is defined as follows: $\begin{matrix} C^{diff} (⟨ a_{1}, b_{1} ⟩, ⟨ a_{2}, b_{2} ⟩) = ⟨ a_{1} ∖_{X} a_{2}, b_{1} \cap_{Y} b_{2} ⟩ \end{matrix}$ The operations and duplet resulting from $C^{diff} (f, g)$ for two-attribute duplets are given in Table 17. For f and g of length greater than two, we define for each additional attribute: $\begin{matrix} C^{diff} (f \hat{} ⟨ c_{1} ⟩, g \hat{} ⟨ c_{2} ⟩) = C^{diff} (f, g) ⌢ ⟨ c_{1} \cap_{Z} c_{2} ⟩ \end{matrix}$ The operations and duplet resulting from $C^{diff} (f, g)$ for duplets with three attributes are given in Table 18. Thus, we define the difference operation for f and g as: $\begin{matrix} f ∖_{δ [X, Y]} g = {C^{diff} (f, g)} \cup L (f, g) \end{matrix}$

Theorem 7.3.

The duplet difference operation defines the adjacency-free duplet-difference for all $f, g \in δ [X, Y]; n \in N$ , where $(n = # f = # g) ⩾ 2$ .

Proof.

We will show that for $f, g \in δ [X, Y]$ , then $f ∖_{δ [X, Y]} g$ defines the adjacency-free duplet difference for all $n \in N$ , where $(n = # f = # g) ⩾ 2$ , using induction on n.

Base case. For $n = 2$ , then for $f ∖_{δ [X, Y]} g$ , the resulting operations and duplets for f and g as two-attribute duplets are given in Table 19. From these results, we have that Theorem 7.3 holds when $n = 2$ .

Inductive hypothesis. Suppose Theorem 7.3 holds for $k \in N$ , where $k > n$ , and $k = # f = # g$ . Then for $f ∖_{δ [X, Y]} g$ , the resulting operations and duplets for f and g as k-attribute duplets are given in Table 20.

Table 21

A $(k + 1)$ -attribute duplet difference

Algorithm 2

Duplet difference operation

Inductive step. Let $n = k + 1$ . Then by the recursive definitions of $C^{diff} (f, g)$ and $L (f, g)$ , the resulting operations and duplets for f and g as $(k + 1)$ -attribute duplets in $(f ∖_{δ [X, Y]} g)$ are given in Table 21. Therefore, from the results we observe that Theorem 7.3 holds for $n = k + 1$ . By the principal of mathematical induction, the theorem holds for all $n \in N$ , where $n ⩾ 2$ . □

Algorithm 2 summarises the duplet difference operation, whereby the input is a pair of duplets $(f, g)$ , the number of attributes ( $len$ ), and an empty list ( $ruleSet$ ) to hold the result. The output is the list ( $ruleSet$ ), whereby $ruleSet = ⟨ C^{diff} (f, g), L (f, g) ⟩$ .

8. Related work

There is a rich literature of work on managing firewall policy configurations. For example, The goal of [2,3,8,10,23,44] is to provide an administrator with the means to detect/resolve anomalies, and work such as [15,17,34,35] allows for querying a policy configuration with regard to the filtering of specific network traffic. High-level specification languages such as [1,4,12,26,31] allow an administrator to abstractly specify what would otherwise be low-level rules. However, in general, the literature for policy management is focused on the conventional five-tuple firewall rule with a binary target action of $allow$ or $deny$ , and few have considered stateful firewall configurations.

Hari et al. [27] report some of the earliest research on conflict detection and resolution in policies for packet-filters, and model rule relations within a policy in a directed graph. Al-Shaer et al. [2,3] provide definitions for firewall policy anomalies. The authors use a form of Binary Decision Diagram (BDD) to represent a firewall policy, and define relationships between pairwise rules. The Firewall Policy Advisor [2] tool implements algorithms used to identify firewall rule anomalies using set theory. In this paper, we use a subset of the classifications from [2,3] when reasoning about firewall policy anomalies. Cuppens et al. [10] and García-Alfaro et al. [24], present MIRAGE (MIsconfiguRAtion manaGEr), and provide definitions alternative to[2,3] for intra- and inter-firewall policy anomalies. Given a firewall configuration, MIRAGE will automatically detect and remove intra-redundant [10,24] and intra-shadowed [10,24] rules, and generate a semantically-equivalent order-independent set of disjoint rules that are anomaly-free. In contrast to [27], the approach incorporates the automatic re-writing of anomalous rules. Yuan et al. [44] present the FIREMAN (FIREwall Modelling ANalysis) tool. Policy configurations are analysed for inconsistencies that consider intra-shadowing, intra-generalisation, intra-correlation and inter-shadowing anomalies [2,3]. Firewall inefficiency in packet classification and memory consumption is also considered as a result of intra-redundant rules, and ‘verbosities’, whereby a set of rules may be summarized into a smaller number of rules without changing the filtering semantics of the policy. Chomsiri and Pornavalai [8] propose a method of firewall policy analysis using relational algebra. The definitions provided for intra-redundant and intra-shadowed rules are analogous to [10], and upon detection, such rules are removed in order to reduce the size of the policy. The definitions given for intra-generalization and intra-correlation are analogous to [2]. Similar to the notion of verbosities in [44], Chomsiri and Pornavalai propose combining rules that may be ‘summarized’ without changing the filtering semantics of the policy. Buttyán et al. [7] propose a tool based on FIREMAN [44] for managing anomalies in stateful firewall policies. The authors argue that verifying a stateful firewall for inconsistencies can be reduced to the problem of verifying a stateless firewall for inconsistencies. A limitation of the approach is that their model does not distinguish rules with different state information, that is, for example, there is no differentiation between the establishment and termination phase of a given stateful protocol, and as a consequence, they do not consider more complex anomalies that may occur specifically in the stateful case. Cuppens et al. [11] and García-Alfaro et al. [23] propose an algorithmic approach to detect and resolve anomalies in a stateful firewall policy. A connection-oriented protocol is modelled using general automata, whereby the permitted protocol states and transitions are encoded. Intra-redundant and intra-shadowed rules [10] are considered for the stateful firewall policy. Further definitions are proposed, whereby an intra-state anomaly occurs in a stateful firewall policy if there are policy rules that partially match (complete) the paths of the protocol automata. In the case of missing rules, then covering-rules are suggested to the administrator as a means of completing the path of the protocol automata. Their work also considers invalid protocol states, and inter-state anomalies that may occur in a firewall policy that filters packets against both stateful and stateless rules. The work in [11,23] also extends the MIRAGE [24] tool. To consider the types of stateful anomalies from [23] in the proposed model ${FW}_{1}$ , then it would be necessary to apply additional constraints when constructing and composing anomaly-free firewall policies. For example, a policy that specifies a firewall rule that enables the establishment of a TCP connection from host X to host Y, should also include rules that allow for the various other permissible transitions of the TCP protocol.

Firewall query analysis allows an administrator to pose questions of a policy configuration, such as, for example, “does the policy permit SSH traffic from system X to system Y?”. Mayer et al. [35], present Fang (Firewall ANalysis enGine). Based on graph algorithms and a rule-base simulator, Fang parses vendor-specific firewall policy and configuration files, and constructs a model of the network topology and a global firewall policy for the network. Fang interacts with the administrator through a query-and-answer session, and queries are constructed as triples, consisting of source IPs, destination IPs and endpoint services/ports. Eronen and Zitting [15] propose an expert system for query analysis, implemented in constraint programming logic. A query is constructed as a six-tuple, consisting of source and destination IP and port, network protocol, and flags. The flags attribute is for TCP connections, however, only the SYN and ACK flags are considered. Eronen and Zitting argue that in comparison to Fang [35], the expert system is a more natural solution for query analysis. Liu et al. [34] present the Structured Firewall Query Language (SFQL), an SQL-like query language. Liu et al. state that constructing an expert system such as [15] “just for analysing a firewall is overwrought and impractical” [34], however, they do not give their reasoning for this assertion. SFQL queries can be constructed over $allow$ and $deny$ rules for an arbitrary number of filter fields. While query analysis provides an administrator with a means of asking questions of a firewall policy, what can actually be queried is restricted by the collection of filter condition attributes and target actions expressible in the query language. Effective query analysis may be further hampered by the complexity of the query language, or through an administrators inability to construct useful queries. A consequence of the ${FW}_{1}$ algebra proposed in this paper, is that it enables an administrator to perform effective query analysis of a firewall policy configuration. While we do not construct individual high-level queries, we do however demonstrate how policies in the algebra may be tested/queried for compliance with best practice standards and recommendations.

High-level specification languages provide an administrator with the means to reduce the complexity of constructing a firewall policy configuration. Guttman [26] reported some of the earliest research in this area. Bartal et al. [4] present the Firmato toolkit. The proposed specification language allows an administrator to specify the network security policy and the topology for the network in terms of an entity-relationship (ER) model. Subsequently, a policy configuration is synthesised from the ER model. A limitation of the work is that it only applies to packet-filter policy configurations. The High Level Firewall Language (HLFL) [31] translates high-level firewall rules into usable rulesets for iptables, Cisco ACLs, IPFW and others. However, the generated rulesets are order-dependant and may contain anomalies, and the approach does not provide support for incorporating knowledge about a network topology when specifying the high-level rules. Fitzgerald and Foley [17] propose using ontologies to represent knowledge about firewall policy configurations. Policies are specified using Description Logic and SWRL. Semantic Threat Graphs [21] are used to encode catalogues of best practice firewall rules, and an automated synthesis of standards-compliant rules for a policy configuration is considered. However, the administrator must manually construct the rulesets for the catalogues then populate the Semantic Threat Graphs, and this process is error-prone. The proposed model in [17] can also be used for firewall policy query analysis. Adão et al. [1] propose a declarative policy specification language, and present Mignis, a tool that translates high-level access control specifications into low-level policy configurations for Netfilter. An abstract model of the Netfilter firewall is proposed, and definitions for Network Address Translation and stateful filtering are encoded. The synthesised policies consist of order-independent iptables firewall rules. However, the proposed approach is tightly coupled with Netfilter. Brucker et al. [6] present a formal model of both stateless and stateful firewalls, including Network Address Translation. The authors follow a theorem-proving approach to reason about firewall policies, and provide formal and machine-verifiable proof of correctness using the Isabelle theorem prover. Diekmann et al. [14] present a fully verified firewall ruleset analysis framework for iptables, that similar to Brucker et al. [6], also provides proof of correctness using Isabelle. In this paper, we use the Z notation to provide a consistent syntax for systematically presenting the proposed model ${FW}_{1}$ . Mathematical definitions have been syntax- and type-checked, however the proofs in this paper are of the conventional pen-and-paper variety.

We model a firewall policy as an ordered pair of disjoint adjacency-free sets, where the set of policies $Policy$ forms a lattice under ⊑, and each $P \in Policy$ is anomaly-free by construction. In [2,3,10,27,44] an algorithmic approach is taken to detect/resolve anomalies. In contrast, we follow an algebraic approach towards modelling anomalies in a single policy, and across a distributed policy configuration through policy composition. In [45], a firewall policy algebra is proposed. However, the authors note that an anomaly-free composition is not guaranteed as a result of using their algebraic operators. Our work differs, in that policy composition under the ⊓, ⊔ and ⨾ operators defined in this paper all result in anomaly-free policies. In earlier work [22], we developed the algebra ${FW}_{0}$ , and used it to reason over host-based and network access controls in OpenStack. In the ${FW}_{0}$ algebra, we focused on stateless firewall policies that are defined in terms of constraints on individual IPs, ports and protocols. In this paper, the algebra ${FW}_{1}$ is defined over stateful firewall policies constructed in terms of constraints on source/destination IP/port ranges, the TCP, UDP and ICMP protocols, and additional filter condition attributes. We argue that ${FW}_{1}$ gives a more expressive means for reasoning over OpenStack security group and perimeter firewall configurations. In [30], cloud calculus is used to capture the topology of cloud computing systems and the global firewall policy for a given configuration. This paper could extend the work in [30], given that ${FW}_{1}$ may be used in conjunction with cloud calculus to guarantee anomaly-free dynamic firewall policy reconfiguration, whereby the ordering relation ⊑ may give a viable alternative for the given equivalence relation defined over ‘cloud’ terms for the formal verification of firewall policy preservation after a live migration. The proposed algebra ${FW}_{1}$ is used to reason about and compose anomaly-free policies and therefore we do not have to worry about dealing with conflicts that may arise. Anomaly conflicts are dealt with in composition by computing anomaly-free policies, rather than using techniques such as [29] to resolve conflicts in policy decisions.

9. Conclusion

A policy algebra ${FW}_{1}$ is defined in which firewall policies can be specified and reasoned about. At the heart of this algebra is the notion of safe replacement, that is, whether it is secure to replace one firewall policy by another. The set of policies form a lattice under safe replacement and this enables consistent operators for safe composition to be defined. Policies in this lattice are anomaly-free by construction, and thus, composition under glb and lub operators preserves anomaly-freedom. A policy sequential composition operator is also proposed that can be used to interpret firewall policies defined more conventionally as sequences of rules. The algebra can be used to characterize anomalies, such as shadowing and redundancy, that arise from sequential composition. Best practice policy compliance may be defined using ⊑. The algebra ${FW}_{1}$ provides a formal interpretation of the network access controls for a partial mapping to the iptables filter table.

${FW}_{1}$ is a generic algebra and can also be used to model other firewall systems. The results in this paper are described in terms of the algebra ${FW}_{1}$ , for stateful firewall policies that are defined in terms of constraints on source/destination IP/port ranges, the TCP, UDP and ICMP protocols, and additional filter condition attributes.

Footnotes

Acknowledgments

The authors would like to thank the anonymous reviewers for their valuable feedback. This work was supported, in part, by Science Foundation Ireland under grant SFI 10/CE/I1853 and Irish Research Council/Chist-ERA.

The Z notation

A set may be defined in Z using set specification in comprehension. This is of the form ${D ∣ P ∙ E}$ , where D represents declarations, P is a predicate and E an expression. The components of ${D ∣ P ∙ E}$ are the values taken by expression E when the variables introduced by D take all possible values that make the predicate P true. For example, the set of squares of all even natural numbers is defined as ${n : N ∣ (n mod 2) = 0 ∙ n^{2}}$ . When there is only one variable in the declaration and the expression consists of just that variable, then the expression may be dropped if desired. For example, the set of all even numbers may be written as ${n : N ∣ (n mod 2) = 0}$ . Sets may also be defined in display form such as ${1, 2}$ .

In Z, relations and functions are represented as sets of pairs. A (binary) relation R, declared as having type $A \leftrightarrow B$ , is a component of $P (A \times B)$ , where $P X$ is the powerset of X. For $a \in A$ and $b \in B$ , then the pair $(a, b)$ is written as $a \mapsto b$ , and $a \mapsto b \in R$ means that a is related to b under relation R. Functions are treated as special forms of relations. The schema notation is used to structure specifications. A schema such as ${FW}_{1}$ defines a collection of variables (limited to the scope of the schema) and specifies how they are related. The variables can be introduced via schema inclusion, as done, for example, in the definition of sequential composition.

References

Adão,

Bozzato,

Dei Rossi,

Focardi and

F.L.

Luccio, Mignis: A semantic based tool for firewall configuration, in: Computer Security Foundations Symposium (CSF), 2014 IEEE 27th, IEEE, 2014, pp. 351–365. doi:10.1109/CSF.2014.32.

Al-Shaer and

Hamed, Firewall policy advisor for anomaly discovery and rule editing, in: 8th IFIP/IEEE International Symposium on Integrated Network Management, Colorado Springs, USA, March, 2003.

Al-Shaer,

Hamed,

Boutaba and

Hasan, Conflict classification and analysis of distributed firewall policies, IEEE Journal on Selected Areas in Communications 23(10) (2005), 2069–2084.

Bartal,

Mayer,

Nissim and

Wool, Firmato: A novel firewall management toolkit, in: 20th IEEE Symposium on Security and Privacy, Oakland, CA, USA, May, 1999.

Birkhoff, Lattice Theory, 3rd edn, American Mathematical Society Colloquium Publications, Vol. XXV, American Mathematical Society, 1967.

A.D.

Brucker,

Brügger and

Wolff, Formal firewall conformance testing: An application of test and proof techniques, Softw. Test. Verif. Reliab. 25(1) (2015), 34–71. doi:10.1002/stvr.1544.

Buttyán,

Pék and

T.V.

Thong, Consistency verification of stateful firewalls is not harder than the stateless case, Infocommunications Journal 64(1) (2009), 2–8.

Chomsiri and

Pornavalai, Firewall rules analysis, in: International Conference on Security and Management (SAM), Las Vegas, Nevada, USA, June, 2006.

Cotton and

Vegoda, Special use IPv4 addresses, RFC 5735, January 2010.

10.

Cuppens,

Cuppens-Boulahia and

García-Alfaro, Detection and removal of firewall misconfiguration, in: IASTED International Conference on Communication, Network and Information Security (CNIS), November, 2005.

11.

Cuppens,

Cuppens-Boulahia,

García-Alfaro,

Moataz and

Rimasson, Handling stateful firewall anomalies, in: Information Security and Privacy Research – 27th IFIP TC 11 Information Security and Privacy Conference, SEC 2012, Heraklion, Crete, Greece, June 4–6, Proceedings, 2012, pp. 174–186.

12.

Cuppens,

Cuppens-Boulahia,

Sans and

Miège, A formal approach to specify and deploy a network security policy, in: 2nd Workshop on Formal Aspects in Security and Trust (FAST), August, 2004.

13.

D.E.

Denning, A lattice model of secure information flow, Commun. ACM 19(5) (1976), 236–243. doi:10.1145/360051.360056.

14.

Diekmann,

Michaelis,

M.P.L.

Haslbeck and

Carle, Verified iptables firewall analysis, in: 2016 IFIP Networking Conference, Networking 2016 and Workshops, Vienna, Austria, May 17–19, IEEE, 2016, pp. 252–260. doi:10.1109/IFIPNetworking.2016.7497196.

15.

Eronen and

Zitting, An expert system for analyzing firewall rules, in: 6th Nordic Workshop on Secure IT Systems (NordSec), Copenhagen, Denmark, November, 2001, pp. 100–107.

16.

Fabrice, iptables extensions – time module, http://ipset.netfilter.org/iptables-extensions.man.html (accessed February 2017).

17.

W.M.

Fitzgerald and

S.N.

Foley, Management of heterogeneous security access control configuration using an ontology engineering approach, in: 3rd ACM Workshop on Assurable and Usable Security Configuration, SafeConfig 2010, Chicago, IL, USA, October 4, 2010, pp. 27–36.

18.

W.M.

Fitzgerald,

Neville and

S.N.

Foley, MASON: Mobile autonomic security for network access controls, Journal of Information Security and Applications (JISA) 18(1) (2013), 14–29. doi:10.1016/j.jisa.2013.08.001.

19.

S.N.

Foley, Reasoning about confidentiality requirements, in: Seventh IEEE Computer Security Foundations Workshop – CSFW ’94, Franconia, New Hampshire, USA, June 14–16, Proceedings, 1994, pp. 150–160. doi:10.1109/CSFW.1994.315939.

20.

S.N.

Foley, The specification and implementation of commercial security requirements including dynamic segregation of duties, in: ACM Conference on Computer and Communications Security, 1997, pp. 125–134.

21.

S.N.

Foley and

W.M.

Fitzgerald, An approach to security policy configuration using semantic threat graphs, in: 23rd Annual IFIP WG 11.3 Working Conference on Data and Applications Security (DBSec), LNCS, Springer, 2009, pp. 33–48.

22.

S.N.

Foley and

Neville, A firewall algebra for openstack, in: 2015 IEEE Conference on Communications and Network Security, CNS 2015, Florence, Italy, September 28–30, 2015, pp. 541–549. doi:10.1109/CNS.2015.7346867.

23.

García-Alfaro,

Cuppens,

Cuppens-Boulahia,

Martínez Perez and

Cabot, Management of stateful firewall misconfiguration, Computers & Security 39 (2013), 64–85. doi:10.1016/j.cose.2013.01.004.

24.

García-Alfaro,

Cuppens,

Cuppens-Boulahia and

Preda, MIRAGE: A management tool for the analysis and deployment of network security policies, in: Data Privacy Management and Autonomous Spontaneous Security – 5th International Workshop, DPM 2010 and 3rd International Workshop, SETOP 2010, Athens, Greece, September 23, Revised Selected Papers, 2010, pp. 203–215.

25.

Gheorghe, Designing and Implementing Linux Firewalls with QoS Using Netfilter, iproute2, NAT and l7-Filter, PACKT Publishing, 2006.

26.

J.D.

Guttman, Filtering postures: Local enforcement for global policies, in: IEEE Symposium on Security and Privacy, May, 1997, pp. 120–129.

27.

Hari,

Suri and

Parulkar, Detecting and resolving packet filter conflicts, in: 19th Annual Joint Conference of the IEEE Computer and Communications Societies, INFOCOM, Vol. 3, 2000, pp. 1203–1212.

28.

J.L.

Jacob, The varieties of refinement, in: Proceedings of the 4th Refinement Workshop,

J.M.

Morris and

R.C.

Shaw, eds, Springer, Heidelberg, 1991, pp. 441–455. doi:10.1007/978-1-4471-3756-6_19.

29.

Jajodia,

Samarati,

M.L.

Sapino and

V.S.

Subrahmanian, Flexible support for multiple access control policies, ACM Trans. Database Syst. 26(2) (2001), 214–260. doi:10.1145/383891.383894.

30.

Jarraya,

Eghtesadi,

Debbabi,

Zhang and

Pourzandi, Cloud calculus: Security verification in elastic cloud computing platform, in: International Conference on Collaboration Technologies and Systems (CTS), IEEE, 2012, pp. 447–454. doi:10.1109/CTS.2012.6261089.

31.

Launay, High level firewall language, 2003, https://www.cusae.com/hlfl/ (accessed August 2016).

32.

Levandoski

et al., iptables L7-filter pattern writing, 2008, http://l7-filter.sourceforge.net/Pattern-HOWTO (accessed February 2017).

33.

Levandoski

et al., iptables L7-filter supported protocols, 2008, http://l7-filter.sourceforge.net/protocols (accessed February 2017).

34.

Liu,

Gouda,

Ma and

Hgu, Firewall queries, in: 8th International Conference on Principles of Distributed Systems (OPODIS), Grenoble, France, December, 2004, pp. 197–212.

35.

Mayer,

Wool and

Ziskind, Fang: A firewall analysis engine, in: 21st IEEE Symposium on Security and Privacy, Oakland, CA, USA, May, 2000.

36.

Nebehaj, Python-iptables – Python bindings for iptables, https://pypi.python.org/pypi/python-iptables (accessed August 2016).

37.

Netfilter Core Team, Linux iptables – CLI for configuring the Linux kernel firewall, Netfilter, http://www.netfilter.org/projects/iptables/index.html (accessed February 2017).

38.

Neville and

S.N.

Foley, Reasoning about firewall policies through refinement and composition, in: Data and Applications Security and Privacy XXX – 30th Annual IFIP WG 11.3 Conference, DBSec 2016, Trento, Italy, July 18–20, Proceedings, 2016, pp. 268–284.

39.

Ocean, Pyinter – a small and simple library written in Python for performing interval and discontinous range arithmetic, 2015, https://pypi.python.org/pypi/pyinter/ (accessed August 2016).

40.

Postel,

Johnson,

Markson,

Simpson and

Su, Internet control message protocol (ICMP) parameters, 2013, https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml (accessed February 2017).

41.

Scarfone and

Hoffman, Guidelines on firewalls and firewall policy: Recommendations of the National Institute of Standards and Technology, NIST Special Publication 800-41, Revision 1, September 2009.

42.

J.M.

Spivey, The Z Notation: A Reference Manual, 2nd edn, Series in Computer Science, Prentice Hall International, 1992.

43.

Wool, Trends in firewall configuration errors: Measuring the holes in Swiss cheese, IEEE Internet Computing 14(4) (2010), 58–65. doi:10.1109/MIC.2010.29.

44.

Yuan,

Chen,

Mai,

Chuah,

Su and

Mohapatra, Fireman: A toolkit for firewall modeling and analysis, in: 2006 IEEE Symposium on Security and Privacy, IEEE, 2006, 15 pp. doi:10.1109/SP.2006.16.

45.

Zhao and

S.M.

Bellovin, Policy algebras for hybrid firewalls, Number CUCS-017-07, March 2007.

Reasoning about firewall policies through refinement and composition

Abstract

Keywords

1. Introduction

2.2. Network layer filtering

2.3. Transport layer filtering

2.4. Application layer filtering

2.5. Additional filtering specifications

3. A theory of adjacency

6.1. Detecting anomalies in firewall policies

6.2. Standards compliance

7. Encoding and evaluating iptables policies

Table 3 Partial TCP FlagSpec lookup table Index Mask Comp 1 ‘000000’ ‘000000’ 2 ‘000000’ ‘000001’ . . . . . . 8 ‘000000’ ‘000111’ . . . . . . 4096 ‘111111’ ‘111111’

Table 4 Sequential composition with no adjacent rules (in seconds) Num rules Time Ratio 2 4 0.07 – 2 5 0.13 1.85 2 6 0.29 2.23 2 7 0.67 2.31 2 8 1.73 2.58 2 9 4.98 2.87 2 10 16.09 3.23 2 11 57.81 3.59

Table 8 Center function for two-attribute duplets

9. Conclusion

Footnotes

Acknowledgments

The Z notation

References

Table 3
Partial TCP $FlagSpec$ lookup table

Index Mask Comp

1 ‘000000’ ‘000000’

2 ‘000000’ ‘000001’

$. .$ $. .$ $. .$

8 ‘000000’ ‘000111’

$. .$ $. .$ $. .$

4096 ‘111111’ ‘111111’

Table 4
Sequential composition with no adjacent rules (in seconds)

Num rules Time Ratio

$2^{4}$ 0.07 –

$2^{5}$ 0.13 1.85

$2^{6}$ 0.29 2.23

$2^{7}$ 0.67 2.31

$2^{8}$ 1.73 2.58

$2^{9}$ 4.98 2.87

$2^{10}$ 16.09 3.23

$2^{11}$ 57.81 3.59

Table 8
$Center$ function for two-attribute duplets