Content uploaded by Neerja Mhaskar
Author content
All content in this area was uploaded by Neerja Mhaskar on Mar 09, 2021
Content may be subject to copyright.
1
A Formal Approach to Network Segmentation
Neerja Mhaskar∗‡, Mohammed Alabbad∗†, Ridha Khedri∗
∗Dept. of Computing and Software
McMaster University, Hamilton, Ontario, Canada
†Communications and Information Technology Research Institute
King Abdulaziz City for Science and Technology (KACST), Riyadh, 11442, Saudi Arabia
‡Corresponding Author: pophlin@mcmaster.ca
Abstract—Network segmentation or compartmentalization,
and layered protection are two strategies that are critical in
building a secure network. In the literature, layered protection
has been formalized and termed as the Defense in Depth (DD)
strategy. However, network segmentation has been described
vaguely, and without any formal approach, thus making the
secure design of large networks unwieldy. In this paper, we
formally define network segmentation using a formalism based
on product family algebra and guarded commands. Then we
propose two algorithms that take a set of resources and their
access control policies as input and output a robust network
topology and the policies of its firewalls. The firewall policies are
computed based on the network segmentation formalism and are
strategically placed in the network to achieve DD. Further, we
use the proposed algorithms to build Software Defined Networks
(SDN) and discuss its use in dynamic networks and Internet of
Things.
Index Terms—computer network security, network architec-
ture, network segmentation, layered protection, defence in depth,
product family algebra, guarded commands, Software Defined
Networks.
I. INTRODUCTION
Firewalls control traffic and separate networks with different
security requirements. They are used by organizations to
protect their network resources from unauthorized access.
They inspect network traffic (packets) and perform actions
on it based on the rules, and the actions specified therein
in the policies [7], [46]. An organization could have up to
hundreds of firewalls scattered around its network [46], and
therefore the placement of firewalls and their policies play
a key role in their effectiveness. In practice network admin-
istrators decide the placement and configuration of firewalls
based on network security design principles and best practices.
However, this approach is prone to error, especially for large
networks. Therefore, a formal approach is needed to achieve
and guarantee a secure network design.
Two strategies are followed in network design: layered
protection [48], and compartmentalization [49] or segmenta-
tion [33]. The principle of layered protection [48] states that
the security of a network should not rely on one single access
control point but multiple layers complementing each other
to provide maximum security. This strategy is formalized by
the Defense in Depth (DD) strategy formally defined in [28]
and discussed in [28], [31], [53], [45]. Therefore a guaranteed
robust strategy exists to achieve DD in a network from an
access control perspective.
Network segmentation states that resources of different
security levels and requirements should be placed in different
zones protected by firewalls implementing appropriate poli-
cies. Network segmentation is vital in the design of net-
works as it implements the separation of concerns principle
by putting resources with “similar” policies under the same
firewall. The concept of segmentation has so far been discussed
in an intuitive way [55]. For instance, the criteria used for
segmenting resources in a network are articulated vaguely, as
we find in [48] wordings such as “Information Technology
(IT) system resources of different sensitivity levels (i.e., dif-
ferent risk tolerance values and threat susceptibility) should be
located in different security zones.” Similar wording can be
found in [14]. While these intuitive criteria for segmentation
can be used to design smaller networks, their use for designing
a large network is impractical.
It is now a standard policy in network design to create a
special subnetwork called Demilitarized Zone (DMZ) between
the outer network and the internal network [7], [46], [47].
DMZ usually houses public facing services and systems with
similar access control requirements, thereby protecting internal
networks from outside access. It is clear that DMZ is a man-
ifestation of the strategies of DD and network segmentation.
The rest of the network ought to be segmented in a similar
systematic way. In this paper, we explore how to systematically
segment a network to enhance its security using a formal
approach.
A. Related Work and Motivation
It is evident that network segmentation mitigates security
risks [16], [38]. However, many network segmentation archi-
tectures exist even for a small network and these possibilities
grow exponentially with the increase in the number of re-
sources in the network. Due to the lack of a formal approach
to segment resources to achieve the best network segmentation,
this task is left to the discretion of the network administrators.
Furthermore, research results that address this problem are
very limited with only a handful of papers by Wagner et al.
[56], [54], [55].
In [56] Wagner et al. develop a Markov chain model to
evaluate a given network segmentation architecture which they
claim to be cost effective. The advantage of this approach is
that security practitioners can use this model to examine mul-
tiple candidate architectures and then select the most effective
2
one. However, this solution only evaluates already designed
segmentation architectures and does not build them. Further,
in [55] they present a semi-automated approach to segment
resources based on risk evaluation that uses heuristics to reach
the near best or in some cases the best segmentation. However,
the high cost of this solution makes it impractical for wide-
scale use. Finally, in [54] they present network segmentation
architectures optimized for multiple objectives. Their solution
is fully automated and considers the problem of optimizing
multiple objectives of security, cost, and mission performance.
In contrast, our solution optimizes security in a network,
is fully automated and generates one of the best possible
segmentations. Furthermore, our solution can be easily scaled
to build enormous networks and is also applicable to Software
Defined Networks (SDN) Architectures and Internet of Things
(IoT) (see Section VII).
Other solutions exist that aim to secure existing networks.
For example, [1] proposes an algorithm to determine and
distribute packet filtering functionality to nodes within a given
network. The filtering functions are derived from given secu-
rity goals for a given network. The work in [1] is motivated
by defining the behavioural security specification in a network.
Further, in [44] the authors propose an automated framework
for generating network security configurations and physical
placements of security devices. Given a network topology, its
security requirements and its business constraints as inputs,
the framework formulates the security design synthesis prob-
lem and solves it using the Satisfiability Modulo Theories
(SMT) [10]. This framework also supports placing security
devices in an existing network. In contrast to [1], [44], we
focus on building a network topology that achieves security
strengths by design. The approach presented in [1], [44] can
be used on the network topology built from our approach
to further enhance network security by ensuring that security
goals/constraints are met.
To summarize, although many approaches and formalisms
exist to build a secure network and harden security in existing
networks, a formal approach to achieve network segmentation
does not exist. Therefore, the notion of ‘similarity’ or ‘different
sensitivity levels’ while grouping resources has not been
precisely articulated, resulting in the inability to automate the
derivation of the best solution for a network segmentation and
prove its correctness. Motivated by these issues, in our paper
we present a formal approach to network segmentation, and
later use it to build a robust secure network which provides
maximum access-protection to its resources.
The outline of the paper is as follows. In Section II, we
provide an illustrative example. In Sections III, we give the
mathematical background of the formalism used. In Sec-
tion IV, we summarize the Strict Defense in Depth (SDD)
strategy and present theoretical results needed for the rest of
the paper. In Section V, we formally define segmentation. In
Section VI, we present two algorithms to build a guaranteed
robust network; the Exponential Robust Network and Seg-
mentation Algorithm (Exp-RNS) and the Robust Network and
Segmentation Algorithm (RNS). In Section VII, we discuss
the use of the RNS algorithm in an SDN architecture. In
Section VIII, we discuss few other applications of the RNS
algorithm. In Section IX, we discuss the use of the RNS
algorithm in different scenarios. Finally, in Section X, we
conclude and discuss avenues for future work.
II. IL LU ST RATI VE E XA MP LE
In this section, we present an example for which manual im-
plementation of the network segmentation principle is straight-
forward. The example is used for illustration throughout the
paper due to its simplicity in presenting the concepts intro-
duced. Consider an organization with different departments, in
which resources are connected in a network. We consider the
following small subset of resources: a Web server, an Email
server, two workstations belonging to the Engineering depart-
ment (i.e., Engineering1 and Engineering2), two workstations
and a database belonging to the Finance department (i.e.,
Finance1,Finance2, and Finance DB), and an internal File
server available to all departments. A topology of a network
for the organization is shown in Figure 1.
The above resources have different security requirements
governing their access. All of them allow an established or
a related connection and drop every invalid packet. The Web
server and Email server allow every HTTP (TCP port 80)
and SMTP (TCP port 25) connection from any source, any
access from all internal resources, and drop everything else.
The File server rejects access requests made by the Web server
and Email server, allows all internal resources, and drops
every other access request. The resources belonging to the
Engineering and Finance departments have stricter policies,
which allow access only by users and resources within their
respective department, reject all requests made by any other
internal resource, and drops every other access request. These
security requirements are translated into policies in the lan-
guage of iptables∗and are given in Figures 2, 3, 4, and 5.
Throughout the paper, we use this setup to demonstrate the
concepts discussed or introduced.
Observe that the policies in Figures 2, 3, 4, and 5 have three
actions: ACCEPT,REJECT, and DROP. Although firewalls
typically perform two actions; one to let the network traffic
pass and the other to block it, some firewalls perform more
actions. For example, in iptables we find the following four
actions: ACCEPT,LOG,REJECT, and DROP. The action
ACCEPT allows the packet to pass, while REJECT and DROP
both block the packet. In addition to blocking the packet,
REJECT also sends an error message to the requester, thereby
acknowledging the receipt of the packet. Finally, the action
LOG simply records the request in the syslog files.
We now consider three network structures to protect the
above listed resources. The first network structure, shown in
Figure 1, has an outer firewall protecting all the resources.
Observe that the outer firewall Fw1 does not provide sufficient
protection to the engineering and finance resources, as it must
have a policy to enable access to Web server and Email
server, which in turn allows access requests coming from the
Internet. As a result, the segmentation of resources in Figure 1
leaves the resources with stricter access policy vulnerable (for
∗iptables is a command line utility program for configuring Linux kernel
firewall
3
Internet
Web Server
192.168.4.1
Email Server
192.168.4.2
File Server
192.168.3.1
Engineering1
192.168.2.1
Finance2
192.168.1.2
Finance DB
192.168.1.3
Engineering2
192.168.2.2
Finance1
192.168.1.1
Fw 1
(a) A topological representation of network (1)
Fw 1
Web Email File Eng 1Fin 1 Fin 2 Fin DB Eng 2
(b) A graph representation of network (1)
Fig. 1: Network Structure (1)
1−A INPUT −m s t a t e −−s t a t e RELATED, ESTABLISHED −j ACCEPT
2−A INPUT −m s t a t e −−s t a t e INVALID −j DROP
3−A INPUT −p t c p −m s t a t e −− s t a t e NEW −m tc p −−dp o r t 8 0 −j
ACCEPT
4−A INPUT −p t c p −m s t a t e −−s t a t e NEW −m t c p −−d p o r t 25 −j
ACCEPT
5−A INPUT −s 192.168.1.0/24 −j ACCEPT
6−A INPUT −s 192.168.2.0/24 −j ACCEPT
7−A INPUT −s 192.168.3.0/24 −j ACCEPT
8−A INPUT −s 192.168.4.0/24 −j ACCEPT
9−A INPUT −j DROP
Fig. 2: Web server and Email server policy
1−A INPUT −m s t a t e −−s t a t e RELATED, ESTABLISHED −j ACCEPT
2−A INPUT −m s t a t e −−s t a t e INVALID −j DROP
3−A INPUT −s 192.168.1.0/24 −j ACCEPT
4−A INPUT −s 192.168.2.0/24 −j ACCEPT
5−A INPUT −s 192.168.3.0/24 −j ACCEPT
6−A INPUT −s 192.168.4.0/24 −j RE JECT
7−A INPUT −j DROP
Fig. 3: File server policy
1−A INPUT −m s t a t e −−s t a t e RELATED, ESTABLISHED −j ACCEPT
2−A INPUT −m s t a t e −−s t a t e INVALID −j DROP
3−A INPUT −s 192.168.1.0/24 −j RE JECT
4−A INPUT −s 192.168.2.0/24 −j ACCEPT
5−A INPUT −s 192.168.3.0/24 −j RE JECT
6−A INPUT −s 192.168.4.0/24 −j RE JECT
7−A INPUT −j DROP
Fig. 4: Engineering workstations policy
example Engineering1 and Engineering2). Moreover, there is
no protection from any internal attacks. Therefore, there is
a need for a better network structure, in which resources
1−A INPUT −m s t a t e −−s t a t e RELATED, ESTABLISHED −j ACCEPT
2−A INPUT −m s t a t e −−s t a t e INVALID −j DROP
3−A INPUT −s 192.168.1.0/24 −j ACCEPT
4−A INPUT −s 192.168.2.0/24 −j RE JECT
5−A INPUT −s 192.168.3.0/24 −j RE JECT
6−A INPUT −s 192.168.4.0/24 −j RE JECT
7−A INPUT −j DROP
Fig. 5: Finance workstations and database policy
are segmented to achieve better protection from external and
internal unauthorized access. The main concern is whether we
can detect the weakness of this solution through a simple
formal process. Furthermore, in this case we have a simple
example for illustration, however is it possible to detect the
weaknesses of a large network?
Internet
Fw 3
Web Server
192.168.4.1
Email Server
192.168.4.2
File Server
192.168.3.1
Engineering1
192.168.2.1
Finance1
192.168.1.1
Finance DB
192.168.1.3
Fw 2
Finance2
192.168.1.2
Fw 1
Engineering2
192.168.2.2
(a) A topological representation of network (2)
Fw 1
Web EmailFile Eng 1Fin 1 Fin 2 Fin DB Eng 2
Fw 2 Fw 3
(b) A graph representation of network (2)
Fig. 6: Layered Network Structure (2)
As discussed above, while building a network it is important
to adhere to segmentation and DD strategies. The second
network structure shown in Figure 6 attempts to implement
both strategies. However, observe that in this network the outer
firewall Fw1 and the internal firewall Fw3 would necessarily
have the same policy; both of these firewalls allow traffic
from the Internet. As a result, traffic from the Internet will
not be blocked by Fw1 or Fw3, making the engineering
workstations vulnerable. An attacker from outside can easily
gain access to the same subnetwork where the engineering
workstations reside. Therefore, although the structure seems
to implement segmentation and DD strategies, it does not
provide the best protection/segmentation of resources. Simply
4
adding extra layers of firewalls does not always guarantee
extra protection without proper policy and proper placement of
resources and firewalls. More importantly, we are concerned
with the ability to reach these conclusions for large networks,
something not readily possible via only general guidelines.
Internet
Web Server
192.168.4.1
Email Server
192.168.4.2
File Server
192.168.3.1
Engineering1
192.168.2.1
Finance1
192.168.1.1
Finance DB
192.168.1.3
Engineering2
192.168.2.2
Finance2
192.168.1.2
Fw 1 Fw 2 Fw 3
Fw 4
Fw 5
(a) A topological representation of network (3)
Fw 1
WebFw 2 Email
File Fw 3
Fw 4 Fw 5
Eng 1Fin 1 Fin 2 Fin DB Eng 2
(b) A graph representation of network (3)
Fig. 7: Robust Network Structure (3)
Finally, the third network structure shown in Figure 7
shows the ideal network architecture, which correctly follows
the guidelines and best practices for network design [42].
Following such guidelines might be easy and achievable for
a small size network such as this example. However, for a
large network with a huge number of resources, it is almost
impossible using only human judgment, motivating a formal
approach. We will show later that we can obtain it through
calculations.
III. MATHEMATICAL BACKGROU ND
To formalize network segmentation we use the theory of
Product Family Algebra (PFA) which treats policies as a
family of related products (in this case sets of policies), and
the theory of Guarded Commands which deals with rules of
policies and their conditions and actions. We then use it and
the DD strategy [28] to build a robust secure network. Below
we briefly describe these formalisms and their usage in our
context.
A. Guarded Commands
We use a variant of Dijkstra’s guarded command introduced
in [22] and used in [28], [36] to model policies. A command
is a transition relation from starting states to their successor
states, and a set of states that do not lead to failure, and for-
mally defined as follows: for a set Σof states, a command over
Σis a pair (R, P ), where R⊆Σ×Σis a transition relation,
and Pis a subset of Σthat is intended to characterize those
states from which the command cannot lead to abortion/failure.
The command abort is a command that offers no transition
and does not guarantee the absence of abortion/failure for any
state, and is defined as: abort def
= (∅,∅).
For a command (R, P )and a set of states Q⊆Σ, the
guarded command Q−→ (R, P )(where Qis called the
guard) is defined as Q−→ (R, P )def
= (Q↓R, Q ∪P),
where Q↓Ris the restriction of Rto Qdefined as Q↓Rdef
=
R∩(Q×Σ) and Qis the complement of Q w.r.t. Σ. For the
set of states from which the guarded command does not lead
to abortion, we augment the set Pby the complement of Q;
that is, by Q. The reason is that outside of the set of states
Q(i.e., Q) the command cannot be executed and therefore
there is no possibility of abortion or failure. For a relation
R⊆A×B, the domain of Rthat is denoted by dom(R)is
{x|x∈A∧(∃y|y∈B·(x, y)∈R)}.
Let Σ = S×P×St ×Dport ×A, where Sis the set of
all possible source IP numbers, Pis the set of all possible
protocols, St is the set of connection states, Dport is the set
of destination ports, and Ais the set of actions, respectively.
The sets S, P, St,Dport,and Aare called the state attributes.
We denote by Lthe universal relation on this space.
In this setting, the rule on Line 1 of the policy shown in Fig-
ure 2 can be written as follows: C1= [Q−→ (R, P )],where
Q⊆Σis the the following guard:
{(s, p, st, dport, a)|st ∈ {RELATED,ESTABLISHED}},
and Qis:
{(s, p, st, dport, a)|st /∈ {RELATED,ESTABLISHED}}.
The relation Rcan be defined in this case as
R={((s, p, st, dport, a),(s0, p0, st0, dport0, a0)) |
a0=ACCEPT}.
Since the domain of the relation Ris Σwith no restrictions,
we cannot guarantee the absence of abortion for any state.
Therefore, P=∅. After restricting Rto Qwe have:
Q↓R={((s, p, st, dport, a),(s0, p0, st0, dport0, a0)) |
(st ∈ {RELATED,ESTABLISHED})∧a0=ACCEPT}.
and C1= [Q−→ (R, P )] = [Q↓R, Q].
We treat the other rules of the policy analogously.
The policy in Figure 2 can also be represented as a set of
rules or a single rule obtained by combining the relations of
the rules as follows:
5
Rweb ={((s, p, st, dport, a),(s0, p0, st0, dport0, a0)) |
(st ∈ {RELATED,ESTABLISHED})∧a0=ACCEPT
∨(st /∈ {RELATED,ESTABLISHED,NEW} ∧ a0=DROP)
∨(p=TCP ∧st =NEW ∧dport ∈ {80,25} ∧ a0=ACCEPT)
∨(s∈ {192.168.1.0/24,192.168.2.0/24,192.168.3.0/24,192.168.4.0/24}
∧a0=ACCEPT)
∨(s /∈ {192.168.1.0/24,192.168.2.0/24,192.168.3.0/24,192.168.4.0/24}
∧p6=TCP ∧st =NEW ∧a0=DROP)
∨(s /∈ {192.168.1.0/24,192.168.2.0/24,192.168.3.0/24,192.168.4.0/24}
∧p=TCP ∧st =NEW ∧dport /∈ {80,25} ∧ a0=DROP)}
Relations can be represented in many ways. However, we
are particularly interested in representing relations as tabular
expressions [24], [26], [40], as they simplify the computation
of policies (see Appendix-D).
We say that command (R, P )refines command (S, Q)and
we write (R, P )v(S, Q)def
⇔Q⊆P∧Q↓R⊆S.
If we take the command C1= [Q↓R, Q]presented above,
we can easily verify that it is refined by C2= [P, Q], where
P={((s, p, st, dport, a),(s0, p0, st0, dport0, a0)) |
(st ∈ {RELATED,ESTABLISHED})
∧dport0= 25 ∧a0=ACCEPT}.
The command C2is more restrictive than C1as it requires a
specific port while C1does not. In term of policies, a policy
refines another if it is more restrictive in its rules or it is more
deterministic.
Based on [12], a relation Qrefines a relation Rwritten as
QvRiff (Q∩(dom(R)×Σ) ⊆R)∧(dom(R)⊆dom(Q)).
Therefore, C1given above is refined by C2. This is clear from
the example given for the demonic join. The demonic join
R1tR2is refined by both R1and R2.
The greatest lower bound of commands (R, P )and (S, Q)
w.r.t. vis the demonic meet which is defined as
(R, P )u(S, Q) = (R∩S)∪(P↓S)∪(Q↓R), P ∪Q
The demonic meet for the commands (R, dom(R)) and
(S, dom(S)) is defined iff dom(R∩S) = dom(R)∩
dom(S). In other terms, the demonic meet of the commands
(R, dom(R)) and (S, dom(S)) is defined iff Rand Sagree
on the action to be carried on their common domain. This
property is called integrability in [19]. The least upper bound
of commands (R, P )and (S, Q)w.r.t. vis the demonic join
which is defined in [12] as (R, P )t(S, Q) =
(R∪S)∩(dom(R)×Σ) ∩(dom(S)×Σ), P ∩Q
The demonic join coincides with what we call later the
Greatest Common Divisor (GCD). Let R1and R2be the
relations representing policies P1and P2respectively:
R1={((s, p, st, dport, a),(s0, p0, st0, dport0, a0)) |
(s= 192.168.1.0/24 ∧a0=ACCEPT)
∨(s= 192.168.2.0/24 ∧a0=REJECT)
∨(s= 192.168.3.0/24 ∧a0=ACCEPT)
R2={((s, p, st, dport, a),(s0, p0, st0, dport0, a0)) |
(s= 192.168.1.0/24 ∧a0=ACCEPT)
∨(s= 192.168.2.0/24 ∧a0=ACCEPT)
∨(s= 192.168.4.0/24 ∧a0=ACCEPT)
Then, the demonic join of R1and R2,R1tR2=
{((s, p, st, dport, a),(s0, p0, st0, dport0, a0)) |
(s= 192.168.1.0/24 ∧a0=ACCEPT)
∨(s= 192.168.2.0/24 ∧
(a0=ACCEPT ∨a0=REJECT))
For further information on guarded commands, we refer the
reader to [22], [36].
B. Product Family Algebra
One way to handle large networks is by abstracting sub-
networks into one node that has a family of policies and not
one policy as we would do for a single resource. Consider a
room including a large number of computers that have very
similar access control policies. We can abstract this room into
one node in the global network that has a family of policies.
Moreover, we can have our global network distributed in many
buildings. In designing the subnetwork for a building, we
consider the other resources located at other buildings as nodes
each with a family of policies. Furthermore, in real world
networks, a security policy governing an access control point
consists of rules, possibly coming from different stakeholders
(for example management, security officers, or users). Clearly,
the policies derived from the perspectives of the stakeholders,
share common rules and differ on others. Therefore, we can
think of these policies as families of policies. Hence, we need
to adopt a family approach to manage similar cases illustrated
above. For this purpose, we adopt PFA as the formalism that
links the access control policies to the network.
PFA [19], [20], [21] is a commutative idempotent semiring
(S, +,·,0,1), where Sis a set of product families. The binary
operators +and ·are interpreted as the alternative choice be-
tween two product families and the mandatory composition of
two product families, respectively. The constant 0corresponds
to an empty product family, and the constant 1corresponds to
a product family consisting of only a pseudo-product with no
features; that is, no access control rules. A product is a family
that is indivisible with regards to +operator. A feature is a
product that is indivisible with regards to ·operator. For the
mathematical properties of products and features, we refer the
reader to [20].
We have the divisibility relation among families (a|
b)⇐⇒ (∃c|·b=a.c )†, which allows us to find
divisors of families. And therefore, find the GCD, which is the
common divisor that is divided by all other common divisors.
Hence, the following property holds: gcd(a, b) = dsuch that
the following condition is satisfied, [(d|a)∧(d|b)∧
((∀c|·(c|a)∧(c|b) ) =⇒(c|d))]. Finding
the commonalities of two families is formalized by finding
the GCD. For two families aand bwe say they are coprime
family if gcd(a, b)=1. For any family a,gcd(1, a) = 1, and
gcd(a, 0) = a, as we have a·0 = aand therefore a|0.
†In this paper, we adopt the notation used by Gries and Schneider in [17]
for quantifiers. The general form of the notation is ?(x|R:P)where ?is the
quantifier, xis the dummy or quantified variable, Ris predicate representing
the range, and Pis an expression representing the body of the quantification.
An example of the notation is (+ i|1≤i≤3·i2)=12+ 22+ 32.
6
In the context of access control policies, an atomic rule is
a feature (and hence indivisible) and is modelled as a guarded
command. A policy is a set of rules or a single rule obtained
by combining various rules.
1) Firewall Policies as Product Families: Let IP be a set
of policies. Then, an element of P(IP) is a family of policies.
In [28] the commutative idempotent structure Fis presented
as a model for PFA as follows: F= (P(IP),⊕,,0F,1F)
is a product family algebra, where for every A, B ∈P(IP),
we have
1) A⊕Bdef
=A∪B
2) ABdef
={auIP b|a∈A∧b∈B}
3) 0F
def
=∅
4) 1F
def
={ {abort} }
where ⊕is the union of the family of policies and represents
the choice of families, and is an extended notion of the
demonic meet presented previously on the policies of the
families and it represents the integration of families. The
family 0Fis the annihilator element, and 1Fis the neutral
element for the operator.
The families 0Fand 1Fare two pseudo families of policies.
The family 0Fis the empty set of policies. The singleton
family 1Fincludes only one policy that is modelled with
the command abort. This policy does not transform the state
space and does not have any actions to carry. Moreover, its
integration with another policy Ppreserves P(i.e., neutral
for policy integration as PuIP abort =P). For instance, if
we have a “policy” that has no rules, we can model it with
the pseudo command abort. The family that includes only one
“policy” with no rules can be modelled with 1F. Hence, when
a resource has no restrictions and open to all users, we indicate
that it is protected with the family of access policies 1F.
On a product family, Fdenotes the natural order that
comes with the semiring structure for F. It is defined as aF
bdef
⇔a⊕b=b. Then the notion of family refinement of the
elements of Fis defined as follows:
avFbdef
⇔(∃c|·aFbc).
The GCD defined under PFA is equivalent to the demonic
join of the families of policies and can be restated as follows:
(∀A, B |A, B ∈P(IP) ·gcd(A, B)def
={atIP b|a∈
A∧b∈B}), where tIP is the extension of tto accommodate
families of policies, introduced in the definition of demonic
join in Section III-A.
C. Defense in Depth
A network with an outer access control point r; that is,
a firewall, can be represented as a directed acyclic graph.
The leaves represent the resources and the internal vertices
represent firewalls. Figure 8 shows the graph model of a
network that has a root r, internal access points v1to v5, and
leafs v6to v10. The edges represent traffic links. For example
in Figure 8, the edge (v2, v3)indicates the connection from
v2to v3.
Let Gdef
= (V, E , r)be a rooted connected directed acyclic
graph that represents a resource network. The set Vdenotes
the set of vertices or access control points that enforce access
We execute policy p(v1) r
v2
v3
v4
v5
v1
vv v v v
6789 10
The leafs represent resources that also can enforce local policies
Fig. 8: A Network as a rooted connected directed acyclic graph
(figure borrowed from [28])
policies (i.e., firewalls and resources). The set Eis a set of
ordered pairs of vertices that represent the link between access
control points. The vertex ris the root of the graph and
it represents the access point between the network and the
external world.
To guarantee the absence of conflicts in the policies of a
network G, any edge between two access control points should
respect the refinement property discussed in section III-A For
example if the edge (v2, v3)∈Ethen the family of policies
implemented at v2is refined by the policy implemented at v3.
Therefore, the family of policies at a node is a refinement of
its ancestors.
Definition 1 (Defence in Depth Law (DDL) [28]).Let Gdef
=
(V, E , r)be a network of access control points. We denote
by p(v)the family of policies enforced at vertex vin G. The
network Gemploys a DD strategy if p(r)6= 0F∧(∀a, b |
(a, b)∈E·p(b)vFp(a) ).
Let Gdef
= (V, E , r)be a network of access control points,
and let Tbe a spanning tree of Grooted at r. Let Lbe the set
of leaf nodes, where each leaf l∈Lis assigned a policy p(l).
We use the gcd operator scheme presented in [28] to define
p(v)as follows: p(v) = (gcd vi|(v , vi)∈E·p(vi) )‡.
Obviously, a network Gcould have multiple spanning trees
T1· · · Tn, where for each tree Ti,1≤i≤n, the family of
policies at an internal node is computed using the gcd operator
scheme. Also note that, an internal node could be a node in
multiple spanning trees, say Ti· · · Tk. In this case, the family
of policies implemented at such a node vis p(v) = (gcd i|
1≤i≤k·pi(v) ), where pi(v)is the family of policies for
the node vin the spanning tree Ti.
IV. STRICT DEF EN SE I N DEP TH A S A BAS E FO R OU R
ROB UST NETWORK ARCHITECTURE
In this section, we discuss the Strict Defense in Depth
strategy SDD which is a more strict form of DD strategy (Def-
inition 1) achieved by strengthening the refinement condition.
We use the SDD strategy to place nodes in our robust network
graph.
‡If the range of the quantification is empty then the quantification returns
the neutral value Lfor gcd; that is, gcd(x, L) = x, which is the universal
relation on the space of the policies, as mentioned in Section III-A.
7
Definition 2 (SDD [28]).Let Gdef
= (V, E , r)be a network of
access control points. The network Gemploys an SDD strategy
if
p(r)6= 0F∧(∀a, b |(a, b)∈E·p(b)@Fp(a) ),
where p(b)@Fp(a)⇐⇒ (p(b)vFp(a)∧p(a)6=p(b)).
The SDD is a stronger form of DD. We obtain SDD from
DD by replacing vFby its stricter form @F. By using SDD
to build the network graph we exclude the case where the
families of policies on successive nodes are equal. This allows
us to ensure that firewalls with the same policies do not exist
in any path from the root to a leaf node.
Let Gdef
= (V, E , r)be a network of access control points
and Sdef
={v|v∈V∧(r, v)∈E}be the set of vertices
connected to the root r. Let Tbe a spanning tree of Grooted
at r. Every leaf node l∈Lis assigned a family of policies p(l).
If we want to generate the families of policies of the internal
vertices such that Gimplements SDD, the below lemmas
present cases when SDD is not achievable in the network.
The proofs of these lemmas are in Appendix-A.
Lemma 1. Let Tbe a spanning tree of Ghaving a height
greater than 2. If Thas a leaf l /∈S, such that p(l) = 1F,
then it is impossible to have an SDD implementation on G.
Formally,
(∃l|l∈L·p(l)=1F)
=⇒
¬(p(r)6= 0F∧(∀a, b |(a, b)∈E·p(b)@Fp(a) ))
Lemma 1 states that if a leaf node exists such that it is not
directly attached to the root and has a family of policies equal
to 1F, then the family of policies executed at its ancestors
will be 1F. For example in Figure 9, if p(v6)=1Fthen the
policies at nodes v2and rwill also be 1F; that is p(v2) = 1F
and p(r) = 1F. This case does not meet the requirements of
the SDD strategy which states that each child node should
strictly refine its parent.
r
V1 V2
V4 V5 V6V3
Fig. 9: A network graph
Having a leaf node with a family of policies equal to 1F
deep in the network will result in no security control in the
chain of firewalls from the root to that node. Thereby allowing
unauthorized users access deep into the network without any
line of defense. Consequently, this will hinder the overall
security of the network. To prevent this case we need to isolate
the nodes having 1Fand move them closer to the outer edge.
A resource with 1Fis open to be accessed by everyone.
Therefore by segregating and moving the nodes with 1Fclose
to the root we can protect the resources with stricter policies
efficiently.
A resource protected by 1Fis interpreted as being protected
by a policy with no rules (an empty policy). Therefore, it
is open to any user. Hence, it should be attached to the
root. Any resources with stricter policy than 1Fshould be
at a level higher than one (assuming the level of the root is
zero). Resources in what is commonly referred to as DMZ are
resources that have some level of protection stricter than 1F.
However, they are primarily public facing resources. Hence
they should be connected to the root or to a child of the root.
Lemma 2. Let Tbe a spanning tree of Ghaving a height
greater than 2. If Thas two leaves l1, l2belonging to the
same subtree having coprime families of policies, then it is
impossible to have an SDD implementation on G.
Formally,
(∃l1, l2, s, n, m |s∈S∧n≥1∧m≥1∧(s, l1)∈En
∧(s, l2)∈Em·gcd(l1, l2)=1F)
=⇒
¬(p(r)6= 0F∧(∀a, b |(a, b)∈E·p(b)@Fp(a) ))
(a, b)∈Ekindicates a path with kedges from ato b.
Lemma 2 states that if a subtree of Thas two nodes such that
their families of policies have nothing in common, then the
family of policies of their common ancestors, including the
root of the subtree and the root of the tree, is equal to 1F. In
this case, the SDD strategy is not satisfied. For example, in
Figure 9, if p(v4)and p(v6)are coprime families of policies
such that gcd(p(v4), p(v6)) = 1F, then p(v2)=1Fand
p(r)=1F.
Having nodes with coprime families of policies under a
subtree will result in no security control in the chain of
firewalls from their common ancestor to the root. This in turn
affects the overall security of the network. Therefore a well
designed network adhering to the SDD, groups resources that
share common policies (e.g., resources belonging to the same
department) in a common segment, and places resources hav-
ing nothing in common into different segments/subnetworks.
This approach allows for greater security and protection than
grouping nodes randomly.
Lemma 3. If we have a family of policies at a node that is
equal to the GCD of the family of policies of its siblings, then
it is impossible to have an SDD implementation on G.
Formally,
(∃v|(u, v)∈E·p(v) = (gcd vi|(u, vi)∈E·p(vi))
=⇒
¬(p(r)6= 0F∧(∀a, b |(a, b)∈E·p(b)@Fp(a) ))
Lemma 3 states that if we have a node such that its family
of policies is equal to the commonality of its siblings, then
the family of policies of its parent is the same as that of the
8
node. Clearly in this case the SDD strategy is not satisfied.
For example in Figure 9, if p(v4) = gcd(p(v5), p(v6)), then
the family of policies of their parent v2; that is, p(v2) = p(4).
Based on the above lemmas we propose an approach to
network segmentation that implements SDD in the following
section.
V. NE TW OR K SEG ME NTATION AND ROBUST NETWO RK
ARCHITECTURE
In this section, we formally define the notions of network
segmentation and robust network architecture. We introduce a
weight function to quantify the different security requirements
of an access control policy. We then use this function to
formally define network segmentation.
Recall that an atomic rule is modelled as a guarded com-
mand, which is a transition relation from the starting state to
end state(s). Therefore, we compute the weight of an atomic
rule based on the weights of the end state(s). One way of
doing this is by assigning weights to the different values of
chosen state attributes and using them to compute the weight
of an end state, such that the values having higher security
requirements are assigned higher weights. Furthermore, since
a chain is as secure as its weakest link, an atomic rule with a
relation that maps a starting state to multiple end states has a
weight equal to the minimum weight of its end states.
Formally, let SAi, where 1≤i≤m, be the different state
attributes, and let VSAi={ai1, ai2, . . . , ain}be the set of
all possible values assigned to SAi. Then wVSAi:VSAi→Z
is the weight function that assigns an integer value to each
element in VSAi, such that for any two elements aik, ail ∈VSAi
if the security requirement of aik is less than that of ail,
then wVSAi(aik)< wVSAi(ail ). Let Rbe the set of all
atomic rules for all the resources in the organization. Then
wR:R→N∪ {−1}, is the weight function which assigns
to an atomic rule r∈Rits corresponding weight. The
weight of 1Fis taken to be −1, as it is a rule that does
not bring any security constraints. Furthermore, the weight
of a rule (r) with its domain mapped to multiple end states
(say p), is the minimum of the weights assigned to its
end states. For each end state si, where 1≤i≤p, we
take vsi=eval(wVSA1, wVSA2, . . . , wVSAp), where wVSAiis the
weight of the assigned value to the state attribute SAi. For a
state si, the eval function takes the weight of the attributes
of si, and assigns to it and overall security weight vsi. Then
to compute the weight of such an atomic rule, we take the
minimum of all the values vsi. Therefore, for an atomic rule
rthat has pend states, we have wR(r) = min(vs1,· · · , vsp).
For the illustrative example, we compute the weights of
our atomic rules based on the state attribute ACTION (AC).
The set of values of this attribute as given by the set AC =
{ACCEPT,REJECT,DROP}. As discussed in Section I, the
three actions in AC contribute differently to the confidentiality
of the resources of the network, and so DROP has a higher
weight than REJECT, which in turn has a higher weight than
ACCEPT. Based on this we assign the following weights to
each element in AC:wAC(ACCEPT)=0,wAC (REJECT)=1,
and wAC(DROP) = 2. Then for example, a rule that maps an
initial state to two end states (s1and s2) where the action
attribute in s1is assigned the value ACCEPT and the action
attribute in s2is assigned the value REJECT, then the rule
has a weight equal to the minimum weight of the two; that is,
0.
The weight of a policy or a combined rule rthat is formed
by the set Arof atomic rules is the sum of the weights of the
atomic rules in Ar. Let Pbe the set of all policies composed
of the atomic rules in R. Then wP:P→N∪ {−1}, is the
weight function that assigns an integer value to each element
in Pbased on wR. We assign −1as the weight of the 1F
policy, and +∞as the weight of the 0Fpolicy.
In a typical firewall policy, rules are executed sequentially.
Such rules usually are not atomic. For example, Rule 9 in
the policy of Figure 2 can be divided by all other rules in
the policy. Therefore, a rule might be followed by another
that includes it. If we apply the weight function on these
rules, we can have double counting of weights. Therefore,
to avoid any problem we transform policies into a set of
rules that are (relative) atomic (or, relative prime). A relative
atomic/prime rule in this context is a rule that is indivisible
by any other given rule (i.e., it is only divisible by 0 and
itself). The weight function takes such a rule and assigns
a weight to it. For example, consider the policy shown in
Figure 4 which is transformed to a relative atomic policy with
270 rules: two rules with ACCEPT actions, three rules with
REJECT actions, and 265 rules with DROP actions. Therefore,
the weight assigned to the policy is 2∗0+3∗1+265∗2 = 533.
Figure 16 in Appendix E shows a snippet of the relative
atomic policy. These generated relative atomic rules are only
to calculate the weight and identify the commonalities among
policies. Once the commonalities are calculated we discard
them.
As can be seen we measure the level of security require-
ments of a resource by the weight of the policy governing it,
such that its security requirements are directly proportional to
the weight of its policies. For example, consider two resources
v1and v2, where the weights of their policies are wP(p(v1))
and wP(p(v2)), respectively. If wP(p(v2)) < wP(p(v1)), it
means that v1has higher level of security requirement than
v2.
Let wRbe the partial order on the atomic rules based on
their weights and wPbe the total order on the policies based
also on their weights. Then there exists an order preserving
map f:wR→wPsatisfying the following condition:
(∀i|1≤i≤n∧xi, yiare atomic rules ·xi<wRyi)
⇔f(P(x1, x2, . . . , xn)) <wPf(P(y1, y2, . . . , yn)),
P(x1, x2, . . . , xn), and P(y1, y2, . . . , yn)are the policies con-
sisting of atomic rules x1, x2, . . . , xnand y1, y2, . . . , ynre-
spectively. Since wRis a partial order, some values of the
atomic rules might not have a weight assigned. In this case,
the mapping fassigns zero, the neutral value for addition.
We now define segmentation formally based on the weights
of the commonalities among the policies of the resources in a
segment.
9
Definition 3 (Segment).Let Rbe a set of resources. A set
S⊆Ris said to be a segment of Riff
(∀r, r0|r∈S∧r0∈(R−S)·wP(gcd(p(r), p(r0))) ≤
wP(gcd( r|r∈S·p(r) )) ).
Our definition of a segment forces us to have at least two
elements in a segment, as the GCD is a 2-arity operator.
Definition 4 (Segmentation).Let Rbe a set of resources, and
let Fbe a set of subsets of Rsuch that (∪A|A∈F·A) =
R. Then Fis a segmentation of Riff
(∀A|A∈F·Ais a segment of R ).
In our definition of segmentation, a resource is placed within
a group of resources if and only if the commonalities it has
with the members of the group is more strict than with any
outside resource; that is, the commonalities have equal or
more weight than the weight of the commonalities it has
with any other resource not in the segment. As a result,
this segmentation provides maximum access-protection to its
resources.
Lemma 4.
(a) Let S⊆Rbe a set of resources formed by only mutually
co-prime policies that are 6= 1F.Sforms a segment only
if (∀r|r∈(R−S)·p(r)=1F).
(b) Let S⊆R, and there exists resources r, r0∈Ssuch that
p(r) = 1Fand p(r0)@1F, and
(∀r, r0|r∈S∧r0∈(R−S)·gcd(p(r), p(r0)) = 1F).
Then Sis a segment.
By requiring DD, resources with 1Fpolicy are directly
attached to the root having 1Fpolicy, thus forming elements
of a DMZ. If a segment satisfying the condition in Lemma 4(a)
exists then the root of this segment will have 1Fpolicy.
Consequently, the root of the global network will have 1F
policy. To achieve SDD all the resources and internal nodes
attached to the root of the segment Swill be attached to
the global root. By Lemma 4(b) Sis not a segment, if
S6⊆ R, or there do not exist resources r, r0∈S, such that
p(r)=1Fand p(r0)@1F, or there exists resources r∈S
and r0∈(R−S)such that gcd(p(r), p(r0)) 6= 1F. This means
that if Sis a segment that has some resources with 1Fpolicy
and others resources with policies different than 1F, then the
commonality of each resource in Swith a resource out of S
has to be 1F. Otherwise, Scannot be a segment. The proof
of Lemma 4 is in Appendix-A.
Superfluous Firewall Chaining exists in a network when a
firewall has only a single firewall attached to it. For example,
when firewalls are connected forming a chain, and resources
are attached only at the bottom of the chain, thus in this
case firewalls only exist to protect other firewalls. Therefore,
superfluous firewall chaining is a waste of network resources,
as it is possible to replace all the firewalls forming a chain
with the firewall at the bottom of the chain with resources
attached, as it has the most restrictive policies among all the
other firewalls in the chain.
We now define a robust network, which provides maximum
access-protection to its resources using minimum firewalls. It
achieves this by implementing the SDD strategy and segmen-
tation defined in Definition 4.
A network graph Gis said to be (access control) robust if
the following criteria hold:
1) Gsatisfies SDD strategy in every path from the root to
the parent of a resource,
2) Ghas a segmentation as defined in Definition 4, and
3) Ghas no superfluous firewall chaining.
The first criterion for a robust network ensures that any two
internal nodes strictly refine each other. However, it allows a
leaf node and its parent to have the same policy. This can be
seen when resources have 1Fpolicy, and as a result the fire-
wall protecting them; that is, the root will also have 1Fpolicy.
The second criterion ensures that resources are segmented in a
way such that maximum access-protection is provided to them.
These segments are then placed in the network at varying
depths depending on their levels of security requirements.
Segments with high levels of security requirements are placed
deep down in the network and protected by layers of firewalls
each adding an extra level of security. And the segments
with low levels of security are placed closer to the root;
that is, the outer firewall. Therefore, traffic going from the
Internet to an internal segment is faced by layers of firewalls
and traffic from segment to segment is managed by internal
firewalls. Consequently, segments consisting of resources with
high levels of security requirements are protected from internal
and external threats. Furthermore, if an unauthorized agent
gains access to an internal segment, it will not be able to easily
gain access to another segment. Finally, the third criterion
ensures that we have the most effective strict defense in depth
and segmentation at a minimum cost.
VI. ALGORITHMS TO BUILD A ROBUST NETW OR K
In this section, we present two algorithms to build a robust
network. In Section VI-A we present the Exp-RNS algorithm
which uses a brute force approach to build a robust network,
resulting in an exponential running time. The purpose of
presenting this algorithm is that it is easy to grasp the use
of the formalism presented in Section III in constructing
the network graph. Then, in Section VI-B, we present the
RNS algorithm that uses a similar approach presented in
the BUILD-NETWORK-GRAPH procedure of the Exp-RNS
algorithm. However, to achieve a polynomial running time,
it uses a bottom up approach to build the network graph and
uses resources and their weights as a guide throughout the
network building process.
A. Exponential Network Segmentation Algorithm: A Brute
Force Approach
The Exp-RNS algorithm uses Rto build a robust network
by computing the GCD of resource policies and using the
refinement relation on these GCDs. For simplicity, we discuss
the algorithm using singleton families of policies, and so we
refer to them as policy rather than family of policies.
10
A resource having 0Fis essentially inaccessible, as it
cannot be protected through an access control system. The
0Fwhich represents a pseudo policy cannot be enforced at
an access control point. Therefore, it cannot be part of a
robust network architecture. Hence, we assume that the input
Rdoes not contain resources with 0Fpolicies. Furthermore
by Lemma 1, having any internal node/leaf with 1Fpolicy
implies that SDD is not achievable in the network graph. By
Lemma 4(a) resources with 1Fpolicy have to be attached to
the root with 1Fpolicy. Therefore in the Exp-RNS algorithm,
we remove resources with 1Fpolicy a priori from the set R,
and as a final step add these resources to the root.
The Exp-RNS algorithm consists of five main tasks. The
first task is calculating the GCDs or common policies. The
second task is building a network graph based on the refine-
ment relation consisting of only firewalls. The third task is
adding resources to the network graph, and the fourth task
is pruning the network graph to remove superfluous firewall
chaining. Finally, the fifth task is to add all the resources with
1Fpolicy (if they exist) to the graph.
Algorithm 1 Exponential Robust Network and Segmentation
Algorithm
1: procedure EXP-SEGMENTATION(R)
2: S←set of resources having 1Fpolicy
3: R←R−S
4: GCD ←COMPUTE-GCD(R)
5: G←BUI LD -NET WORK-GRAPH(GCD, R)
6: ADD -RES OU RC ES -TO-NET(G, GCD, R)
7: OPTIMIZE-NET WORK-GRAPH(G)
8: if S6=∅then
9: ADD -1F-RESOURCES(G, S)
10: end if
11: end procedure
Below we explain the five main tasks of the above algorithm
and present detailed algorithms for each task in Appendix-B
for completeness.
Calculating GCDs: The COMPUTE-GC D function computes
the commonalities or the GCD of policies of resources. As
seen in Section V, to segment resources we need to place
them within a segment such that maximum security (access-
protection) is achieved. To achieve this, we use a brute force
approach to compute all possible segments by computing the
power set of R,P(R), (where each set in P(R)represents
a possible segment). Then we compute the commonalities in
each segment by computing the GCD of the resource policies
in that segment. For details on the COMPUTE-GCD function
we refer the reader to Appendix-B.
Building a Network Graph: The BUILD -N ET WO RK -GRA PH
function builds a network graph Gwith no resources attached.
This graph is a temporary network graph consisting of only
firewalls and might contain redundant firewalls. However,
the redundant firewalls are removed at a later stage (by the
OPTIMIZE-NET WORK-GRAPH procedure). The function uses
the GCD set =F, and the refinement relation to produce
the network graph. The vertices of the network graph are
partitioned into gcd nodes representing a gcd object (repre-
senting firewalls), and resource nodes representing resources
in the network. Each node in the graph has all the attributes
defined for a gcd object, and in addition to these it has two
more attributes: is resource and π. The attribute is resource
identifies whether the node is a resource node or a gcd node.
It is set to true if the node represents a resource, otherwise it
is set to false. The attribute πstores the set of parent(s) of
the node.
The root ris the gcd object having the least weight and
its set consists of all resources (except the resources with
1Fpolicy). It is first added to the network graph G. After
which nodes in Fhaving the same weight as the root rare
removed. Then, it computes wmax weight - the maximum
weight over the weights of all nodes in F, and computes the
set Tconsisting of all nodes with wmax weight and removes
them from F. Then each node in the set Tis added to
Gusing the ADD- NO DE SE T-TO- G procedure. The last two
steps are repeated till F=∅; that is, the last two steps are
repeatedly executed to (possibly) add all the nodes in Fto
G. For details on the BU IL D-NE TW OR K-GRAPH function and
the AD D-NO DE SE T-TO-G procedure, we refer the reader to
Appendix-B.
Adding resources to the Network Graph: The procedure ADD-
RES OU RC ES -TO-NET adds resource nodes to the network
Graph G. While adding the resource nodes, we first order
the gcd objects in GCD in descending order by weight
(GCDmax). Then we choose the gcd node having the max-
imum weight and attach all the resources in its set attribute,
and in R0(initially R0=R), to it. After which we remove
the attached resources from the set of resources R0. We
do this for each gcd node in GCDmax . In the end, all
resources are added to the network graph G. Observe that by
adding resources to gcd nodes starting with maximum weight
to minimum weight, we ensure that resources with higher
security requirements are protected with maximum layers
of protection. The ADD- RE SO UR CE S-T O-NE T procedure is
presented in Appendix-B.
Optimize GCD graph: The network graph obtained after exe-
cuting the procedure Add-Resources-To-Net could suffer from
superfluous firewall chaining. To eliminate this issue, we use
the OPTIMIZE-NE TWORK-GRAPH procedure. This procedure
performs a post-order traversal of Gusing two stacks S, T ,
so that all children of a node are evaluated before it gets
evaluated. Since our graph Gis not necessarily binary, we do
not always evaluate the children of a node from left to right
(any order is acceptable). The only criteria we follow is that
all children of a node are evaluated before it. Sis used to keep
track and evaluate all children of a node before itself, and Tis
used to store the post-order traversal of G. When Sis empty
(and Tis full), we pop nodes from Tone at a time and begin
evaluating it. When a node uis being evaluated, if uis a gcd
node and it has no children or if uhas only one child that is a
gcd node, then uand its corresponding edges are deleted from
G. If uhas only one child that is a gcd node, then the child
is attached to u’s parent. The OPTIMIZE-N ET WO RK -GRA PH
procedure is presented in Appendix-B.
Adding resources with policy 1Fto GIf S6=∅; that is, the
11
set of resources having 1Fpolicy is not empty, we add it to
the network graph using the procedure AD D-1F-RESOURCES
outlined as follows:
1) If the policy of the root ris equal to 1F, then we directly
attach all the resources in the set Sto r.
2) However, if the policy of the root ris not equal to 1F,
then we create a new node r0, set its attributes appro-
priately (as shown in Procedure AD D-1F-RESOURCES),
and add it to G. After which we attach rand all the
resources in the set Sto it. The node r0is the new root
for the network graph G.
The AD D-1F-RESOURCES procedure is presented in
Appendix-B.
Exp-RNS Algorithm: Robustness and complexity
The running time of the Exp-RNS algorithm is exponential in
the size of the set of resources R. This is due to the brute
force approach used to compute the gcd nodes, obtained by
computing the power set P(R), and using it to build the
network graph.
Theorem 1. The Exp-RNS Algorithm constructs a robust
network graph.
Proof. The proof is straight forward and is by contradiction.
We assume that at least one of the three criteria required for
a network graph to be robust (Section V), is not satisfied.
Suppose Condition 1 is not satisfied. Then there exists at
least one path in Gfrom the root to the parent of a resource,
such that the SDD strategy is not satisfied. Recall that the
GCD set computed by the COMPUTE- GC D procedure has
gcd objects with distinct policies. In Exp-RNS, gcd nodes
are added to Gonly by the BU IL D- NE TW OR K-GR AP H and
ADD -1F-RESOURCES procedures. In the BU IL D-NE TW OR K-
GRA PH procedure, a gcd node sis first added to G, and any
child of rthat refines sis disconnected from the root and
attached as a child to s. In both these cases, the SDD strategy
is satisfied. In the AD D-1F-RESOURCES procedure, the only
gcd node added to Gis the root r0having 1Fpolicy, and is
added only if r.policy 6= 1F. Clearly, SDD strategy is satisfied
as all policies 6= 1Fstrictly refine 1F. Therefore, every path
from the root to a resources’ parent satisfies the SDD strategy,
which is a contradiction.
Suppose Condition 2 is not satisfied. Then there exists a
segment S, such that a resource r∈Sand a resource r0/∈S
have commonalities with more weight than the weight of the
commonalities between elements of the segment S. If this
holds then there will be a gcd node in Gwith the policy
gcd(r, r0)and its corresponding weight. However, since we
add resources to gcd nodes starting with gcd nodes having
maximum weight to the gcd nodes having minimum weight,
the resources rand r0would be added to the node having the
policy gcd(r, r0), which is a contradiction.
Suppose Condition 3 is not satisfied; that is, superfluous
firewall chaining exists in G. Then there exists at least one
firewall with a single node that is a firewall attached. Recall
that in the procedure OPTIMIZE- NE TW OR K-GR AP H, we count
the number of children attached to each firewall. If the node
has only one child that is a firewall we remove this node and
attach its child to its parent(s). Therefore, by the end of the
Exp-RNS algorithm Ghas no superfluous firewalls, which is
a contradiction.
B. Polynomial Algorithm to build a robust network segmenta-
tion
In this section we present the RNS algorithm (Algorithm 2)
to build a robust network graph G, given a set of resources
with its policies R, in polynomial time. Similar to Exp-RNS,
for this algorithm also we assume that Rdoes not contain
resources with 0Fpolicies.
The idea of the algorithm is simple. We use an approach
similar to the one used in the BU IL D- NE TW OR K-GR AP H
procedure presented in Section VI-A, where the gcd nodes
are added in non-increasing order of weights (except for the
root). However, to achieve a polynomial running time, we use
resources and their weights and create temporary nodes to
guide us through the network building process.
In the RNS algorithm, the root is added first to G, and
nodes are added in batches (set T) to Gin decreasing order
of their weights. Hence at any given time, when a node sis
evaluated to see where in Git can be added, the weight of
all the nodes in Gis greater or equal s.weight. While adding
sto G, clusters of resources are evaluated to see if they can
form a segment containing sbased on their weights. Note
that, the weight of any segment containing sis always less
than or equal to s.weight, and so the maximum weight of
any segment containing sis s.weight. Therefore, when such
a cluster of nodes is identified, we create a gcd node to protect
this segment and add it to the root of Gand attach the nodes
forming the segment to it. Otherwise, we create a temporary
node for the cluster and add it to F, so that it can be evaluated
later when the set (T) having the weight of the cluster is being
evaluated.
Temporary nodes are never added to G. While evaluating a
temporary node, if the cluster of nodes with sactually forms
a segment at that point, a new gcd node is created and added
to G. This is similar to any other gcd node. We now give the
outline of the algorithm as follows:
•The algorithm first creates the root rfor all resources in
Rusing the CR EATE-NODE procedure and adds it to the
network graph G.
•Then it creates subsets S1, S2, . . . , Sm⊂R, such that
no two subsets have resources with same ppolicies and
creates a node for each subset Si,1≤i≤m, and adds it
to F. Therefore, Fcontains either a single resource node,
or a gcd node consisting of resources, having the same
policy as the gcd node, in its set. If we assign distinct
values from 1−mtermed as key values, to each distinct
rule in R, then the subsets S1, S2, . . . , Smcan be easily
created using Bucket sort as follows: we create mbuckets
labelled from 1−m, for each distinct rule. As we traverse
through the rules in R, we simply evaluate its label and
place it in the bucket having the same label.
•After which, it computes the wmax weight - the maximum
weight over the weights of all nodes in F, and computes
the set Tconsisting of all nodes with wmax weight and
removes all these nodes from F.
12
Algorithm 2 Robust Network and Segmentation (RNS) Algo-
rithm
1: procedure SEGMENTATION(R) R ={r1, r2, . . . , rn}
2: G←NULL G = (V , E, r)
3: r←CRE ATE-N OD E(R)Create root r
4: ADD -NO DE -TO-G(G, r, ∅, f alse)Add root rto G
5: S1, S2, . . . , Sm⊂Rsuch that
m
S
i=1
Si=R, and no two
subsets have resources with same polices
6: F=∅
7: for each s∈ {S1, S2, . . . , Sm}do
8: F=F∪CRE ATE-N OD E(s)
9: end for
10: while F6=∅do
11: wmax ←maximum weight of any s∈F.
12: T← ∅
13: for each s∈Fdo
14: if s.weight =wmax then
15: T←T∪s;F←F−s
16: end if
17: end for
18: ADD -NOD ES ET-TO -G(G, F , T, wmax)
19: end while
20: end procedure
•Then the nodes in set Tare added to Gusing the AD D-
NOD ES ET-TO -G procedure.
•The above two steps are repeated till F=∅; that is, the
above two steps are repeatedly executed to (possibly) add
all the nodes in Fto G.
procedure ADD-NO DE SE T-TO-G(G, F, T , wmax)
G= (V;E;r)
if wmax =r.weight then Attach resources having
same weight as rto r
ATTACH -RESOURCES-TO- R(G, T )
else
for each s∈Tdo Add permanent nodes in T
to G
if s.temp =false then
ADD -NO DE -TO-G(G, s, ∅, f alse)
end if
end for
for each s∈Tdo Check child nodes of rto
add gcd node
cset ← ∅
cset ←CUR R-MAX-WEIGHT-SET(G, s)
if cset 6=∅then
gcd =CREATE -NO DE(cset)
if !s.temp then
if (s.weight =gcd.weight)then
ADD -NODE-T O-G(G, gcd, cset, true)
else Mark gcd as a temporary node
gcd.temp ←true;gcd.set ←s
gcd.size ←1
F←F∪ {gcd}
end if
else
if gcd.weight =s.weight then
ADD -NODE-T O-G(G, gcd, cset, true)
end if
end if
end if
end for
end if
end procedure
The AD D-NO DE SE T-TO-G procedure adds the set of nodes in
Tto G. The outline of this procedure is as follows:
•If wmax =r.weight, the ADD -NOD ES ET-TO -G pro-
cedure directly attaches to rall the resources in every
non-temporary node s∈Tand exits. Otherwise, it
implements the below steps.
•The procedure loops through each node in Tto (possibly)
add it to G. If sis not a temporary node (indicated by
the temp node attribute), it is added to Gas a child of
the root r.
•Then every child of ris evaluated to compute cset -
the set consisting of all nodes including s(or including
s.set, if sis a temporary node). cset is computed by the
CURR-MAX-WEIGHT-SE T function.
•A new gcd node gcd is computed for the set of resources
in cset, if cset 6=∅. If sis a permanent node, then it
checks if gcd.weight =s.weight. If it is, gcd is added
to G; otherwise gcd is tagged as “temporary” – to be
considered for evaluation later – and added to F. If sis
a temporary node and if the node is in s.set is still part
of the segment formed by gcd, then gcd is added to G.
Otherwise, it is automatically removed from F, as all the
nodes in Tare removed from F, before adding them to
Gin Algorithm 2.
Recall that nodes are added in batches (T) to Gin decreas-
ing order of their weights. Therefore, in the AD D- NO DE SE T-
TO-G procedure when gcd.weight < s.weight, the node
gcd is not added to G, but instead added to F(if it is not
a temporary node), to be evaluated when the set of nodes
(T) having weight =gcd.weight is processed. Furthermore,
temporary nodes are associated with a node for which they
were created. For example, when a permanent node sfrom
Tis added to G, we check to see if any child nodes of r
can form a segment with s. If the weight of this segment is
less than the weight of s, we create a temporary node for the
segment and evaluate it later when the nodes with its weight
are being evaluated.
During the execution of the AD D-NO DE SE T-TO-G func-
tion, while evaluating a set s∈T, let the root rhave
c1, c2, . . . , ckchild nodes. Let the GCD of the polices of
(c1, s),(c2, s),...,(ck, s)be g1, g2, . . . , gk. Let cmax be
the maximum weight over all the weights of the policies
g1, g2, . . . , gk. Then the primary objective of the CURR-MAX-
WEIGHT-SE T function is to compute the set (not necessarily
the largest) of all child nodes snew ={ci1, ci2, , . . . cil}, such
that snew ⊆ {c1, c2, . . . , ck}, and gcd(ci1, ci2,...cil, s)has
cmax weight.
To compute snew, CUR R-MAX-WEIGHT-SET function
maintains a stack S(this can also be achieved with an
13
array/list). Initially, Sis empty and cmax = 0. While eval-
uating the child nodes of r,Scontains the nodes having the
current/local maximum weight. Therefore, by the end of the
for loop, Scontains all the child nodes, such that the weight
of the GCD of their policies is cmax.snew contains the
largest possible set of nodes if cmax =s.weight. However,
if cmax 6=s.weight, it does not necessary store the largest
set. This is not a problem, as a node corresponding to cmax
is added as a temporary node (if sis a permanent node) to F,
in which case it is evaluated later and the maximum possible
set of nodes corresponding to it, is formed at that time.
Note that, we do not consider swhile computing this set,
because gcd(s, s)≥gcd(ci, s), where 1≤i≤k. Hence, if
sis included in the set, cmax =s.weight. This would be
a problem if snew ={s}, as we cannot form a segment
with only one element. Therefore, we compute Swithout
considering sand if S6=∅we add sto it. Furthermore, if
cmax is equal to the weight of the root, it is pointless to create
another sub segment with its weight =r.weight. Therefore,
we disregard this case.
function CURR-MAX-WEIGHT-SE T(G, s)
S← ∅;snew ← ∅
Sgcd ← ∅ gcd of policies of the nodes in S
cmax ←0Current Max.weight of gcd of policies
flag ←f alse
for each child cof rdo
if s.temp ∧c∈s.set then
flag ←true
end if
if (!s.temp ∧c6=s)∨(s.temp ∧c6∈ s.set)then
tempp ←gcd(c.p, s.p)
tempw ←weight of tempp
if cmax < tempw then
Empty S;P ush(S, c)
Sgcd ←gcd(s, c)
cmax ←tempw
else if cmax =tempw then
Sgcd ←gcd(Sgcd, c)
Sgcdweight ←weight of Sgcd
if Sgcdweight =cmax then
P ush(S, c)
end if
end if
end if
end for
if !S.isempty ∧cmax 6=r.weight ∧s.temp ∧f lag
then
P ush(S, s.set)
while S6=∅do
snew ←snew ∪P op(S)
end while
end if
if !S.isempty ∧cmax 6=r.weight ∧!s.temp then
P ush(S, s)
while S6=∅do
snew ←snew ∪P op(S)
end while
end if
return snew
end function
The ATTACH -RESOURCES-TO- R procedure attaches re-
sources having the same weight as rto r.
procedure ATTAC H-RESOURCES-TO-R(G, T )
G= (V;E;r)
for each s∈T∧!s.temp do
if !s.isresource then
for each res ∈s.set do
res =CREATE-NODE(res)
ADD -NO DE -TO-G(G, res, ∅, false)
end for
else
ADD -NO DE -TO-G(G, s, ∅, f alse)
end if
end for
end procedure
We present the auxiliary CREATE-N OD E function, and the
ADD -NO DE -TO-G procedure in Appendix C, for clarity and
completeness.
gcd 1
gcd 4 gcd 5
Eng 1 Fin 1 Fin 2 Fin DBEng 2
(a) Net. graph after 1st iteration
of AD D-NOD ES ET-TO -G
gcd 1
gcd 3
gcd 4 gcd 5
Eng 1 Fin 1 Fin 2 Fin DBEng 2
(b) Net. graph after 2nd itera-
tion of AD D-NO DESET-TO -G
gcd 1
gcd 2
File gcd 3
gcd 4 gcd 5
Eng 1 Fin 1 Fin 2 Fin DBEng 2
(c) Net. graph after 3rd iteration
of AD D-NOD ES ET-TO -G
Fig. 10: Progression of RNS for the illustrative example
Figure 10 shows the progression of executing the RNS
algorithm on the illustrative example. The last iteration
generates the network shown in Figure 15.
RNS Algorithm: Robustness and complexity
Theorem 2. The RNS Algorithm constructs a robust network
graph.
14
Proof. The proof is by contradiction. We assume that at least
one of the three criteria required for a network graph to be
robust (Section V), is not satisfied.
Suppose Condition 1 is not satisfied. Then there exists
at least one path in Gfrom the root to the parent of a
resource, such that the SDD strategy is not satisfied. In the
RNS algorithm, the root is added first to an empty graph G.
After which nodes both resource and gcd nodes are added in
non-increasing order of their weights to Gby first attaching
them to the root only in the AD D-NODESET-TO- G procedure.
In AD D-NODESET-TO-G, when a gcd node gcd is added to the
root r,cset contains all its child nodes. The policy at gcd is
equal to the GCD of policies of all nodes in cset. Furthermore,
while adding child nodes from cset to gcd, we check if any
child node’s weight is equal to gcd.weight, in which case we
delete the child node (if its not a resource) and attach all its
children to gcd. Therefore, in all the cases the SDD strategy
is satisfied while adding resources and gcd nodes. Therefore,
the SDD strategy is satisfied in all paths from the root to the
node of the parent of a resource, which is a contraction.
Suppose Condition 2 is not satisfied. Then, the condition
stated under Definition 3 is not satisfied; that is, there exists a
segment S, such that a resource r∈Sand a resource r0/∈S
have commonalities with more weight than the weight of the
commonalities between elements of the segment S.
Without loss of generality, let us assume that w(p(r)) ≤
w(p(r0)). Nodes are added to Gin non-increasing order of
their weights. Therefore, when ris added to G, all the existing
nodes in Ghave weight greater than or equal to r.weight.
Since r.weight ≤r0.weight,Gmust include r0. Furthermore,
while evaluating clusters of resources (having weight greater
than or equal to r.weight) including r, we choose a cluster
having the maximum weight (and possibly the maximum size)
among all such clusters evaluated, as the segment S. Therefore,
it must be the case that a cluster having rand r0is evaluated.
Since rand r0have commonalities with higher weight, then
the chosen cluster forming a segment must contain rand r0.
Therefore, the segment Smust contain both r, r0, which is a
contradiction.
Suppose Condition 3 is not satisfied; that is, superfluous
firewall chaining exists in G. Then there exists at least one
firewall/ gcd node with a single node that is a firewall attached.
Recall that gcd nodes are added to Gonly when more than
one node can be attached to them. Therefore, by the end of
the RNS algorithm, Ghas no superfluous firewalls, which is
a contradiction.
Theorem 3. Let R={r1, r2, . . . , rn}be the input of size nto
the RNS Algorithm. Then, the running time of RNS is O(n2).
Proof. Using numeral key values between 1−mas labels
for distinct rules in R, and Bucket sort, the time required to
compute the subsets S1, S2, . . . , Sm, where m≤nis O(n).
Since gcd nodes (either permanent or temporary) are created
for each set s∈S1, S2, . . . , Smexactly once, the number of
gcd nodes in the network graph is at most n. Analogously,
the number of temporary nodes created during the execution
of the RNS algorithm is also at most n. Hence the total time
required for the the RNS algorithm is O(n), plus the total time
required to execute the AD D-NODESET-TO-G procedure.
Let t≤nbe the number of distinct weights of policies in
the resource set R. Then, the ADD-NODESET-TO- G procedure
is executed ttimes, and the total number of nodes processed
by it is at most 2n(since |F| ≤ 2n). Hence the time taken by
ADD -NODESET-TO -G is 2nplus the time taken by the CU RR -
MAX-WEIGHT-SE T for each node sin Fwhere s.weight >
r.weight.
The total time required by the CURR -MAX-WEIGHT-SET
procedure is equal to the number of child nodes of rthe
procedure evaluates to construct the snew set for all nodes in
F. The maximum number of such nodes is at most 2n(total
number of nodes in G) at each execution of the CU RR -MAX-
WEIGHT-SE T procedure. Further, the CU RR -MAX-WEIGHT-
SE T procedure is executed at most 2ntimes (number of nodes
in F). Hence, the total time required by the CURR-MAX-
WEIGHT-SE T procedure is at most O(n2).
Therefore the total running time for the RNS Algorithm is
O(n2).
VII. APP LI CATI ON O F RNS ALGORITHM IN SDN
OpenFlow [34] protocol has emerged as an approach to
remotely program switches while having a global view. When
a switch has no entries in its flow tables to handle a packet, it
forwards it to a controller which instructs the switch on how
to handle such packets. This approach of decoupling control
of traffic from the data plane is referred to as SDN [15], [39].
SDN can be characterised by the separation of the control
plane from the data plane in a network: the physical movement
of data (packet forwarding) in a network is separated from
the logic and control governing this movement. Hence, the
decoupling leads to a separation of concerns, which simplifies
the network control design and its maintenance.
In a typical SDN architecture, a central controller residing
in the the control plane governs the movement of data while
the switches residing in the data plane strictly forward packets
as directed by the controller. In the literature, we find the
following architectures for implementing firewalls in the SDN:
(a) Single centralised firewall: In [25], [30], [50] the authors
propose an architecture where the entire network is gov-
erned by a stateless centralised firewall at the control
plane. In this architecture, the policy resides at the firewall
and switches forward all traffic to the controller which
checks the policy and instructs the switch to drop or
forward the packets.
(b) Distributed firewalls at control plane: In [27], [37], [41],
[51] the authors propose an architecture with distributed
firewall at the control plane. The firewalls implemented
in this architecture are stateless firewalls. Each switch is
assigned a firewall at the controller. The firewall reads
the policy and inserts deny rules into the flow table of
the switch. The denied traffic is then dropped by the
switch, and all other traffic is forwarded to the controller
which instructs the switch on how to forward the packet.
The proposed architectures in [52] and [18] are stateful
firewalls that follow a similar process.
15
(c) Distributed firewalls at the data plane: In [6], [8] the
authors propose an architecture that transforms the data
plane switches into stateful firewalls. These approaches
take advantage of stateful data plane technologies to allow
switches to act as stateful firewalls without the need to
forward packets to the controller.
As we shall explain in the following section, the RNS
algorithm is used to generate the network topology and specific
firewall policies for each segment that we put under a switch
in the date plane (see Figure 11). In this section we adopt a
distributed stateful firewall architecture that combines Archi-
tecture (b) with stateful firewall. Our approach is illustrated in
Figure 12.
RNS algorithm
Resource 1
Policy
Topology File
Resource 1
Policy
Resource
Policies
Resource 1
Policy
Resource 1
Policy
Firewall
Policies
Fig. 11: RNS algorithm
A. Use of RNS in SDN
We start by running the RNS algorithm on the set of
resources of a network and their policies to obtain a secure
and robust network topology and the policies of its firewalls.
The design process involves two stages. In the first stage,
the policies of the resources as well as a predefined weight
function are fed as input to the RNS algorithm.
In the second stage, we use mininet (an SDN emulation
tool) [11] and POX controller [2] to create and simulate the
network corresponding to the topology obtained from the first
stage. In the SDN controller to handle each switch in the
network we create a stateful firewall object. Each firewall
object has a state table, a module to communicate with the
actual switch, and a package consisting of modules to handle
(referred to as handlers) different protocols such as TCP, UDP,
or ICMP. Each firewall object fetches its policy, generated by
the RNS algorithm, and stores it (See Figure 12).
We use the network of the example given in Section II
to illustrate the stages of designing SDN based on the RNS
algorithm. We obtain the topology given in Figure 12. To
Mininet (topology.py)Mininet (topology.py)
File Server
192.168.3.1
Engineering1
192.168.2.1
Finance1
192.168.1.1
Finance DB
192.168.1.3
Engineering2
192.168.2.2
Finance2
192.168.1.2
Sw 5
Fw 5
Fw 4
Fw 2
Fw 1
Web Server
192.168.4.1
Email Server
192.168.4.2
Fw1
policy
Fw2
policy
Fw5
policy
Fw4
policy
Sw 2
Sw 4
Sw 1
Fw 3
Fw3
policy
POX SDN Controller
Sw 3
RNS algorithm
Topology
File
Resource
1 Policy
Resource
1 Policy
Firewall
Policies
Fig. 12: SDN simulation
assess whether the traffic in the network is governed according
to the policies set by the RNS algorithm, we run a reachability
test as shown in Figure 13. The reachability test is performed
using the command pingall, which allows every data plane
host to ping every other host. In Figure 13, the first line of
the system response to pingall command starts with eng2,
which is the name of the resource initiating the ping request.
Then we have the arrow -> followed by resource names such
as eng2,file,email, and web indicating a successful
communication of eng2 with these resources. An xindicates
that the initiating host is failing to establish a communication
with the target host.
Fig. 13: Reachability Test of the illustrative example Resources
VIII. OTHE R APP LI CATI ON S OF R NS A LGORITHM
The RNS algorithm can be applied to build computer
networks in several conceivable scenarios. Here we highlight
some of the scenarios where traditional networks fail, but the
RNS algorithm is applicable.
A. Internet of things
IoT (e.g., [32]) is a vision for developments that would
touch many aspects of our daily lives. At its core IoT aims at
having heterogeneous physical objects, for example sensors,
16
devices, tools, machines, wearable items and software compo-
nents, connect and communicate through the Internet, forming
several cooperating eco-systems delivering a global activity.
Many organizations all over the world are initiating IoT driven
ventures to improve their business suppleness or to better
meet the demands of their customers. Networking a large
number of elements of IoT, while ensuring the security of each
element is one of the many challenges [5], [9]. Many existing
models (e.g., [5]) require devices to be resources which rely on
the manufacturer’s cloud-based servers to function. The manu-
facturer’s cloud clusters these resources into network segments
to enable them to securely communicate with other resources
within or outside the cloud. The RNS algorithm would play
a significant role in achieving an automatic and systematic
segmentation of the manufacturer’s networks. Moreover, our
proposed approach for segmentation builds a secure network
by default.
B. On-the-fly-networks/Dynamic networks:
In a secure dynamic networking environment, it is vital
that the reasoning required to cope with the changing security
needs, and communicating the attained security decisions to
the concerned access control nodes is automated. Moreover,
this automation is critical for large networks with a consid-
erable number of dynamic resources. The RNS algorithm,
generates an on-the-fly best segmentation, and policy-based
protection to the network’s components, while ensuring con-
sistency among the resource policies.
For example in an SDN setting, the RNS algorithm is
re-executed to generate an updated topology. The updated
topology is compared to the old topology to decide on which
hosts, switches, links to be added or deleted. To implement
this, the differences are written in a python script that exe-
cutes mininet Command-line interface (CLI) to carry out the
changes. The topology is then updated on-the-fly by running
the script on the mininet CLI. After which the controller is
notified of the changes, which then creates new firewalls and
updates policies of affected ones accordingly.
Further, in real networks a resource might be accessed from
several entry points or used from other networks. Therefore,
in dynamic configuration of networks, special care needs to
be taken in handling such resources. If a resource is deemed
out of service in one network, it should not be automatically
remove without considering its usage from outside of the
network under consideration. In our paper [3], we discuss
the usage of the RNS algorithm to segment networks having
several entry points.
IX. DISCUSSION
We proposed two algorithms, Exp-RNS and RNS, for
building a robust network topology. The Exp-RNS algorithm
has an exponential running time, and RNS has a polynomial
running time. Despite its exponential complexity, we presented
the Exp-RNS algorithm for its simplicity in demonstrating the
usage of the formalism in building a robust network. We later
introduced RNS, which can easily meet the needs of the most
of real-time network configuration in dynamic networks.
The restriction in the superfluous firewall chaining concept
mentioned in Section V can be further tightened, where a
firewall having no resources attached to it (irrespective of
the number of firewalls attached to it) is removed from the
network. This would not only simplifies the network, but
also significantly economize it by minimizing the number of
firewalls required to produce a secure and robust network. The
Exp-RNS and RNS algorithms can be easily modified with mi-
nor changes to adapt to the tighter version of firewall chaining.
Both these versions have its advantages and drawbacks. The
superfluous firewall chaining mentioned in Section V would
result in a network having more firewalls and more number
of layers protecting the resources, however building such a
network could be expensive. The tighter version, results in a
network having less firewalls and fewer layers protecting the
resources; however, it is economical.
Our approach is for designing and building networks, and
is not focused on improving the security in existing networks.
Quantified attack graphs ([57], [23], [13], [4], [43], [35]), and
similar formalisms (e.g., [44]) have been proposed to harden
the security of existing networks. However, our approach can
be used to assess the security robustness of an existing network
in the following ways. One way is to use the GCD to calculate
the best policy for each of the segments of the existing
networks. Then, we compare the calculated firewall policy for
each segment to the existing policy. This would reveal any
missing rules or any flaws in the policy of the existing firewall.
The second way is to verify whether the existing network
implements DD strategy. A third way is to use RNS to get
the appropriate robust network for the resources that are in the
existing network. Then, we compare the topologies (existing
and calculated) with regard to their effectiveness in protecting
the resources. This comparison might lead the network security
officer to better tune the existing network for an enhanced
security.
Today’s networks are very large in terms of the number of
their nodes. The abstraction adopted in the family approach
allows to collapse a subset of nodes into one node that is
protected by a family of policies obtained from the policies of
the abstracted nodes. This approach for example allows us to
focus on the design of a network in a geographic area while
considering the rest of the network in another geographic area
as a node running a family of policies. It is a direct usage of
the principle of divide and conquer.
It is also important to put our results in perspective with
Network Address Translation (NAT) which is a translation
mechanism executed by a firewall that is in contact with
the Internet outside of a private network. It assigns public
addresses to a computer inside a network. Its purpose is to
limit the number of public addresses that internal nodes within
a network need to know about external resources. In our work,
we assume that only the node that we call root will have
this translation capabilities. Our purpose is to design local
networks and NAT can be placed on the boundary between the
local network to be designed and the external Internet (i.e., on
the entry points (roots) of the network). Hence, our policies
use only local addresses to the designed network.
We executed the RNS algorithm on a network with 100
17
resources, on an Apple MacBook Pro with a CPU 2.7 GHz
Intel Core i5 and a memory of 8 GB 1867 MHz DDR3.
The algorithm took 24.40 seconds to calculate the network
topology and the policies to be enforced at its firewalls.
Then, we inactivated ten resources out of the previous 100
resources, and executed the RNS algorithm to recalculate the
new network topology and the policies of its firewalls. The
machine took 24.36 seconds. While the above performance
numbers do not constitute, by any stretch an empirical as-
sessment – a definitive real performance indicator, they give
an idea about the range of time needed. Although the two
numbers do not differ much, we want to emphasize that in
both these cases; that is, with 100 resources and 90 resources,
we re-calculate the whole network topology. Many targeted
strategies can be conceived by considering the characteristics
of the resources that are added or removed. For instance, when
a resource is added/removed, if this change affects only a
subnetwork, we could re-calculate the new topology only for
the subnetwork affected by this change. This would require
running the RNS algorithm for a small number of resources
that are part of the subnetwork as input. In this situation, we
will see enhanced performance which is appropriate for real-
time network reconfiguration. In many situations, however, the
performance of the RNS algorithm when used to recalculate
the whole topology of the network for each network change
is acceptable to reconfigure the network, for example, re-
configuring the network in response to several security threats.
Therefore, a comprehensive empirical study to further assess
this aspect is needed. Moreover, we also need further research
related to the usage of RNS algorithm in many networks such
as mesh networks.
X. CONCLUSION AND FUTURE WOR K
In this paper, we formally define network segmentation.
Then, we propose novel algorithms to build a robust network
architecture which segments resources such that maximum
access protection is provided to its resources. Our formalism is
based on the mathematical framework of PFA, where a policy
is treated as a product and the sets of policies governing a
firewall are equivalent to product families, and an atomic rule
in a policy is equivalent to a feature, and are modelled as
a guarded command. Both the Exp-RNS and RNS algorithms
uses the gcd and the refinement relations to segment resources
and build a robust network.
The advantage of building a robust network using the RNS
algorithm is that public facing resources are placed close to
the edge of the network and have limited access to internal
resources. Resources requiring more security are placed far-
ther from the edge of the network and protected by many
layers. Furthermore, access from one segment to the other is
controlled by internal firewalls. This is a common practice
in network segmentation that is driven by intuition. We give
the mathematical rationale for it. Moreover, the advantage of
having a formal treatment of the problem allows for automated
solutions enabling handling of huge networks.
The RNS algorithm could be scaled to enforce additional
requirements/constraints on the segmentation to achieve the
desired protection. For example, an organization can limit the
number of levels required. Furthermore, additional measures
can be added to achieve the desired segmentation, for example
risk assessment measures [55] such as: infection spread ratio,
and cleansing time. A future research work could incorporate
these additional factors in the weight function discussed in V.
We note that a huge body of work focusing on experimental
evaluation in several contexts; for example evaluating the RNS
algorithm in dynamic networks and IoT would be another im-
portant area of research. Furthermore, based on the evaluations
in different settings, one could propose improvements to the
algorithm to better meet the needs of some settings.
COMPLIANCE WITH ETHICAL STANDARDS
Conflict of Interest: All authors declare that they have no
conflict of interest.
Funding: This study was funded by Natural Sciences and
Engineering Research Council of Canada –NSERC– (CA)
(RGPIN-2020-06859).
Ethical approval: This article does not contain any studies
with human participants or animals performed by any of the
authors.
REFERENCES
[1] P. Ad˜
ao, R. Focardi, J. D. Guttman, and F. L. Luccio, “Localizing
firewall security policies,” in 2016 IEEE 29th Computer Security Foun-
dations Symposium (CSF), June 2016, pp. 194–209.
[2] A. Al-Shabibi and M. McCauley, “Pox controller,” Available: https://
noxrepo.github.io/pox-doc/html (Accessed: Mar 23, 2020).
[3] M. Alabbad, N. Mhaskar, and R. Khedri, “Segmentation and architecture
of networks with multiple entry points,” Computer Networks, 2020,
submitted.
[4] M. Albanese, S. Jajodia, and S. Noel, “Time-efficient and cost-effective
network hardening using attack graphs,” in 42nd Annual IEEE/IFIP
International Conference on Dependable Systems and Networks, 2012,
pp. 1–12.
[5] M. Ammar, G. Russello, and B. Crispoa, “Internet of things: A survey
on the security of IoT frameworks,” Journal of Information Security
and Applications, vol. 38, pp. 8–27, February 2018. [Online]. Available:
https://doi.org/10.1016/j.jisa.2017.11.002
[6] M. Caprolu, S. Raponi, and R. Di Pietro, “Fortress: an efficient and
distributed firewall for stateful data plane sdn,” Security and Communi-
cation Networks, vol. 2019, 2019.
[7] W. R. Cheswick and S. M. Bellovin, Firewalls and Internet Security:
Repelling the Wily Hacker. Addison-Wesley, 1994.
[8] A. Chowdhary, D. Huang, A. Alshamrani, A. Sabur, M. Kang, A. Kim,
and A. Velazquez, “Sdfw: sdn-based stateful distributed firewall,” arXiv
preprint arXiv:1811.00634, 2018.
[9] M. Conti, A. Dehghantanha, K. Franke, and S. Watson, “Internet of
things security and forensics: Challenges and opportunities,” Future
Generation Computer Systems, vol. 78, pp. 544–546, January 2018.
[Online]. Available: https://doi.org/10.1016/j.future.2017.07.060
[10] L. de Moura and N. Bjørner, “Satisfiability modulo theories: An ap-
petizer,” in Formal Methods: Foundations and Applications, M. V. M.
Oliveira and J. Woodcock, Eds. Berlin, Heidelberg: Springer Berlin
Heidelberg, 2009, pp. 23–36.
[11] R. L. S. de Oliveira, C. M. Schweitzer, A. A. Shinoda, and Ligia
Rodrigues Prete, “Using mininet for emulation and prototyping software-
defined networks,” in 2014 IEEE Colombian Conference on Communi-
cations and Computing (COLCOM), June 2014, pp. 1–6.
[12] J. Desharnais, N. Belkhiter, S. B. M. Sghaier, F. Tchier, A. Jaoua,
A. Mili, and N. Zaguia, “Embedding a demonic semilattice in a relation
algebra,” Theoretical Computer Science, vol. 149, no. 2, pp. 333 – 360,
1995. [Online]. Available: http://www.sciencedirect.com/science/article/
pii/030439759400271J
[13] R. Dewri, N. Poolsappasit, I. Ray, and D. Whitley, “Optimal security
hardening using multi-objective optimization on attack tree models of
networks,” in Proc. 14th ACM Conf. Comput. Commun. Security, 2007,
pp. 204–213.
18
[14] T. E. Fægri and S. O. Hallsteinsen, “A software product line
reference architecture for security,” in Software Product Lines
- Research Issues in Engineering and Management. Springer
Berlin Heidelberg, 2006, pp. 275–326. [Online]. Available: https:
//doi.org/10.1007/978-3-540-33253-4 8
[15] N. Feamster, J. Rexford, and E. Zegura, “The road to sdn: an intel-
lectual history of programmable networks,” ACM SIGCOMM Computer
Communication Review, vol. 44, no. 2, pp. 87–98, 2014.
[16] Google Inc., “Google’s approach to it security,” Google, Tech. Rep.,
2012.
[17] D. Gries and F. Schenider, A Logical Approach to Discrete Math, ser.
Springer Texts And Monographs In Computer Science. New York:
Springer-Verlag, 1993.
[18] V. Gupta, S. Kaur, and K. Kaur, “Implementation of stateful firewall
using pox controller,” in 2016 3rd International Conference on Com-
puting for Sustainable Global Development (INDIACom). IEEE, 2016,
pp. 1093–1096.
[19] P. H¨
ofner, R. Khedri, and B. M¨
oller, “Feature algebra,” in FM 2006: For-
mal Methods, ser. Lecture Notes in Computer Science series, J. Misra,
T. Nipkow, and E. Sekerinski, Eds., vol. 4085. 14th International Sym-
posium on Formal Methods, McMaster University, Hamilton, Ontario,
Canada: Springer, August 21 – 27 2006, pp. 300 – 315.
[20] ——, “Algebraic view reconciliation,” in 6th IEEE International Con-
ferences on Software Engineering and Formal Methods. Cape Town,
South Africa, November 10 – 14, 2008, pp. 85 – 94.
[21] ——, “An algebra of product families,” Software & Systems Modeling,
vol. 10, no. 2, pp. 161–182, 2011.
[22] ——, “Supplementing product families with behaviour,” International
Journal of Software and Informatics, pp. 245–266, 2011.
[23] K. Ingols, R. Lippmann, and K. Piwowarski, “Practical attack graph
generation for network defense,” in Proc. Comput. Security Appl. Conf.,
2006, pp. 121—30.
[24] R. Janicki and R. Khedri, “On a formal semantics of tabular expres-
sions,” Science of Computer Programming, vol. 39, no. 1-2, pp. 189–
213, March 2001.
[25] T. Javid, T. Riaz, and A. Rasheed, “A layer2 firewall for software defined
network,” in 2014 Conference on Information Assurance and Cyber
Security (CIACS). IEEE, 2014, pp. 39–42.
[26] Y. Jin and D. L. Parnas, “Defining the meaning of tabular mathematical
expressions,” Science of Computer Programming, vol. 75, no. 11, pp. 980
– 1000, 2010, special Section on the Programming Languages Track at
the 23rd ACM Symposium on Applied Computing. [Online]. Available:
http://www.sciencedirect.com/science/article/pii/S0167642309001762
[27] K. Kaur, K. Kumar, J. Singh, and N. S. Ghumman, “Programmable
firewall using software defined networking,” in 2015 2nd International
Conference on Computing for Sustainable Global Development (INDI-
ACom). IEEE, 2015, pp. 2125–2129.
[28] R. Khedri, O. Jones, and M. Alabbad, “Defense in depth formulation
and usage in dynamic access control,” in Principles of Security
and Trust: 6th International Conference, POST 2017, Held as
Part of the European Joint Conferences on Theory and Practice
of Software, ETAPS 2017, Uppsala, Sweden, April 22-29, 2017,
Proceedings, M. Maffei and M. Ryan, Eds. Berlin, Heidelberg:
Springer Berlin Heidelberg, 2017, pp. 253–274. [Online]. Available:
https://doi.org/10.1007/978-3-662-54455-6 12
[29] R. Khedri, N. Mhaskar, and M.Alabbad, “On the segmentation of
networks,” McMaster University, Tech. Rep., 2019. [Online]. Available:
https://www.cas.mcmaster.ca/tech reports/0reports/CAS-19- 01-RK.pdf
[30] A. Kumar and N. Srinath, “Implementing a firewall functionality for
mesh networks using sdn controller,” in 2016 International Conference
on Computation System and Information Technology for Sustainable
Solutions (CSITSS). IEEE, 2016, pp. 168–173.
[31] R. Lippmann, K. Ingols, C. Scott, K. Piwowarski, K. Kratkiewicz,
M. Artz, and R. Cunningham, “Validating and restoring defense in
depth using attack graphs,” in MILCOM 2006 - 2006 IEEE Military
Communications conference, Oct 2006, pp. 1 – 10.
[32] S. Madakam, R. Ramaswamy, and S. Tripathi, “Internet of things
(IoT): A literature review,” Journal of Computer and Communications,
vol. 3, no. 5, pp. 164–173, May 2015. [Online]. Available:
http://www.scirp.org/journal/jcc
[33] C. J. May, J. Hammerstein, J. Mattson, and K. Rush, “Defense in depth:
Foundations for secure and resilient it enterprises,” Carnegie Mellon
University, Tech. Rep., 2006.
[34] N. McKeown, T. Anderson, H. Balakrishnan, G. Parulkar, L. Peterson,
J. Rexford, S. Shenker, and J. Turner, “Openflow: enabling innovation in
campus networks,” ACM SIGCOMM Computer Communication Review,
vol. 38, no. 2, pp. 69–74, 2008.
[35] H. M.J. Almohri, L. T. Watson, D. Yao, and X. Ou, “Security opti-
mization of dynamic networks with probabilistic graph modeling and
linear programming,” in IEEE Transactions on Dependable and Secure
Computing, vol. 13, 2016, pp. 474–487.
[36] B. M¨
oller and G. Struth, “wp is wlp,” in Relational Methods in Com-
puter Science, ser. Lecture Notes in Computer Science, W. MacCaull,
M. Winter, and I. D¨
untsch, Eds. Springer Berlin Heidelberg, 2006, vol.
3929, pp. 200–211.
[37] S. Morzhov, I. Alekseev, and M. Nikitinskiy, “Firewall application for
floodlight sdn controller,” in 2016 International Siberian Conference on
Control and Communications (SIBCON). IEEE, 2016, pp. 1–5.
[38] National Security Agency (NSA), “Top 10 information assurance miti-
gation strategies,” NSA, Tech. Rep., 2013.
[39] B. A. A. Nunes, M. Mendonca, X.-N. Nguyen, K. Obraczka, and
T. Turletti, “A survey of software-defined networking: Past, present, and
future of programmable networks,” IEEE Communications Surveys &
Tutorials, vol. 16, no. 3, pp. 1617–1634, 2014.
[40] D. L. Parnas, “Tabular representation of relations,” Communications
Research Laboratory, Faculty of Engineering, McMaster University,
Hamilton, Ontario, Canada, CRL Report 260, October 1992.
[41] J. G. V. Pena and W. E. Yu, “Development of a distributed firewall
using software defined networking technology,” in 2014 4th IEEE In-
ternational Conference on Information Science and Technology. IEEE,
2014, pp. 449–452.
[42] R. Peteanu, Best Practices for Secure Development, 2001.
[43] N. Poolsappasit, R. Dewri, and I. Ray, “Dynamic security risk manage-
ment using bayesian attack graphs,” in IEEE Transactions on Depend-
able and Secure Computing, vol. 9, 2012, pp. 61–74.
[44] M. Rahman and E. Al-Shaer, “A formal framework for network security
design synthesis,” in 2013 IEEE 33rd International Conference on
Distributed Computing Systems (ICDCS), 2013, pp. 560 – 70. [Online].
Available: http://dx.doi.org/10.1109/ICDCS.2013.70
[45] P. Rubel, M. Ihde, S. Harp, and C. Payne, “Generating policies for
defense in depth,” in 21st Annual Computer Security Applications
Conference (ACSAC’05), Dec 2005, pp. 10 pp.–514.
[46] J. R.Vacca and S. Ellis, Firewalls Jumpstart for Network and Systems
Administrators. Elsevier, 2005.
[47] K. Scarfone and P. Hoffman, “Guidelines on firewalls and firewall
policy,” National Institute of Standards and Technology (NIST), Tech.
Rep., 2009.
[48] M. Stawowski, “The principles of network security design,” ISSA, 2007.
[49] ——, “Network security architecture,” ISSA, 2009.
[50] M. Suh, S. H. Park, B. Lee, and S. Yang, “Building firewall over the
software-defined network controller,” in 16th International Conference
on Advanced Communication Technology. IEEE, 2014, pp. 744–748.
[51] T. V. Tran and H. Ahn, “A network topology-aware selectively dis-
tributed firewall control in sdn,” in 2015 International Conference
on Information and Communication Technology Convergence (ICTC).
IEEE, 2015, pp. 89–94.
[52] ——, “Flowtracker: A sdn stateful firewall solution with adaptive
connection tracking and minimized controller processing,” in 2016
International Conference on Software Networking (ICSN). IEEE, 2016,
pp. 1–5.
[53] U.S. Department of Homeland Security, Recommended Practice: Im-
proving Industrial Control Systems Cybersecurity with Defense-in-Depth
Strategies, September 2016.
[54] N. Wagner, C. S¸. S¸ ahin, J. Pena, and W. W. Streilein, “Automatic
generation of cyber architectures optimized for security, cost, and mis-
sion performance: A nature-inspired approach,” in Advances in Nature-
Inspired Computing and Applications, N. A. Shandilya S., Shandilya S.,
Ed. Springer, Cham, 2019.
[55] N. Wagner, C. S¸ . S¸ ahin, M. Winterrose, J. Riordan, J. Pena, D. Hanson,
and W. W. Streilein, “Towards automated cyber decision support: A case
study on network segmentation for security,” in 2016 IEEE Symposium
Series on Computational Intelligence (SSCI), Dec 2016, pp. 1–10.
[56] N. Wagner, C. S¸ . S¸ ahin, J. Pena, J. Riordan, and S. Neumayer, “Captur-
ing the security effects of network segmentation via a continuous-time
markov chain model,” in Proceedings of the 50th Annual Simulation
Symposium, ser. ANSS ’17. San Diego, CA, USA: Society for
Computer Simulation International, 2017, pp. 1–12.
[57] L. Wang, S. Noel, and S. Jajodia, “Minimum-cost network hardening
using attack graphs,” Comput. Commun., vol. 29, pp. 3812–3824, 2006.
19
APPENDIX A
PROO FS O F LEM MA S.
Proof of Lemma 1.
¬(p(r)6= 0F∧(∀a, b |(a, b)∈E·p(b)@Fp(a) ))
⇐⇒ h De Morgan Law i
(p(r)=0F)∨(∃a, b |(a, b)∈E·p(b)6@Fp(a) )
=⇒ h Strengthening i
(∃a, b |(a, b)∈E·p(b)6@Fp(a) )
⇐=h(v, l)∈Ei
p(l)6@Fp(v)
⇐⇒ h p(v) = gcd(p(v), p(l)) i
p(l)6@Fgcd(p(v), p(l))
⇐⇒ h From the hypothesis p(l)=1Fi
1F6@Fgcd(p(v),1F)
⇐⇒ h Because gcd(p(v),1F)=1F,vis parent
of li
1F6@F1F
⇐=hFrom the definition of @Fi
true
Proof of Lemma 2.
¬(p(r)6= 0F∧(∀a, b |(a, b)∈E·p(b)@Fp(a) ))
⇐⇒ h De Morgan Law i
(p(r)=0F)∨(∃a, b |(a, b)∈E·p(b)6@Fp(a) )
=⇒ h Strengthening i
(∃a, b |(a, b)∈E·p(b)6@Fp(a) )
⇐=h(r, s)∈Ei
p(s)6@Fp(r)
⇐⇒ h p(s) = gcd(p(s),gcd(p(l1), p(l2))) and
p(r) = gcd(p(r), p(s)) and from the hy-
pothesis gcd(l1, l2) = 1Fi
1F6@F1F
⇐=hFrom the definition of @Fi
true
Proof of Lemma 3.
¬(p(r)6= 0F∧(∀a, b |(a, b)∈E·p(b)@Fp(a) ))
⇐⇒ h De Morgan Law i
p(r)=0F∨(∃a, b |(a, b)∈E·p(b)6@Fp(a) )
=⇒ h Strengthening i
(∃a, b |(a, b)∈E·p(b)6@Fp(a) )
⇐=h(u, v)∈Ei
p(v)6@Fp(u)
⇐⇒ h From hypothesis p(u) = (gcd vi|
(v, vi)∈E·p(vi) ) = p(v)i
p(v)6@Fp(v)
⇐=hFrom the definition of @Fi
true
Proof of Lemma 4 (a).
S is a segment
⇐⇒ h Definition 3 i
(∀r, r0|r∈S∧r0∈(R−
S)·wP(gcd(p(r), p(r0))) ≤wP(gcd( r|r∈
S·p(r) )) )
⇐⇒ h Sis a set consisting of resources having
co-prime policies, gcd of co-prime poli-
cies = 1Fi
(∀r, r0|r∈S∧r0∈(R−
S)·wP(gcd(p(r), p(r0))) ≤wP(1F) )
⇐=hFrom hypothesis p(r0) = 1Fi
(∀r, r0|r∈S∧r0∈(R−S)·wP(gcd(p(r),1F)) ≤
wP(1F) )
⇐⇒ h Because (∀a|·gcd(a, 1F)=1F)i
(∀r, r0|r∈S∧r0∈(R−S)·wP(1F)≤wP(1F) )
⇐=hreflexivity of ≤ i
true
Proof of Lemma 4 (b).
S is a segment
⇐⇒ h Definition 3 i
(∀r, r0|r∈S∧r0∈(R−S)·
wP(gcd(p(r), p(r0))) ≤wP(gcd( r|r∈S·p(r) )) )
⇐=hFrom hypothesis: (∀r, r0|r∈S∧r0∈
(R−S)·gcd(p(r), p(r0)) = 1F)i
(∀r, r0|r∈S∧r0∈(R−S)·wP(1F)≤
wP(gcd( r|r∈S·p(r) )) )
⇐=hr∈Sand p(r) = 1F, which makes
gcd( r|r∈S·p(r) ) = 1Fi
(∀r, r0|r∈S∧r0∈(R−S)·wP(1F)≤wP(1F) )
⇐=hreflexivity of ≤ i
true
APPENDIX B
EXP -RNS ALGORITHM FUNCTIONS
In this section we present detailed algorithms for the
five main tasks listed in the Exp-RNS algorithm (see Sec-
tion VI-A).
A. COMPUTE-GCD Function
Here we explain the COMPUTE-GCD function in detail. The
function first computes the power set of the set of resources R,
P(R). It then computes the GCD for each set in P(R). While
computing the GCDs, the function maintains a set GCD,
consisting of objects called the gcd objects. Each gcd object
has the following attributes: p,set,weight, and size. Attribute
set represents the set of resources, which is a set in P(R).
Attribute prepresents the GCD of the policies of the resources
in set. Attribute weight is the weight of the policy p, and
attribute size represents the cardinality of set. To minimize
the number of gcd objects stored in GCD, each object in
GCD has a unique policy p. To achieve this, if the GCD
of two sets in P(R)is the same, then we store the gcd
object corresponding to the larger set. Further for any two
20
sets s1, s2∈P(R), if the GCD of policies of s1refines the
GCD of policies of s2, and if both these policies have the
same weight, then we only store the gcd object corresponding
to s2.
procedure COMPUTE-GCD(R)
P(R)←power set of Rminus all singleton sets and
empty set.
GCD ← ∅ initialize GCD set.
for each s∈P(R)do
Create gcd s object
gcd s.p ←Calculate the GCD of the policies of
resources in s
gcd s.weight ←weight of gcd s.p
flag ←f alse
for each gcd ∈GCD do
if gcd.p =gcd s.p then
flag ←true
if gcd.size < |s|then
gcd.size ← |s|
gcd.set ←s
end if
else if gcd.p @gcd s.p ∧gcd.weight =
gcd s.weight then
GCD =GCD − {gcd}
else if gcd s.p @gcd.p ∧gcd.weight =
gcd s.weight then
flag ←true
end if
end for
if flag =f alse then
gcd s.set ←s
gcd s.size ← |s|
gcd s.weight ←weight of gcd s.p
GCD ←GCD ∪ {gcd s}
end if
end for
return GCD
end procedure
Table I gives all the gcd objects in the GCD set, and the set
of resources in set for the illustrative example after procedure
COMPUTE-GCD is executed. In Appendix-D, we present the
computation of policy for gcd 3 (we refer the reader to [29,
Section 2.2] for details on the computation of policies for all
the gcd objects given in Table I).
gcd objects
in GCD
set
Set of Resources
gcd 1{W eb ser ver, Email ser ver, Fil e server,
F in.DB, F in.1, F in.2, Eng.1, E ng.2}
gcd 2{F ile server, F in.D B, F in.1, F in.2, E ng.1,
Eng.2}
gcd 3{Eng .1, Eng .2, Fin.D B, F in.1, F in.2}
gcd 4{Eng .1, Eng .2}
gcd 5{F in.DB , F in.1, F in.2}
TABLE I: gcd objects in GCD set, and their corresponding
set of resources.
B. BUI LD -NET WORK-GRAPH Function
In this section, we present algorithms for the BU IL D-
NET WORK-GRAPH function and the ADD -NOD ES ET-TO -G
procedure.
procedure BUIL D-NE TW OR K-GR AP H(F, R)
G← ∅ G = (E;V;r)
r←gcd object that has all resources Rin its set
attribute
r.π ← ∅;r.resource ←false
V←V∪ {r}
F←F−minus gcd objects with the same weight as
the root r
while F6=∅do
wmax ←maximum weight of any s∈F.
T← ∅
for each s∈Fdo
if s.weight =wmax then
T←T∪s;F←F−s
end if
end for
ADD -NOD ES ET-TO -G(G, F , T, wmax)
end while
return G
end procedure
1) Adding gcd Nodes in Tto the Network Graph: The gcd
nodes are added to the network graph based on the weight
attribute of the gcd object. We add nodes to Gin batches (set
T) starting with maximum weight to minimum weight. The
ADD -NOD ES ET-TO -G procedure adds the set of nodes in T
in non-increasing order by their size attribute; that is, nodes
in Thaving the largest size is processed first, followed by
a node with next (or same) largest size is processed to add
it to G. During the execution of the procedure, at all times
we maintain the resT set that contains the set of resources
for which gcd nodes have not been added. Initially, resT
contains all resources contained in all the gcd nodes in T.
Then the procedure loops through each node sin Tand if s.set
still contains resources unaccounted for in G, it is evaluated.
During this evaluation, every child cof the root rthat refines
sis added to cset. Then v s is added to Gby attaching
it to r. If cset is not empty, then all nodes in it are attached
to v s as its children, and their connection to ris removed.
Finally, the resources in s.set are removed from resT (if they
exist).
procedure ADD-NO DE SE T-TO-G(G, F, T , wmax)
G= (V;E;r)
resT ← ∅
for each s∈Tdo
resT ←resT ∪s.set
end for
T←Tnodes ordered in non-increasing order by their
size attribute.
for each s∈T∧(s.set ∩resT 6=∅)do
cset ← ∅
for each child cof rdo
if c.p @s.p then
cset ←cset ∪ {c}
21
end if
end for
V←V∪ {s}
E←E∪ {(r, s)}
s.π ← {r}
if cset 6=∅then
for each c∈cset do
E←E− {(r, c)}∪{(s, c)}
c.π ←c.π − {r}∪{s}
end for
end if
resT ←resT −s.set
end for
end procedure
Figure 14 shows the network graph for the illustrative ex-
ample produced by the BU IL D-NE TW OR K-GR AP H procedure.
Observe that in the graph each path represents a refinement
chain (e.g., gcd4@Fgcd3@Fgcd2@Fgcd1).
gcd 1
gcd 2
gcd 3
gcd 4 gcd 5
Fig. 14: The network graph of the illustrative example after
BUI LD -NET WORK-GRAPH procedure
C. ADD -RES OU RC ES -TO-NET procedure
In this section, we present an algorithm for the AD D-
RES OU RC ES -TO-NET procedure.
procedure ADD-RE SO UR CE S-T O-NE T(G, GCD, R)
GCDmax ←ordered list of gcd ∈GCD in descend-
ing order by weights.
R0=R
for each gcd ∈GCDmax do
for each s∈gcd.set do
if s∈R0then
s.is resource ←true
s.π ←s.π ∪ {gcd}
V←V∪ {s}
E←E∪ {(gcd, s)}
R0←R0− {s}
end if
end for
end for
end procedure
D. OPTIMIZE-NET WORK-GRAPH procedure
In this section, we present an algorithm for the OPTIMIZE-
NET WORK-GRAPH procedure.
procedure OPTIMIZE-NE TW OR K-GR AP H(G)
G = (V;E;r)
S← ∅;T← ∅ S, T are stack
P ush(S, r)
while S6=∅do
u←P op(S)
P ush(T, u)
for each cchild of udo
P ush(S, c)
end for
end while
while T6=∅do
u←P op(T)
child count ←0
f flag ←false
for each cchild of udo
child count ←child count + 1
if c.is resource =f alse then
f flag ←true
end if
end for
if child count = 0 ∧u.is resource =f alse
then
V←V− {u}
for each x∈u.π do
E←E− {(x, u)}
end for
else if (child count = 1 ∧f flag =true)then
V←V− {u}
c.π ←c.π − {u}
c.π ←c.π ∪ {u.π}
E←E− {(u, c)}
for each x∈u.π do
E←E− {(x, u)}
E←E∪ {(x, c)}
end for
end if
end while
end procedure
The robust network graph with resources attached for the
illustrative example is shown in Figure 15.
E. ADD -1F-RESOURCES procedure
In this section, we present an algorithm for the AD D-1F-
RESOURCES procedure.
procedure ADD-1F-RESOURCES(G, S )
if S=∅then return error
end if
if r.p = 1Fthen
r.set ←r.set ∪S;r.size ←r.size +|S|
for each s∈Sdo
s.is resource ←true
s.π ← {r}
V←V∪ {s}
22
gcd 1
Webgcd 2 Email
File gcd 3
gcd 4 gcd 5
Eng 1 Fin 1 Fin 2 Fin DBEng 2
Fig. 15: The network graph of the illustrative example after
adding resources
E←E∪ {(r, s)}
end for
else
Create node r0Create new root r0of G
r0.set ←r.set ∪S;r0.size ←r.size +|S|
r0.p ←1F;r0.weight ←weight of 1Fpolicy
r0.π ← ∅
V←V∪ {r0}Add new root r0to G
r.π ← {r0}Attach rto r0
E←E∪ {(r0, r)}
for each s∈Sdo
s.is resource ←true
s.π ← {r0}
V←V∪ {s}
E←E∪ {(r0, s)}
end for
end if
end procedure
APPENDIX C
AUXILIARY FUNCTIONS FOR RNS ALGORITHM
In this section we present the auxiliary procedure ADD-
NO DE -TO-G and the function CRE ATE-NODE used by the
RNS algorithm presented in Section VI-B.
The auxiliary AD D-N OD E-T O-G procedure encapsulates the
steps to add nodes (and any resources not already added to G
in its set attribute) to G. The AD D-N OD E-TO-G procedure
always adds the node sto the root of r(if it exists). If sis a
gcd node and has children that are resource nodes not added
to Gyet (indicated by exist =false), then sis added to G
and all the resources in its s.set are created as new nodes and
added to Gas children of s. If sis a gcd node object, which is
created to be a gcd node for existing nodes in G(indicated by
exist =true), then sis added to Gand all nodes in cset are
added as its children (this includes removing their connection
with r, and attaching them to s). In this case, it is possible
for cset to contain a node having the same weight as that of
s, in which case, we delete that node from G, and attach its
children to s.
procedure ADD-N OD E-T O-G(G, s, cset, exist)
if G6=NULL then
V←V∪s;E=E∪ {(r, s)}
s.π ←s.π ∪ {r}
else
if s.set =Rthen
V←V∪s;r←s
end if
end if
if s.set 6=empty ∧s6=r∧!exist then Add gcd
node with only resources not yet added to Gas children
for each res ∈s.set do
res =CREATE-NODE(res, ∅, f alse)
V←V∪res
E←E∪ {(s, res)}
res.π ←res.π ∪ {s}
end for
else if cset 6=empty ∧s6=r∧exist then Adding
gcd node with children already added to Gand possibly
having gcd nodes as children.
for each res ∈cset do
if res.isresource =false ∧s.weight =
res.weight then
V←V− {res}
E←E− {(r, res)}
for each child cof res do
E←E− {(res, c)}∪{(s, c)}
res.π ←res.π − {res}∪{s}
end for
else
E←E− {(r, res)}∪{(s, r es)}
res.π ←res.π − {r}∪{s}
end if
end for
end if
end procedure
The auxiliary CREATE-NODE function creates nodes so that
they can be added to the graph G. While building G, two types
of nodes, namely the resource nodes, and the GCD (firewall)
nodes are created, and their attributes set according to the code
given in the CREATE -NO DE function. Since we mark nodes as
temporary (nodes that are added to Fand evaluated later) we
introduce a new attribute –temp– which is added to all nodes.
For permanent nodes temp is set to false, and for temporary
nodes temp is set to true.
function CRE ATE-N OD E(s)
Create node v Create node and initialize attribute
values
if |s|= 1 ∧s6=Rthen Adding a resource
v.p ←policy of resource s
v.weight ←weight of v.p
v.set ← ∅;v.size ←0
v.isresource ←true;v.temp ←f alse
else
v.p ←GCD of all resource policies in s
23
v.weight ←weight of v.p
v.isresource ←false;v.temp ←f alse
for each node ∈sdo
if !node.isresource then
v.set ←v.set ∪node.set
v.size ←v.size +node.size
else
v.set ←v.set ∪node
v.size ←v.size + 1
end if
end for
end if
return v
end function
APPENDIX D
TABULAR EXPRESSIONS AND GCD COM PU TATION
Tabular expressions are mathematical expressions in tabular
form. They were formalized by Parnas [26]. As defined
in [24], a tabular expression table is an organized sets of cells,
where each cell contains a mathematical expression [24]. This
table contains a collection of headers and a grid indexed by
these headers. A tabular expression representing a policy has
two headers, H1which specifies the source IP numbers and
protocols and H2which specifies the states and destination
ports, and an internal grid Gwhich specifies actions. Each
grid cell represents a rule of the policy and specifies the
ACTION state attribute value for its end state. For an example
see Table II, which is the tabular expression representation
of the Finance workstations and database policy (defined in
Section II).
We now outline the algorithm to compute the GCD of
two policies represented as tabular expressions. For simplicity,
we demonstrate it using an example. Consider the tabular
expression representations of the Finance workstations and
database policy Table II, and the Engineering workstations
policy Table III as the input to the gcd function. The algorithm
first modifies these input tables to have matching headers.
While creating the matching headers it is possible to have
empty cells in the grids of the modified tables. These cells
are filled with a value – false which indicates that no rule
exists corresponding to such cells in the policy. Since our input
Tables II and III already have matching headers, we ignore
this step. The algorithm then creates the GCD table layout
by having the same headers as the matching headers of the
(modified) input tables. After which, the value of each grid
cell of the GCD table is computed starting with the first cell
as follows:
1) If either of the corresponding input table cells have a
value false, then its value is false.
2) Otherwise it is the union of their values. For example, if
the corresponding input table cells have different values
as seen in the grid cell [1,5] of Table II with value a0=
ACCEPT, and Table III with value a0=REJECT, then its
value is the union of their values; that is, a0=ACCEPT∨
a0=REJECT.
The GCD of the Finance workstations and database policy and
the Engineering workstations policy is given in Table IV.
s= 192.168.1.0/24 s= 192.168.2.0/24 s= 192.168.3.0/24 s= 192.168.4.0/24 s /∈ {192.168.1.0/24,
192.168.2.0/24,
192.168.3.0/24,
192.168.4.0/24}
p=TCP p6=TCP p=TCP p6=TCP p=TCP p6=TCP p=TCP p6=TCP p=TCP p6=TCP
st ∈ {RELATED,
ESTABLISHED}
dport ∈ {80,25}a0=ACCEPT a0=ACCEPT a0=ACCEPT a0=ACCEPT a0=ACCEPT a0=ACCEPT a0=ACCEPT a0=ACCEPT a0=ACCEPT a0=ACCEPT
dport /∈ {80,25}a0=ACCEPT a0=ACCEPT a0=ACCEPT a0=ACCEPT a0=ACCEPT a0=ACCEPT a0=ACCEPT a0=ACCEPT a0=ACCEPT a0=ACCEPT
st =INVALID dport ∈ {80,25}a0=DROP a0=DROP a0=DROP a0=DROP a0=DROP a0=DROP a0=DROP a0=DROP a0=DROP a0=DROP
dport /∈ {80,25}a0=DROP a0=DROP a0=DROP a0=DROP a0=DROP a0=DROP a0=DROP a0=DROP a0=DROP a0=DROP
st =NEW dport ∈ {80,25}a0=ACCEPT a0=ACCEPT a0=REJECT a0=REJECT a0=REJECT a0=REJECT a0=REJECT a0=REJECT a0=DROP a0=DROP
dport /∈ {80,25}a0=ACCEPT a0=ACCEPT a0=REJECT a0=REJECT a0=REJECT a0=REJECT a0=REJECT a0=REJECT a0=DROP a0=DROP
TABLE II: Finance workstations and database policy represented as a tabular expression.
24
s= 192.168.1.0/24 s= 192.168.2.0/24 s= 192.168.3.0/24 s= 192.168.4.0/24 s /∈ {192.168.1.0/24,
192.168.2.0/24,
192.168.3.0/24,
192.168.4.0/24}
p=TCP p6=TCP p=TCP p6=TCP p=TCP p6=TCP p=TCP p6=TCP p=TCP p6=TCP
st ∈ {RELATED,
ESTABLISHED}
dport ∈ {80,25}a0=ACCEPT a0=ACCEPT a0=ACCEPT a0=ACCEPT a0=ACCEPT a0=ACCEPT a0=ACCEPT a0=ACCEPT a0=ACCEPT a0=ACCEPT
dport /∈ {80,25}a0=ACCEPT a0=ACCEPT a0=ACCEPT a0=ACCEPT a0=ACCEPT a0=ACCEPT a0=ACCEPT a0=ACCEPT a0=ACCEPT a0=ACCEPT
st =INVALID dport ∈ {80,25}a0=DROP a0=DROP a0=DROP a0=DROP a0=DROP a0=DROP a0=DROP a0=DROP a0=DROP a0=DROP
dport /∈ {80,25}a0=DROP a0=DROP a0=DROP a0=DROP a0=DROP a0=DROP a0=DROP a0=DROP a0=DROP a0=DROP
st =NEW dport ∈ {80,25}a0=REJECT a0=REJECT a0=ACCEPT a0=ACCEPT a0=REJECT a0=REJECT a0=REJECT a0=REJECT a0=DROP a0=DROP
dport /∈ {80,25}a0=REJECT a0=REJECT a0=ACCEPT a0=ACCEPT a0=REJECT a0=REJECT a0=REJECT a0=REJECT a0=DROP a0=DROP
TABLE III: Engineering workstations policy represented as a tabular expression.
s= 192.168.1.0/24 s= 192.168.2.0/24 s= 192.168.3.0/24 s= 192.168.4.0/24 s /∈ {192.168.1.0/24,
192.168.2.0/24,
192.168.3.0/24,
192.168.4.0/24}
p=TCP p6=TCP p=TCP p6=TCP p=TCP p6=TCP p=TCP p6=TCP p=TCP p6=TCP
st ∈ {RELATED,
ESTABLISHED}
dport ∈ {80,25}a0=ACCEPT a0=ACCEPT a0=ACCEPT a0=ACCEPT a0=ACCEPT a0=ACCEPT a0=ACCEPT a0=ACCEPT a0=ACCEPT a0=ACCEPT
dport /∈ {80,25}a0=ACCEPT a0=ACCEPT a0=ACCEPT a0=ACCEPT a0=ACCEPT a0=ACCEPT a0=ACCEPT a0=ACCEPT a0=ACCEPT a0=ACCEPT
st =INVALID dport ∈ {80,25}a0=DROP a0=DROP a0=DROP a0=DROP a0=DROP a0=DROP a0=DROP a0=DROP a0=DROP a0=DROP
dport /∈ {80,25}a0=DROP a0=DROP a0=DROP a0=DROP a0=DROP a0=DROP a0=DROP a0=DROP a0=DROP a0=DROP
st =NEW dport ∈ {80,25}a0=ACCEPT ∨
a0=REJECT
a0=ACCEPT ∨
a0=REJECT
a0=ACCEPT ∨
a0=REJECT
a0=ACCEPT ∨
a0=REJECT
a0=REJECT a0=REJECT a0=REJECT a0=REJECT a0=DROP a0=DROP
dport /∈ {80,25}a0=ACCEPT ∨
a0=REJECT
a0=ACCEPT ∨
a0=REJECT
a0=ACCEPT ∨
a0=REJECT
a0=ACCEPT ∨
a0=REJECT
a0=REJECT a0=REJECT a0=REJECT a0=REJECT a0=DROP a0=DROP
TABLE IV: Tabular expression representation of the GCD of Finance Workstations and Database policy, and Engineering Workstations
policy.
25
APPENDIX E
RELATIVE ATOMICITY
1−A INPUT −m s t a t e −−s t a t e RELATED, ESTABLISHED −j ACCEPT
2−A INPUT −m s t a t e −−s t a t e INVAL ID −j DROP
3−A INPUT −s 192.168.1.0/24 −−sp o r t 0: 6 5 5 3 5 −d 0.0.0.0/0 −−
dp o r t 0 : 6 5 5 3 5 −p a l l −j REJECT
4−A INPUT −s 192.168.2.0/24 −−sp o r t 0: 6 5 5 3 5 −d 0.0.0.0/0 −−
dp o r t 0 : 6 5 5 3 5 −p a l l −j ACCEPT
5−A INPUT −s 192.168.3.0/24 −−sp o r t 0: 6 5 5 3 5 −d 0.0.0.0/0 −−
dp o r t 0 : 6 5 5 3 5 −p a l l −j REJECT
6−A INPUT −s 192.168.4.0/24 −−sp o r t 0: 6 5 5 3 5 −d 0.0.0.0/0 −−
dp o r t 0 : 6 5 5 3 5 −p a l l −j REJECT
7−A INPUT −s 0.0.0.0/1 −−sp o r t 0: 6 5 5 3 5 −d 0.0.0.0/0 −−dport
0: 7 9 −p u dp −j DROP
8−A INPUT −s 0.0.0.0/1 −−sp o r t 0: 6 5 5 3 5 −d 0.0.0.0/0 −−dport
0: 7 9 −p icmp −j DROP
9−A INPUT −s 0.0.0.0/1 −−sp o r t 0: 6 5 5 3 5 −d 0.0.0.0/0 −−dport
80:80 −p t c p −j DROP
10 −A INPUT −s 0.0.0.0/1 −−sp o r t 0: 6 5 5 3 5 −d 0.0.0.0/0 −−dport
81 : 6 5 5 3 5 −p t c p −j DROP
11 −A INPUT −s 0.0.0.0/1 −−sp o r t 0: 6 5 5 3 5 −d 0.0.0.0/0 −−dport
80:80 −p ud p −j DROP
12 −A INPUT −s 0.0.0.0/1 −−sp o r t 0: 6 5 5 3 5 −d 0.0.0.0/0 −−dport
81 : 6 5 5 3 5 −p ud p −j DROP
13 −A INPUT −s 0.0.0.0/1 −−sp o r t 0: 6 5 5 3 5 −d 0.0.0.0/0 −−dport
80:80 −p icmp −j DROP
14 −A INPUT −s 0.0.0.0/1 −−sp o r t 0: 6 5 5 3 5 −d 0.0.0.0/0 −−dport
81 : 6 5 5 3 5 −p icmp −j DROP
15 −A INPUT −s 128.0.0.0/2 −−sp o r t 0: 6 5 5 3 5 −d 0.0.0.0/0 −−dport
0: 7 9 −p u dp −j DROP
16 −A INPUT −s 128.0.0.0/2 −−sp o r t 0: 6 5 5 3 5 −d 0.0.0.0/0 −−dport
0: 7 9 −p icmp −j DROP
17 −A INPUT −s 128.0.0.0/2 −−sp o r t 0: 6 5 5 3 5 −d 0.0.0.0/0 −−dport
80:80 −p t c p −j DROP
18 −A INPUT −s 128.0.0.0/2 −−sp o r t 0: 6 5 5 3 5 −d 0.0.0.0/0 −−dport
81 : 6 5 5 3 5 −p t c p −j DROP
19 −A INPUT −s 128.0.0.0/2 −−sp o r t 0: 6 5 5 3 5 −d 0.0.0.0/0 −−dport
80:80 −p ud p −j DROP
20 −A INPUT −s 128.0.0.0/2 −−sp o r t 0: 6 5 5 3 5 −d 0.0.0.0/0 −−dport
81 : 6 5 5 3 5 −p ud p −j DROP
21 −A INPUT −s 128.0.0.0/2 −−sp o r t 0: 6 5 5 3 5 −d 0.0.0.0/0 −−dport
80:80 −p icmp −j DROP
22 −A INPUT −s 128.0.0.0/2 −−sp o r t 0: 6 5 5 3 5 −d 0.0.0.0/0 −−dport
81 : 6 5 5 3 5 −p icmp −j DROP
23 −A INPUT −s 192.0.0.0/9 −−sp o r t 0: 6 5 5 3 5 −d 0.0.0.0/0 −−dport
0: 7 9 −p u dp −j DROP
24 −A INPUT −s 192.0.0.0/9 −−sp o r t 0: 6 5 5 3 5 −d 0.0.0.0/0 −−dport
0: 7 9 −p icmp −j DROP
25 −A INPUT −s 192.0.0.0/9 −−sp o r t 0: 6 5 5 3 5 −d 0.0.0.0/0 −−dport
80:80 −p t c p −j DROP
26 −A INPUT −s 192.0.0.0/9 −−sp o r t 0: 6 5 5 3 5 −d 0.0.0.0/0 −−dport
81 : 6 5 5 3 5 −p t c p −j DROP
27 −A INPUT −s 192.0.0.0/9 −−sp o r t 0: 6 5 5 3 5 −d 0.0.0.0/0 −−dport
80:80 −p ud p −j DROP
28 −A INPUT −s 192.0.0.0/9 −−sp o r t 0: 6 5 5 3 5 −d 0.0.0.0/0 −−dport
81 : 6 5 5 3 5 −p ud p −j DROP
29 −A INPUT −s 192.0.0.0/9 −−sp o r t 0: 6 5 5 3 5 −d 0.0.0.0/0 −−dport
80:80 −p icmp −j DROP
30 −A INPUT −s 192.0.0.0/9 −−sp o r t 0: 6 5 5 3 5 −d 0.0.0.0/0 −−dport
81 : 6 5 5 3 5 −p icmp −j DROP
31 −A INPUT −s 192.128.0.0/11 −−sp o r t 0: 6 5 5 3 5 −d 0.0.0.0/0 −−
dp o r t 0: 7 9 −p ud p −j DROP
32 −A INPUT −s 192.128.0.0/11 −−sp o r t 0: 6 5 5 3 5 −d 0.0.0.0/0 −−
dp o r t 0: 7 9 −p icmp −j DROP
33 −A INPUT −s 192.128.0.0/11 −−sp o r t 0: 6 5 5 3 5 −d 0.0.0.0/0 −−
dp o r t 80 : 8 0 −p t c p −j DROP
34 −A INPUT −s 192.128.0.0/11 −−sp o r t 0: 6 5 5 3 5 −d 0.0.0.0/0 −−
dp o r t 8 1 : 6 5 5 3 5 −p t c p −j DROP
35 −A INPUT −s 192.128.0.0/11 −−sp o r t 0: 6 5 5 3 5 −d 0.0.0.0/0 −−
dp o r t 80 : 8 0 −p u dp −j DROP
36 −A INPUT −s 192.128.0.0/11 −−sp o r t 0: 6 5 5 3 5 −d 0.0.0.0/0 −−
dp o r t 8 1 : 6 5 5 3 5 −p ud p −j DROP
37 −A INPUT −s 192.128.0.0/11 −−sp o r t 0: 6 5 5 3 5 −d 0.0.0.0/0 −−
dp o r t 80 : 8 0 −p icmp −j DROP
38 −A INPUT −s 192.128.0.0/11 −−sp o r t 0: 6 5 5 3 5 −d 0.0.0.0/0 −−
dp o r t 8 1 : 6 5 5 3 5 −p icmp −j DROP
39 −A INPUT −s 192.160.0.0/13 −−sp o r t 0: 6 5 5 3 5 −d 0.0.0.0/0 −−
dp o r t 0: 7 9 −p ud p −j DROP
40 −A INPUT −s 192.160.0.0/13 −−sp o r t 0: 6 5 5 3 5 −d 0.0.0.0/0 −−
dp o r t 0: 7 9 −p icmp −j DROP
41 −A INPUT −s 192.160.0.0/13 −−sp o r t 0: 6 5 5 3 5 −d 0.0.0.0/0 −−
dp o r t 80 : 8 0 −p t c p −j DROP
42 −A INPUT −s 192.160.0.0/13 −−sp o r t 0: 6 5 5 3 5 −d 0.0.0.0/0 −−
dp o r t 8 1 : 6 5 5 3 5 −p t c p −j DROP
43 −A INPUT −s 192.160.0.0/13 −−sp o r t 0: 6 5 5 3 5 −d 0.0.0.0/0 −−
dp o r t 80 : 8 0 −p u dp −j DROP
44 −A INPUT −s 192.160.0.0/13 −−sp o r t 0: 6 5 5 3 5 −d 0.0.0.0/0 −−
dp o r t 8 1 : 6 5 5 3 5 −p ud p −j DROP
45 −A INPUT −s 192.160.0.0/13 −−sp o r t 0: 6 5 5 3 5 −d 0.0.0.0/0 −−
dp o r t 80 : 8 0 −p icmp −j DROP
46 −A INPUT −s 192.160.0.0/13 −−sp o r t 0: 6 5 5 3 5 −d 0.0.0.0/0 −−
dp o r t 8 1 : 6 5 5 3 5 −p icmp −j DROP
47 −A INPUT −s 192.168.0.0/24 −−sp o r t 0: 6 5 5 3 5 −d 0.0.0.0/0 −−
dp o r t 0: 7 9 −p ud p −j DROP
48 −A INPUT −s 192.168.0.0/24 −−sp o r t 0: 6 5 5 3 5 −d 0.0.0.0/0 −−
dp o r t 0: 7 9 −p icmp −j DROP
49 −A INPUT −s 192.168.0.0/24 −−sp o r t 0: 6 5 5 3 5 −d 0.0.0.0/0 −−
dp o r t 80 : 8 0 −p t c p −j DROP
50 −A INPUT −s 192.168.0.0/24 −−sp o r t 0: 6 5 5 3 5 −d 0.0.0.0/0 −−
dp o r t 8 1 : 6 5 5 3 5 −p t c p −j DROP
51 . . . .
Fig. 16: Snippet of Engineering workstations relative atomic
policy
