DocumentCode :
558705
Title :
On synthesizing distributed firewall configurations considering risk, usability and cost constraints
Author :
Zhang, Bin ; Al-Shaer, Ehab
Author_Institution :
Sch. of Comput., DePaul Univ., Chicago, IL, USA
fYear :
2011
fDate :
24-28 Oct. 2011
Firstpage :
1
Lastpage :
8
Abstract :
Firewalls are the most widely deployed security devices in computer networks. Nevertheless, designing and configuring distributed firewalls, which includes determining access control rules and device placement in the network, is still a significantly complex task, as it requires balancing connectivity requirements against the inherent risk and cost. Formal approaches that allow the distributed firewall configuration space to be investigated systematically are highly needed to optimize decision support under multiple design constraints. The objective of this paper is to automatically synthesize the implementation of a distributed filtering architecture and configuration that minimizes security risk while considering connectivity requirements, user usability and budget constraints. Our automatic synthesis generates not only the complete rule configuration for each firewall to satisfy risk and connectivity constraints, but also the optimal firewall placement in the network to minimize spurious traffic. We define fine-grain risk, usability and cost metrics tunable to match business requirements, and formalize the configuration synthesis as an optimization problem. We then show that distributed firewall synthesis is an NP-hard problem and provide heuristic approximation algorithms. We implemented our approach in a tool called FireBlanket that was rigorously evaluated under different network sizes, topologies and budget requirements. Our evaluation study shows that the results obtained by FireBlanket are close to the theoretical lower bound and that performance scales with the network size.
Keywords :
authorisation; computational complexity; computer network security; filtering theory; greedy algorithms; FireBlanket tool; NP-hard problem; access control rule; automatic synthesis; budget constraints; business requirements; computer network; connectivity requirement; cost metrics; decision support; distributed filtering architecture; distributed filtering configuration; distributed firewall configuration; fine-grain risk; firewall rule configuration; greedy approximation algorithm; heuristic approximation algorithm; network firewall placement; security device; security risk minimization; spurious traffic minimization; user usability; Approximation algorithms; Business; Fires; Heuristic algorithms; Network topology; Security; Usability;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Network and Service Management (CNSM), 2011 7th International Conference on
Conference_Location :
Paris
Print_ISBN :
978-1-4577-1588-4
Electronic_ISBN :
978-3-901882-44-9
Type :
conf
Filename :
6103995