See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/348333249

A Formal Approach to Network Segmentation

Article in Computers & Security · January 2021

DOI: 10.1016/j.cose.2020.102162

CITATIONS READS
13 3,086

3 authors, including:

Neerja Mhaskar
McMaster University
19 PUBLICATIONS 30 CITATIONS

SEE PROFILE

All content following this page was uploaded by Neerja Mhaskar on 09 March 2021.

The user has requested enhancement of the downloaded file.

 1

A Formal Approach to Network Segmentation

Neerja Mhaskar∗‡ , Mohammed Alabbad∗† , Ridha Khedri∗
∗ Dept. of Computing and Software

McMaster University, Hamilton, Ontario, Canada

† Communications and Information Technology Research Institute

King Abdulaziz City for Science and Technology (KACST), Riyadh, 11442, Saudi Arabia
‡ Corresponding Author: [email protected]

Abstract—Network segmentation or compartmentalization, Network segmentation states that resources of different

and layered protection are two strategies that are critical in
building a secure network. In the literature, layered protection
has been formalized and termed as the Defense in Depth (DD)
strategy. However, network segmentation has been described
vaguely, and without any formal approach, thus making the
secure design of large networks unwieldy. In this paper, we
formally define network segmentation using a formalism based
on product family algebra and guarded commands. Then we
propose two algorithms that take a set of resources and their
access control policies as input and output a robust network
topology and the policies of its firewalls. The firewall policies are
computed based on the network segmentation formalism and are
strategically placed in the network to achieve DD. Further, we
use the proposed algorithms to build Software Defined Networks
(SDN) and discuss its use in dynamic networks and Internet of
Things.
Index Terms—computer network security, network architec-
ture, network segmentation, layered protection, defence in depth,
product family algebra, guarded commands, Software Defined
Networks.
I. I NTRODUCTION
Firewalls control traffic and separate networks with different
security requirements. They are used by organizations to
protect their network resources from unauthorized access.
They inspect network traffic (packets) and perform actions
on it based on the rules, and the actions specified therein
in the policies [7], [46]. An organization could have up to
hundreds of firewalls scattered around its network [46], and
therefore the placement of firewalls and their policies play
a key role in their effectiveness. In practice network admin-
istrators decide the placement and configuration of firewalls
based on network security design principles and best practices.
However, this approach is prone to error, especially for large
networks. Therefore, a formal approach is needed to achieve
and guarantee a secure network design.
Two strategies are followed in network design: layered
protection [48], and compartmentalization [49] or segmenta-
tion [33]. The principle of layered protection [48] states that
the security of a network should not rely on one single access
control point but multiple layers complementing each other
to provide maximum security. This strategy is formalized by
the Defense in Depth (DD) strategy formally defined in [28]
and discussed in [28], [31], [53], [45]. Therefore a guaranteed
robust strategy exists to achieve DD in a network from an
access control perspective.
security levels and requirements should be placed in different
zones protected by firewalls implementing appropriate poli-
cies. Network segmentation is vital in the design of net-
works as it implements the separation of concerns principle
by putting resources with “similar” policies under the same
firewall. The concept of segmentation has so far been discussed
in an intuitive way [55]. For instance, the criteria used for
segmenting resources in a network are articulated vaguely, as
we find in [48] wordings such as “Information Technology
(IT) system resources of different sensitivity levels (i.e., dif-
ferent risk tolerance values and threat susceptibility) should be
located in different security zones.” Similar wording can be
found in [14]. While these intuitive criteria for segmentation
can be used to design smaller networks, their use for designing
a large network is impractical.
It is now a standard policy in network design to create a
special subnetwork called Demilitarized Zone (DMZ) between
the outer network and the internal network [7], [46], [47].
DMZ usually houses public facing services and systems with
similar access control requirements, thereby protecting internal
networks from outside access. It is clear that DMZ is a man-
ifestation of the strategies of DD and network segmentation.
The rest of the network ought to be segmented in a similar
systematic way. In this paper, we explore how to systematically
segment a network to enhance its security using a formal
approach.
A. Related Work and Motivation
It is evident that network segmentation mitigates security
risks [16], [38]. However, many network segmentation archi-
tectures exist even for a small network and these possibilities
grow exponentially with the increase in the number of re-
sources in the network. Due to the lack of a formal approach
to segment resources to achieve the best network segmentation,
this task is left to the discretion of the network administrators.
Furthermore, research results that address this problem are
very limited with only a handful of papers by Wagner et al.
[56], [54], [55].
In [56] Wagner et al. develop a Markov chain model to
evaluate a given network segmentation architecture which they
claim to be cost effective. The advantage of this approach is
that security practitioners can use this model to examine mul-
tiple candidate architectures and then select the most effective
 2

one. However, this solution only evaluates already designed algorithm. In Section IX, we discuss the use of the RNS
segmentation architectures and does not build them. Further, algorithm in different scenarios. Finally, in Section X, we
in [55] they present a semi-automated approach to segment conclude and discuss avenues for future work.
resources based on risk evaluation that uses heuristics to reach
the near best or in some cases the best segmentation. However, II. I LLUSTRATIVE EXAMPLE
the high cost of this solution makes it impractical for wide-
In this section, we present an example for which manual im-
scale use. Finally, in [54] they present network segmentation
plementation of the network segmentation principle is straight-
architectures optimized for multiple objectives. Their solution
forward. The example is used for illustration throughout the
is fully automated and considers the problem of optimizing
paper due to its simplicity in presenting the concepts intro-
multiple objectives of security, cost, and mission performance.
duced. Consider an organization with different departments, in
In contrast, our solution optimizes security in a network,
which resources are connected in a network. We consider the
is fully automated and generates one of the best possible
following small subset of resources: a Web server, an Email
segmentations. Furthermore, our solution can be easily scaled
server, two workstations belonging to the Engineering depart-
to build enormous networks and is also applicable to Software
ment (i.e., Engineering1 and Engineering2), two workstations
Defined Networks (SDN) Architectures and Internet of Things
and a database belonging to the Finance department (i.e.,
(IoT) (see Section VII).
Finance1, Finance2, and Finance DB), and an internal File
Other solutions exist that aim to secure existing networks.
server available to all departments. A topology of a network
For example, [1] proposes an algorithm to determine and
for the organization is shown in Figure 1.
distribute packet filtering functionality to nodes within a given
The above resources have different security requirements
network. The filtering functions are derived from given secu-
governing their access. All of them allow an established or
rity goals for a given network. The work in [1] is motivated
a related connection and drop every invalid packet. The Web
by defining the behavioural security specification in a network.
server and Email server allow every HTTP (TCP port 80)
Further, in [44] the authors propose an automated framework
and SMTP (TCP port 25) connection from any source, any
for generating network security configurations and physical
access from all internal resources, and drop everything else.
placements of security devices. Given a network topology, its
The File server rejects access requests made by the Web server
security requirements and its business constraints as inputs,
and Email server, allows all internal resources, and drops
the framework formulates the security design synthesis prob-
every other access request. The resources belonging to the
lem and solves it using the Satisfiability Modulo Theories
Engineering and Finance departments have stricter policies,
(SMT) [10]. This framework also supports placing security
which allow access only by users and resources within their
devices in an existing network. In contrast to [1], [44], we
respective department, reject all requests made by any other
focus on building a network topology that achieves security
internal resource, and drops every other access request. These
strengths by design. The approach presented in [1], [44] can
security requirements are translated into policies in the lan-
be used on the network topology built from our approach
guage of iptables∗ and are given in Figures 2, 3, 4, and 5.
to further enhance network security by ensuring that security
Throughout the paper, we use this setup to demonstrate the
goals/constraints are met.
concepts discussed or introduced.
To summarize, although many approaches and formalisms
Observe that the policies in Figures 2, 3, 4, and 5 have three
exist to build a secure network and harden security in existing
actions: ACCEPT, REJECT, and DROP. Although firewalls
networks, a formal approach to achieve network segmentation
typically perform two actions; one to let the network traffic
does not exist. Therefore, the notion of ‘similarity’ or ‘different
pass and the other to block it, some firewalls perform more
sensitivity levels’ while grouping resources has not been
actions. For example, in iptables we find the following four
precisely articulated, resulting in the inability to automate the
actions: ACCEPT, LOG, REJECT, and DROP. The action
derivation of the best solution for a network segmentation and
ACCEPT allows the packet to pass, while REJECT and DROP
prove its correctness. Motivated by these issues, in our paper
both block the packet. In addition to blocking the packet,
we present a formal approach to network segmentation, and
REJECT also sends an error message to the requester, thereby
later use it to build a robust secure network which provides
acknowledging the receipt of the packet. Finally, the action
maximum access-protection to its resources.
LOG simply records the request in the syslog files.
The outline of the paper is as follows. In Section II, we
We now consider three network structures to protect the
provide an illustrative example. In Sections III, we give the
above listed resources. The first network structure, shown in
mathematical background of the formalism used. In Sec-
Figure 1, has an outer firewall protecting all the resources.
tion IV, we summarize the Strict Defense in Depth (SDD)
Observe that the outer firewall Fw1 does not provide sufficient
strategy and present theoretical results needed for the rest of
protection to the engineering and finance resources, as it must
the paper. In Section V, we formally define segmentation. In
have a policy to enable access to Web server and Email
Section VI, we present two algorithms to build a guaranteed
server, which in turn allows access requests coming from the
robust network; the Exponential Robust Network and Seg-
Internet. As a result, the segmentation of resources in Figure 1
mentation Algorithm (Exp-RNS) and the Robust Network and
leaves the resources with stricter access policy vulnerable (for
Segmentation Algorithm (RNS). In Section VII, we discuss
the use of the RNS algorithm in an SDN architecture. In ∗ iptables is a command line utility program for configuring Linux kernel
Section VIII, we discuss few other applications of the RNS firewall
 3

Web Server Email Server Engineering1 1 −A INPUT −m s t a t e −− s t a t e RELATED, ESTABLISHED − j ACCEPT

192.168.4.1 192.168.4.2 192.168.2.1 2 −A INPUT −m s t a t e −− s t a t e INVALID − j DROP
3 −A INPUT −s 1 9 2 . 1 6 8 . 1 . 0 / 2 4 − j ACCEPT
4 −A INPUT −s 1 9 2 . 1 6 8 . 2 . 0 / 2 4 − j REJECT
5 −A INPUT −s 1 9 2 . 1 6 8 . 3 . 0 / 2 4 − j REJECT
6 −A INPUT −s 1 9 2 . 1 6 8 . 4 . 0 / 2 4 − j REJECT
7 −A INPUT −j DROP

Fw 1
Engineering2
192.168.2.2
Fig. 5: Finance workstations and database policy
Internet

are segmented to achieve better protection from external and

internal unauthorized access. The main concern is whether we
Finance1
192.168.1.1 can detect the weakness of this solution through a simple
Finance2 formal process. Furthermore, in this case we have a simple
192.168.1.2
example for illustration, however is it possible to detect the
File Server Finance DB
192.168.3.1 192.168.1.3 weaknesses of a large network?

(a) A topological representation of network (1)

Web Server Email Server Engineering1
192.168.4.1 192.168.4.2 192.168.2.1
Fw 1

Fw 3 Engineering2
Web Email File Fin 1 Fin 2 Fin DB Eng 1 Eng 2 Fw 1 192.168.2.2

Internet
Finance1
(b) A graph representation of network (1) 192.168.1.1

Fig. 1: Network Structure (1)

Fw 2

1 −A INPUT −m s t a t e −− s t a t e RELATED, ESTABLISHED − j ACCEPT

2 −A INPUT −m s t a t e −− s t a t e INVALID − j DROP File Server Finance DB Finance2
3 −A INPUT −p t c p −m s t a t e −− s t a t e NEW −m t c p −−d p o r t 80 − j 192.168.3.1 192.168.1.3 192.168.1.2
ACCEPT
4 −A INPUT −p t c p −m s t a t e −− s t a t e NEW −m t c p −−d p o r t 25 − j
ACCEPT (a) A topological representation of network (2)
5 −A INPUT −s 192.168.1.0/24 −j ACCEPT
6 −A INPUT −s 192.168.2.0/24 −j ACCEPT
Fw 1
7 −A INPUT −s 192.168.3.0/24 −j ACCEPT
8 −A INPUT −s 192.168.4.0/24 −j ACCEPT
9 −A INPUT − j DROP

Fig. 2: Web server and Email server policy Fw 2 Fw 3

1 −A INPUT −m s t a t e −− s t a t e RELATED, ESTABLISHED − j ACCEPT

2 −A INPUT −m s t a t e −− s t a t e INVALID − j DROP File Fin 1 Fin 2 Fin DB Web Email Eng 1 Eng 2
3 −A INPUT −s 1 9 2 . 1 6 8 . 1 . 0 / 2 4 − j ACCEPT
4 −A INPUT −s 1 9 2 . 1 6 8 . 2 . 0 / 2 4 − j ACCEPT
5 −A INPUT −s 1 9 2 . 1 6 8 . 3 . 0 / 2 4 − j ACCEPT
6 −A INPUT −s 1 9 2 . 1 6 8 . 4 . 0 / 2 4 − j REJECT (b) A graph representation of network (2)
7 −A INPUT −j DROP
Fig. 6: Layered Network Structure (2)
Fig. 3: File server policy
As discussed above, while building a network it is important
to adhere to segmentation and DD strategies. The second
1 −A INPUT −m s t a t e −− s t a t e RELATED, ESTABLISHED − j ACCEPT
2 −A INPUT −m s t a t e −− s t a t e INVALID − j DROP network structure shown in Figure 6 attempts to implement
3
4
−A
−A
INPUT
INPUT
−s
−s
1 9 2 . 1 6 8 . 1 . 0 / 2 4 − j REJECT
1 9 2 . 1 6 8 . 2 . 0 / 2 4 − j ACCEPT
both strategies. However, observe that in this network the outer
5 −A INPUT −s 1 9 2 . 1 6 8 . 3 . 0 / 2 4 − j REJECT firewall Fw1 and the internal firewall Fw3 would necessarily
6 −A INPUT −s 1 9 2 . 1 6 8 . 4 . 0 / 2 4 − j REJECT
7 −A INPUT −j DROP have the same policy; both of these firewalls allow traffic
from the Internet. As a result, traffic from the Internet will
Fig. 4: Engineering workstations policy not be blocked by Fw1 or Fw3, making the engineering
workstations vulnerable. An attacker from outside can easily
gain access to the same subnetwork where the engineering
example Engineering1 and Engineering2). Moreover, there is workstations reside. Therefore, although the structure seems
no protection from any internal attacks. Therefore, there is to implement segmentation and DD strategies, it does not
a need for a better network structure, in which resources provide the best protection/segmentation of resources. Simply
 4

adding extra layers of firewalls does not always guarantee we briefly describe these formalisms and their usage in our
extra protection without proper policy and proper placement of context.
resources and firewalls. More importantly, we are concerned
with the ability to reach these conclusions for large networks, A. Guarded Commands
something not readily possible via only general guidelines.
We use a variant of Dijkstra’s guarded command introduced
in [22] and used in [28], [36] to model policies. A command
Email Server
Web Server
192.168.4.1 192.168.4.2
Engineering1
192.168.2.1
Engineering2
192.168.2.2
is a transition relation from starting states to their successor
states, and a set of states that do not lead to failure, and for-
mally defined as follows: for a set Σ of states, a command over
Fw 5 Σ is a pair (R, P ), where R ⊆ Σ × Σ is a transition relation,
and P is a subset of Σ that is intended to characterize those
Fw 2 Fw 3
states from which the command cannot lead to abortion/failure.
Fw 1
Internet
The command abort is a command that offers no transition
and does not guarantee the absence of abortion/failure for any
Fw 4 def
state, and is defined as: abort = (∅, ∅).
Finance1
192.168.1.1
For a command (R, P ) and a set of states Q ⊆ Σ, the
guarded command Q −→ (R, P ) (where Q is called the
def
guard) is defined as Q −→ (R, P ) = (Q ↓ R, Q ∪ P ),
def
File Server
192.168.3.1
Finance DB
192.168.1.3
Finance2
192.168.1.2
where Q ↓R is the restriction of R to Q defined as Q ↓R =
R ∩ (Q × Σ) and Q is the complement of Q w.r.t. Σ. For the
(a) A topological representation of network (3) set of states from which the guarded command does not lead
to abortion, we augment the set P by the complement of Q;
Fw 1 that is, by Q. The reason is that outside of the set of states
Q (i.e., Q) the command cannot be executed and therefore
there is no possibility of abortion or failure. For a relation
Fw 2 Web Email
R ⊆ A × B, the domain of R that is denoted by dom(R) is
{x | x ∈ A ∧ (∃ y | y ∈ B · (x, y) ∈ R )}.
File Fw 3 Let Σ = S × P × St × Dport × A, where S is the set of
all possible source IP numbers, P is the set of all possible
protocols, St is the set of connection states, Dport is the set
Fw 4 Fw 5 of destination ports, and A is the set of actions, respectively.
The sets S, P, St, Dport, and A are called the state attributes.
We denote by L the universal relation on this space.
Fin 1 Fin 2 Fin DB Eng 1 Eng 2
In this setting, the rule on Line 1 of the policy shown in Fig-
ure 2 can be written as follows: C1 = [Q −→ (R, P )], where
(b) A graph representation of network (3) Q ⊆ Σ is the the following guard:

Fig. 7: Robust Network Structure (3) {(s, p, st, dport, a) | st ∈ {RELATED, ESTABLISHED}},

and Q is:
Finally, the third network structure shown in Figure 7
shows the ideal network architecture, which correctly follows {(s, p, st, dport, a) | st ∈
/ {RELATED, ESTABLISHED}}.
the guidelines and best practices for network design [42].
The relation R can be defined in this case as
Following such guidelines might be easy and achievable for
a small size network such as this example. However, for a R = {((s, p, st, dport, a), (s0 , p0 , st0 , dport0 , a0 )) |
large network with a huge number of resources, it is almost a0 = ACCEPT}.
impossible using only human judgment, motivating a formal
Since the domain of the relation R is Σ with no restrictions,
approach. We will show later that we can obtain it through
we cannot guarantee the absence of abortion for any state.
calculations.
Therefore, P = ∅. After restricting R to Q we have:

III. M ATHEMATICAL BACKGROUND Q↓R = {((s, p, st, dport, a), (s0 , p0 , st0 , dport0 , a0 )) |
(st ∈ {RELATED, ESTABLISHED}) ∧ a0 = ACCEPT}.
To formalize network segmentation we use the theory of
Product Family Algebra (PFA) which treats policies as a and C1 = [Q −→ (R, P )] = [Q↓R, Q].
family of related products (in this case sets of policies), and We treat the other rules of the policy analogously.
the theory of Guarded Commands which deals with rules of The policy in Figure 2 can also be represented as a set of
policies and their conditions and actions. We then use it and rules or a single rule obtained by combining the relations of
the DD strategy [28] to build a robust secure network. Below the rules as follows:

Rweb = {((s, p, st, dport, a), (s0 , p0 , st0 , dport0 , a0 )) |
(st ∈ {RELATED, ESTABLISHED}) ∧ a0 = ACCEPT
∨ (st ∈/ {RELATED, ESTABLISHED, NEW} ∧ a0 = DROP)
∨ (p = TCP ∧ st = NEW ∧ dport ∈ {80, 25} ∧ a0 = ACCEPT)
∨ (s ∈ {192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24, 192.168.4.0/24}
∧ a0 = ACCEPT)
∨ (s ∈/ {192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24, 192.168.4.0/24}
∧ p 6= TCP ∧ st = NEW ∧ a0 = DROP)
∨ (s ∈/ {192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24, 192.168.4.0/24}
∧ p = TCP ∧ st = NEW ∧ dport ∈ / {80, 25} ∧ a0 = DROP)}
Relations can be represented in many ways. However, we
are particularly interested in representing relations as tabular
expressions [24], [26], [40], as they simplify the computation
of policies (see Appendix-D).
We say that command (R, P ) refines command (S, Q) and
def
we write (R, P ) v (S, Q) ⇔ Q ⊆ P ∧ Q↓R ⊆ S.
If we take the command C1 = [Q ↓R, Q] presented above,
we can easily verify that it is refined by C2 = [P, Q], where
P = {((s, p, st, dport, a), (s0 , p0 , st0 , dport0 , a0 )) |
(st ∈ {RELATED, ESTABLISHED})
∧ dport0 = 25 ∧ a0 = ACCEPT}.
The command C2 is more restrictive than C1 as it requires a
specific port while C1 does not. In term of policies, a policy
refines another if it is more restrictive in its rules or it is more
deterministic.
Based on [12], a relation Q refines a relation R written as
Q v R iff (Q∩(dom(R)×Σ) ⊆ R) ∧ (dom(R) ⊆ dom(Q)).
Therefore, C1 given above is refined by C2 . This is clear from
the example given for the demonic join. The demonic join
R1 t R2 is refined by both R1 and R2 .
The greatest lower bound of commands (R, P ) and (S, Q)
w.r.t. v is the demonic meet which is defined as
 
(R, P ) u (S, Q) = (R ∩ S) ∪ (P ↓S) ∪ (Q↓R), P ∪ Q
The demonic meet for the commands (R, dom(R)) and
(S, dom(S)) is defined iff dom(R ∩ S) = dom(R) ∩
dom(S). In other terms, the demonic meet of the commands
(R, dom(R)) and (S, dom(S)) is defined iff R and S agree
on the action to be carried on their common domain. This
property is called integrability in [19]. The least upper bound
of commands (R, P ) and (S, Q) w.r.t. v is the demonic join
which is defined in [12] as (R, P ) t (S, Q) =
 
(R ∪ S) ∩ (dom(R) × Σ) ∩ (dom(S) × Σ), P ∩ Q
The demonic join coincides with what we call later the
Greatest Common Divisor (GCD). Let R1 and R2 be the
relations representing policies P1 and P2 respectively:
R1 = {((s, p, st, dport, a), (s0 , p0 , st0 , dport0 , a0 )) |
(s = 192.168.1.0/24 ∧ a0 = ACCEPT)
∨ (s = 192.168.2.0/24 ∧ a0 = REJECT)
∨ (s = 192.168.3.0/24 ∧ a0 = ACCEPT)
R2 = {((s, p, st, dport, a), (s0 , p0 , st0 , dport0 , a0 )) |
(s = 192.168.1.0/24 ∧ a0 = ACCEPT)
∨ (s = 192.168.2.0/24 ∧ a0 = ACCEPT)
∨ (s = 192.168.4.0/24 ∧ a0 = ACCEPT)
5
Then, the demonic join of R1 and R2 , R1 t R2 =
{((s, p, st, dport, a), (s0 , p0 , st0 , dport0 , a0 )) |
(s = 192.168.1.0/24 ∧ a0 = ACCEPT)
∨ (s = 192.168.2.0/24 ∧
(a0 = ACCEPT ∨ a0 = REJECT))
For further information on guarded commands, we refer the
reader to [22], [36].
B. Product Family Algebra
One way to handle large networks is by abstracting sub-
networks into one node that has a family of policies and not
one policy as we would do for a single resource. Consider a
room including a large number of computers that have very
similar access control policies. We can abstract this room into
one node in the global network that has a family of policies.
Moreover, we can have our global network distributed in many
buildings. In designing the subnetwork for a building, we
consider the other resources located at other buildings as nodes
each with a family of policies. Furthermore, in real world
networks, a security policy governing an access control point
consists of rules, possibly coming from different stakeholders
(for example management, security officers, or users). Clearly,
the policies derived from the perspectives of the stakeholders,
share common rules and differ on others. Therefore, we can
think of these policies as families of policies. Hence, we need
to adopt a family approach to manage similar cases illustrated
above. For this purpose, we adopt PFA as the formalism that
links the access control policies to the network.
PFA [19], [20], [21] is a commutative idempotent semiring
(S, +, ·, 0, 1), where S is a set of product families. The binary
operators + and · are interpreted as the alternative choice be-
tween two product families and the mandatory composition of
two product families, respectively. The constant 0 corresponds
to an empty product family, and the constant 1 corresponds to
a product family consisting of only a pseudo-product with no
features; that is, no access control rules. A product is a family
that is indivisible with regards to + operator. A feature is a
product that is indivisible with regards to · operator. For the
mathematical properties of products and features, we refer the
reader to [20].
We have the divisibility relation among families (a |
b) ⇐⇒ (∃ c | · b = a.c )† , which allows us to find
divisors of families. And therefore, find the GCD, which is the
common divisor that is divided by all other common divisors.
Hence, the following property holds: gcd(a, b) = d such that
the following condition is satisfied, [(d | a) ∧ (d | b) ∧
((∀ c | · (c | a) ∧ (c | b) ) =⇒ (c | d))]. Finding
the commonalities of two families is formalized by finding
the GCD. For two families a and b we say they are coprime
family if gcd(a, b) = 1. For any family a, gcd(1, a) = 1, and
gcd(a, 0) = a, as we have a · 0 = a and therefore a|0.
† In this paper, we adopt the notation used by Gries and Schneider in [17]
for quantifiers. The general form of the notation is ?(x | R : P ) where ? is the
quantifier, x is the dummy or quantified variable, R is predicate representing
the range, and P is an expression representing the body of the quantification.
An example of the notation is (+ i | 1 ≤ i ≤ 3 · i2 ) = 12 + 22 + 32 .

In the context of access control policies, an atomic rule is
a feature (and hence indivisible) and is modelled as a guarded
command. A policy is a set of rules or a single rule obtained
by combining various rules.
1) Firewall Policies as Product Families: Let IP be a set
of policies. Then, an element of P(IP) is a family of policies.
In [28] the commutative idempotent structure F is presented
as a model for PFA as follows: F = (P(IP), ⊕, , 0F , 1F )
is a product family algebra, where for every A, B ∈ P(IP),
we have
def
1) A ⊕ B = A ∪ B
def
2) A B = {a uIP b | a ∈ A ∧ b ∈ B}
def
3) 0F = ∅
def
4) 1F = { {abort} }
where ⊕ is the union of the family of policies and represents
the choice of families, and is an extended notion of the
demonic meet presented previously on the policies of the
families and it represents the integration of families. The
family 0F is the annihilator element, and 1F is the neutral
element for the operator.
The families 0F and 1F are two pseudo families of policies.
The family 0F is the empty set of policies. The singleton
family 1F includes only one policy that is modelled with
the command abort. This policy does not transform the state
space and does not have any actions to carry. Moreover, its
integration with another policy P preserves P (i.e., neutral
for policy integration as P uIP abort = P ). For instance, if
we have a “policy” that has no rules, we can model it with
the pseudo command abort. The family that includes only one
“policy” with no rules can be modelled with 1F . Hence, when
a resource has no restrictions and open to all users, we indicate
that it is protected with the family of access policies 1F .
On a product family, F denotes the natural order that
comes with the semiring structure for F . It is defined as a F
def
b ⇔ a ⊕ b = b. Then the notion of family refinement of the
elements of F is defined as follows:
def
a vF b ⇔ (∃ c | · a F b c ).
The GCD defined under PFA is equivalent to the demonic
join of the families of policies and can be restated as follows:
def
(∀ A, B | A, B ∈ P(IP) · gcd(A, B) = {a tIP b | a ∈
A ∧ b ∈ B} ), where tIP is the extension of t to accommodate
families of policies, introduced in the definition of demonic
join in Section III-A.
C. Defense in Depth
A network with an outer access control point r; that is,
a firewall, can be represented as a directed acyclic graph.
The leaves represent the resources and the internal vertices
represent firewalls. Figure 8 shows the graph model of a
network that has a root r, internal access points v1 to v5 , and
leafs v6 to v10 . The edges represent traffic links. For example
in Figure 8, the edge (v2 , v3 ) indicates the connection from
v2 to v3 .
def
Let G = (V, E, r) be a rooted connected directed acyclic
graph that represents a resource network. The set V denotes
the set of vertices or access control points that enforce access
6
r
We execute policy p(v1)
v1 v2
v3
v5
v4
v6 v7 v8 v9 v10
The leafs represent resources that also can enforce local policies
Fig. 8: A Network as a rooted connected directed acyclic graph
(figure borrowed from [28])
policies (i.e., firewalls and resources). The set E is a set of
ordered pairs of vertices that represent the link between access
control points. The vertex r is the root of the graph and
it represents the access point between the network and the
external world.
To guarantee the absence of conflicts in the policies of a
network G, any edge between two access control points should
respect the refinement property discussed in section III-A For
example if the edge (v2 , v3 ) ∈ E then the family of policies
implemented at v2 is refined by the policy implemented at v3 .
Therefore, the family of policies at a node is a refinement of
its ancestors.
def
Definition 1 (Defence in Depth Law (DDL) [28]). Let G =
(V, E, r) be a network of access control points. We denote
by p(v) the family of policies enforced at vertex v in G. The
network G employs a DD strategy if p(r) 6= 0F ∧ (∀ a, b |
(a, b) ∈ E · p(b) vF p(a) ).
def
Let G = (V, E, r) be a network of access control points,
and let T be a spanning tree of G rooted at r. Let L be the set
of leaf nodes, where each leaf l ∈ L is assigned a policy p(l).
We use the gcd operator scheme presented in [28] to define
p(v) as follows: p(v) = (gcd vi | (v, vi ) ∈ E · p(vi ) )‡ .
Obviously, a network G could have multiple spanning trees
T1 · · · Tn , where for each tree Ti , 1 ≤ i ≤ n, the family of
policies at an internal node is computed using the gcd operator
scheme. Also note that, an internal node could be a node in
multiple spanning trees, say Ti · · · Tk . In this case, the family
of policies implemented at such a node v is p(v) = (gcd i |
1 ≤ i ≤ k · pi (v) ), where pi (v) is the family of policies for
the node v in the spanning tree Ti .
IV. S TRICT D EFENSE IN D EPTH AS A BASE FOR OUR
ROBUST N ETWORK A RCHITECTURE
In this section, we discuss the Strict Defense in Depth
strategy SDD which is a more strict form of DD strategy (Def-
inition 1) achieved by strengthening the refinement condition.
We use the SDD strategy to place nodes in our robust network
graph.
‡ If the range of the quantification is empty then the quantification returns
the neutral value L for gcd; that is, gcd(x, L) = x, which is the universal
relation on the space of the policies, as mentioned in Section III-A.

def
Definition 2 (SDD [28]). Let G = (V, E, r) be a network of
access control points. The network G employs an SDD strategy
if
p(r) 6= 0F ∧ (∀ a, b | (a, b) ∈ E · p(b) @F p(a) ),
where p(b) @F p(a) ⇐⇒ (p(b) vF p(a) ∧ p(a) 6= p(b)).
The SDD is a stronger form of DD. We obtain SDD from
DD by replacing vF by its stricter form @F . By using SDD
to build the network graph we exclude the case where the
families of policies on successive nodes are equal. This allows
us to ensure that firewalls with the same policies do not exist
in any path from the root to a leaf node.
def
Let G = (V, E, r) be a network of access control points
def
and S = {v | v ∈ V ∧ (r, v) ∈ E} be the set of vertices
connected to the root r. Let T be a spanning tree of G rooted
at r. Every leaf node l ∈ L is assigned a family of policies p(l).
If we want to generate the families of policies of the internal
vertices such that G implements SDD, the below lemmas
present cases when SDD is not achievable in the network.
The proofs of these lemmas are in Appendix-A.
Lemma 1. Let T be a spanning tree of G having a height
greater than 2. If T has a leaf l ∈
/ S, such that p(l) = 1F ,
then it is impossible to have an SDD implementation on G.
Formally,
(∃ l | l ∈ L · p(l) = 1F )
=⇒
¬(p(r) 6= 0F ∧ (∀ a, b | (a, b) ∈ E · p(b) @F p(a) ))
Lemma 1 states that if a leaf node exists such that it is not
directly attached to the root and has a family of policies equal
to 1F , then the family of policies executed at its ancestors
will be 1F . For example in Figure 9, if p(v6 ) = 1F then the
policies at nodes v2 and r will also be 1F ; that is p(v2 ) = 1F
and p(r) = 1F . This case does not meet the requirements of
the SDD strategy which states that each child node should
strictly refine its parent.
r
V1 V2
V3 V4 V5 V6
Fig. 9: A network graph
Having a leaf node with a family of policies equal to 1F
deep in the network will result in no security control in the
chain of firewalls from the root to that node. Thereby allowing
unauthorized users access deep into the network without any
line of defense. Consequently, this will hinder the overall
security of the network. To prevent this case we need to isolate
7
the nodes having 1F and move them closer to the outer edge.
A resource with 1F is open to be accessed by everyone.
Therefore by segregating and moving the nodes with 1F close
to the root we can protect the resources with stricter policies
efficiently.
A resource protected by 1F is interpreted as being protected
by a policy with no rules (an empty policy). Therefore, it
is open to any user. Hence, it should be attached to the
root. Any resources with stricter policy than 1F should be
at a level higher than one (assuming the level of the root is
zero). Resources in what is commonly referred to as DMZ are
resources that have some level of protection stricter than 1F .
However, they are primarily public facing resources. Hence
they should be connected to the root or to a child of the root.
Lemma 2. Let T be a spanning tree of G having a height
greater than 2. If T has two leaves l1 , l2 belonging to the
same subtree having coprime families of policies, then it is
impossible to have an SDD implementation on G.
Formally,
(∃ l1 , l2 , s, n, m | s ∈ S ∧ n ≥ 1 ∧ m ≥ 1 ∧ (s, l1 ) ∈ E n
∧ (s, l2 ) ∈ E m · gcd(l1 , l2 ) = 1F )
=⇒
¬(p(r) 6= 0F ∧ (∀ a, b | (a, b) ∈ E · p(b) @F p(a) ))
(a, b) ∈ E k indicates a path with k edges from a to b.
Lemma 2 states that if a subtree of T has two nodes such that
their families of policies have nothing in common, then the
family of policies of their common ancestors, including the
root of the subtree and the root of the tree, is equal to 1F . In
this case, the SDD strategy is not satisfied. For example, in
Figure 9, if p(v4 ) and p(v6 ) are coprime families of policies
such that gcd(p(v4 ), p(v6 )) = 1F , then p(v2 ) = 1F and
p(r) = 1F .
Having nodes with coprime families of policies under a
subtree will result in no security control in the chain of
firewalls from their common ancestor to the root. This in turn
affects the overall security of the network. Therefore a well
designed network adhering to the SDD, groups resources that
share common policies (e.g., resources belonging to the same
department) in a common segment, and places resources hav-
ing nothing in common into different segments/subnetworks.
This approach allows for greater security and protection than
grouping nodes randomly.
Lemma 3. If we have a family of policies at a node that is
equal to the GCD of the family of policies of its siblings, then
it is impossible to have an SDD implementation on G.
Formally,
(∃ v | (u, v) ∈ E · p(v) = (gcd vi | (u, vi ) ∈ E · p(vi ))
=⇒
¬(p(r) 6= 0F ∧ (∀ a, b | (a, b) ∈ E · p(b) @F p(a) ))
Lemma 3 states that if we have a node such that its family
of policies is equal to the commonality of its siblings, then
the family of policies of its parent is the same as that of the

node. Clearly in this case the SDD strategy is not satisfied.
For example in Figure 9, if p(v4 ) = gcd(p(v5 ), p(v6 )), then
the family of policies of their parent v2 ; that is, p(v2 ) = p(4).
Based on the above lemmas we propose an approach to
network segmentation that implements SDD in the following
section.
V. N ETWORK S EGMENTATION AND ROBUST N ETWORK
A RCHITECTURE
In this section, we formally define the notions of network
segmentation and robust network architecture. We introduce a
weight function to quantify the different security requirements
of an access control policy. We then use this function to
formally define network segmentation.
Recall that an atomic rule is modelled as a guarded com-
mand, which is a transition relation from the starting state to
end state(s). Therefore, we compute the weight of an atomic
rule based on the weights of the end state(s). One way of
doing this is by assigning weights to the different values of
chosen state attributes and using them to compute the weight
of an end state, such that the values having higher security
requirements are assigned higher weights. Furthermore, since
a chain is as secure as its weakest link, an atomic rule with a
relation that maps a starting state to multiple end states has a
weight equal to the minimum weight of its end states.
Formally, let SAi , where 1 ≤ i ≤ m, be the different state
attributes, and let VSAi = {ai1 , ai2 , . . . , ain } be the set of
all possible values assigned to SAi . Then wVSAi : VSAi → Z
is the weight function that assigns an integer value to each
element in VSAi , such that for any two elements aik , ail ∈ VSAi
if the security requirement of aik is less than that of ail ,
then wVSAi (aik ) < wVSAi (ail ). Let R be the set of all
atomic rules for all the resources in the organization. Then
wR : R → N ∪ {−1}, is the weight function which assigns
to an atomic rule r ∈ R its corresponding weight. The
weight of 1F is taken to be −1, as it is a rule that does
not bring any security constraints. Furthermore, the weight
of a rule (r) with its domain mapped to multiple end states
(say p), is the minimum of the weights assigned to its
end states. For each end state si , where 1 ≤ i ≤ p, we
take vsi = eval(wVSA1 , wVSA2 , . . . , wVSAp ), where wVSAi is the
weight of the assigned value to the state attribute SAi . For a
state si , the eval function takes the weight of the attributes
of si , and assigns to it and overall security weight vsi . Then
to compute the weight of such an atomic rule, we take the
minimum of all the values vsi . Therefore, for an atomic rule
r that has p end states, we have wR (r) = min(vs1 , · · · , vsp ).
For the illustrative example, we compute the weights of
our atomic rules based on the state attribute ACTION (AC).
The set of values of this attribute as given by the set AC =
{ACCEPT, REJECT, DROP}. As discussed in Section I, the
three actions in AC contribute differently to the confidentiality
of the resources of the network, and so DROP has a higher
weight than REJECT, which in turn has a higher weight than
ACCEPT. Based on this we assign the following weights to
each element in AC: wAC (ACCEPT) = 0, wAC (REJECT) = 1,
and wAC (DROP) = 2. Then for example, a rule that maps an
8
initial state to two end states (s1 and s2 ) where the action
attribute in s1 is assigned the value ACCEPT and the action
attribute in s2 is assigned the value REJECT, then the rule
has a weight equal to the minimum weight of the two; that is,
0.
The weight of a policy or a combined rule r that is formed
by the set Ar of atomic rules is the sum of the weights of the
atomic rules in Ar . Let P be the set of all policies composed
of the atomic rules in R. Then wP : P → N ∪ {−1}, is the
weight function that assigns an integer value to each element
in P based on wR . We assign −1 as the weight of the 1F
policy, and +∞ as the weight of the 0F policy.
In a typical firewall policy, rules are executed sequentially.
Such rules usually are not atomic. For example, Rule 9 in
the policy of Figure 2 can be divided by all other rules in
the policy. Therefore, a rule might be followed by another
that includes it. If we apply the weight function on these
rules, we can have double counting of weights. Therefore,
to avoid any problem we transform policies into a set of
rules that are (relative) atomic (or, relative prime). A relative
atomic/prime rule in this context is a rule that is indivisible
by any other given rule (i.e., it is only divisible by 0 and
itself). The weight function takes such a rule and assigns
a weight to it. For example, consider the policy shown in
Figure 4 which is transformed to a relative atomic policy with
270 rules: two rules with ACCEPT actions, three rules with
REJECT actions, and 265 rules with DROP actions. Therefore,
the weight assigned to the policy is 2∗0+3∗1+265∗2 = 533.
Figure 16 in Appendix E shows a snippet of the relative
atomic policy. These generated relative atomic rules are only
to calculate the weight and identify the commonalities among
policies. Once the commonalities are calculated we discard
them.
As can be seen we measure the level of security require-
ments of a resource by the weight of the policy governing it,
such that its security requirements are directly proportional to
the weight of its policies. For example, consider two resources
v1 and v2 , where the weights of their policies are wP (p(v1 ))
and wP (p(v2 )), respectively. If wP (p(v2 )) < wP (p(v1 )), it
means that v1 has higher level of security requirement than
v2 .
Let wR be the partial order on the atomic rules based on
their weights and wP be the total order on the policies based
also on their weights. Then there exists an order preserving
map f : wR → wP satisfying the following condition:
(∀ i | 1 ≤ i ≤ n ∧ xi , yi are atomic rules · xi <wR yi )
⇔ f (P (x1 , x2 , . . . , xn )) <wP f (P (y1 , y2 , . . . , yn )),
P (x1 , x2 , . . . , xn ), and P (y1 , y2 , . . . , yn ) are the policies con-
sisting of atomic rules x1 , x2 , . . . , xn and y1 , y2 , . . . , yn re-
spectively. Since wR is a partial order, some values of the
atomic rules might not have a weight assigned. In this case,
the mapping f assigns zero, the neutral value for addition.
We now define segmentation formally based on the weights
of the commonalities among the policies of the resources in a
segment.
 9

Definition 3 (Segment). Let R be a set of resources. A set We now define a robust network, which provides maximum
S ⊆ R is said to be a segment of R iff access-protection to its resources using minimum firewalls. It
achieves this by implementing the SDD strategy and segmen-
(∀ r, r0 | r ∈ S ∧ r0 ∈ (R − S) · wP (gcd(p(r), p(r0 ))) ≤
tation defined in Definition 4.
wP (gcd( r | r ∈ S · p(r) )) ). A network graph G is said to be (access control) robust if
the following criteria hold:
Our definition of a segment forces us to have at least two 1) G satisfies SDD strategy in every path from the root to
elements in a segment, as the GCD is a 2-arity operator. the parent of a resource,
2) G has a segmentation as defined in Definition 4, and
Definition 4 (Segmentation). Let R be a set of resources, and 3) G has no superfluous firewall chaining.
let F be a set of subsets of R such that (∪ A | A ∈ F · A ) =
The first criterion for a robust network ensures that any two
R. Then F is a segmentation of R iff
internal nodes strictly refine each other. However, it allows a
(∀ A | A ∈ F · A is a segment of R ).
leaf node and its parent to have the same policy. This can be
In our definition of segmentation, a resource is placed within seen when resources have 1F policy, and as a result the fire-
a group of resources if and only if the commonalities it has wall protecting them; that is, the root will also have 1F policy.
with the members of the group is more strict than with any The second criterion ensures that resources are segmented in a
outside resource; that is, the commonalities have equal or way such that maximum access-protection is provided to them.
more weight than the weight of the commonalities it has These segments are then placed in the network at varying
with any other resource not in the segment. As a result, depths depending on their levels of security requirements.
this segmentation provides maximum access-protection to its Segments with high levels of security requirements are placed
resources. deep down in the network and protected by layers of firewalls
each adding an extra level of security. And the segments
Lemma 4.
with low levels of security are placed closer to the root;
(a) Let S ⊆ R be a set of resources formed by only mutually that is, the outer firewall. Therefore, traffic going from the
co-prime policies that are 6= 1F . S forms a segment only Internet to an internal segment is faced by layers of firewalls
if (∀ r | r ∈ (R − S) · p(r) = 1F ). and traffic from segment to segment is managed by internal
(b) Let S ⊆ R, and there exists resources r, r0 ∈ S such that firewalls. Consequently, segments consisting of resources with
p(r) = 1F and p(r0 ) @ 1F , and high levels of security requirements are protected from internal
0 0 0 and external threats. Furthermore, if an unauthorized agent
(∀ r, r | r ∈ S ∧ r ∈ (R−S) · gcd(p(r), p(r )) = 1F ).
gains access to an internal segment, it will not be able to easily
Then S is a segment. gain access to another segment. Finally, the third criterion
ensures that we have the most effective strict defense in depth
By requiring DD, resources with 1F policy are directly
and segmentation at a minimum cost.
attached to the root having 1F policy, thus forming elements
of a DMZ. If a segment satisfying the condition in Lemma 4(a)
exists then the root of this segment will have 1F policy. VI. A LGORITHMS TO B UILD A ROBUST N ETWORK
Consequently, the root of the global network will have 1F In this section, we present two algorithms to build a robust
policy. To achieve SDD all the resources and internal nodes network. In Section VI-A we present the Exp-RNS algorithm
attached to the root of the segment S will be attached to which uses a brute force approach to build a robust network,
the global root. By Lemma 4(b) S is not a segment, if resulting in an exponential running time. The purpose of
S 6⊆ R, or there do not exist resources r, r0 ∈ S, such that presenting this algorithm is that it is easy to grasp the use
p(r) = 1F and p(r0 ) @ 1F , or there exists resources r ∈ S of the formalism presented in Section III in constructing
and r0 ∈ (R−S) such that gcd(p(r), p(r0 )) 6= 1F . This means the network graph. Then, in Section VI-B, we present the
that if S is a segment that has some resources with 1F policy RNS algorithm that uses a similar approach presented in
and others resources with policies different than 1F , then the the B UILD -N ETWORK -G RAPH procedure of the Exp-RNS
commonality of each resource in S with a resource out of S algorithm. However, to achieve a polynomial running time,
has to be 1F . Otherwise, S cannot be a segment. The proof it uses a bottom up approach to build the network graph and
of Lemma 4 is in Appendix-A. uses resources and their weights as a guide throughout the
Superfluous Firewall Chaining exists in a network when a network building process.
firewall has only a single firewall attached to it. For example,
when firewalls are connected forming a chain, and resources
are attached only at the bottom of the chain, thus in this A. Exponential Network Segmentation Algorithm: A Brute
case firewalls only exist to protect other firewalls. Therefore, Force Approach
superfluous firewall chaining is a waste of network resources, The Exp-RNS algorithm uses R to build a robust network
as it is possible to replace all the firewalls forming a chain by computing the GCD of resource policies and using the
with the firewall at the bottom of the chain with resources refinement relation on these GCDs. For simplicity, we discuss
attached, as it has the most restrictive policies among all the the algorithm using singleton families of policies, and so we
other firewalls in the chain. refer to them as policy rather than family of policies.

A resource having 0F is essentially inaccessible, as it
cannot be protected through an access control system. The
0F which represents a pseudo policy cannot be enforced at
an access control point. Therefore, it cannot be part of a
robust network architecture. Hence, we assume that the input
R does not contain resources with 0F policies. Furthermore
by Lemma 1, having any internal node/leaf with 1F policy
implies that SDD is not achievable in the network graph. By
Lemma 4(a) resources with 1F policy have to be attached to
the root with 1F policy. Therefore in the Exp-RNS algorithm,
we remove resources with 1F policy a priori from the set R,
and as a final step add these resources to the root.
The Exp-RNS algorithm consists of five main tasks. The
first task is calculating the GCDs or common policies. The
second task is building a network graph based on the refine-
ment relation consisting of only firewalls. The third task is
adding resources to the network graph, and the fourth task
is pruning the network graph to remove superfluous firewall
chaining. Finally, the fifth task is to add all the resources with
1F policy (if they exist) to the graph.
Algorithm 1 Exponential Robust Network and Segmentation
Algorithm
1: procedure E XP -S EGMENTATION(R)
2: S ← set of resources having 1F policy
3: R←R−S
4: GCD ← C OMPUTE -GCD(R)
5: G ← B UILD -N ETWORK -G RAPH(GCD, R)
6: A DD -R ESOURCES - TO -N ET(G, GCD, R)
7: O PTIMIZE -N ETWORK -G RAPH(G)
8: if S 6= ∅ then
9: A DD -1F- RESOURCES(G, S)
10: end if
11: end procedure
Below we explain the five main tasks of the above algorithm
and present detailed algorithms for each task in Appendix-B
for completeness.
Calculating GCDs: The C OMPUTE -GCD function computes
the commonalities or the GCD of policies of resources. As
seen in Section V, to segment resources we need to place
them within a segment such that maximum security (access-
protection) is achieved. To achieve this, we use a brute force
approach to compute all possible segments by computing the
power set of R, P(R), (where each set in P(R) represents
a possible segment). Then we compute the commonalities in
each segment by computing the GCD of the resource policies
in that segment. For details on the C OMPUTE -GCD function
we refer the reader to Appendix-B.
Building a Network Graph: The B UILD -N ETWORK -G RAPH
function builds a network graph G with no resources attached.
This graph is a temporary network graph consisting of only
firewalls and might contain redundant firewalls. However,
the redundant firewalls are removed at a later stage (by the
O PTIMIZE -N ETWORK -G RAPH procedure). The function uses
the GCD set = F , and the refinement relation to produce
the network graph. The vertices of the network graph are
10
partitioned into gcd nodes representing a gcd object (repre-
senting firewalls), and resource nodes representing resources
in the network. Each node in the graph has all the attributes
defined for a gcd object, and in addition to these it has two
more attributes: is resource and π. The attribute is resource
identifies whether the node is a resource node or a gcd node.
It is set to true if the node represents a resource, otherwise it
is set to f alse. The attribute π stores the set of parent(s) of
the node.
The root r is the gcd object having the least weight and
its set consists of all resources (except the resources with
1F policy). It is first added to the network graph G. After
which nodes in F having the same weight as the root r are
removed. Then, it computes wmax weight - the maximum
weight over the weights of all nodes in F , and computes the
set T consisting of all nodes with wmax weight and removes
them from F . Then each node in the set T is added to
G using the A DD -N ODESET- TO -G procedure. The last two
steps are repeated till F = ∅; that is, the last two steps are
repeatedly executed to (possibly) add all the nodes in F to
G. For details on the B UILD -N ETWORK -G RAPH function and
the A DD -N ODESET- TO -G procedure, we refer the reader to
Appendix-B.
Adding resources to the Network Graph: The procedure A DD -
R ESOURCES - TO -N ET adds resource nodes to the network
Graph G. While adding the resource nodes, we first order
the gcd objects in GCD in descending order by weight
(GCDmax ). Then we choose the gcd node having the max-
imum weight and attach all the resources in its set attribute,
and in R0 (initially R0 = R), to it. After which we remove
the attached resources from the set of resources R0 . We
do this for each gcd node in GCDmax . In the end, all
resources are added to the network graph G. Observe that by
adding resources to gcd nodes starting with maximum weight
to minimum weight, we ensure that resources with higher
security requirements are protected with maximum layers
of protection. The A DD -R ESOURCES - TO -N ET procedure is
presented in Appendix-B.
Optimize GCD graph: The network graph obtained after exe-
cuting the procedure Add-Resources-To-Net could suffer from
superfluous firewall chaining. To eliminate this issue, we use
the O PTIMIZE -N ETWORK -G RAPH procedure. This procedure
performs a post-order traversal of G using two stacks S, T ,
so that all children of a node are evaluated before it gets
evaluated. Since our graph G is not necessarily binary, we do
not always evaluate the children of a node from left to right
(any order is acceptable). The only criteria we follow is that
all children of a node are evaluated before it. S is used to keep
track and evaluate all children of a node before itself, and T is
used to store the post-order traversal of G. When S is empty
(and T is full), we pop nodes from T one at a time and begin
evaluating it. When a node u is being evaluated, if u is a gcd
node and it has no children or if u has only one child that is a
gcd node, then u and its corresponding edges are deleted from
G. If u has only one child that is a gcd node, then the child
is attached to u’s parent. The O PTIMIZE -N ETWORK -G RAPH
procedure is presented in Appendix-B.
Adding resources with policy 1F to G If S 6= ∅; that is, the

set of resources having 1F policy is not empty, we add it to
the network graph using the procedure A DD -1F- RESOURCES
outlined as follows:
1) If the policy of the root r is equal to 1F , then we directly
attach all the resources in the set S to r.
2) However, if the policy of the root r is not equal to 1F ,
then we create a new node r0 , set its attributes appro-
priately (as shown in Procedure A DD -1F- RESOURCES),
and add it to G. After which we attach r and all the
resources in the set S to it. The node r0 is the new root
for the network graph G.
The A DD -1F- RESOURCES procedure is presented in
Appendix-B.
Exp-RNS Algorithm: Robustness and complexity
The running time of the Exp-RNS algorithm is exponential in
the size of the set of resources R. This is due to the brute
force approach used to compute the gcd nodes, obtained by
computing the power set P(R), and using it to build the
network graph.
Theorem 1. The Exp-RNS Algorithm constructs a robust
network graph.
Proof. The proof is straight forward and is by contradiction.
We assume that at least one of the three criteria required for
a network graph to be robust (Section V), is not satisfied.
Suppose Condition 1 is not satisfied. Then there exists at
least one path in G from the root to the parent of a resource,
such that the SDD strategy is not satisfied. Recall that the
GCD set computed by the C OMPUTE -GCD procedure has
gcd objects with distinct policies. In Exp-RNS, gcd nodes
are added to G only by the B UILD -N ETWORK -G RAPH and
A DD -1F- RESOURCES procedures. In the B UILD -N ETWORK -
G RAPH procedure, a gcd node s is first added to G, and any
child of r that refines s is disconnected from the root and
attached as a child to s. In both these cases, the SDD strategy
is satisfied. In the A DD -1F- RESOURCES procedure, the only
gcd node added to G is the root r0 having 1F policy, and is
added only if r.policy 6= 1F . Clearly, SDD strategy is satisfied
as all policies 6= 1F strictly refine 1F . Therefore, every path
from the root to a resources’ parent satisfies the SDD strategy,
which is a contradiction.
Suppose Condition 2 is not satisfied. Then there exists a
segment S, such that a resource r ∈ S and a resource r0 ∈ / S
have commonalities with more weight than the weight of the
commonalities between elements of the segment S. If this
holds then there will be a gcd node in G with the policy
gcd(r, r0 ) and its corresponding weight. However, since we
add resources to gcd nodes starting with gcd nodes having
maximum weight to the gcd nodes having minimum weight,
the resources r and r0 would be added to the node having the
policy gcd(r, r0 ), which is a contradiction.
Suppose Condition 3 is not satisfied; that is, superfluous
firewall chaining exists in G. Then there exists at least one
firewall with a single node that is a firewall attached. Recall
that in the procedure O PTIMIZE -N ETWORK -G RAPH, we count
the number of children attached to each firewall. If the node
has only one child that is a firewall we remove this node and
11
attach its child to its parent(s). Therefore, by the end of the
Exp-RNS algorithm G has no superfluous firewalls, which is
a contradiction.
B. Polynomial Algorithm to build a robust network segmenta-
tion
In this section we present the RNS algorithm (Algorithm 2)
to build a robust network graph G, given a set of resources
with its policies R, in polynomial time. Similar to Exp-RNS,
for this algorithm also we assume that R does not contain
resources with 0F policies.
The idea of the algorithm is simple. We use an approach
similar to the one used in the B UILD -N ETWORK -G RAPH
procedure presented in Section VI-A, where the gcd nodes
are added in non-increasing order of weights (except for the
root). However, to achieve a polynomial running time, we use
resources and their weights and create temporary nodes to
guide us through the network building process.
In the RNS algorithm, the root is added first to G, and
nodes are added in batches (set T ) to G in decreasing order
of their weights. Hence at any given time, when a node s is
evaluated to see where in G it can be added, the weight of
all the nodes in G is greater or equal s.weight. While adding
s to G, clusters of resources are evaluated to see if they can
form a segment containing s based on their weights. Note
that, the weight of any segment containing s is always less
than or equal to s.weight, and so the maximum weight of
any segment containing s is s.weight. Therefore, when such
a cluster of nodes is identified, we create a gcd node to protect
this segment and add it to the root of G and attach the nodes
forming the segment to it. Otherwise, we create a temporary
node for the cluster and add it to F , so that it can be evaluated
later when the set (T ) having the weight of the cluster is being
evaluated.
Temporary nodes are never added to G. While evaluating a
temporary node, if the cluster of nodes with s actually forms
a segment at that point, a new gcd node is created and added
to G. This is similar to any other gcd node. We now give the
outline of the algorithm as follows:
• The algorithm first creates the root r for all resources in
R using the C REATE - NODE procedure and adds it to the
network graph G.
• Then it creates subsets S1 , S2 , . . . , Sm ⊂ R, such that
no two subsets have resources with same ppolicies and
creates a node for each subset Si , 1 ≤ i ≤ m, and adds it
to F . Therefore, F contains either a single resource node,
or a gcd node consisting of resources, having the same
policy as the gcd node, in its set. If we assign distinct
values from 1 − m termed as key values, to each distinct
rule in R, then the subsets S1 , S2 , . . . , Sm can be easily
created using Bucket sort as follows: we create m buckets
labelled from 1−m, for each distinct rule. As we traverse
through the rules in R, we simply evaluate its label and
place it in the bucket having the same label.
• After which, it computes the wmax weight - the maximum
weight over the weights of all nodes in F , and computes
the set T consisting of all nodes with wmax weight and
removes all these nodes from F .
 12

Algorithm 2 Robust Network and Segmentation (RNS) Algo- if gcd.weight = s.weight then
rithm A DD - NODE - TO -G(G, gcd, cset, true)
1: procedure S EGMENTATION (R) . R = {r1 , r2 , . . . , rn } end if
2: G ← N U LL . G = (V, E, r) end if
3: r ← C REATE - NODE(R) . Create root r end if
4: A DD - NODE - TO -G(G, r, ∅, f alse) . Add root r to G end for
m
5: S1 , S2 , . . . , Sm ⊂ R such that
S
Si = R, and no two end if
i=1 end procedure
subsets have resources with same polices
6: F =∅ The A DD -N ODESET- TO -G procedure adds the set of nodes in
7: for each s ∈ {S1 , S2 , . . . , Sm } do T to G. The outline of this procedure is as follows:
8: F = F ∪ C REATE - NODE(s) • If wmax = r.weight, the A DD -N ODESET- TO -G pro-
9: end for cedure directly attaches to r all the resources in every
10: while F 6= ∅ do non-temporary node s ∈ T and exits. Otherwise, it
11: wmax ← maximum weight of any s ∈ F . implements the below steps.
12: T ←∅ • The procedure loops through each node in T to (possibly)
13: for each s ∈ F do add it to G. If s is not a temporary node (indicated by
14: if s.weight = wmax then the temp node attribute), it is added to G as a child of
15: T ← T ∪ s; F ← F − s the root r.
16: end if • Then every child of r is evaluated to compute cset -
17: end for the set consisting of all nodes including s (or including
18: A DD -N ODESET- TO -G(G, F, T, wmax ) s.set, if s is a temporary node). cset is computed by the
19: end while C URR - MAX - WEIGHT- SET function.
20: end procedure • A new gcd node gcd is computed for the set of resources
in cset, if cset 6= ∅. If s is a permanent node, then it
checks if gcd.weight = s.weight. If it is, gcd is added
• Then the nodes in set T are added to G using the A DD - to G; otherwise gcd is tagged as “temporary” – to be
N ODESET- TO -G procedure. considered for evaluation later – and added to F . If s is
• The above two steps are repeated till F = ∅; that is, the a temporary node and if the node is in s.set is still part
above two steps are repeatedly executed to (possibly) add of the segment formed by gcd, then gcd is added to G.
all the nodes in F to G. Otherwise, it is automatically removed from F , as all the
nodes in T are removed from F , before adding them to
procedure A DD -N ODESET- TO -G(G, F, T, wmax ) .
G in Algorithm 2.
G = (V ; E; r)
if wmax = r.weight then . Attach resources having Recall that nodes are added in batches (T ) to G in decreas-
same weight as r to r ing order of their weights. Therefore, in the A DD -N ODESET-
ATTACH - RESOURCES - TO -R(G, T ) TO -G procedure when gcd.weight < s.weight, the node
else gcd is not added to G, but instead added to F (if it is not
for each s ∈ T do . Add permanent nodes in T a temporary node), to be evaluated when the set of nodes
to G (T ) having weight = gcd.weight is processed. Furthermore,
if s.temp = f alse then temporary nodes are associated with a node for which they
A DD - NODE - TO -G(G, s, ∅, f alse) were created. For example, when a permanent node s from
end if T is added to G, we check to see if any child nodes of r
end for can form a segment with s. If the weight of this segment is
for each s ∈ T do . Check child nodes of r to less than the weight of s, we create a temporary node for the
add gcd node segment and evaluate it later when the nodes with its weight
cset ← ∅ are being evaluated.
cset ← C URR - MAX - WEIGHT- SET(G, s) During the execution of the A DD -N ODESET- TO -G func-
if cset 6= ∅ then tion, while evaluating a set s ∈ T , let the root r have
gcd = C REATE - NODE(cset) c1 , c2 , . . . , ck child nodes. Let the GCD of the polices of
if !s.temp then (c1 , s), (c2 , s), . . . , (ck , s) be g1 , g2 , . . . , gk . Let cmax be
if (s.weight = gcd.weight) then the maximum weight over all the weights of the policies
A DD - NODE - TO -G(G, gcd, cset, true) g1 , g2 , . . . , gk . Then the primary objective of the C URR - MAX -
else . Mark gcd as a temporary node WEIGHT- SET function is to compute the set (not necessarily
gcd.temp ← true; gcd.set ← s the largest) of all child nodes snew = {ci1 , ci2 , , . . . cil }, such
gcd.size ← 1 that snew ⊆ {c1 , c2 , . . . , ck }, and gcd(ci1 , ci2 , . . . cil , s) has
F ← F ∪ {gcd} cmax weight.
end if To compute snew, C URR - MAX - WEIGHT- SET function
else maintains a stack S (this can also be achieved with an
 13

array/list). Initially, S is empty and cmax = 0. While eval- end if

uating the child nodes of r, S contains the nodes having the return snew
current/local maximum weight. Therefore, by the end of the end function
for loop, S contains all the child nodes, such that the weight The ATTACH - RESOURCES - TO -R procedure attaches re-
of the GCD of their policies is cmax. snew contains the sources having the same weight as r to r.
largest possible set of nodes if cmax = s.weight. However,
procedure ATTACH - RESOURCES - TO -R(G, T ) .
if cmax 6= s.weight, it does not necessary store the largest
G = (V ; E; r)
set. This is not a problem, as a node corresponding to cmax
for each s ∈ T ∧!s.temp do
is added as a temporary node (if s is a permanent node) to F ,
if !s.isresource then
in which case it is evaluated later and the maximum possible
for each res ∈ s.set do
set of nodes corresponding to it, is formed at that time.
res = C REATE - NODE(res)
Note that, we do not consider s while computing this set, A DD - NODE - TO -G(G, res, ∅, f alse)
because gcd(s, s) ≥ gcd(ci , s), where 1 ≤ i ≤ k. Hence, if end for
s is included in the set, cmax = s.weight. This would be else
a problem if snew = {s}, as we cannot form a segment A DD - NODE - TO -G(G, s, ∅, f alse)
with only one element. Therefore, we compute S without end if
considering s and if S 6= ∅ we add s to it. Furthermore, if end for
cmax is equal to the weight of the root, it is pointless to create end procedure
another sub segment with its weight = r.weight. Therefore, We present the auxiliary C REATE - NODE function, and the
we disregard this case. A DD - NODE - TO -G procedure in Appendix C, for clarity and
function C URR - MAX - WEIGHT- SET(G, s) completeness.
S ← ∅; snew ← ∅
Sgcd ← ∅ . gcd of policies of the nodes in S
cmax ← 0 . Current Max.weight of gcd of policies gcd 1

f lag ← f alse
for each child c of r do gcd 1 gcd 3

if s.temp ∧ c ∈ s.set then

f lag ← true gcd 4 gcd 5 gcd 4 gcd 5

end if
if (!s.temp ∧ c 6= s) ∨ (s.temp ∧ c 6∈ s.set) then Eng 1 Eng 2 Fin 1 Fin 2 Fin DB Eng 1 Eng 2 Fin 1 Fin 2 Fin DB

tempp ← gcd(c.p, s.p)

tempw ← weight of tempp (a) Net. graph after 1st iteration (b) Net. graph after 2nd itera-
if cmax < tempw then of A DD -N ODESET- TO -G tion of A DD -N ODESET- TO -G
Empty S; P ush(S, c) gcd 1

Sgcd ← gcd(s, c)
cmax ← tempw
else if cmax = tempw then gcd 2

Sgcd ← gcd(Sgcd, c)
Sgcdweight ← weight of Sgcd File gcd 3

if Sgcdweight = cmax then

P ush(S, c) gcd 4 gcd 5

end if
end if Eng 1 Eng 2 Fin 1 Fin 2 Fin DB
end if
end for
(c) Net. graph after 3rd iteration
if !S.isempty ∧ cmax 6= r.weight ∧ s.temp ∧ f lag of A DD -N ODESET- TO -G
then
P ush(S, s.set) Fig. 10: Progression of RNS for the illustrative example
while S 6= ∅ do
snew ← snew ∪ P op(S) Figure 10 shows the progression of executing the RNS
end while algorithm on the illustrative example. The last iteration
end if generates the network shown in Figure 15.
if !S.isempty ∧ cmax 6= r.weight ∧!s.temp then
P ush(S, s) RNS Algorithm: Robustness and complexity
while S 6= ∅ do
snew ← snew ∪ P op(S) Theorem 2. The RNS Algorithm constructs a robust network
end while graph.

Proof. The proof is by contradiction. We assume that at least
one of the three criteria required for a network graph to be
robust (Section V), is not satisfied.
Suppose Condition 1 is not satisfied. Then there exists
at least one path in G from the root to the parent of a
resource, such that the SDD strategy is not satisfied. In the
RNS algorithm, the root is added first to an empty graph G.
After which nodes both resource and gcd nodes are added in
non-increasing order of their weights to G by first attaching
them to the root only in the A DD - NODESET- TO -G procedure.
In A DD - NODESET- TO -G, when a gcd node gcd is added to the
root r, cset contains all its child nodes. The policy at gcd is
equal to the GCD of policies of all nodes in cset. Furthermore,
while adding child nodes from cset to gcd, we check if any
child node’s weight is equal to gcd.weight, in which case we
delete the child node (if its not a resource) and attach all its
children to gcd. Therefore, in all the cases the SDD strategy
is satisfied while adding resources and gcd nodes. Therefore,
the SDD strategy is satisfied in all paths from the root to the
node of the parent of a resource, which is a contraction.
Suppose Condition 2 is not satisfied. Then, the condition
stated under Definition 3 is not satisfied; that is, there exists a
segment S, such that a resource r ∈ S and a resource r0 ∈ / S
have commonalities with more weight than the weight of the
commonalities between elements of the segment S.
Without loss of generality, let us assume that w(p(r)) ≤
w(p(r0 )). Nodes are added to G in non-increasing order of
their weights. Therefore, when r is added to G, all the existing
nodes in G have weight greater than or equal to r.weight.
Since r.weight ≤ r0 .weight, G must include r0 . Furthermore,
while evaluating clusters of resources (having weight greater
than or equal to r.weight) including r, we choose a cluster
having the maximum weight (and possibly the maximum size)
among all such clusters evaluated, as the segment S. Therefore,
it must be the case that a cluster having r and r0 is evaluated.
Since r and r0 have commonalities with higher weight, then
the chosen cluster forming a segment must contain r and r0 .
Therefore, the segment S must contain both r, r0 , which is a
contradiction.
Suppose Condition 3 is not satisfied; that is, superfluous
firewall chaining exists in G. Then there exists at least one
firewall/ gcd node with a single node that is a firewall attached.
Recall that gcd nodes are added to G only when more than
one node can be attached to them. Therefore, by the end of
the RNS algorithm, G has no superfluous firewalls, which is
a contradiction.
Theorem 3. Let R = {r1 , r2 , . . . , rn } be the input of size n to
the RNS Algorithm. Then, the running time of RNS is O(n2 ).
Proof. Using numeral key values between 1 − m as labels
for distinct rules in R, and Bucket sort, the time required to
compute the subsets S1 , S2 , . . . , Sm , where m ≤ n is O(n).
Since gcd nodes (either permanent or temporary) are created
for each set s ∈ S1 , S2 , . . . , Sm exactly once, the number of
gcd nodes in the network graph is at most n. Analogously,
the number of temporary nodes created during the execution
of the RNS algorithm is also at most n. Hence the total time
14
required for the the RNS algorithm is O(n), plus the total time
required to execute the A DD - NODESET- TO -G procedure.
Let t ≤ n be the number of distinct weights of policies in
the resource set R. Then, the A DD - NODESET- TO -G procedure
is executed t times, and the total number of nodes processed
by it is at most 2n (since |F | ≤ 2n). Hence the time taken by
A DD - NODESET- TO -G is 2n plus the time taken by the C URR -
MAX - WEIGHT- SET for each node s in F where s.weight >
r.weight.
The total time required by the C URR - MAX - WEIGHT- SET
procedure is equal to the number of child nodes of r the
procedure evaluates to construct the snew set for all nodes in
F . The maximum number of such nodes is at most 2n (total
number of nodes in G) at each execution of the C URR - MAX -
WEIGHT- SET procedure. Further, the C URR - MAX - WEIGHT-
SET procedure is executed at most 2n times (number of nodes
in F ). Hence, the total time required by the C URR - MAX -
WEIGHT- SET procedure is at most O(n2 ).
Therefore the total running time for the RNS Algorithm is
O(n2 ).
VII. A PPLICATION OF RNS A LGORITHM IN SDN
OpenFlow [34] protocol has emerged as an approach to
remotely program switches while having a global view. When
a switch has no entries in its flow tables to handle a packet, it
forwards it to a controller which instructs the switch on how
to handle such packets. This approach of decoupling control
of traffic from the data plane is referred to as SDN [15], [39].
SDN can be characterised by the separation of the control
plane from the data plane in a network: the physical movement
of data (packet forwarding) in a network is separated from
the logic and control governing this movement. Hence, the
decoupling leads to a separation of concerns, which simplifies
the network control design and its maintenance.
In a typical SDN architecture, a central controller residing
in the the control plane governs the movement of data while
the switches residing in the data plane strictly forward packets
as directed by the controller. In the literature, we find the
following architectures for implementing firewalls in the SDN:
(a) Single centralised firewall: In [25], [30], [50] the authors
propose an architecture where the entire network is gov-
erned by a stateless centralised firewall at the control
plane. In this architecture, the policy resides at the firewall
and switches forward all traffic to the controller which
checks the policy and instructs the switch to drop or
forward the packets.
(b) Distributed firewalls at control plane: In [27], [37], [41],
[51] the authors propose an architecture with distributed
firewall at the control plane. The firewalls implemented
in this architecture are stateless firewalls. Each switch is
assigned a firewall at the controller. The firewall reads
the policy and inserts deny rules into the flow table of
the switch. The denied traffic is then dropped by the
switch, and all other traffic is forwarded to the controller
which instructs the switch on how to forward the packet.
The proposed architectures in [52] and [18] are stateful
firewalls that follow a similar process.
 15

(c) Distributed firewalls at the data plane: In [6], [8] the

authors propose an architecture that transforms the data Resource
Resource
Firewall
11Policy
Policy
Policies

plane switches into stateful firewalls. These approaches RNS algorithm

take advantage of stateful data plane technologies to allow Topology

File

switches to act as stateful firewalls without the need to POX SDN Controller
Fw2 Fw5
forward packets to the controller. policy
Fw 5
policy
Fw 2
As we shall explain in the following section, the RNS Fw1 Fw4
policy policy
algorithm is used to generate the network topology and specific Fw 1 Fw 4
firewall policies for each segment that we put under a switch Fw3
policy
in the date plane (see Figure 11). In this section we adopt a Fw 3
Mininet (topology.py)
distributed stateful firewall architecture that combines Archi- Engineering1
192.168.2.1
tecture (b) with stateful firewall. Our approach is illustrated in
Engineering2
Figure 12. Sw 1
Sw 2 Sw 3 192.168.2.2
Sw 5

Sw 4

Web Server Email Server File Server Finance DB Finance2 Finance1

192.168.4.1 192.168.4.2 192.168.3.1 192.168.1.3 192.168.1.2 192.168.1.1
Resource
Resource 11
Resource
Policy
Policy
Policies
Fig. 12: SDN simulation

assess whether the traffic in the network is governed according

RNS algorithm to the policies set by the RNS algorithm, we run a reachability
test as shown in Figure 13. The reachability test is performed
using the command pingall, which allows every data plane
host to ping every other host. In Figure 13, the first line of
the system response to pingall command starts with eng2,
which is the name of the resource initiating the ping request.
Resource
Resource 1
Firewall1
Policy Then we have the arrow -> followed by resource names such
Policy
Policies Topology File
as eng2, file, email, and web indicating a successful
communication of eng2 with these resources. An x indicates
that the initiating host is failing to establish a communication
with the target host.
Fig. 11: RNS algorithm

A. Use of RNS in SDN

We start by running the RNS algorithm on the set of
resources of a network and their policies to obtain a secure
and robust network topology and the policies of its firewalls.
The design process involves two stages. In the first stage,
the policies of the resources as well as a predefined weight Fig. 13: Reachability Test of the illustrative example Resources
function are fed as input to the RNS algorithm.
In the second stage, we use mininet (an SDN emulation
tool) [11] and POX controller [2] to create and simulate the
network corresponding to the topology obtained from the first VIII. OTHER A PPLICATIONS OF RNS A LGORITHM
stage. In the SDN controller to handle each switch in the The RNS algorithm can be applied to build computer
network we create a stateful firewall object. Each firewall networks in several conceivable scenarios. Here we highlight
object has a state table, a module to communicate with the some of the scenarios where traditional networks fail, but the
actual switch, and a package consisting of modules to handle RNS algorithm is applicable.
(referred to as handlers) different protocols such as TCP, UDP,
or ICMP. Each firewall object fetches its policy, generated by
the RNS algorithm, and stores it (See Figure 12). A. Internet of things
We use the network of the example given in Section II IoT (e.g., [32]) is a vision for developments that would
to illustrate the stages of designing SDN based on the RNS touch many aspects of our daily lives. At its core IoT aims at
algorithm. We obtain the topology given in Figure 12. To having heterogeneous physical objects, for example sensors,

devices, tools, machines, wearable items and software compo-
nents, connect and communicate through the Internet, forming
several cooperating eco-systems delivering a global activity.
Many organizations all over the world are initiating IoT driven
ventures to improve their business suppleness or to better
meet the demands of their customers. Networking a large
number of elements of IoT, while ensuring the security of each
element is one of the many challenges [5], [9]. Many existing
models (e.g., [5]) require devices to be resources which rely on
the manufacturer’s cloud-based servers to function. The manu-
facturer’s cloud clusters these resources into network segments
to enable them to securely communicate with other resources
within or outside the cloud. The RNS algorithm would play
a significant role in achieving an automatic and systematic
segmentation of the manufacturer’s networks. Moreover, our
proposed approach for segmentation builds a secure network
by default.
B. On-the-fly-networks/Dynamic networks:
In a secure dynamic networking environment, it is vital
that the reasoning required to cope with the changing security
needs, and communicating the attained security decisions to
the concerned access control nodes is automated. Moreover,
this automation is critical for large networks with a consid-
erable number of dynamic resources. The RNS algorithm,
generates an on-the-fly best segmentation, and policy-based
protection to the network’s components, while ensuring con-
sistency among the resource policies.
For example in an SDN setting, the RNS algorithm is
re-executed to generate an updated topology. The updated
topology is compared to the old topology to decide on which
hosts, switches, links to be added or deleted. To implement
this, the differences are written in a python script that exe-
cutes mininet Command-line interface (CLI) to carry out the
changes. The topology is then updated on-the-fly by running
the script on the mininet CLI. After which the controller is
notified of the changes, which then creates new firewalls and
updates policies of affected ones accordingly.
Further, in real networks a resource might be accessed from
several entry points or used from other networks. Therefore,
in dynamic configuration of networks, special care needs to
be taken in handling such resources. If a resource is deemed
out of service in one network, it should not be automatically
remove without considering its usage from outside of the
network under consideration. In our paper [3], we discuss
the usage of the RNS algorithm to segment networks having
several entry points.
IX. D ISCUSSION
We proposed two algorithms, Exp-RNS and RNS, for
building a robust network topology. The Exp-RNS algorithm
has an exponential running time, and RNS has a polynomial
running time. Despite its exponential complexity, we presented
the Exp-RNS algorithm for its simplicity in demonstrating the
usage of the formalism in building a robust network. We later
introduced RNS, which can easily meet the needs of the most
of real-time network configuration in dynamic networks.
16
The restriction in the superfluous firewall chaining concept
mentioned in Section V can be further tightened, where a
firewall having no resources attached to it (irrespective of
the number of firewalls attached to it) is removed from the
network. This would not only simplifies the network, but
also significantly economize it by minimizing the number of
firewalls required to produce a secure and robust network. The
Exp-RNS and RNS algorithms can be easily modified with mi-
nor changes to adapt to the tighter version of firewall chaining.
Both these versions have its advantages and drawbacks. The
superfluous firewall chaining mentioned in Section V would
result in a network having more firewalls and more number
of layers protecting the resources, however building such a
network could be expensive. The tighter version, results in a
network having less firewalls and fewer layers protecting the
resources; however, it is economical.
Our approach is for designing and building networks, and
is not focused on improving the security in existing networks.
Quantified attack graphs ([57], [23], [13], [4], [43], [35]), and
similar formalisms (e.g., [44]) have been proposed to harden
the security of existing networks. However, our approach can
be used to assess the security robustness of an existing network
in the following ways. One way is to use the GCD to calculate
the best policy for each of the segments of the existing
networks. Then, we compare the calculated firewall policy for
each segment to the existing policy. This would reveal any
missing rules or any flaws in the policy of the existing firewall.
The second way is to verify whether the existing network
implements DD strategy. A third way is to use RNS to get
the appropriate robust network for the resources that are in the
existing network. Then, we compare the topologies (existing
and calculated) with regard to their effectiveness in protecting
the resources. This comparison might lead the network security
officer to better tune the existing network for an enhanced
security.
Today’s networks are very large in terms of the number of
their nodes. The abstraction adopted in the family approach
allows to collapse a subset of nodes into one node that is
protected by a family of policies obtained from the policies of
the abstracted nodes. This approach for example allows us to
focus on the design of a network in a geographic area while
considering the rest of the network in another geographic area
as a node running a family of policies. It is a direct usage of
the principle of divide and conquer.
It is also important to put our results in perspective with
Network Address Translation (NAT) which is a translation
mechanism executed by a firewall that is in contact with
the Internet outside of a private network. It assigns public
addresses to a computer inside a network. Its purpose is to
limit the number of public addresses that internal nodes within
a network need to know about external resources. In our work,
we assume that only the node that we call root will have
this translation capabilities. Our purpose is to design local
networks and NAT can be placed on the boundary between the
local network to be designed and the external Internet (i.e., on
the entry points (roots) of the network). Hence, our policies
use only local addresses to the designed network.
We executed the RNS algorithm on a network with 100

resources, on an Apple MacBook Pro with a CPU 2.7 GHz
Intel Core i5 and a memory of 8 GB 1867 MHz DDR3.
The algorithm took 24.40 seconds to calculate the network
topology and the policies to be enforced at its firewalls.
Then, we inactivated ten resources out of the previous 100
resources, and executed the RNS algorithm to recalculate the
new network topology and the policies of its firewalls. The
machine took 24.36 seconds. While the above performance
numbers do not constitute, by any stretch an empirical as-
sessment – a definitive real performance indicator, they give
an idea about the range of time needed. Although the two
numbers do not differ much, we want to emphasize that in
both these cases; that is, with 100 resources and 90 resources,
we re-calculate the whole network topology. Many targeted
strategies can be conceived by considering the characteristics
of the resources that are added or removed. For instance, when
a resource is added/removed, if this change affects only a
subnetwork, we could re-calculate the new topology only for
the subnetwork affected by this change. This would require
running the RNS algorithm for a small number of resources
that are part of the subnetwork as input. In this situation, we
will see enhanced performance which is appropriate for real-
time network reconfiguration. In many situations, however, the
performance of the RNS algorithm when used to recalculate
the whole topology of the network for each network change
is acceptable to reconfigure the network, for example, re-
configuring the network in response to several security threats.
Therefore, a comprehensive empirical study to further assess
this aspect is needed. Moreover, we also need further research
related to the usage of RNS algorithm in many networks such
as mesh networks.
X. C ONCLUSION AND F UTURE W ORK
In this paper, we formally define network segmentation.
Then, we propose novel algorithms to build a robust network
architecture which segments resources such that maximum
access protection is provided to its resources. Our formalism is
based on the mathematical framework of PFA, where a policy
is treated as a product and the sets of policies governing a
firewall are equivalent to product families, and an atomic rule
in a policy is equivalent to a feature, and are modelled as
a guarded command. Both the Exp-RNS and RNS algorithms
uses the gcd and the refinement relations to segment resources
and build a robust network.
The advantage of building a robust network using the RNS
algorithm is that public facing resources are placed close to
the edge of the network and have limited access to internal
resources. Resources requiring more security are placed far-
ther from the edge of the network and protected by many
layers. Furthermore, access from one segment to the other is
controlled by internal firewalls. This is a common practice
in network segmentation that is driven by intuition. We give
the mathematical rationale for it. Moreover, the advantage of
having a formal treatment of the problem allows for automated
solutions enabling handling of huge networks.
The RNS algorithm could be scaled to enforce additional
requirements/constraints on the segmentation to achieve the
17
desired protection. For example, an organization can limit the
number of levels required. Furthermore, additional measures
can be added to achieve the desired segmentation, for example
risk assessment measures [55] such as: infection spread ratio,
and cleansing time. A future research work could incorporate
these additional factors in the weight function discussed in V.
We note that a huge body of work focusing on experimental
evaluation in several contexts; for example evaluating the RNS
algorithm in dynamic networks and IoT would be another im-
portant area of research. Furthermore, based on the evaluations
in different settings, one could propose improvements to the
algorithm to better meet the needs of some settings.
C OMPLIANCE WITH E THICAL S TANDARDS
Conflict of Interest: All authors declare that they have no
conflict of interest.
Funding: This study was funded by Natural Sciences and
Engineering Research Council of Canada –NSERC– (CA)
(RGPIN-2020-06859).
Ethical approval: This article does not contain any studies
with human participants or animals performed by any of the
authors.
R EFERENCES
[1] P. Adão, R. Focardi, J. D. Guttman, and F. L. Luccio, “Localizing
firewall security policies,” in 2016 IEEE 29th Computer Security Foun-
dations Symposium (CSF), June 2016, pp. 194–209.
[2] A. Al-Shabibi and M. McCauley, “Pox controller,” Available: https://
noxrepo.github.io/pox-doc/html (Accessed: Mar 23, 2020).
[3] M. Alabbad, N. Mhaskar, and R. Khedri, “Segmentation and architecture
of networks with multiple entry points,” Computer Networks, 2020,
submitted.
[4] M. Albanese, S. Jajodia, and S. Noel, “Time-efficient and cost-effective
network hardening using attack graphs,” in 42nd Annual IEEE/IFIP
International Conference on Dependable Systems and Networks, 2012,
pp. 1–12.
[5] M. Ammar, G. Russello, and B. Crispoa, “Internet of things: A survey
on the security of IoT frameworks,” Journal of Information Security
and Applications, vol. 38, pp. 8–27, February 2018. [Online]. Available:
https://doi.org/10.1016/j.jisa.2017.11.002
[6] M. Caprolu, S. Raponi, and R. Di Pietro, “Fortress: an efficient and
distributed firewall for stateful data plane sdn,” Security and Communi-
cation Networks, vol. 2019, 2019.
[7] W. R. Cheswick and S. M. Bellovin, Firewalls and Internet Security:
Repelling the Wily Hacker. Addison-Wesley, 1994.
[8] A. Chowdhary, D. Huang, A. Alshamrani, A. Sabur, M. Kang, A. Kim,
and A. Velazquez, “Sdfw: sdn-based stateful distributed firewall,” arXiv
preprint arXiv:1811.00634, 2018.
[9] M. Conti, A. Dehghantanha, K. Franke, and S. Watson, “Internet of
things security and forensics: Challenges and opportunities,” Future
Generation Computer Systems, vol. 78, pp. 544–546, January 2018.
[Online]. Available: https://doi.org/10.1016/j.future.2017.07.060
[10] L. de Moura and N. Bjørner, “Satisfiability modulo theories: An ap-
petizer,” in Formal Methods: Foundations and Applications, M. V. M.
Oliveira and J. Woodcock, Eds. Berlin, Heidelberg: Springer Berlin
Heidelberg, 2009, pp. 23–36.
[11] R. L. S. de Oliveira, C. M. Schweitzer, A. A. Shinoda, and Ligia
Rodrigues Prete, “Using mininet for emulation and prototyping software-
defined networks,” in 2014 IEEE Colombian Conference on Communi-
cations and Computing (COLCOM), June 2014, pp. 1–6.
[12] J. Desharnais, N. Belkhiter, S. B. M. Sghaier, F. Tchier, A. Jaoua,
A. Mili, and N. Zaguia, “Embedding a demonic semilattice in a relation
algebra,” Theoretical Computer Science, vol. 149, no. 2, pp. 333 – 360,
1995. [Online]. Available: http://www.sciencedirect.com/science/article/
pii/030439759400271J
[13] R. Dewri, N. Poolsappasit, I. Ray, and D. Whitley, “Optimal security
hardening using multi-objective optimization on attack tree models of
networks,” in Proc. 14th ACM Conf. Comput. Commun. Security, 2007,
pp. 204–213.

[14] T. E. Fægri and S. O. Hallsteinsen, “A software product line
reference architecture for security,” in Software Product Lines
- Research Issues in Engineering and Management. Springer
Berlin Heidelberg, 2006, pp. 275–326. [Online]. Available: https:
//doi.org/10.1007/978-3-540-33253-4 8
[15] N. Feamster, J. Rexford, and E. Zegura, “The road to sdn: an intel-
lectual history of programmable networks,” ACM SIGCOMM Computer
Communication Review, vol. 44, no. 2, pp. 87–98, 2014.
[16] Google Inc., “Google’s approach to it security,” Google, Tech. Rep.,
2012.
[17] D. Gries and F. Schenider, A Logical Approach to Discrete Math, ser.
Springer Texts And Monographs In Computer Science. New York:
Springer-Verlag, 1993.
[18] V. Gupta, S. Kaur, and K. Kaur, “Implementation of stateful firewall
using pox controller,” in 2016 3rd International Conference on Com-
puting for Sustainable Global Development (INDIACom). IEEE, 2016,
pp. 1093–1096.
[19] P. Höfner, R. Khedri, and B. Möller, “Feature algebra,” in FM 2006: For-
mal Methods, ser. Lecture Notes in Computer Science series, J. Misra,
T. Nipkow, and E. Sekerinski, Eds., vol. 4085. 14th International Sym-
posium on Formal Methods, McMaster University, Hamilton, Ontario,
Canada: Springer, August 21 – 27 2006, pp. 300 – 315.
[20] ——, “Algebraic view reconciliation,” in 6th IEEE International Con-
ferences on Software Engineering and Formal Methods. Cape Town,
South Africa, November 10 – 14, 2008, pp. 85 – 94.
[21] ——, “An algebra of product families,” Software & Systems Modeling,
vol. 10, no. 2, pp. 161–182, 2011.
[22] ——, “Supplementing product families with behaviour,” International
Journal of Software and Informatics, pp. 245–266, 2011.
[23] K. Ingols, R. Lippmann, and K. Piwowarski, “Practical attack graph
generation for network defense,” in Proc. Comput. Security Appl. Conf.,
2006, pp. 121—30.
[24] R. Janicki and R. Khedri, “On a formal semantics of tabular expres-
sions,” Science of Computer Programming, vol. 39, no. 1-2, pp. 189–
213, March 2001.
[25] T. Javid, T. Riaz, and A. Rasheed, “A layer2 firewall for software defined
network,” in 2014 Conference on Information Assurance and Cyber
Security (CIACS). IEEE, 2014, pp. 39–42.
[26] Y. Jin and D. L. Parnas, “Defining the meaning of tabular mathematical
expressions,” Science of Computer Programming, vol. 75, no. 11, pp. 980
– 1000, 2010, special Section on the Programming Languages Track at
the 23rd ACM Symposium on Applied Computing. [Online]. Available:
http://www.sciencedirect.com/science/article/pii/S0167642309001762
[27] K. Kaur, K. Kumar, J. Singh, and N. S. Ghumman, “Programmable
firewall using software defined networking,” in 2015 2nd International
Conference on Computing for Sustainable Global Development (INDI-
ACom). IEEE, 2015, pp. 2125–2129.
[28] R. Khedri, O. Jones, and M. Alabbad, “Defense in depth formulation
and usage in dynamic access control,” in Principles of Security
and Trust: 6th International Conference, POST 2017, Held as
Part of the European Joint Conferences on Theory and Practice
of Software, ETAPS 2017, Uppsala, Sweden, April 22-29, 2017,
Proceedings, M. Maffei and M. Ryan, Eds. Berlin, Heidelberg:
Springer Berlin Heidelberg, 2017, pp. 253–274. [Online]. Available:
https://doi.org/10.1007/978-3-662-54455-6 12
[29] R. Khedri, N. Mhaskar, and M.Alabbad, “On the segmentation of
networks,” McMaster University, Tech. Rep., 2019. [Online]. Available:
https://www.cas.mcmaster.ca/tech reports/0reports/CAS-19-01-RK.pdf
[30] A. Kumar and N. Srinath, “Implementing a firewall functionality for
mesh networks using sdn controller,” in 2016 International Conference
on Computation System and Information Technology for Sustainable
Solutions (CSITSS). IEEE, 2016, pp. 168–173.
[31] R. Lippmann, K. Ingols, C. Scott, K. Piwowarski, K. Kratkiewicz,
M. Artz, and R. Cunningham, “Validating and restoring defense in
depth using attack graphs,” in MILCOM 2006 - 2006 IEEE Military
Communications conference, Oct 2006, pp. 1 – 10.
[32] S. Madakam, R. Ramaswamy, and S. Tripathi, “Internet of things
(IoT): A literature review,” Journal of Computer and Communications,
vol. 3, no. 5, pp. 164–173, May 2015. [Online]. Available:
http://www.scirp.org/journal/jcc
[33] C. J. May, J. Hammerstein, J. Mattson, and K. Rush, “Defense in depth:
Foundations for secure and resilient it enterprises,” Carnegie Mellon
University, Tech. Rep., 2006.
[34] N. McKeown, T. Anderson, H. Balakrishnan, G. Parulkar, L. Peterson,
J. Rexford, S. Shenker, and J. Turner, “Openflow: enabling innovation in
campus networks,” ACM SIGCOMM Computer Communication Review,
vol. 38, no. 2, pp. 69–74, 2008.
18
[35] H. M.J. Almohri, L. T. Watson, D. Yao, and X. Ou, “Security opti-
mization of dynamic networks with probabilistic graph modeling and
linear programming,” in IEEE Transactions on Dependable and Secure
Computing, vol. 13, 2016, pp. 474–487.
[36] B. Möller and G. Struth, “wp is wlp,” in Relational Methods in Com-
puter Science, ser. Lecture Notes in Computer Science, W. MacCaull,
M. Winter, and I. Düntsch, Eds. Springer Berlin Heidelberg, 2006, vol.
3929, pp. 200–211.
[37] S. Morzhov, I. Alekseev, and M. Nikitinskiy, “Firewall application for
floodlight sdn controller,” in 2016 International Siberian Conference on
Control and Communications (SIBCON). IEEE, 2016, pp. 1–5.
[38] National Security Agency (NSA), “Top 10 information assurance miti-
gation strategies,” NSA, Tech. Rep., 2013.
[39] B. A. A. Nunes, M. Mendonca, X.-N. Nguyen, K. Obraczka, and
T. Turletti, “A survey of software-defined networking: Past, present, and
future of programmable networks,” IEEE Communications Surveys &
Tutorials, vol. 16, no. 3, pp. 1617–1634, 2014.
[40] D. L. Parnas, “Tabular representation of relations,” Communications
Research Laboratory, Faculty of Engineering, McMaster University,
Hamilton, Ontario, Canada, CRL Report 260, October 1992.
[41] J. G. V. Pena and W. E. Yu, “Development of a distributed firewall
using software defined networking technology,” in 2014 4th IEEE In-
ternational Conference on Information Science and Technology. IEEE,
2014, pp. 449–452.
[42] R. Peteanu, Best Practices for Secure Development, 2001.
[43] N. Poolsappasit, R. Dewri, and I. Ray, “Dynamic security risk manage-
ment using bayesian attack graphs,” in IEEE Transactions on Depend-
able and Secure Computing, vol. 9, 2012, pp. 61–74.
[44] M. Rahman and E. Al-Shaer, “A formal framework for network security
design synthesis,” in 2013 IEEE 33rd International Conference on
Distributed Computing Systems (ICDCS), 2013, pp. 560 – 70. [Online].
Available: http://dx.doi.org/10.1109/ICDCS.2013.70
[45] P. Rubel, M. Ihde, S. Harp, and C. Payne, “Generating policies for
defense in depth,” in 21st Annual Computer Security Applications
Conference (ACSAC’05), Dec 2005, pp. 10 pp.–514.
[46] J. R.Vacca and S. Ellis, Firewalls Jumpstart for Network and Systems
Administrators. Elsevier, 2005.
[47] K. Scarfone and P. Hoffman, “Guidelines on firewalls and firewall
policy,” National Institute of Standards and Technology (NIST), Tech.
Rep., 2009.
[48] M. Stawowski, “The principles of network security design,” ISSA, 2007.
[49] ——, “Network security architecture,” ISSA, 2009.
[50] M. Suh, S. H. Park, B. Lee, and S. Yang, “Building firewall over the
software-defined network controller,” in 16th International Conference
on Advanced Communication Technology. IEEE, 2014, pp. 744–748.
[51] T. V. Tran and H. Ahn, “A network topology-aware selectively dis-
tributed firewall control in sdn,” in 2015 International Conference
on Information and Communication Technology Convergence (ICTC).
IEEE, 2015, pp. 89–94.
[52] ——, “Flowtracker: A sdn stateful firewall solution with adaptive
connection tracking and minimized controller processing,” in 2016
International Conference on Software Networking (ICSN). IEEE, 2016,
pp. 1–5.
[53] U.S. Department of Homeland Security, Recommended Practice: Im-
proving Industrial Control Systems Cybersecurity with Defense-in-Depth
Strategies, September 2016.
[54] N. Wagner, C. Ş. Şahin, J. Pena, and W. W. Streilein, “Automatic
generation of cyber architectures optimized for security, cost, and mis-
sion performance: A nature-inspired approach,” in Advances in Nature-
Inspired Computing and Applications, N. A. Shandilya S., Shandilya S.,
Ed. Springer, Cham, 2019.
[55] N. Wagner, C. Ş. Şahin, M. Winterrose, J. Riordan, J. Pena, D. Hanson,
and W. W. Streilein, “Towards automated cyber decision support: A case
study on network segmentation for security,” in 2016 IEEE Symposium
Series on Computational Intelligence (SSCI), Dec 2016, pp. 1–10.
[56] N. Wagner, C. Ş. Şahin, J. Pena, J. Riordan, and S. Neumayer, “Captur-
ing the security effects of network segmentation via a continuous-time
markov chain model,” in Proceedings of the 50th Annual Simulation
Symposium, ser. ANSS ’17. San Diego, CA, USA: Society for
Computer Simulation International, 2017, pp. 1–12.
[57] L. Wang, S. Noel, and S. Jajodia, “Minimum-cost network hardening
using attack graphs,” Comput. Commun., vol. 29, pp. 3812–3824, 2006.
 19

A PPENDIX A (∀ r, r0 | r ∈ S ∧ r0 ∈ (R −
P ROOFS OF L EMMAS . 0
S) · wP (gcd(p(r), p(r ))) ≤ wP (gcd( r | r ∈
Proof of Lemma 1. S · p(r) )) )
¬(p(r) 6= 0F ∧ (∀ a, b | (a, b) ∈ E · p(b) @F p(a) )) ⇐⇒ h S is a set consisting of resources having
⇐⇒ h De Morgan Law i co-prime policies, gcd of co-prime poli-
cies = 1F i
( p(r) = 0F ) ∨ (∃ a, b | (a, b) ∈ E · p(b) 6@F p(a) )
(∀ r, r0 | r ∈ S ∧ r0 ∈ (R −
=⇒ h Strengthening i 0
S) · wP (gcd(p(r), p(r ))) ≤ wP (1F ) )
(∃ a, b | (a, b) ∈ E · p(b) 6@F p(a) ) ⇐= h From hypothesis p(r0 ) = 1F i
⇐= h (v, l) ∈ E i (∀ r, r | r ∈ S ∧r0 ∈ (R −S) · wP (gcd(p(r), 1F )) ≤
0
p(l) 6@F p(v)
wP (1F ) )
⇐⇒ h p(v) = gcd(p(v), p(l)) i
⇐⇒ h Because (∀ a | · gcd(a, 1F ) = 1F ) i
p(l) 6@F gcd(p(v), p(l))
⇐⇒ h From the hypothesis p(l) = 1F i (∀ r, r0 | r ∈ S ∧ r0 ∈ (R − S) · wP (1F ) ≤ wP (1F ) )
1F 6@F gcd(p(v), 1F ) ⇐= h reflexivity of ≤ i
⇐⇒ h Because gcd(p(v), 1F ) = 1F , v is parent true
of l i
1F 6@F 1F
⇐= h From the definition of @F i Proof of Lemma 4 (b).
true S is a segment
⇐⇒ h Definition 3 i
(∀ r, r0 | r ∈ S ∧ r0 ∈ (R − S) ·
Proof of Lemma 2. wP (gcd(p(r), p(r0 ))) ≤ wP (gcd( r | r ∈ S · p(r) )) )
¬(p(r) 6= 0F ∧ (∀ a, b | (a, b) ∈ E · p(b) @F p(a) )) ⇐= h From hypothesis: (∀ r, r0 | r ∈ S ∧ r0 ∈
⇐⇒ h De Morgan Law i (R − S) · gcd(p(r), p(r0 )) = 1F ) i
( p(r) = 0F ) ∨ (∃ a, b | (a, b) ∈ E · p(b) 6@F p(a) ) (∀ r, r0 | r ∈ S ∧ r0 ∈ (R − S) · wP (1F ) ≤
=⇒ h Strengthening i
wP (gcd( r | r ∈ S · p(r) )) )
(∃ a, b | (a, b) ∈ E · p(b) 6@F p(a) )
⇐= h r ∈ S and p(r) = 1F , which makes
⇐= h (r, s) ∈ E i
gcd( r | r ∈ S · p(r) ) = 1F i
p(s) 6@F p(r)
⇐⇒ h p(s) = gcd(p(s), gcd(p(l1 ), p(l2 ))) and (∀ r, r0 | r ∈ S ∧ r0 ∈ (R − S) · wP (1F ) ≤ wP (1F ) )
p(r) = gcd(p(r), p(s)) and from the hy- ⇐= h reflexivity of ≤ i
pothesis gcd(l1 , l2 ) = 1F i true
1F 6@F 1F
⇐= h From the definition of @F i
true A PPENDIX B
E XP -RNS A LGORITHM F UNCTIONS
In this section we present detailed algorithms for the
Proof of Lemma 3.
five main tasks listed in the Exp-RNS algorithm (see Sec-
¬(p(r) 6= 0F ∧ (∀ a, b | (a, b) ∈ E · p(b) @F p(a) )) tion VI-A).
⇐⇒ h De Morgan Law i
p(r) = 0F ∨ (∃ a, b | (a, b) ∈ E · p(b) 6@F p(a) ) A. C OMPUTE -GCD Function
=⇒ h Strengthening i Here we explain the C OMPUTE -GCD function in detail. The
(∃ a, b | (a, b) ∈ E · p(b) 6@F p(a) ) function first computes the power set of the set of resources R,
⇐= h (u, v) ∈ E i P(R). It then computes the GCD for each set in P(R). While
p(v) 6@F p(u) computing the GCDs, the function maintains a set GCD,
⇐⇒ h From hypothesis p(u) = (gcd vi | consisting of objects called the gcd objects. Each gcd object
(v, vi ) ∈ E · p(vi ) ) = p(v) i has the following attributes: p, set, weight, and size. Attribute
p(v) 6@F p(v) set represents the set of resources, which is a set in P(R).
⇐= h From the definition of @F i Attribute p represents the GCD of the policies of the resources
true in set. Attribute weight is the weight of the policy p, and
attribute size represents the cardinality of set. To minimize
the number of gcd objects stored in GCD, each object in
Proof of Lemma 4 (a). GCD has a unique policy p. To achieve this, if the GCD
S is a segment of two sets in P(R) is the same, then we store the gcd
⇐⇒ h Definition 3 i object corresponding to the larger set. Further for any two
 20

sets s1 , s2 ∈ P(R), if the GCD of policies of s1 refines the B. B UILD -N ETWORK -G RAPH Function
GCD of policies of s2 , and if both these policies have the
In this section, we present algorithms for the B UILD -
same weight, then we only store the gcd object corresponding
N ETWORK -G RAPH function and the A DD -N ODESET- TO -G
to s2 .
procedure.
procedure C OMPUTE -GCD(R)
procedure B UILD -N ETWORK -G RAPH(F, R)
P(R) ← power set of R minus all singleton sets and
G←∅ . G = (E; V ; r)
empty set.
r ← gcd object that has all resources R in its set
GCD ← ∅ . initialize GCD set.
attribute
for each s ∈ P(R) do
r.π ← ∅; r.resource ← f alse
Create gcd s object
V ← V ∪ {r}
gcd s.p ← Calculate the GCD of the policies of
F ← F − minus gcd objects with the same weight as
resources in s
the root r
gcd s.weight ← weight of gcd s.p
while F 6= ∅ do
f lag ← f alse
wmax ← maximum weight of any s ∈ F .
for each gcd ∈ GCD do
T ←∅
if gcd.p = gcd s.p then
for each s ∈ F do
f lag ← true
if s.weight = wmax then
if gcd.size < |s| then
T ← T ∪ s; F ← F − s
gcd.size ← |s|
end if
gcd.set ← s
end for
end if
A DD -N ODESET- TO -G(G, F, T, wmax )
else if gcd.p @ gcd s.p ∧ gcd.weight =
end while
gcd s.weight then
return G
GCD = GCD − {gcd}
end procedure
else if gcd s.p @ gcd.p ∧ gcd.weight =
gcd s.weight then 1) Adding gcd Nodes in T to the Network Graph: The gcd
f lag ← true nodes are added to the network graph based on the weight
end if attribute of the gcd object. We add nodes to G in batches (set
end for T ) starting with maximum weight to minimum weight. The
if f lag = f alse then A DD -N ODESET- TO -G procedure adds the set of nodes in T
gcd s.set ← s in non-increasing order by their size attribute; that is, nodes
gcd s.size ← |s| in T having the largest size is processed first, followed by
gcd s.weight ← weight of gcd s.p a node with next (or same) largest size is processed to add
GCD ← GCD ∪ {gcd s} it to G. During the execution of the procedure, at all times
end if we maintain the resT set that contains the set of resources
end for for which gcd nodes have not been added. Initially, resT
return GCD contains all resources contained in all the gcd nodes in T .
end procedure Then the procedure loops through each node s in T and if s.set
still contains resources unaccounted for in G, it is evaluated.
Table I gives all the gcd objects in the GCD set, and the set During this evaluation, every child c of the root r that refines
of resources in set for the illustrative example after procedure s is added to cset. Then v s is added to G by attaching
C OMPUTE -GCD is executed. In Appendix-D, we present the it to r. If cset is not empty, then all nodes in it are attached
computation of policy for gcd 3 (we refer the reader to [29, to v s as its children, and their connection to r is removed.
Section 2.2] for details on the computation of policies for all Finally, the resources in s.set are removed from resT (if they
the gcd objects given in Table I). exist).
procedure A DD -N ODESET- TO -G(G, F, T, wmax ) .
gcd objects Set of Resources G = (V ; E; r)
in GCD resT ← ∅
set
gcd 1 {W eb server, Email server, F ile server,
for each s ∈ T do
F in.DB, F in.1, F in.2, Eng.1, Eng.2} resT ← resT ∪ s.set
gcd 2 {F ile server, F in.DB, F in.1, F in.2, Eng.1, end for
Eng.2}
gcd 3 {Eng.1, Eng.2, F in.DB, F in.1, F in.2}
T ← T nodes ordered in non-increasing order by their
gcd 4 {Eng.1, Eng.2} size attribute.
gcd 5 {F in.DB, F in.1, F in.2} for each s ∈ T ∧ (s.set ∩ resT 6= ∅) do
TABLE I: gcd objects in GCD set, and their corresponding cset ← ∅
set of resources. for each child c of r do
if c.p @ s.p then
cset ← cset ∪ {c}
 21

end if D. O PTIMIZE -N ETWORK -G RAPH procedure

end for In this section, we present an algorithm for the O PTIMIZE -
V ← V ∪ {s} N ETWORK -G RAPH procedure.
E ← E ∪ {(r, s)} procedure O PTIMIZE -N ETWORK -G RAPH(G)
s.π ← {r} . G = (V ; E; r)
if cset 6= ∅ then S ← ∅; T ← ∅ . S, T are stack
for each c ∈ cset do P ush(S, r)
E ← E − {(r, c)} ∪ {(s, c)} while S 6= ∅ do
c.π ← c.π − {r} ∪ {s} u ← P op(S)
end for P ush(T, u)
end if for each c child of u do
resT ← resT − s.set P ush(S, c)
end for end for
end procedure end while
Figure 14 shows the network graph for the illustrative ex- while T 6= ∅ do
ample produced by the B UILD -N ETWORK -G RAPH procedure. u ← P op(T )
Observe that in the graph each path represents a refinement child count ← 0
chain (e.g., gcd4 @F gcd3 @F gcd2 @F gcd1). f f lag ← f alse
for each c child of u do
child count ← child count + 1
gcd 1 if c.is resource = f alse then
f f lag ← true
end if
gcd 2
end for
if child count = 0 ∧ u.is resource = f alse
then
V ← V − {u}
gcd 3
for each x ∈ u.π do
E ← E − {(x, u)}
end for
gcd 4 gcd 5
else if (child count = 1 ∧ f f lag = true) then
V ← V − {u}
c.π ← c.π − {u}
Fig. 14: The network graph of the illustrative example after c.π ← c.π ∪ {u.π}
B UILD -N ETWORK -G RAPH procedure E ← E − {(u, c)}
for each x ∈ u.π do
E ← E − {(x, u)}
E ← E ∪ {(x, c)}
C. A DD -R ESOURCES - TO -N ET procedure end for
end if
In this section, we present an algorithm for the A DD -
end while
R ESOURCES - TO -N ET procedure.
end procedure
procedure A DD -R ESOURCES - TO -N ET(G, GCD, R)
The robust network graph with resources attached for the
GCDmax ← ordered list of gcd ∈ GCD in descend-
illustrative example is shown in Figure 15.
ing order by weights.
R0 = R
for each gcd ∈ GCDmax do E. A DD -1F- RESOURCES procedure
for each s ∈ gcd.set do In this section, we present an algorithm for the A DD -1F-
if s ∈ R0 then RESOURCES procedure.
s.is resource ← true procedure A DD -1F- RESOURCES(G, S)
s.π ← s.π ∪ {gcd} if S = ∅ then return error
V ← V ∪ {s} end if
E ← E ∪ {(gcd, s)} if r.p = 1F then
R0 ← R0 − {s} r.set ← r.set ∪ S; r.size ← r.size + |S|
end if for each s ∈ S do
end for s.is resource ← true
end for s.π ← {r}
end procedure V ← V ∪ {s}
 22

s, in which case, we delete that node from G, and attach its

gcd 1 children to s.
procedure A DD - NODE - TO -G(G, s, cset, exist)
if G 6= N U LL then
gcd 2 Web Email V ← V ∪ s; E = E ∪ {(r, s)}
s.π ← s.π ∪ {r}
else
File gcd 3
if s.set = R then
V ← V ∪ s; r ← s
end if
end if
gcd 4 gcd 5
if s.set 6= empty ∧ s 6= r ∧!exist then . Add gcd
node with only resources not yet added to G as children
for each res ∈ s.set do
Eng 1 Eng 2 Fin 1 Fin 2 Fin DB
res = C REATE - NODE(res, ∅, f alse)
V ← V ∪ res
Fig. 15: The network graph of the illustrative example after E ← E ∪ {(s, res)}
adding resources res.π ← res.π ∪ {s}
end for
else if cset 6= empty ∧ s 6= r ∧ exist then . Adding
E ← E ∪ {(r, s)} gcd node with children already added to G and possibly
end for having gcd nodes as children.
else for each res ∈ cset do
Create node r0 . Create new root r0 of G if res.isresource = f alse ∧ s.weight =
0 0
r .set ← r.set ∪ S; r .size ← r.size + |S| res.weight then
r0 .p ← 1F ; r0 .weight ← weight of 1F policy V ← V − {res}
r0 .π ← ∅ E ← E − {(r, res)}
V ← V ∪ {r0 } . Add new root r0 to G for each child c of res do
r.π ← {r } 0
. Attach r to r0 E ← E − {(res, c)} ∪ {(s, c)}
0
E ← E ∪ {(r , r)} res.π ← res.π − {res} ∪ {s}
for each s ∈ S do end for
s.is resource ← true else
s.π ← {r0 } E ← E − {(r, res)} ∪ {(s, res)}
V ← V ∪ {s} res.π ← res.π − {r} ∪ {s}
E ← E ∪ {(r0 , s)} end if
end for end for
end if end if
end procedure end procedure

The auxiliary C REATE - NODE function creates nodes so that

A PPENDIX C
AUXILIARY F UNCTIONS FOR RNS A LGORITHM
In this section we present the auxiliary procedure A DD -
NODE - TO -G and the function C REATE - NODE used by the
RNS algorithm presented in Section VI-B.
The auxiliary A DD - NODE - TO -G procedure encapsulates the
steps to add nodes (and any resources not already added to G
in its set attribute) to G. The A DD - NODE - TO -G procedure
always adds the node s to the root of r (if it exists). If s is a
gcd node and has children that are resource nodes not added
to G yet (indicated by exist = f alse), then s is added to G
and all the resources in its s.set are created as new nodes and
added to G as children of s. If s is a gcd node object, which is
created to be a gcd node for existing nodes in G (indicated by
exist = true), then s is added to G and all nodes in cset are
added as its children (this includes removing their connection
with r, and attaching them to s). In this case, it is possible
for cset to contain a node having the same weight as that of
they can be added to the graph G. While building G, two types
of nodes, namely the resource nodes, and the GCD (firewall)
nodes are created, and their attributes set according to the code
given in the C REATE - NODE function. Since we mark nodes as
temporary (nodes that are added to F and evaluated later) we
introduce a new attribute –temp– which is added to all nodes.
For permanent nodes temp is set to false, and for temporary
nodes temp is set to true.
function C REATE - NODE(s)
Create node v . Create node and initialize attribute
values
if |s| = 1 ∧ s 6= R then . Adding a resource
v.p ← policy of resource s
v.weight ← weight of v.p
v.set ← ∅; v.size ← 0
v.isresource ← true; v.temp ← f alse
else
v.p ← GCD of all resource policies in s
 23

a0 = ACCEPT a0 = ACCEPT
a0 = ACCEPT a0 = ACCEPT
v.weight ← weight of v.p

a0 = DROP
a0 = DROP
a0 = DROP
a0 = DROP
p 6= TCP
v.isresource ← f alse; v.temp ← f alse

/ {192.168.1.0/24,
for each node ∈ s do

192.168.4.0/24}
192.168.2.0/24,
192.168.3.0/24,
if !node.isresource then

a0 = DROP
a0 = DROP
a = DROP
a = DROP
p = TCP
v.set ← v.set ∪ node.set

TABLE II: Finance workstations and database policy represented as a tabular expression.
v.size ← v.size + node.size

s∈

0
0
else

a0 = ACCEPT
a0 = ACCEPT

a = REJECT
a = REJECT
a0 = DROP
a0 = DROP
p 6= TCP
v.set ← v.set ∪ node

s = 192.168.4.0/24
v.size ← v.size + 1

0
0
end if

a0 = ACCEPT
a0 = ACCEPT

a = REJECT
a = REJECT
a0 = DROP
a0 = DROP
p = TCP
end for
end if

0
0
return v

a0 = ACCEPT
a0 = ACCEPT

a = REJECT
a = REJECT
a0 = DROP
a0 = DROP
end function

p 6= TCP
s = 192.168.3.0/24
A PPENDIX D

0
0
TABULAR EXPRESSIONS AND GCD COMPUTATION

a0 = ACCEPT
a0 = ACCEPT

a = REJECT
a = REJECT
a0 = DROP
a0 = DROP
p = TCP
Tabular expressions are mathematical expressions in tabular
form. They were formalized by Parnas [26]. As defined

0
0
in [24], a tabular expression table is an organized sets of cells,

a0 = ACCEPT
a0 = ACCEPT

a = REJECT
a = REJECT
a0 = DROP
a0 = DROP
p 6= TCP
where each cell contains a mathematical expression [24]. This

s = 192.168.2.0/24
table contains a collection of headers and a grid indexed by

0
0
these headers. A tabular expression representing a policy has

a0 = ACCEPT
a0 = ACCEPT

a = REJECT
a = REJECT
a0 = DROP
a0 = DROP
p = TCP
two headers, H1 which specifies the source IP numbers and
protocols and H2 which specifies the states and destination

0
0
ports, and an internal grid G which specifies actions. Each

a0 = ACCEPT
a0 = ACCEPT

a = ACCEPT
a = ACCEPT
a0 = DROP
a0 = DROP
grid cell represents a rule of the policy and specifies the

p 6= TCP
s = 192.168.1.0/24
ACTION state attribute value for its end state. For an example

0
0
see Table II, which is the tabular expression representation

a0 = ACCEPT
a0 = ACCEPT

a = ACCEPT
a = ACCEPT
of the Finance workstations and database policy (defined in

a0 = DROP
a0 = DROP
Section II). p = TCP
We now outline the algorithm to compute the GCD of
0
0
two policies represented as tabular expressions. For simplicity,
dport ∈ {80, 25}
/ {80, 25}
dport ∈ {80, 25}
/ {80, 25}
dport ∈ {80, 25}
/ {80, 25}
we demonstrate it using an example. Consider the tabular
dport ∈

dport ∈

dport ∈
expression representations of the Finance workstations and
database policy Table II, and the Engineering workstations
policy Table III as the input to the gcd function. The algorithm
ESTABLISHED}
st ∈ {RELATED,

st = INVALID

first modifies these input tables to have matching headers.

st = NEW

While creating the matching headers it is possible to have

empty cells in the grids of the modified tables. These cells
are filled with a value – f alse which indicates that no rule
exists corresponding to such cells in the policy. Since our input
Tables II and III already have matching headers, we ignore
this step. The algorithm then creates the GCD table layout
by having the same headers as the matching headers of the
(modified) input tables. After which, the value of each grid
cell of the GCD table is computed starting with the first cell
as follows:
1) If either of the corresponding input table cells have a
value f alse, then its value is f alse.
2) Otherwise it is the union of their values. For example, if
the corresponding input table cells have different values
as seen in the grid cell [1, 5] of Table II with value a0 =
ACCEPT, and Table III with value a0 = REJECT, then its
value is the union of their values; that is, a0 = ACCEPT∨
a0 = REJECT.
The GCD of the Finance workstations and database policy and
the Engineering workstations policy is given in Table IV.
 s = 192.168.1.0/24 s = 192.168.2.0/24 s = 192.168.3.0/24 s = 192.168.4.0/24 s∈ / {192.168.1.0/24,
192.168.2.0/24,
192.168.3.0/24,
192.168.4.0/24}
p = TCP p 6= TCP p = TCP p 6= TCP p = TCP p 6= TCP p = TCP p 6= TCP p = TCP p 6= TCP
st ∈ {RELATED, dport ∈ {80, 25} a0 = ACCEPT a0 = ACCEPT a0 = ACCEPT a0 = ACCEPT a0 = ACCEPT a0 = ACCEPT a0 = ACCEPT a0 = ACCEPT a0 = ACCEPT a0 = ACCEPT
0 0 0 0 0 0 0 0 0 0
ESTABLISHED} dport ∈
/ {80, 25} a = ACCEPT a = ACCEPT a = ACCEPT a = ACCEPT a = ACCEPT a = ACCEPT a = ACCEPT a = ACCEPT a = ACCEPT a = ACCEPT
dport ∈ {80, 25} a0 = DROP a0 = DROP a0 = DROP a0 = DROP a0 = DROP a0 = DROP a0 = DROP a0 = DROP a0 = DROP a0 = DROP
st = INVALID
dport ∈
/ {80, 25} a0 = DROP a0 = DROP a0 = DROP a0 = DROP a0 = DROP a0 = DROP a0 = DROP a0 = DROP a0 = DROP a0 = DROP
dport ∈ {80, 25} a0 = REJECT a0 = REJECT a0 = ACCEPT a0 = ACCEPT a0 = REJECT a0 = REJECT a0 = REJECT a0 = REJECT a0 = DROP a0 = DROP
st = NEW 0 0 0 0 0 0 0 0 0
dport ∈
/ {80, 25} a = REJECT a = REJECT a = ACCEPT a = ACCEPT a = REJECT a = REJECT a = REJECT a = REJECT a = DROP a0 = DROP

TABLE III: Engineering workstations policy represented as a tabular expression.

s = 192.168.1.0/24 s = 192.168.2.0/24 s = 192.168.3.0/24 s = 192.168.4.0/24 s∈ / {192.168.1.0/24,

192.168.2.0/24,
192.168.3.0/24,
192.168.4.0/24}
p = TCP p 6= TCP p = TCP p 6= TCP p = TCP p 6= TCP p = TCP p 6= TCP p = TCP p 6= TCP
st ∈ {RELATED, dport ∈ {80, 25} a0 = ACCEPT a0 = ACCEPT a0 = ACCEPT a0 = ACCEPT a0 = ACCEPT a0 = ACCEPT a0 = ACCEPT a0 = ACCEPT a0 = ACCEPT a0 = ACCEPT
ESTABLISHED} dport ∈
/ {80, 25} a0 = ACCEPT a0 = ACCEPT a0 = ACCEPT a0 = ACCEPT a0 = ACCEPT a0 = ACCEPT a0 = ACCEPT a0 = ACCEPT a0 = ACCEPT a0 = ACCEPT
0
dport ∈ {80, 25} a0 = DROP a0 = DROP a0 = DROP a0 = DROP a0 = DROP a0 = DROP a0 = DROP a0 = DROP a = DROP a0 = DROP
st = INVALID
dport ∈
/ {80, 25} a0 = DROP a0 = DROP a0 = DROP a0 = DROP a0 = DROP a0 = DROP a0 = DROP a0 = DROP a0 = DROP a0 = DROP
0
dport ∈ {80, 25} a0 = ACCEPT ∨ a0 = ACCEPT ∨ a0 = ACCEPT ∨ a0 = ACCEPT ∨ a0 = REJECT a0 = REJECT a0 = REJECT a0 = REJECT a = DROP a0 = DROP
st = NEW
a0 = REJECT a0 = REJECT a0 = REJECT a0 = REJECT
dport ∈
/ {80, 25} a0 = ACCEPT ∨ a0 = ACCEPT ∨ a0 = ACCEPT ∨ a0 = ACCEPT ∨ a0 = REJECT a0 = REJECT a0 = REJECT a0 = REJECT a0 = DROP a0 = DROP
a0 = REJECT a0 = REJECT a0 = REJECT a0 = REJECT

TABLE IV: Tabular expression representation of the GCD of Finance Workstations and Database policy, and Engineering Workstations
policy.
24
 25

A PPENDIX E
R ELATIVE ATOMICITY

1 −A INPUT −m s t a t e −− s t a t e RELATED, ESTABLISHED − j ACCEPT

2 −A INPUT −m s t a t e −− s t a t e INVALID − j DROP
3 −A INPUT −s 1 9 2 . 1 6 8 . 1 . 0 / 2 4 −−s p o r t 0 : 6 5 5 3 5 −d 0 . 0 . 0 . 0 / 0 −−
d p o r t 0 : 6 5 5 3 5 −p a l l − j REJECT
4 −A INPUT −s 1 9 2 . 1 6 8 . 2 . 0 / 2 4 −−s p o r t 0 : 6 5 5 3 5 −d 0 . 0 . 0 . 0 / 0 −−
d p o r t 0 : 6 5 5 3 5 −p a l l − j ACCEPT
5 −A INPUT −s 1 9 2 . 1 6 8 . 3 . 0 / 2 4 −−s p o r t 0 : 6 5 5 3 5 −d 0 . 0 . 0 . 0 / 0 −−
d p o r t 0 : 6 5 5 3 5 −p a l l − j REJECT
6 −A INPUT −s 1 9 2 . 1 6 8 . 4 . 0 / 2 4 −−s p o r t 0 : 6 5 5 3 5 −d 0 . 0 . 0 . 0 / 0 −−
d p o r t 0 : 6 5 5 3 5 −p a l l − j REJECT
7 −A INPUT −s 0 . 0 . 0 . 0 / 1 −−s p o r t 0 : 6 5 5 3 5 −d 0 . 0 . 0 . 0 / 0 −−d p o r t
0 : 7 9 −p udp − j DROP
8 −A INPUT −s 0 . 0 . 0 . 0 / 1 −−s p o r t 0 : 6 5 5 3 5 −d 0 . 0 . 0 . 0 / 0 −−d p o r t
0 : 7 9 −p icmp − j DROP
9 −A INPUT −s 0 . 0 . 0 . 0 / 1 −−s p o r t 0 : 6 5 5 3 5 −d 0 . 0 . 0 . 0 / 0 −−d p o r t
8 0 : 8 0 −p t c p − j DROP
10 −A INPUT −s 0 . 0 . 0 . 0 / 1 −−s p o r t 0 : 6 5 5 3 5 −d 0 . 0 . 0 . 0 / 0 −−d p o r t
8 1 : 6 5 5 3 5 −p t c p − j DROP
11 −A INPUT −s 0 . 0 . 0 . 0 / 1 −−s p o r t 0 : 6 5 5 3 5 −d 0 . 0 . 0 . 0 / 0 −−d p o r t
8 0 : 8 0 −p udp − j DROP
12 −A INPUT −s 0 . 0 . 0 . 0 / 1 −−s p o r t 0 : 6 5 5 3 5 −d 0 . 0 . 0 . 0 / 0 −−d p o r t
8 1 : 6 5 5 3 5 −p udp − j DROP
13 −A INPUT −s 0 . 0 . 0 . 0 / 1 −−s p o r t 0 : 6 5 5 3 5 −d 0 . 0 . 0 . 0 / 0 −−d p o r t
8 0 : 8 0 −p icmp − j DROP
14 −A INPUT −s 0 . 0 . 0 . 0 / 1 −−s p o r t 0 : 6 5 5 3 5 −d 0 . 0 . 0 . 0 / 0 −−d p o r t
8 1 : 6 5 5 3 5 −p icmp − j DROP
15 −A INPUT −s 1 2 8 . 0 . 0 . 0 / 2 −−s p o r t 0 : 6 5 5 3 5 −d 0 . 0 . 0 . 0 / 0 −−d p o r t
0 : 7 9 −p udp − j DROP
16 −A INPUT −s 1 2 8 . 0 . 0 . 0 / 2 −−s p o r t 0 : 6 5 5 3 5 −d 0 . 0 . 0 . 0 / 0 −−d p o r t
0 : 7 9 −p icmp − j DROP
17 −A INPUT −s 1 2 8 . 0 . 0 . 0 / 2 −−s p o r t 0 : 6 5 5 3 5 −d 0 . 0 . 0 . 0 / 0 −−d p o r t
8 0 : 8 0 −p t c p − j DROP
18 −A INPUT −s 1 2 8 . 0 . 0 . 0 / 2 −−s p o r t 0 : 6 5 5 3 5 −d 0 . 0 . 0 . 0 / 0 −−d p o r t
8 1 : 6 5 5 3 5 −p t c p − j DROP
19 −A INPUT −s 1 2 8 . 0 . 0 . 0 / 2 −−s p o r t 0 : 6 5 5 3 5 −d 0 . 0 . 0 . 0 / 0 −−d p o r t
8 0 : 8 0 −p udp − j DROP
20 −A INPUT −s 1 2 8 . 0 . 0 . 0 / 2 −−s p o r t 0 : 6 5 5 3 5 −d 0 . 0 . 0 . 0 / 0 −−d p o r t
8 1 : 6 5 5 3 5 −p udp − j DROP
21 −A INPUT −s 1 2 8 . 0 . 0 . 0 / 2 −−s p o r t 0 : 6 5 5 3 5 −d 0 . 0 . 0 . 0 / 0 −−d p o r t
8 0 : 8 0 −p icmp − j DROP
22 −A INPUT −s 1 2 8 . 0 . 0 . 0 / 2 −−s p o r t 0 : 6 5 5 3 5 −d 0 . 0 . 0 . 0 / 0 −−d p o r t
8 1 : 6 5 5 3 5 −p icmp − j DROP
23 −A INPUT −s 1 9 2 . 0 . 0 . 0 / 9 −−s p o r t 0 : 6 5 5 3 5 −d 0 . 0 . 0 . 0 / 0 −−d p o r t
0 : 7 9 −p udp − j DROP
24 −A INPUT −s 1 9 2 . 0 . 0 . 0 / 9 −−s p o r t 0 : 6 5 5 3 5 −d 0 . 0 . 0 . 0 / 0 −−d p o r t
0 : 7 9 −p icmp − j DROP
25 −A INPUT −s 1 9 2 . 0 . 0 . 0 / 9 −−s p o r t 0 : 6 5 5 3 5 −d 0 . 0 . 0 . 0 / 0 −−d p o r t
8 0 : 8 0 −p t c p − j DROP
26 −A INPUT −s 1 9 2 . 0 . 0 . 0 / 9 −−s p o r t 0 : 6 5 5 3 5 −d 0 . 0 . 0 . 0 / 0 −−d p o r t
8 1 : 6 5 5 3 5 −p t c p − j DROP
27 −A INPUT −s 1 9 2 . 0 . 0 . 0 / 9 −−s p o r t 0 : 6 5 5 3 5 −d 0 . 0 . 0 . 0 / 0 −−d p o r t
8 0 : 8 0 −p udp − j DROP
28 −A INPUT −s 1 9 2 . 0 . 0 . 0 / 9 −−s p o r t 0 : 6 5 5 3 5 −d 0 . 0 . 0 . 0 / 0 −−d p o r t
8 1 : 6 5 5 3 5 −p udp − j DROP
29 −A INPUT −s 1 9 2 . 0 . 0 . 0 / 9 −−s p o r t 0 : 6 5 5 3 5 −d 0 . 0 . 0 . 0 / 0 −−d p o r t
8 0 : 8 0 −p icmp − j DROP
30 −A INPUT −s 1 9 2 . 0 . 0 . 0 / 9 −−s p o r t 0 : 6 5 5 3 5 −d 0 . 0 . 0 . 0 / 0 −−d p o r t
8 1 : 6 5 5 3 5 −p icmp − j DROP
31 −A INPUT −s 1 9 2 . 1 2 8 . 0 . 0 / 1 1 −−s p o r t 0 : 6 5 5 3 5 −d 0 . 0 . 0 . 0 / 0 −−
d p o r t 0 : 7 9 −p udp − j DROP
32 −A INPUT −s 1 9 2 . 1 2 8 . 0 . 0 / 1 1 −−s p o r t 0 : 6 5 5 3 5 −d 0 . 0 . 0 . 0 / 0 −−
d p o r t 0 : 7 9 −p icmp − j DROP
33 −A INPUT −s 1 9 2 . 1 2 8 . 0 . 0 / 1 1 −−s p o r t 0 : 6 5 5 3 5 −d 0 . 0 . 0 . 0 / 0 −−
d p o r t 8 0 : 8 0 −p t c p − j DROP
34 −A INPUT −s 1 9 2 . 1 2 8 . 0 . 0 / 1 1 −−s p o r t 0 : 6 5 5 3 5 −d 0 . 0 . 0 . 0 / 0 −−
d p o r t 8 1 : 6 5 5 3 5 −p t c p − j DROP
35 −A INPUT −s 1 9 2 . 1 2 8 . 0 . 0 / 1 1 −−s p o r t 0 : 6 5 5 3 5 −d 0 . 0 . 0 . 0 / 0 −−
d p o r t 8 0 : 8 0 −p udp − j DROP
36 −A INPUT −s 1 9 2 . 1 2 8 . 0 . 0 / 1 1 −−s p o r t 0 : 6 5 5 3 5 −d 0 . 0 . 0 . 0 / 0 −−
d p o r t 8 1 : 6 5 5 3 5 −p udp − j DROP
37 −A INPUT −s 1 9 2 . 1 2 8 . 0 . 0 / 1 1 −−s p o r t 0 : 6 5 5 3 5 −d 0 . 0 . 0 . 0 / 0 −−
d p o r t 8 0 : 8 0 −p icmp − j DROP
38 −A INPUT −s 1 9 2 . 1 2 8 . 0 . 0 / 1 1 −−s p o r t 0 : 6 5 5 3 5 −d 0 . 0 . 0 . 0 / 0 −−
d p o r t 8 1 : 6 5 5 3 5 −p icmp − j DROP
39 −A INPUT −s 1 9 2 . 1 6 0 . 0 . 0 / 1 3 −−s p o r t 0 : 6 5 5 3 5 −d 0 . 0 . 0 . 0 / 0 −−
d p o r t 0 : 7 9 −p udp − j DROP
40 −A INPUT −s 1 9 2 . 1 6 0 . 0 . 0 / 1 3 −−s p o r t 0 : 6 5 5 3 5 −d 0 . 0 . 0 . 0 / 0 −−
d p o r t 0 : 7 9 −p icmp − j DROP
41 −A INPUT −s 1 9 2 . 1 6 0 . 0 . 0 / 1 3 −−s p o r t 0 : 6 5 5 3 5 −d 0 . 0 . 0 . 0 / 0 −−
d p o r t 8 0 : 8 0 −p t c p − j DROP
42 −A INPUT −s 1 9 2 . 1 6 0 . 0 . 0 / 1 3 −−s p o r t 0 : 6 5 5 3 5 −d 0 . 0 . 0 . 0 / 0 −−
d p o r t 8 1 : 6 5 5 3 5 −p t c p − j DROP
43 −A INPUT −s 1 9 2 . 1 6 0 . 0 . 0 / 1 3 −−s p o r t 0 : 6 5 5 3 5 −d 0 . 0 . 0 . 0 / 0 −−
d p o r t 8 0 : 8 0 −p udp − j DROP
44 −A INPUT −s 1 9 2 . 1 6 0 . 0 . 0 / 1 3 −−s p o r t 0 : 6 5 5 3 5 −d 0 . 0 . 0 . 0 / 0 −−
d p o r t 8 1 : 6 5 5 3 5 −p udp − j DROP
45 −A INPUT −s 1 9 2 . 1 6 0 . 0 . 0 / 1 3 −−s p o r t 0 : 6 5 5 3 5 −d 0 . 0 . 0 . 0 / 0 −−
d p o r t 8 0 : 8 0 −p icmp − j DROP
46 −A INPUT −s 1 9 2 . 1 6 0 . 0 . 0 / 1 3 −−s p o r t 0 : 6 5 5 3 5 −d 0 . 0 . 0 . 0 / 0 −−
d p o r t 8 1 : 6 5 5 3 5 −p icmp − j DROP
47 −A INPUT −s 1 9 2 . 1 6 8 . 0 . 0 / 2 4 −−s p o r t 0 : 6 5 5 3 5 −d 0 . 0 . 0 . 0 / 0 −−
d p o r t 0 : 7 9 −p udp − j DROP
48 −A INPUT −s 1 9 2 . 1 6 8 . 0 . 0 / 2 4 −−s p o r t 0 : 6 5 5 3 5 −d 0 . 0 . 0 . 0 / 0 −−
d p o r t 0 : 7 9 −p icmp − j DROP
49 −A INPUT −s 1 9 2 . 1 6 8 . 0 . 0 / 2 4 −−s p o r t 0 : 6 5 5 3 5 −d 0 . 0 . 0 . 0 / 0 −−
d p o r t 8 0 : 8 0 −p t c p − j DROP
50 −A INPUT −s 1 9 2 . 1 6 8 . 0 . 0 / 2 4 −−s p o r t 0 : 6 5 5 3 5 −d 0 . 0 . 0 . 0 / 0 −−
d p o r t 8 1 : 6 5 5 3 5 −p t c p − j DROP
51 . . . .

Fig. 16: Snippet of Engineering workstations relative atomic

policy

View publication stats