近年來資料被駭客竊取事件層出不窮，防火牆乃是網路安全中重要的環節之一，負責篩選不必要的網路連線來保護組織內部網路。防火牆過濾封包的機制是透過存取控制清單(Access Control List; ACL)內紀錄的規則做決定，當有兩條或是兩條以上的規則符合過濾條件，以優先權較大的規則做為執行動作，故對於存取控制清單內的規則、規則的順序與存取控制清單的部署都必須要小心謹慎。當防火牆過濾規則產生了非預期的行為，本文將會造成此現象的規則稱為異常規則(Anomaly Rule)。本論文的目標是在知道多防火牆間網路拓樸的狀況下，透過抽象防火牆模型，將網路拓樸中的各個防火牆轉化成對應的抽象防火牆(Abstract Firewall; AFW)，再將各個抽象防火牆經由循序路徑驗證及平行路徑驗證，去驗證多防火牆間的規則是否有異常規則存在，若存在異常規則，通知網路管理人員修改，修改完成後即為代表此網路拓樸的抽象防火牆。藉由此抽象防火牆作為中介，讓網管人員可以透過此抽象防火牆檢驗防火牆網路的正確性。

In recent years, data theft by hackers continuously occurrence. Firewall is an important part of network security, it is responsible for filtering unnecessary network connections to protect organization's internal network.Firewall mechanism for filtering packets is through the records rules in the ACL to make a decision.Firewall mechanism for filtering packets is through the records rules in the ACL to make a decision.therefore, the rules in the ACL and the rules order and the ACL deployment all must have to be careful. Unexpected behavior when the firewall filtering rules, in this article we call the rule as Anomaly Rule.The goal of this paper is in knowing the multi-firewalls under the condition of network topology, by the abstract firewall model, we transforms each firewall in network topology to the correspondence abstract firewall (AFW), then each AFW by way of sequential path validation and parallel path validation to verify rules between multi-firewalls whether there exists anomaly rules, if exists anomaly rules,notify the network administrators to modify, after the modification is completed, it's represent the AFW of this network topology. By this AFW as an intermediary, enabling the network administrators to go through this AFW to ckeck accuracy of firewalls network.

目錄
第一章 緒論	1
1.1	研究動機	1
1.2	研究目的	2
第二章 異常規則之討論及文獻探討	3
2.1.	防火牆運作方式	3
2.2.	防火牆規則間關係	5
2.3.	防火牆規則轉換	6
2.4.	防火牆規則正規表達式	8
2.5.	異常規則之分類	10
2.6.	二元決策圖	20
第三章 驗證模型	22
3.1.	驗證模型	22
3.2.	建立驗證區	23
3.3.	選定來源端及目的端	24
3.4.	列舉可能路徑	24
3.5.	路徑驗證	25
3.5.1. 驗證循序路徑	26
3.5.2. 驗證平行路徑	34
3.6.	錯誤回報及校正	34
3.7.	建立抽象防火牆列表	36
第四章 系統實作	38
4.1.	實作平台	38
4.2.	系統展示	38
第五章 結論與未來展望	43
參考文獻	44

圖目錄
圖 1：存取控制清單過濾封包之步驟	4
圖 2：表(X1˅X2)˄X3之決策圖(資料來源 Byrant, 1992)	21
圖 3：左圖表移除重複終端節點，中間圖表移除重複非終端節點，右圖表移除冗餘測試(資料來源 Byrant, 1992)	21
圖 4：驗證架構圖	23
圖 5：網路拓樸圖欲驗之證驗證區	24
圖 6：路徑簡化	26
圖 7：單防火牆一對一規則驗證演算法	28
圖 8：單防火牆一對多規則驗證演算法	29
圖 9：多防火牆一對一規則驗證演算法	31
圖 10：多防火牆一對多規則驗證演算法	33
圖 11：平行路徑驗證演算法	35
圖 12：來源端及目的端抽象存取清單表示圖	36
圖 13：抽象防火牆表示圖	37
圖 14：驗證區	39
圖 15：驗證結果	41
圖 16：防火牆驗證運作圖	42

表目錄
表 1：規則間關係說明圖	6
表 2：實作平台之軟硬體規格	38
表 3：防火牆存取控制清單	39

[1]	Al-Shaer E., and Hamed, H., “Discovery of Policy Anomalies in Distributed Firewalls,” Twenty-third AnnualJoint Conference of the IEEE Computer and Communications Societies, Vol. 4, pp. 2605 - 2616, 2004.
[2]	Al-Shaer, E., Hamed, H., Boutaba, R., and Hasan, M., "Conflict Classification and Analysis of Distributed Firewall Policies,"  IEEE Journal  on Selected Areas in Communications, Vol. 23, Issue. 10, pp. 2069-2084, 2005
[3]	Bartal, Y., Mayer, A. J., Nissim, K., and Wool, A., Firmato: A novel firewall management toolkit. In Proc. 20th IEEE Symposium on Security and Privacy, 1999.
[4]	Bryant, R. E., "Graph-Based Algorithms for Boolean Function Manipulation", IEEE Transactions on Computers, vol. c-35, no.8, 1986
[5]	Bryant, R., ‘Symbolic Boolean Manipulation with Ordered Binary-Decision Diagrams’. ACM Com-puting Surveys, 24(3):293–318, September 1992
[6]	Hazelhurst, S., “Algorithms  for Analyzing Firewall and Router Access Lists”, University of Witwatersrand, Johannesburg, South Africa, Tech. Rep. TR-Wits-CS-1999-5, Jul 1999.
[7]	Liu, A., "Firewall Policy Verification and Troubleshooting," Computer Networks, Vol. 53, Is. 16, pp. 2800-2809, 2009.
[8]	Rezvani, M., Aryan, R., "Analyzing and Resolving Anomalies in Firewall Security Policies based on Propositional logic,"  IEEE 13th International Multitopic Conference, pp.  1-7, 14-15 Dec. 2009
[9]	Yin, Y., Bhuvaneswaran, R. S., Katayama, Y., and Takahashi, N., "Implementation of Packet Filter Configurations Anomaly Detection System with SIERRA,"  International Conference on   Information, Communication and Signal Processing, LNCS3783, pp. 467–480, 2005.
[10]	Yoon, M., Chen, S., Zhang, Z., "Minimizing the Maximum Firewall Rule Set in a Network with Multiple Firewalls", IEEE Trasaction on Computers, pp.218-230,Feb. 2010
[11]	Yuan, L., Mai, J., Su, Z., Chen, H., Chuah, C., and Mohapatra, P., "FIREMAN: A Toolkit for FIREwall Modeling and Analysis", IEEE Symposium on Security and Privacy, 199–213, 2006