Firewall Decision Diagrams


Available for licensing


  • Mohamed Gouda, Ph.D., Computer Science
  • Xiang-Yang Liu, Ph.D., Computer Science

Background/unmet need

Computer network firewalls operate by a set of rules that act as a gatekeeper for data traffic. These rules are written in a table format by network administrators. The process of creating and maintaining the rules is highly susceptible to error, especially in complex network environments that have multiple firewalls and rules numbering in the hundreds or thousands. Network security breaches are often a result of errors in these rules. While there are many tools available today to assist with the design and maintenance of firewall rules, firewall errors still proliferate because these tools do not address the underlying cause of the errors and do not provide a comprehensive and efficient method for testing and administering firewalls.

Invention Description

This invention is a firewall design and administration toolkit that enables the creation of error-free firewall rule sets, provides comprehensive firewall testing, and significantly simplifies the process of creating, updating, and maintaining firewalls.

Underlying the toolkit is a unique data structure based on decision diagrams. The decision diagram user interface provides a superior visual framework for rule entry and updating because it enables the administrator to see how the rules interoperate. Based on this decision diagram, a table of error-free, compact rules can be generated for use with existing firewalls.

In addition, the reduction of a rule set to a decision diagram enables the processing by computer of a number of administration functions that are not possible with the expression of rules in a table, including simulation of firewall results and comparison of two different sets of rules against each other.

While the toolkit employs a new data structure, it is compatible with existing firewall products because it is capable of compiling a decision diagram from a table of rules and generating a table of rules from a decision diagram.


  • Automatic Generation of Firewall Rules. Process that automatically generates firewall rules that are error-free and compact even in the most complex environments. Data structure allows for simplified method of modifying rules as needs of enterprise change.
  • Query Engine. Process by which a network administrator can ask a "query" about the firewall in their network and get a correct answer. Resulting software tool will automatically generate a unique query engine for a particular firewall rule set. Query engine can then be used by the system administrator to accurately answer questions about the firewall's function.
  • Rule Set Comparison. Process that compares two separate sets of firewall rules and identifies how their results will differ. Resulting software tool will compare two separate sets of firewall rules that are designed for the same environment by separate teams to determine if they get different results.
  • Elimination of Redundant Rules. Software tool that eliminates redundant rules from a set of firewall rules.
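
The rule set comparison and redundant-rule elimination listed above can be illustrated on a first-match rule table. This is an added example, not the toolkit's code and not its decision-diagram algorithm: it substitutes a simpler boundary-partition check, and the two-field packet model, the field domains and both sample policies are constructed assumptions.

```python
from itertools import product

# Constructed policies: (source-host range, destination-port range, decision).
# The two integer fields and their domains are assumptions for illustration.
DOMAIN = [(0, 255), (0, 65535)]
TEAM_A = [((100, 150), (25, 25), "discard"),
          ((0, 255), (25, 25), "accept"),
          ((120, 130), (25, 25), "discard"),   # already covered by rule 0
          ((0, 255), (0, 65535), "discard")]
TEAM_B = [((100, 149), (25, 25), "discard"),
          ((0, 255), (25, 25), "accept"),
          ((0, 255), (0, 65535), "discard")]

def decide(rules, packet):
    """First-match evaluation; None means no rule matched."""
    for *fields, decision in rules:
        if all(lo <= v <= hi for v, (lo, hi) in zip(packet, fields)):
            return decision
    return None

def cells(*rule_sets):
    """Cut each field at every rule boundary; a rule matches all of a cell or none of it."""
    axes = []
    for i, (dlo, dhi) in enumerate(DOMAIN):
        cuts = {dlo, dhi + 1}
        for rule in (r for rs in rule_sets for r in rs):
            cuts.update((rule[i][0], rule[i][1] + 1))
        cuts = sorted(c for c in cuts if dlo <= c <= dhi + 1)
        axes.append(list(zip(cuts, (c - 1 for c in cuts[1:]))))
    return product(*axes)

def compare(a, b):
    """Regions of packet space where the two tables decide differently."""
    diffs = []
    for cell in cells(a, b):
        packet = tuple(lo for lo, _ in cell)  # one representative per cell
        if decide(a, packet) != decide(b, packet):
            diffs.append((cell, decide(a, packet), decide(b, packet)))
    return diffs

def remove_redundant(rules):
    """Drop rules one at a time while the table's behaviour stays identical."""
    kept, i = list(rules), 0
    while i < len(kept):
        trimmed = kept[:i] + kept[i + 1:]
        if compare(kept, trimmed):
            i += 1            # removing rule i changes some decision: keep it
        else:
            kept = trimmed    # no packet is affected: rule i was redundant
    return kept
```

Here `compare(TEAM_A, TEAM_B)` reports the single off-by-one region (host 150, port 25) where the two teams' tables disagree, and `remove_redundant(TEAM_A)` drops the shadowed third rule while keeping the default rule.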

Market potential/applications

Firewall administration and network administration markets.

Development Stage

Proof of concept

IP Status
