Firewall Design and Analysis

1.3.5 Firewall Redundancy Detection

Firewalls, especially those that have been updated many times, often contain redundant rules. A rule in a firewall is redundant if and only if removing the rule does not change the function of the firewall. A firewall with many redundant rules becomes difficult to manage, and a rule that is redundant when it was not expected to be may indicate an error. In addition, redundant rules significantly degrade the performance of firewalls, especially TCAM-based firewalls. The technical challenge is to detect all the redundant rules in a firewall; no previous solution existed for this problem. In [Liu and Gouda (2005)], we developed theorems for identifying all the redundant rules in a firewall and presented the first algorithm that detects all of them: once the rules it identifies are removed, no remaining rule can be removed without changing the function of the firewall.