Contributions of the Book Towards the goal of correct firewalls, this book focuses on the following two fundamental problems: how to design a new firewall such that the errors introduced in the design phase is reduced, and how to analyze an existing firewall such that we can detect errors that have been built in. For firewall design, we present two methods for designing stateless firewalls, namely the method of structured firewall design and the method of diverse firewall design, and a model for specifying stateful firewalls. For firewall analysis, we present two methods, namely firewall queries and firewall redundancy detection.