Fang: A Firewall Analysis Engine
SP '00 Proceedings of the 2000 IEEE Symposium on Security and Privacy
Field studies of computer system administrators: analysis of system management tools and practices
CSCW '04 Proceedings of the 2004 ACM conference on Computer supported cooperative work
FACE: A Firewall Analysis and Configuration Engine
SAINT '05 Proceedings of the The 2005 Symposium on Applications and the Internet
Verification and change-impact analysis of access-control policies
Proceedings of the 27th international conference on Software engineering
FIREMAN: A Toolkit for FIREwall Modeling and ANalysis
SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
International Journal of Information Security
A tool for automated iptables firewall analysis
ATEC '05 Proceedings of the annual conference on USENIX Annual Technical Conference
An open source solution for testing NAT'd and nested iptables firewalls
LISA '05 Proceedings of the 19th conference on Large Installation System Administration Conference - Volume 19
Architecting the Lumeta firewall analyzer
SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
Why do internet services fail, and what can be done about it?
USITS'03 Proceedings of the 4th conference on USENIX Symposium on Internet Technologies and Systems - Volume 4
Firewall analysis with policy-based host classification
LISA '06 Proceedings of the 20th conference on Large Installation System Administration
IEEE Transactions on Parallel and Distributed Systems
Fast, cheap, and in control: a step towards pain free security!
LISA'08 Proceedings of the 22nd conference on Large installation system administration conference
IEEE Transactions on Parallel and Distributed Systems
Model Checking Firewall Policy Configurations
POLICY '09 Proceedings of the 2009 IEEE International Symposium on Policies for Distributed Systems and Networks
NetPiler: detection of ineffective router configurations
IEEE Journal on Selected Areas in Communications - Special issue on network infrastructure configuration
Kodkod: a relational model finder
TACAS'07 Proceedings of the 13th international conference on Tools and algorithms for the construction and analysis of systems
Quantifying and Querying Network Reachability
ICDCS '10 Proceedings of the 2010 IEEE 30th International Conference on Distributed Computing Systems
SPAN: a unified framework and toolkit for querying heterogeneous access policies
HotSec'09 Proceedings of the 4th USENIX conference on Hot topics in security
Symbolic analysis of network security policies using rewrite systems
Proceedings of the 13th international ACM SIGPLAN symposium on Principles and practices of declarative programming
Hot-ICE'12 Proceedings of the 2nd USENIX conference on Hot Topics in Management of Internet, Cloud, and Enterprise Networks and Services
Participatory networking: an API for application control of SDNs
Proceedings of the ACM SIGCOMM 2013 conference on SIGCOMM
Aluminum: principled scenario exploration through minimality
Proceedings of the 2013 International Conference on Software Engineering
A balance of power: expressive, analyzable controller programming
Proceedings of the second ACM SIGCOMM workshop on Hot topics in software defined networking
Topologically configurable systems as product families
Proceedings of the 17th International Software Product Line Conference
Model-based, event-driven programming paradigm for interactive web applications
Proceedings of the 2013 ACM international symposium on New ideas, new paradigms, and reflections on programming & software
| Hi-index | 0.00 |
Writing and maintaining firewall configurations can be challenging, even for experienced system administrators. Tools that uncover the consequences of configurations and edits to them can help sysadmins prevent subtle yet serious errors. Our tool, Margrave, offers powerful features for firewall analysis, including enumerating consequences of configuration edits, detecting overlaps and conflicts among rules, tracing firewall behavior to specific rules, and verification against security goals. Margrave differs from other firewall-analysis tools in supporting queries at multiple levels (rules, filters, firewalls, and networks of firewalls), comparing separate firewalls in a single query, supporting reflexive ACLs, and presenting exhaustive sets of concrete scenarios that embody queries. Margrave supports real-world firewall-configuration languages, decomposing them into multiple policies that capture different aspects of firewall functionality. We present evaluation on networking-forum posts and on an in-use enterprise firewall-configuration.