Security Goals: Packet Trajectories and Strand Spaces
FOSAD '00 Revised versions of lectures given during the IFIP WG 1.7 International School on Foundations of Security Analysis and Design on Foundations of Security Analysis and Design: Tutorial Lectures
A Unified Methodology for Verification and Synthesis of Firewall Configurations
ICICS '01 Proceedings of the Third International Conference on Information and Communications Security
ICICS '02 Proceedings of the 4th International Conference on Information and Communications Security
Specification and Verification of Security Policies in Firewalls
EurAsia-ICT '02 Proceedings of the First EurAsian Conference on Information and Communication Technology
Specification-Based Testing of Firewalls
PSI '02 Revised Papers from the 4th International Andrei Ershov Memorial Conference on Perspectives of System Informatics: Akademgorodok, Novosibirsk, Russia
Automatic analysis of firewall and network intrusion detection system configurations
Proceedings of the 2004 ACM workshop on Formal methods in security engineering
Firmato: A novel firewall management toolkit
ACM Transactions on Computer Systems (TOCS)
Blowtorch: a framework for firewall test automation
Proceedings of the 20th IEEE/ACM international Conference on Automated software engineering
Computer Networks: The International Journal of Computer and Telecommunications Networking
A tool for automated iptables firewall analysis
ATEC '05 Proceedings of the annual conference on USENIX Annual Technical Conference
An open source solution for testing NAT'd and nested iptables firewalls
LISA '05 Proceedings of the 19th conference on Large Installation System Administration Conference - Volume 19
Architecting the Lumeta firewall analyzer
SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
Architecting the Lumeta firewall analyzer
SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
Formal correctness of conflict detection for firewalls
Proceedings of the 2007 ACM workshop on Formal methods in security engineering
Inferring higher level policies from firewall rules
LISA'07 Proceedings of the 21st conference on Large Installation System Administration Conference
Assisted firewall policy repair using examples and history
LISA'07 Proceedings of the 21st conference on Large Installation System Administration Conference
Automatic analysis of firewall and network intrusion detection system configurations
Journal of Computer Security - Formal Methods in Security Engineering Workshop (FMSE 04)
Detecting and resolving policy misconfigurations in access-control systems
Proceedings of the 13th ACM symposium on Access control models and technologies
TestCom '08 / FATES '08 Proceedings of the 20th IFIP TC 6/WG 6.1 international conference on Testing of Software and Communicating Systems: 8th International Workshop
Fast, cheap, and in control: a step towards pain free security!
LISA'08 Proceedings of the 22nd conference on Large installation system administration conference
A Calculus for Distributed Firewall Specification and Verification
Proceedings of the 2006 conference on New Trends in Software Methodologies, Tools and Techniques: Proceedings of the fifth SoMeT_06
Firewall policy verification and troubleshooting
Computer Networks: The International Journal of Computer and Telecommunications Networking
Configuration management and security
IEEE Journal on Selected Areas in Communications - Special issue on network infrastructure configuration
Automated pseudo-live testing of firewall configuration enforcement
IEEE Journal on Selected Areas in Communications - Special issue on network infrastructure configuration
Formal Specification and Analysis of Firewalls
Proceedings of the 2009 conference on New Trends in Software Methodologies, Tools and Techniques: Proceedings of the Eighth SoMeT_09
Using argumentation logic for firewall configuration management
IM'09 Proceedings of the 11th IFIP/IEEE international conference on Symposium on Integrated Network Management
EOrBAC based network security management toolkit
WOCN'09 Proceedings of the Sixth international conference on Wireless and Optical Communications Networks
Analysis of firewall policy rules using traffic mining techniques
International Journal of Internet Protocol Technology
Model checking firewall policy configurations
POLICY'09 Proceedings of the 10th IEEE international conference on Policies for distributed systems and networks
Network Security: Formal and Optimized Configuration
Proceedings of the 2010 conference on New Trends in Software Methodologies, Tools and Techniques: Proceedings of the 9th SoMeT_10
Synthetic security policy generation via network traffic clustering
Proceedings of the 3rd ACM workshop on Artificial intelligence and security
FAME: a firewall anomaly management environment
Proceedings of the 3rd ACM workshop on Assurable and usable security configuration
Two case studies in grammar-based test generation
Journal of Systems and Software
Comparison model and algorithm for distributed firewall policy
ICIC'06 Proceedings of the 2006 international conference on Intelligent computing: Part II
The margrave tool for firewall analysis
LISA'10 Proceedings of the 24th international conference on Large installation system administration
Automating security configuration and administration: an access control perspective
IWSEC'10 Proceedings of the 5th international conference on Advances in information and computer security
Baaz: a system for detecting access control misconfigurations
USENIX Security'10 Proceedings of the 19th USENIX conference on Security
Detecting and resolving policy misconfigurations in access-control systems
ACM Transactions on Information and System Security (TISSEC)
Automated information flow analysis of virtualized infrastructures
ESORICS'11 Proceedings of the 16th European conference on Research in computer security
Detection and resolution of anomalies in firewall policy rules
DBSEC'06 Proceedings of the 20th IFIP WG 11.3 working conference on Data and Applications Security
Discovering access-control misconfigurations: new approaches and evaluation methodologies
Proceedings of the second ACM conference on Data and Application Security and Privacy
Complete redundancy detection in firewalls
DBSec'05 Proceedings of the 19th annual IFIP WG 11.3 working conference on Data and Applications Security
OPODIS'04 Proceedings of the 8th international conference on Principles of Distributed Systems
TestCom'05 Proceedings of the 17th IFIP TC6/WG 6.1 international conference on Testing of Communicating Systems
Collaborations, mergers, acquisitions, and security policy conflict analysis
Proceedings of the Seventh Annual Workshop on Cyber Security and Information Intelligence Research
Header space analysis: static checking for networks
NSDI'12 Proceedings of the 9th USENIX conference on Networked Systems Design and Implementation
The Enhancement of Security in Healthcare Information Systems
Journal of Medical Systems
Change-impact analysis of firewall policies
ESORICS'07 Proceedings of the 12th European conference on Research in Computer Security
A model-driven approach for the extraction of network access-control policies
Proceedings of the Workshop on Model-Driven Security
Quantifying and verifying reachability for access controlled networks
IEEE/ACM Transactions on Networking (TON)
| Hi-index | 0.00 |
Today, even a moderately sized corporate intranet contains multiple firewalls and routers, which are all used to enforce various aspects of the global corporate security policy. Configuring these devices to work in unison is difficult, especially if different vendors make them. Even testing or reverse-engineering an existing configuration (say, when a new security administrator takes over) is hard. Firewall configuration files are written in low-level formalisms, whose readability is comparable to assembly code, and the global policy is spread over all the firewalls that are involved.To alleviate some of these difficulties, we designed and implemented a novel firewall analysis tool. Our software allows the administrator to easily discover and test the global firewall policy (either a deployed policy or a planned one). Our tool uses a minimal description of the network topology, and directly parses the various vendor-specific low-level configuration files. It interacts with the user through a query-and-answer session, which is conducted at a much higher level of abstraction. A typical question our tool can answer is 驴from which machines can our DMZ be reached, and with which services?驴 Thus, our tool complements existing vulnerability analysis tools, as it can be used before a policy is actually deployed, it operates on a more understandable level of abstraction, and it deals with all the firewalls at once.