Midpoints Versus Endpoints: From Protocols to Firewalls
ACNS '07 Proceedings of the 5th international conference on Applied Cryptography and Network Security
Multiprimary Support for the Availability of Cluster-Based Stateful Firewalls Using FT-FW
ESORICS '08 Proceedings of the 13th European Symposium on Research in Computer Security: Computer Security
Model-Based Development of firewall rule sets: Diagnosing model inconsistencies
Information and Software Technology
Firewall policy verification and troubleshooting
Computer Networks: The International Journal of Computer and Telecommunications Networking
Configuration management and security
IEEE Journal on Selected Areas in Communications - Special issue on network infrastructure configuration
A formal logic approach to firewall packet filtering analysis and generation
Artificial Intelligence Review
Analyzing end-to-end network reachability
IM'09 Proceedings of the 11th IFIP/IEEE international conference on Symposium on Integrated Network Management
Network Security: Formal and Optimized Configuration
Proceedings of the 2010 conference on New Trends in Software Methodologies, Tools and Techniques: Proceedings of the 9th SoMeT_10
Proceedings of the 3rd ACM workshop on Assurable and usable security configuration
The margrave tool for firewall analysis
LISA'10 Proceedings of the 24th international conference on Large installation system administration
Using argumentation logic for firewall policy specification and analysis
DSOM'06 Proceedings of the 17th IFIP/IEEE international conference on Distributed Systems: operations and management
Packet flow analysis in IP networks using data-flow analysis
Proceedings of the 5th India Software Engineering Conference
Constructing mid-points for two-party asynchronous protocols
OPODIS'11 Proceedings of the 15th international conference on Principles of Distributed Systems
| Hi-index | 0.00 |
Practically every corporation that is connected to the Internet has at least one firewall, and often many more. However, the protection that these firewalls provide is only as good as the policy they are configured to implement. Therefore, testing, auditing, or reverse-engineering existing firewall configurations are important components of every corporation’s network security practice. Unfortunately, this is easier said than done. Firewall configuration files are written in notoriously hard to read languages, using vendor-specific GUIs. A tool that is sorely missing in the arsenal of firewall administrators and auditors is one that allows them to analyze the policy on a firewall.To alleviate some of these difficulties, we designed and implemented two generations of novel firewall analysis tools, which allow the administrator to easily discover and test the global firewall policy. Our tools use a minimal description of the network topology, and directly parse the various vendor-specific low-level configuration files. A key feature of our tools is that they are passive: no packets are sent, and the analysis is performed offline, on a machine that is separate from the firewall itself. A typical question our tools can answer is “from which machines can our DMZ be reached, and with which services?.” Thus, our tools complement existing vulnerability analyzers and port scanners, as they can be used before a policy is actually deployed, and they operate on a more understandable level of abstraction. This paper describes the design and architecture of these tools, their evolution from a research prototype to a commercial product, and the lessons we have learned along the way.