A tool for automated iptables firewall analysis

Authors:
Robert Marmorstein;Phil Kearns
Affiliations:
Department of Computer Science, The College of William & Mary, Williamsburg, VA;Department of Computer Science, The College of William & Mary, Williamsburg, VA
Venue:
ATEC '05 Proceedings of the annual conference on USENIX Annual Technical Conference
Year:
2005

Citing 6
Cited 10

Graph-Based Algorithms for Boolean Function Manipulation

IEEE Transactions on Computers
Fang: A Firewall Analysis Engine

SP '00 Proceedings of the 2000 IEEE Symposium on Security and Privacy
Firewall Design: Consistency, Completeness, and Compactness

ICDCS '04 Proceedings of the 24th International Conference on Distributed Computing Systems (ICDCS'04)
A Quantitative Study of Firewall Configuration Errors

Computer
Architecting the Lumeta firewall analyzer

SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
Efficient symbolic state-space construction for asynchronous systems

ICATPN'00 Proceedings of the 21st international conference on Application and theory of petri nets

An open source solution for testing NAT'd and nested iptables firewalls

LISA '05 Proceedings of the 19th conference on Large Installation System Administration Conference - Volume 19
Inferring higher level policies from firewall rules

LISA'07 Proceedings of the 21st conference on Large Installation System Administration Conference
Assisted firewall policy repair using examples and history

LISA'07 Proceedings of the 21st conference on Large Installation System Administration Conference
Using argumentation logic for firewall configuration management

IM'09 Proceedings of the 11th IFIP/IEEE international conference on Symposium on Integrated Network Management
SPAN: a unified framework and toolkit for querying heterogeneous access policies

HotSec'09 Proceedings of the 4th USENIX conference on Hot topics in security
Management of heterogeneous security access control configuration using an ontology engineering approach

Proceedings of the 3rd ACM workshop on Assurable and usable security configuration
Aligning Semantic Web applications with network access controls

Computer Standards & Interfaces
The margrave tool for firewall analysis

LISA'10 Proceedings of the 24th international conference on Large installation system administration
Network attack detection at flow level

NEW2AN'11/ruSMART'11 Proceedings of the 11th international conference and 4th international conference on Smart spaces and next generation wired/wireless networking
Automated information flow analysis of virtualized infrastructures

ESORICS'11 Proceedings of the 16th European conference on Research in computer security

Quantified Score

Hi-index	0.00

Visualization

Abstract

We describe ITVal, a tool that enables the efficient analysis of an iptables-based firewall. The underlying basis of ITVal is a library for the efficient manipulation of multi-way decision diagrams. We represent iptables rule sets and queries about the firewall defined by those rule sets as multi-way decision diagrams, and determine answers for the queries by manipulating the diagrams. In addition to discussing the design and implementation of ITVal, we describe how it can be used to detect and correct common firewall errors.