Offline firewall analysis

Practically every corporation that is connected to the Internet has at least one firewall, and often many more. However, the protection that these firewalls provide is only as good as the policy they are configured to implement. Therefore, testing, auditing, or reverse-engineering existing firewall configurations are important components of every corporation’s network security practice. Unfortunately, this is easier said than done. Firewall configuration files are written in notoriously hard-to-read languages, using vendor-specific GUIs. A tool that is sorely missing from the arsenal of firewall administrators and auditors is one that allows them to analyze the policy on a firewall. To alleviate some of these difficulties, we designed and implemented two generations of novel firewall analysis tools, which allow the administrator to easily discover and test the global firewall policy. Our tools use a minimal description of the network topology, and directly parse the various vendor-specific low-level configuration files. A key feature of our tools is that they are passive: no packets are sent, and the analysis is performed offline, on a machine that is separate from the firewall itself. A typical question our tools can answer is “from which machines can our DMZ be reached, and with which services?” Thus, our tools complement existing vulnerability analyzers and port scanners, as they can be used before a policy is actually deployed, and they operate on a more understandable level of abstraction. This paper describes the design and architecture of these tools, their evolution from a research prototype to a commercial product, and the lessons we have learned along the way.
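As an added illustration of the kind of passive, offline query the abstract describes (this is example code written for this page, not the paper's tools), the following toy analyzer simulates first-match evaluation of a rule base against a constructed topology and answers "from which zones and hosts can the DMZ be reached, and with which services?" without sending a single packet. The zones, hosts, rules and service list are all constructed assumptions.

```python
import ipaddress
from collections import namedtuple
# A rule: source CIDR, destination CIDR, protocol ("tcp"/"udp"/"any"),
# inclusive destination port range (low, high), and action ("accept"/"drop").
Rule = namedtuple("Rule", "src dst proto dports action")
# Constructed topology (not from the paper): zones with representative hosts.
ZONES = {
    "internet": ["203.0.113.5"],
    "dmz": ["10.1.0.10", "10.1.0.20"],
    "internal": ["10.2.3.4"],
}
# Constructed rule base: evaluated top-down, first match wins, implicit drop.
RULES = [
    Rule("0.0.0.0/0", "10.1.0.10/32", "tcp", (80, 80), "accept"),
    Rule("0.0.0.0/0", "10.1.0.10/32", "tcp", (443, 443), "accept"),
    Rule("10.2.0.0/16", "10.1.0.0/24", "tcp", (22, 22), "accept"),
    Rule("10.2.0.0/16", "10.1.0.0/24", "any", (0, 65535), "drop"),
    Rule("10.2.0.0/16", "0.0.0.0/0", "any", (0, 65535), "accept"),
]
# Services to probe, as (protocol, destination port).
SERVICES = {"http": ("tcp", 80), "https": ("tcp", 443), "ssh": ("tcp", 22), "dns": ("udp", 53)}

def decide(rules, src_ip, dst_ip, proto, dport):
    """Simulate first-match evaluation of one packet header; nothing is sent."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and r.proto in ("any", proto) and r.dports[0] <= dport <= r.dports[1]):
            return r.action
    return "drop"  # implicit default deny at the end of the rule base

def who_reaches(rules, zones, target_zone, services):
    """Answer: from which zones/hosts can target_zone be reached, with which services?"""
    reach = {}
    for src_zone, src_hosts in zones.items():
        if src_zone == target_zone:
            continue  # only cross-zone reachability is of interest here
        for src in src_hosts:
            for dst in zones[target_zone]:
                allowed = sorted(name for name, (proto, port) in services.items()
                                 if decide(rules, src, dst, proto, port) == "accept")
                if allowed:
                    reach.setdefault(src_zone, {})[dst] = allowed
    return reach

if __name__ == "__main__":
    for zone, hosts in who_reaches(RULES, ZONES, "dmz", SERVICES).items():
        for dst, svcs in hosts.items():
            print(f"{zone:9s} -> {dst}: {', '.join(svcs)}")
```

Note that the internal-to-DMZ "drop" rule does not block HTTP/HTTPS to 10.1.0.10, because the two earlier any-source accept rules match first; this is exactly the kind of ordering effect an offline analyzer surfaces before deployment.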
