Abstract
Practically every corporation that is connected to the Internet has at least one firewall, and often many more. However, the protection that these firewalls provide is only as good as the policy they are configured to implement. Therefore, testing, auditing, or reverse-engineering existing firewall configurations are important components of every corporation's network security practice. Unfortunately, this is easier said than done. Firewall configuration files are written in notoriously hard-to-read languages, using vendor-specific GUIs. A tool that is sorely missing in the arsenal of firewall administrators and auditors is one that allows them to analyze the policy on a firewall.
To alleviate some of these difficulties, we designed and implemented two generations of novel firewall analysis tools, which allow the administrator to easily discover and test the global firewall policy. Our tools use a minimal description of the network topology, and directly parse the various vendor-specific low-level configuration files. A key feature of our tools is that they are passive: no packets are sent, and the analysis is performed offline, on a machine that is separate from the firewall itself. A typical question our tools can answer is "from which machines can our DMZ be reached, and with which services?" Thus, our tools complement existing vulnerability analyzers and port scanners, as they can be used before a policy is actually deployed, and they operate on a more understandable level of abstraction. This paper describes the design and architecture of these tools, their evolution from a research prototype to a commercial product, and the lessons we have learned along the way.
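As an added example (not the Fang or AlgoSec code the paper describes), the Python below sketches the offline, set-based style of analysis the abstract refers to: a first-match rule base is evaluated symbolically over the entire IPv4 source space, so the question "from which machines can our DMZ be reached, and with which services?" is answered without sending a packet. The rule base, service table and addresses are constructed for illustration, and the model is a single filter with no routing or NAT.

```python
# Added example, not the paper's Fang/AlgoSec code; all data below is constructed.
from ipaddress import IPv4Network as Net

# Constructed services: name -> (protocol, port).
SERVICES = {"http": ("tcp", 80), "https": ("tcp", 443),
            "ssh": ("tcp", 22), "dns": ("udp", 53)}

# Constructed first-match rule base in a vendor-neutral form:
# (source, destination, protocol, port, action); "any" wildcards a field.
RULES = [
    ("10.1.0.0/16", "192.0.2.10/32", "tcp", 22, "accept"),    # admin ssh to web host
    ("0.0.0.0/0", "192.0.2.10/32", "tcp", 80, "accept"),      # public web
    ("0.0.0.0/0", "192.0.2.10/32", "tcp", 443, "accept"),
    ("10.1.0.0/16", "192.0.2.0/24", "any", "any", "accept"),  # corp may reach whole DMZ
    ("0.0.0.0/0", "0.0.0.0/0", "any", "any", "drop"),         # final cleanup rule
]

def _overlap(a, b):
    """Intersection of two CIDR blocks (non-empty only when one contains the other)."""
    return a if a.subnet_of(b) else b if b.subnet_of(a) else None

def allowed_sources(host, service, rules=RULES):
    """Source blocks from which `host` is reachable on `service`, applying the
    rules in order (first match wins) to the whole IPv4 source space at once."""
    proto, port = SERVICES[service]
    dest = Net(host)                     # bare address -> /32
    undecided = [Net("0.0.0.0/0")]       # sources no earlier rule has decided yet
    allowed = []
    for src, dst, rproto, rport, action in rules:
        if rproto not in ("any", proto) or rport not in ("any", port) \
                or not dest.subnet_of(Net(dst)):
            continue                     # rule does not cover this service/destination
        src, remaining = Net(src), []
        for blk in undecided:
            hit = _overlap(blk, src)
            if hit is None:
                remaining.append(blk)    # rule says nothing about this block
                continue
            if action == "accept":
                allowed.append(hit)
            if hit != blk:               # keep the part this rule did not decide
                remaining.extend(blk.address_exclude(hit))
        undecided = remaining
    return sorted(allowed)

def dmz_exposure(dmz_hosts, services=SERVICES):
    """Per (host, service): the source blocks that can reach it; [] means unreachable."""
    return {(h, s): [str(n) for n in allowed_sources(h, s)]
            for h in dmz_hosts for s in services}
```

Because the evaluation is over address sets rather than sample packets, a rule that is shadowed by an earlier, narrower drop shows up as a hole in the returned blocks instead of being missed.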
Parts of this paper appeared, in preliminary form, in the 21st IEEE Symposium on Security & Privacy, Oakland, CA, May 2000 and in the 10th USENIX Security Symposium, Washington, DC, 2001.
Cite this article
Mayer, A., Wool, A. & Ziskind, E. Offline firewall analysis. Int. J. Inf. Secur. 5, 125–144 (2006). https://doi.org/10.1007/s10207-005-0074-z
DOI: https://doi.org/10.1007/s10207-005-0074-z