FIREMAN: a toolkit for firewall modeling and analysis
- 1 January 2006
- conference paper
- Published by Institute of Electrical and Electronics Engineers (IEEE)
- 15 pp. (final page 213)
- https://doi.org/10.1109/sp.2006.16
Abstract
Security concerns are becoming increasingly critical in networked systems. Firewalls provide an important defense for network security. However, misconfigurations in firewalls are very common and significantly weaken the desired security. This paper introduces FIREMAN, a static analysis toolkit for firewall modeling and analysis. By treating firewall configurations as specialized programs, FIREMAN applies static analysis techniques to check for misconfigurations, such as policy violations, inconsistencies, and inefficiencies, in individual firewalls as well as among distributed firewalls. FIREMAN performs symbolic model checking of the firewall configurations for all possible IP packets and along all possible data paths. It is both sound and complete because of the finite-state nature of firewall configurations. FIREMAN is implemented by modeling firewall rules using binary decision diagrams (BDDs), which have been used successfully in hardware verification and model checking. We have experimented with FIREMAN and used it to uncover several real misconfigurations in enterprise networks, some of which have been subsequently confirmed and corrected by the administrators of these networks.