An Open Source Solution for Testing NAT'd and Nested iptables Firewalls
As firewalls have increased in power and flexibility, the complexity of configuring them correctly has grown significantly. An error in the firewall configuration can compromise the security of the system or interfere with normal network activity. The chance of an error increases when coordinating multiple firewalls, because the interaction between filters may hide errors more easily noticed on a single firewall. Firewalls on many networks use network address translation, which further increases the complexity of the firewall policy and creates additional opportunities for errors. Because errors in the firewall configuration are often extremely costly in time and security, system administrators need tools for verifying and debugging their firewall policy. ITVal is a tool for analyzing iptables-based firewalls that provides a plain English query language for simple firewall analysis. In this work, we describe extensions to ITVal that allow it to process network address translation rules and analyze multiple firewalls connected sequentially.
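The abstract's central point, that a rule which is correct for one firewall can misbehave once an upstream firewall's NAT rewrites the packet, is easy to see in a small composed-policy model. The Python below is an added example and is not ITVal's code or the authors'; the two firewalls, the addresses and the rules are constructed for illustration, and the model covers only first-match PREROUTING DNAT followed by a first-match FORWARD filter chain with a default DROP policy.

```python
"""Toy model of a packet traversing a NAT'd outer firewall and a nested
inner firewall, showing why filter rules must be checked in composition.
Constructed example; not ITVal's implementation."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str                       # "ACCEPT", "DROP" or "DNAT"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None       # None matches any port
    proto: Optional[str] = None       # None matches any protocol
    to: Optional[Tuple[str, int]] = None  # DNAT target (address, port)

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport)
                and (self.proto is None or self.proto == p.proto))


@dataclass
class Firewall:
    name: str
    nat: List[Rule]      # PREROUTING nat chain (DNAT rules only)
    filter: List[Rule]   # FORWARD filter chain, default policy DROP


def traverse(fw: Firewall, packet: Packet) -> Tuple[str, Packet]:
    """Run one packet through a single firewall: first-match DNAT rewrites the
    destination, then the rewritten packet is judged by the filter chain."""
    for r in fw.nat:
        if r.action == "DNAT" and r.matches(packet):
            packet = replace(packet, dst=r.to[0], dport=r.to[1])
            break
    for r in fw.filter:
        if r.matches(packet):
            return r.action, packet
    return "DROP", packet


def traverse_nested(firewalls: List[Firewall], packet: Packet) -> Tuple[str, Packet]:
    """Sequential firewalls: the inner one only ever sees the outer's post-NAT packet."""
    for fw in firewalls:
        verdict, packet = traverse(fw, packet)
        if verdict != "ACCEPT":
            return verdict, packet
    return "ACCEPT", packet


def reachable_ports(firewalls: List[Firewall], src: str, dst: str, ports: List[int]) -> List[int]:
    """The kind of question a policy-analysis tool answers: which of these ports on
    dst can src reach through the whole chain of firewalls?"""
    return [p for p in ports
            if traverse_nested(firewalls, Packet(src, dst, p))[0] == "ACCEPT"]


# Constructed topology: the outer firewall publishes 203.0.113.10:80 and DNATs it
# to an internal web server on 10.0.0.5:8080; the inner firewall guards 10.0.0.5.
OUTER = Firewall("outer",
                 nat=[Rule("DNAT", dst="203.0.113.10/32", dport=80, proto="tcp",
                           to=("10.0.0.5", 8080))],
                 filter=[Rule("ACCEPT", dst="10.0.0.5/32", dport=8080, proto="tcp"),
                         Rule("DROP")])

# The inner admin tested this rule against "web traffic to 10.0.0.5" (port 80)
# and it looked right in isolation, but the packet that actually arrives has
# already been rewritten to port 8080 by the outer firewall's DNAT.
INNER = Firewall("inner", nat=[],
                 filter=[Rule("ACCEPT", dst="10.0.0.5/32", dport=80, proto="tcp"),
                         Rule("DROP")])

# Corrected inner policy, written against the post-NAT packet.
INNER_FIXED = Firewall("inner-fixed", nat=[],
                       filter=[Rule("ACCEPT", dst="10.0.0.5/32", dport=8080, proto="tcp"),
                               Rule("DROP")])

if __name__ == "__main__":
    client = "198.51.100.7"
    print("inner alone, port 80:", traverse(INNER, Packet(client, "10.0.0.5", 80))[0])
    print("outer+inner, public :80:", traverse_nested([OUTER, INNER], Packet(client, "203.0.113.10", 80)))
    print("outer+inner-fixed reachable:", reachable_ports([OUTER, INNER_FIXED], client, "203.0.113.10", [22, 80, 443]))
```

Evaluated alone, the inner firewall accepts the web traffic its administrator had in mind; evaluated after the outer firewall's DNAT, the same rule drops it, which is exactly the class of error the abstract says is hidden when policies are checked one firewall at a time.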
@inproceedings{CITATION_KEY_PLACEHOLDER,
  author = {Robert Marmorstein and Phil Kearns},
  title = {An Open Source Solution for Testing {NAT{\textquoteright}d} and Nested iptables Firewalls},
  booktitle = {19th Large Installation System Administration Conference (LISA 05)},
  year = {2005},
  address = {San Diego, CA},
  url = {https://www.usenix.org/conference/lisa-05/open-source-solution-testing-natd-and-nested-iptables-firewalls},
  publisher = {USENIX Association},
  month = dec
}