LISA '07 – Abstract
Pp. 27–37 of the Proceedings
Assisted Firewall Policy Repair Using Examples and History
Robert Marmorstein and Phil Kearns, The College of William & Mary
Firewall policies can be extremely complex and difficult to
maintain, especially on networks with more than a few hundred
machines. The difficulty of configuring a firewall properly often
leads to serious errors in the firewall configuration or discourages
system administrators from implementing restrictive policies.
In previous research, we developed a technique for modeling
firewall policies using Multiway Decision Diagrams and performing
logical queries against a decision diagram model. Using the query
logic, the system administrator can detect errors in the policy and
gain a deeper understanding of the behavior of the firewall. The
technique is extremely efficient and can process policies with
thousands of rules in just a few seconds. While queries are a
significant improvement over manual inspection of the policy for
detecting that errors exist, they provide only limited assistance in
repairing a broken policy. In this paper we present two extensions to
our work, examples and history, which enable the administrator to more
easily repair a policy which contains errors.
An example is a representative packet which illustrates that the
firewall complies with or (more importantly) deviates from its
expected behavior. History records the specific rules involved in the
deviation. Examples and history provide guidance in finding and fixing
faults in a firewall rule set. These contributions can also be used
with the equivalence class analysis to reduce the burden of designing
a complicated set of assertions.
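To make the two ideas concrete, the following is an added illustration, not code from the paper: the authors build a Multiway Decision Diagram of the policy and query it symbolically, whereas this toy checks an assertion against a small constructed rule set by enumerating a bounded packet space. The rule set, the address classes (`ext`, `dmz`, `lan`), the port list and the assertion are all invented for the example. It models first-match semantics with a DROP default, as in an iptables chain, and reports both an example packet that violates the assertion and the history of rules that touch that packet (the deciding rule plus any later rules it shadows), which is what points the administrator at the repair.

```python
"""Toy model of 'examples' and 'history' for firewall policy repair.

Added illustration, not the authors' code: the paper queries a Multiway
Decision Diagram; here a constructed rule set is checked by enumerating a
bounded packet space.  First-match semantics, DROP default.
"""
from dataclasses import dataclass, field
from itertools import product
from typing import Callable, List, Optional, Tuple

NETS = ("ext", "dmz", "lan")          # abstract address classes (constructed)
PROTOS = ("tcp", "udp")
DPORTS = (22, 23, 80, 443, 8080)      # representative ports (constructed)


@dataclass(frozen=True)
class Packet:
    src_net: str
    dst_net: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    index: int
    action: str                            # "ACCEPT" or "DROP"
    src_net: Optional[str] = None          # None means wildcard
    dst_net: Optional[str] = None
    proto: Optional[str] = None
    dports: Optional[Tuple[int, ...]] = None

    def matches(self, p: Packet) -> bool:
        return ((self.src_net is None or self.src_net == p.src_net)
                and (self.dst_net is None or self.dst_net == p.dst_net)
                and (self.proto is None or self.proto == p.proto)
                and (self.dports is None or p.dport in self.dports))


@dataclass
class Example:
    """A representative packet plus the history of rules involved in its fate."""
    packet: Packet
    verdict: str
    deciding: Optional[Rule]                # first matching rule; None = default policy
    shadowed: List[Rule] = field(default_factory=list)  # later rules that also match


def evaluate(policy: List[Rule], p: Packet, default: str = "DROP") -> Example:
    """First-match evaluation that records every matching rule, not just the winner."""
    hits = [r for r in policy if r.matches(p)]
    if not hits:
        return Example(p, default, None, [])
    return Example(p, hits[0].action, hits[0], hits[1:])


def find_example(policy: List[Rule], predicate: Callable[[Packet], bool],
                 verdict: str) -> Optional[Example]:
    """Return the first packet in scope of `predicate` that the policy handles with `verdict`.

    Used two ways: to confirm expected behaviour (an ACCEPT witness for traffic
    that should flow) and to expose a deviation (an ACCEPT witness for traffic
    an assertion says must be dropped).  Returns None if no such packet exists.
    """
    for src, dst, proto, dport in product(NETS, NETS, PROTOS, DPORTS):
        p = Packet(src, dst, proto, dport)
        if predicate(p):
            ex = evaluate(policy, p)
            if ex.verdict == verdict:
                return ex
    return None


# Constructed policy with a shadowing error: rule 2 was meant to let the LAN
# administer DMZ hosts, but it lacks a source restriction, so it also admits
# external SSH/telnet and rule 3 never fires for DMZ destinations.
BROKEN = [
    Rule(1, "ACCEPT", src_net="lan"),
    Rule(2, "ACCEPT", dst_net="dmz", proto="tcp", dports=(22, 23, 80, 443)),
    Rule(3, "DROP", src_net="ext", proto="tcp", dports=(22, 23)),
]

# Repair suggested by the history: rule 1 already covers LAN administration,
# so the DMZ rule only needs the public services.
FIXED = [
    Rule(1, "ACCEPT", src_net="lan"),
    Rule(2, "ACCEPT", dst_net="dmz", proto="tcp", dports=(80, 443)),
    Rule(3, "DROP", src_net="ext", proto="tcp", dports=(22, 23)),
]


def external_admin(p: Packet) -> bool:
    """Assertion scope: remote-administration ports from outside must be dropped."""
    return p.src_net == "ext" and p.proto == "tcp" and p.dport in (22, 23)


if __name__ == "__main__":
    bad = find_example(BROKEN, external_admin, "ACCEPT")
    print("violation:", bad.packet, "decided by rule", bad.deciding.index,
          "shadowing rules", [r.index for r in bad.shadowed])
    print("after repair, violating example:", find_example(FIXED, external_admin, "ACCEPT"))
```

Running the script on the broken policy yields the example packet ext to dmz, tcp/22, with rule 2 as the deciding rule and rule 3 in its history as a shadowed DROP; that pairing is exactly the information a bare "assertion failed" result withholds, and it is enough to see that rule 2, not rule 3, needs to change. The enumeration here is exponential in the number of fields, which is why the paper uses decision diagrams rather than brute force for real policies.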
The Proceedings are published as a collective work, © 2007 by the USENIX Association. All Rights Reserved. Rights to individual papers remain with the author or the author's employer. Permission is granted for the noncommercial reproduction of the complete work for educational or research purposes. USENIX acknowledges all trademarks within this paper.