Security '01 Abstract
Architecting the Lumeta Firewall Analyzer
Avishai Wool, Lumeta Corporation
Practically every corporation that is connected to the Internet
has at least one firewall, and often many more.
However, the protection that these firewalls provide
is only as good as the policy they are configured to
implement. Therefore, testing, auditing, or reverse-engineering
existing firewall configurations should be
important components of every corporation's network
security practice. Unfortunately, this is easier said than
done. Firewall configuration files are written in notoriously
hard to read languages, using vendor-specific
GUIs. A tool that is sorely missing in the arsenal of firewall
administrators and auditors is one that will allow
them to analyze the policy on a firewall.
The first passive, analytical, firewall analysis system
was the Fang prototype system [MWZ00]. This was
the starting point for the new Lumeta Firewall Analyzer
(LFA) system. LFA improves upon Fang in many ways.
The most significant improvements are that human interaction
is limited to providing the firewall configuration,
and that LFA automatically issues the "interesting"
queries and displays the outputs of all of them, in a way
that highlights the risks without cluttering the high-level
view. This solves a major usability problem we found
with Fang, namely, that users do not know which queries
The input to the LFA consists of the firewall's routing
table, and the firewall's configuration files. The LFA
parses these various low-level, vendor-specific, files, and
simulates the firewall's behavior against all the packets
it could possibly receive. The simulation is done completely
offline, without sending any packets. The administrator
gets a comprehensive report showing which types
of traffic the firewall allows to enter from the Internet into
the customer's intranet and which types of traffic are allowed
out of the intranet. The LFA's report is presented
as a set of explicit web pages, which are rich with links
and cross references to further detail (allowing for easy
drill-down). This paper describes the design and architecture
of the LFA.
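The following is an added illustration, not code from the paper or from Lumeta, of the analysis idea described above: take a firewall's rule base, decide offline what the firewall would do with every packet class of interest, and summarize what is allowed into and out of the intranet. The simplified rule syntax, the address ranges, the service list and the sample rules are all constructed for this example (the abstract's routing-table input is not modeled); only the first-match-then-implicit-deny evaluation is the standard firewall semantics.

```python
"""Minimal offline firewall-policy analyzer (added example, not Lumeta's code).

No packets are sent: the rule base is evaluated against representative packet
classes and the permitted inbound/outbound services are reported per host.
All rules, networks and services below are constructed for this example.
"""
from ipaddress import ip_address, ip_network
from itertools import product

INTRANET = ip_network("10.0.0.0/8")                 # constructed intranet range
INTERNET_HOST = ip_address("198.51.100.7")          # constructed external probe address
GENERIC_INTRANET_HOST = ip_address("10.9.9.9")      # constructed host no rule names explicitly

# Constructed services to report on: name -> (protocol, port).
SERVICES = {
    "http": ("tcp", 80),
    "https": ("tcp", 443),
    "ssh": ("tcp", 22),
    "telnet": ("tcp", 23),
    "dns": ("udp", 53),
}

# Constructed rule base in a simplified, vendor-neutral syntax:
#   action src dst proto port     (first match wins; implicit deny at the end)
# The last "accept" rule is a deliberately broad one so the report has something to flag.
RULES_TEXT = """
accept any        10.0.1.10/32 tcp 80
accept any        10.0.1.10/32 tcp 443
accept any        10.0.1.53/32 udp 53
accept 10.0.0.0/8 any          tcp 80
accept 10.0.0.0/8 any          tcp 443
accept 10.0.0.0/8 any          udp 53
accept any        10.0.0.0/8   tcp 23
drop   any        any          any any
"""


def parse_rules(text):
    """Parse the simplified rule text into (action, src, dst, proto, port) tuples."""
    rules = []
    for line in text.strip().splitlines():
        action, src, dst, proto, port = line.split()
        rules.append((
            action,
            None if src == "any" else ip_network(src),
            None if dst == "any" else ip_network(dst),
            None if proto == "any" else proto,
            None if port == "any" else int(port),
        ))
    return rules


def decide(rules, src, dst, proto, port):
    """Return the action of the first rule matching the packet, or 'drop' if none matches."""
    for action, rsrc, rdst, rproto, rport in rules:
        if rsrc is not None and src not in rsrc:
            continue
        if rdst is not None and dst not in rdst:
            continue
        if rproto is not None and proto != rproto:
            continue
        if rport is not None and port != rport:
            continue
        return action
    return "drop"


def intranet_hosts_of_interest(rules, intranet=INTRANET):
    """Every intranet host a rule names explicitly, plus one generic host covered only by wide rules."""
    hosts = {GENERIC_INTRANET_HOST}
    for _, src, dst, _, _ in rules:
        for net in (src, dst):
            if net is not None and net.prefixlen == 32 and net.network_address in intranet:
                hosts.add(net.network_address)
    return sorted(hosts, key=int)


def analyze(rules):
    """Simulate each (host, service) pair in both directions and collect what is accepted."""
    report = {"inbound": {}, "outbound": {}}
    for host, (name, (proto, port)) in product(intranet_hosts_of_interest(rules), SERVICES.items()):
        if decide(rules, INTERNET_HOST, host, proto, port) == "accept":
            report["inbound"].setdefault(name, []).append(str(host))
        if decide(rules, host, INTERNET_HOST, proto, port) == "accept":
            report["outbound"].setdefault(name, []).append(str(host))
    return report


def broad_inbound_exposure(report):
    """Services the Internet can reach on a host no rule names explicitly: a policy-wide hole."""
    return sorted(name for name, hosts in report["inbound"].items()
                  if str(GENERIC_INTRANET_HOST) in hosts)


if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    report = analyze(rules)
    for direction in ("inbound", "outbound"):
        print(direction.upper())
        for name, hosts in sorted(report[direction].items()):
            print(f"  {name:7s} -> {', '.join(hosts)}")
    print("broad inbound exposure:", broad_inbound_exposure(report))
```

Probing a generic intranet host alongside the explicitly named ones is what turns a per-rule listing into a policy-level finding: the constructed telnet rule shows up as reachable on a host no rule mentions, which is the kind of risk the report is meant to surface without cluttering the per-host view.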
The Proceedings are published as a collective work, © 2001 by the USENIX Association. All Rights Reserved. Rights
to individual papers remain with the author or the author's employer.
Permission is granted for the noncommercial reproduction of the complete
work for educational or research purposes. USENIX acknowledges all
trademarks within this paper.