
Offline firewall analysis

  • Regular Contribution
  • International Journal of Information Security

Abstract

Practically every corporation that is connected to the Internet has at least one firewall, and often many more. However, the protection that these firewalls provide is only as good as the policy they are configured to implement. Therefore, testing, auditing, or reverse-engineering existing firewall configurations are important components of every corporation’s network security practice. Unfortunately, this is easier said than done. Firewall configuration files are written in notoriously hard-to-read languages, using vendor-specific GUIs. A tool that is sorely missing from the arsenal of firewall administrators and auditors is one that allows them to analyze the policy on a firewall.

To alleviate some of these difficulties, we designed and implemented two generations of novel firewall analysis tools, which allow the administrator to easily discover and test the global firewall policy. Our tools use a minimal description of the network topology, and directly parse the various vendor-specific low-level configuration files. A key feature of our tools is that they are passive: no packets are sent, and the analysis is performed offline, on a machine that is separate from the firewall itself. A typical question our tools can answer is “from which machines can our DMZ be reached, and with which services?” Thus, our tools complement existing vulnerability analyzers and port scanners, as they can be used before a policy is actually deployed, and they operate on a more understandable level of abstraction. This paper describes the design and architecture of these tools, their evolution from a research prototype to a commercial product, and the lessons we have learned along the way.
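The kind of query the abstract describes, as an added example that is not the paper's tool or code: a passive, first-match evaluator over a constructed rule list and a minimal zone topology, answering "from which zones can the DMZ be reached, and with which services?" without sending a packet. The policy, zone prefixes and service list are invented for the example; the zones are kept small so every host pair can be enumerated exactly.

```python
import ipaddress
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class Rule:
    src: str       # source CIDR
    dst: str       # destination CIDR
    service: str   # "tcp/<port>" or "*" for any service
    action: str    # "accept" or "drop"

# Constructed sample policy in first-match order (hypothetical, not from the paper).
POLICY = [
    Rule("10.0.0.0/8", "192.168.1.0/29", "tcp/22", "drop"),
    Rule("10.0.0.0/8", "192.168.1.0/29", "*", "accept"),
    Rule("0.0.0.0/0", "192.168.1.2/32", "tcp/80", "accept"),
    Rule("0.0.0.0/0", "192.168.1.2/32", "tcp/443", "accept"),
    Rule("0.0.0.0/0", "0.0.0.0/0", "*", "drop"),
]

# Minimal topology: constructed zone prefixes small enough to enumerate every host.
ZONES = {"internal": "10.0.0.0/29", "dmz": "192.168.1.0/29", "internet": "203.0.113.0/30"}
SERVICES = ("tcp/22", "tcp/25", "tcp/80", "tcp/443")

def decide(policy, src_ip, dst_ip, service):
    """Evaluate one packet header against the rule list: first match wins, default deny."""
    src = ipaddress.ip_address(str(src_ip))   # accepts a string or an address object
    dst = ipaddress.ip_address(str(dst_ip))
    for rule in policy:
        if (src in ipaddress.ip_network(rule.src)
                and dst in ipaddress.ip_network(rule.dst)
                and rule.service in ("*", service)):
            return rule.action
    return "drop"

def reachability(policy, zones, dst_zone, services):
    """Return {src_zone: {service: 'all' | 'some'}} for services accepted from at
    least one source host to at least one dst_zone host ('all' if every pair is)."""
    dst_hosts = list(ipaddress.ip_network(zones[dst_zone]))
    result = {}
    for name, prefix in zones.items():
        if name == dst_zone:
            continue
        src_hosts = list(ipaddress.ip_network(prefix))
        for svc in services:
            verdicts = [decide(policy, s, d, svc) == "accept"
                        for s, d in product(src_hosts, dst_hosts)]
            if any(verdicts):
                result.setdefault(name, {})[svc] = "all" if all(verdicts) else "some"
    return result
```

Running `reachability(POLICY, ZONES, "dmz", SERVICES)` reports that the internal zone reaches the whole DMZ on everything except tcp/22, while the internet reaches only one DMZ host on tcp/80 and tcp/443, which is the "some" verdict an auditor would want to drill into.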



Author information

Correspondence to Avishai Wool.

Additional information

Parts of this paper appeared, in preliminary form, in the 21st IEEE Symposium on Security & Privacy, Oakland, CA, May 2000 and in the 10th USENIX Security Symposium, Washington, DC, 2001.

Cite this article

Mayer, A., Wool, A. & Ziskind, E. Offline firewall analysis. Int. J. Inf. Secur. 5, 125–144 (2006). https://doi.org/10.1007/s10207-005-0074-z
