A Tool for Automated iptables Firewall Analysis
Abstract
We describe ITVal, a tool that enables the efficient analysis of an iptables-based firewall. The underlying basis of ITVal is a library for the efficient manipulation of multi-way decision diagrams. We represent iptables rule sets and queries about the firewall defined by those rule sets as multi-way decision diagrams, and determine answers for the queries by manipulating the diagrams. In addition to discussing the design and implementation of ITVal, we describe how it can be used to detect and correct common firewall errors.
Similar sources
An Open Source Solution for Testing NAT'd and Nested iptables Firewalls
As firewalls have increased in power and flexibility, the complexity of configuring them correctly has grown significantly. An error in the firewall configuration can compromise the security of the system or interfere with normal network activity. The chance of an error increases when coordinating multiple firewalls, because the interaction between filters may hide errors more easily noticed on...
Semantics-Preserving Simplification of Real-World Firewall Rule Sets
The security provided by a firewall for a computer network almost completely depends on the rules it enforces. For over a decade, it has been a well-known and unsolved problem that the quality of many firewall rule sets is insufficient. Therefore, there are many tools to analyze them. However, we found that none of the available tools could handle typical, real-world iptables rulesets. This is ...
Design and Implementation of Conflict Detection System for Time-Based Firewall Policies
Firewalls are one of the most common mechanisms used to protect the network from unauthorized access and security threats. Nowadays, time-based firewall policies are widely in use in many firewalls such as CISCO ACLs and Linux iptables to control network traffic with respect to time. However, network administrators struggle to maintain the firewall policies due to their high complexity. A confl...
Demo: Implementing iptables using a programmable stateful data plane abstraction
Iptables is a well known Linux's user interface to control the Netfilter module, which is responsible for processing packets traversing the Linux's networking subsystem. In cooperation with the conntrack module, Netfilter supports a wide range of network functions such as: filtering, NAT, stateful firewall, load balancer, anomaly detection, etc. Given the central role of the iptables' functions i...
Provably Secure Networks: Methodology and Toolset for Configuration Management
Network management and administration is an inherently complex task, in particular when it comes to security. Configuration complexity in this domain leads to human error, which is often only uncovered when it is too late: after a successful attack. This thesis focuses on the security of network configurations, i.e., network-level access control and network-level information flow security. The ...
Publication date: 2005