Firewall Analysis with Policy-based Host Classification

For administrators of large systems, testing and debugging a firewall policy is a difficult process. The size and complexity of many firewall policies make manual inspection of the rule set tedious and error-prone. The complex interaction of conflicting rules can conceal serious errors that compromise the security of the network or interrupt the delivery of important services. Most existing tools for verifying the policy require the user to provide a detailed set of test cases or queries, which can sometimes be as difficult as verifying the policy by hand. Deriving a sufficiently comprehensive set of tests requires a detailed knowledge of potential vulnerabilities and a familiarity with the mechanics of the firewall. It also requires a significant investment of time and other resources. In this work, we present a fully automatic technique for identifying significant anomalies in a firewall policy. Our technique employs a novel system for classifying the hosts of a network into classes based on an equivalence structure, which is calculated from the firewall policy. This ‘‘policy-based classification of network hosts’’ substantially reduces the difficulty of identifying potential errors in the configuration of a firewall or group of connected firewalls and can be combined with existing firewall verification techniques to improve their effectiveness in detecting errors.