Fast, Cheap and In Control: A Step Towards Pain Free Security!

© Fast, Cheap and In Control: A Step Towards Pain Free Security! Sandeep Bhatt, Cat Okita, Prasad Rao HP Laboratories HPL-2008-111 firewall, network, security metrics We hypothesize that it is possible to obtain significant gains in operational efficiency through the application of simple analysis techniques to firewall rule sets. This paper describes our experiences with a firewall analysis tool and metrics that we have designed and used to help manage large production rule sets. Firewall rule sets typically become increasingly unwieldy over time. It is common for firewalls to have hundreds, or even thousands, of rules. Not surprisingly, administrators have a hard time keeping track of how the rules interact with each other, resulting in many partially effective or completely ineffective rules, and unpredictable behavior. Our tool can be used to identify these problematic rules. Further, given two rule sets, our tool produces a comprehensive list of the traffic that is only permitted or denied by one rule set, rather than both. As such, we can compare the existing rule set with a second rule set containing the proposed changes. The administrator can then visually check if the difference in traffic patterns corresponds to what he or she intended in proposing the changes. Additionally our tool collects various metrics that help the administrator to gauge the 'health' of the firewall. The tool is designed to be extensible to multiple vendor products. External Posting Date: September 21, 2008 [Fulltext] Approved for External Publication Internal Posting Date: September 21, 2008 [Fulltext] To be published and presented at 22nd Large Installation System Administration Conference (LISA '08), San Diego, CA November 9-14, 2008 Copyright 22nd Large Installation System Administration Conference (LISA '08) Fast, Cheap and In Control: A Step Towards Pain Free Security! Sandeep Bhatt, Cat Okita, and Prasad Rao – Hewlett-Packard