International Journal On Advances in Security, volume 6, numbers 3 and 4, 2013
Firewall Analysis by Symbolic Simulation: Advanced Optimizations
Authors:
Arno Wagner
Keywords: Network Security; Firewall Analysis; Symbolic Simulation; Interval Search Trees
Abstract:
There are two primary tasks in a Layer 4 firewall security analysis. The first is unifying a chain of firewalls on a given network path into a single firewall, so that what the chain allows to pass and what it drops can be determined efficiently; the second is comparing a firewall with a security policy. Both tasks are work-intensive and error-prone when performed manually, and become infeasible for large firewall rule sets. To automate the unification of a chain of firewalls, we have created the Consecom Network Analyzer, which uses symbolic simulation with an interval representation to generate a unified, equivalent firewall in a normalized, simple and flat form. The same unification process is also suitable for comparison with a policy, by representing the policy in a special form as a firewall rule set. We show that this approach is suitable for firewalls with large configurations by giving benchmarks based on deployed rule sets. In addition, we demonstrate the effects of different optimization techniques on run-time and memory footprint, including an advanced optimization technique that builds on ideas from geometric search and uses interval search trees to reduce unnecessary rule applications. The Consecom Network Analyzer has been used successfully in a number of industrial security reviews.
Pages: 88 to 98
Copyright: Copyright (c) to authors, 2013. Used with permission.
Publication date: December 31, 2013
Published in: journal
ISSN: 1942-2636