TY - GEN
T1 - Fast, cheap, and in control
T2 - 22nd Large Installation System Administration Conference, LISA 2008
AU - Bhatt, Sandeep
AU - Okita, Cat
AU - Rao, Prasad
N1 - Publisher Copyright:
© LISA 2008. All rights reserved.
PY - 2008
Y1 - 2008
N2 - We hypothesize that it is possible to obtain significant gains in operational efficiency through the application of simple analysis techniques to firewall rule sets. This paper describes our experiences with a firewall analysis tool and metrics that we have designed and used to help manage large production rule sets. Firewall rule sets typically become increasingly unwieldy over time. It is common for firewalls to have hundreds, or even thousands, of rules. Not surprisingly, administrators have a hard time keeping track of how the rules interact with each other, resulting in many partially effective or completely ineffective rules, and unpredictable behavior. Our tool can be used to identify these problematic rules. Further, given two rule sets, our tool produces a comprehensive list of the traffic that is only permitted or denied by one rule set, rather than both. As such, we can compare the existing rule set with a second rule set containing the proposed changes. The administrator can then visually check if the difference in traffic patterns corresponds to what he or she intended in proposing the changes. Additionally, our tool collects various metrics that help the administrator to gauge the 'health' of the firewall. The tool is designed to be extensible to multiple vendor products.
AB - We hypothesize that it is possible to obtain significant gains in operational efficiency through the application of simple analysis techniques to firewall rule sets. This paper describes our experiences with a firewall analysis tool and metrics that we have designed and used to help manage large production rule sets. Firewall rule sets typically become increasingly unwieldy over time. It is common for firewalls to have hundreds, or even thousands, of rules. Not surprisingly, administrators have a hard time keeping track of how the rules interact with each other, resulting in many partially effective or completely ineffective rules, and unpredictable behavior. Our tool can be used to identify these problematic rules. Further, given two rule sets, our tool produces a comprehensive list of the traffic that is only permitted or denied by one rule set, rather than both. As such, we can compare the existing rule set with a second rule set containing the proposed changes. The administrator can then visually check if the difference in traffic patterns corresponds to what he or she intended in proposing the changes. Additionally, our tool collects various metrics that help the administrator to gauge the 'health' of the firewall. The tool is designed to be extensible to multiple vendor products.
UR - http://www.scopus.com/inward/record.url?scp=85040230915&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85040230915&partnerID=8YFLogxK
M3 - Conference contribution
AN - SCOPUS:85040230915
T3 - Proceedings of the 22nd Large Installation System Administration Conference, LISA 2008
SP - 75
EP - 90
BT - Proceedings of the 22nd Large Installation System Administration Conference, LISA 2008
Y2 - 9 November 2008 through 14 November 2008
ER -