Fast, cheap, and in control: A step towards pain free security!

Sandeep Bhatt, Cat Okita, Prasad Rao

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

4 Scopus citations

Abstract

We hypothesize that it is possible to obtain significant gains in operational efficiency through the application of simple analysis techniques to firewall rule sets. This paper describes our experiences with a firewall analysis tool and metrics that we have designed and used to help manage large production rule sets. Firewall rule sets typically become increasingly unwieldy over time. It is common for firewalls to have hundreds, or even thousands, of rules. Not surprisingly, administrators have a hard time keeping track of how the rules interact with each other, resulting in many partially effective or completely ineffective rules, and unpredictable behavior. Our tool can be used to identify these problematic rules. Further, given two rule sets, our tool produces a comprehensive list of the traffic that is only permitted or denied by one rule set, rather than both. As such, we can compare the existing rule set with a second rule set containing the proposed changes. The administrator can then visually check if the difference in traffic patterns corresponds to what he or she intended in proposing the changes. Additionally our tool collects various metrics that help the administrator to gauge the 'health' of the firewall. The tool is designed to be extensible to multiple vendor products.

Original languageEnglish
Title of host publicationProceedings of the 22nd Large Installation System Administration Conference, LISA 2008
Pages75-90
Number of pages16
ISBN (Electronic)9781931971638
StatePublished - 2008
Event22nd Large Installation System Administration Conference, LISA 2008 - San Diego, United States
Duration: 9 Nov 200814 Nov 2008

Publication series

NameProceedings of the 22nd Large Installation System Administration Conference, LISA 2008

Conference

Conference22nd Large Installation System Administration Conference, LISA 2008
Country/TerritoryUnited States
CitySan Diego
Period9/11/0814/11/08

Fingerprint

Dive into the research topics of 'Fast, cheap, and in control: A step towards pain free security!'. Together they form a unique fingerprint.

Cite this