A visualized internet firewall rule validation system

Abstract

For the security consistency, firewall rule editing, ordering, and distribution must be done very carefully on each of the cooperative firewalls, especially in a large-scale and multi-firewall-equipped network. Nevertheless, a network operator is prone to incorrectly configuring the firewalls because there are typically thousands or hundreds of filtering/admission rules (i.e., rules in the Access Control List file; or ACL for short) which should be setup in a firewall, not mention these rules among firewalls which affect mutually can make the matter worse. For this reason, our work is to build a visualized validation system for checking the security consistency between firewalls' rule configuration and the demands of network security policies. The system collects the filtering/admission rules (or ACL rules) from all of the firewalls (and routers if they are ACL-configured) in the managed network and then checks if these rules meet the demands of the global network security policies. The checked/analyzed results would later be visualized systematically by our system with different viewpoints for error debugging or anomaly removal. Currently, part of the firewalls' configuration of our campus network has being used to demonstrate our system's implementation. © Springer-Verlag Berlin Heidelberg 2007.