Expanding Firewall Misconfiguration Detection Based on Dynamic Routing Analysis for Large Networks

Researcher: Hyong Kim

Research Area: Next Generation Secure and Available Networks


Scope: Firewalls are the most common means of maintaining a degree of security on connections between different segments of a network, and between those segments and the Internet. Although a firewall is very effective at enforcing a security policy when deployed with a sound design and topology, ensuring a consistent, conflict-free global security policy becomes a daunting task in large enterprise networks. Previous work detects misconfiguration using limited models and golden rules, without considering the network's routing state. As reported from large corporate networks, there are numerous significant instances in which routing policies conflict with the intended firewall policies (for example, a route that carries traffic around the firewall that was meant to filter it), and existing systems fail to detect these problems, especially in large networks. We propose three verification approaches that take network routing state into account: a network-wide flow analysis, a policy mining system, and an analysis system that detects inconsistencies between routing and packet-filtering policies. Together, these three approaches significantly expand the range of misconfigurations that can be detected in large enterprise networks.
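As an added illustration, not the project's prototype or any code from this page, the following Python script shows the kind of inconsistency a network-wide flow analysis catches and a per-device rule check misses: it traces a flow through a small constructed topology using longest-prefix-match routing tables, applies each hop's packet filter, and compares the outcome with the intended global policy. The topology, addresses, node names (R1, R2, R3, FW1) and rules are all assumptions made for this example; a real system would load routing tables and ACLs from the devices.

```python
"""Added example (not the project's code): trace flows over routing state and
compare the result with the intended network-wide filtering policy.
Topology, addresses and rules below are constructed for illustration."""
import ipaddress
from ipaddress import ip_address
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network


def net(cidr: str) -> Net:
    return ipaddress.ip_network(cidr)


# Constructed topology (hypothetical): hosts in 10.1.0.0/16 sit behind R1,
# hosts in 10.2.0.0/16 behind R3. The intended path R1 -> FW1 -> R3 is
# filtered; a backup router R2 also joins R1 and R3 and carries no filter.
# Routing tables hold (prefix, next hop); a next hop of None means the prefix
# is directly attached, so the packet is delivered. Lookup is longest match.
ROUTES: Dict[str, List[Tuple[Net, Optional[str]]]] = {
    "R1": [(net("10.1.0.0/16"), None),
           (net("10.2.0.0/16"), "FW1"),
           # A more specific route for one subnet leaked toward the backup
           # router: this is the misconfiguration the flow analysis must find.
           (net("10.2.5.0/24"), "R2")],
    "FW1": [(net("10.2.0.0/16"), "R3"), (net("10.1.0.0/16"), "R1")],
    "R2": [(net("10.2.0.0/16"), "R3"), (net("10.1.0.0/16"), "R1")],
    "R3": [(net("10.2.0.0/16"), None), (net("10.1.0.0/16"), "FW1")],
}

# Packet filters applied to traffic entering a node: ordered (action, src, dst),
# first match wins. Nodes absent from this table forward everything.
FILTERS: Dict[str, List[Tuple[str, Net, Net]]] = {
    "FW1": [("deny", net("10.1.0.0/16"), net("10.2.0.0/16")),
            ("permit", net("0.0.0.0/0"), net("0.0.0.0/0"))],
}

# Intended network-wide policy, stated independently of where it is enforced.
GLOBAL_POLICY: List[Tuple[str, Net, Net]] = [
    ("deny", net("10.1.0.0/16"), net("10.2.0.0/16")),
]


def next_hop(node: str, dst) -> Optional[Tuple[Net, Optional[str]]]:
    """Longest-prefix-match lookup; returns (prefix, next_hop) or None."""
    matches = [(p, nh) for p, nh in ROUTES.get(node, []) if dst in p]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)


def filter_verdict(node: str, src, dst) -> str:
    """First-match evaluation of a node's ingress filter."""
    for action, s, d in FILTERS.get(node, []):
        if src in s and dst in d:
            return action
    return "permit"  # plain routers have no filter and forward everything


def trace(start: str, src_s: str, dst_s: str, max_hops: int = 16):
    """Follow routing from `start`, applying each hop's filter on entry.
    Returns (verdict, path): 'delivered', 'dropped', 'no-route' or 'loop'."""
    src, dst = ip_address(src_s), ip_address(dst_s)
    node, path = start, [start]
    while len(path) <= max_hops:
        if filter_verdict(node, src, dst) == "deny":
            return "dropped", path
        route = next_hop(node, dst)
        if route is None:
            return "no-route", path
        _, nh = route
        if nh is None:
            return "delivered", path
        if nh in path:
            return "loop", path + [nh]
        node = nh
        path.append(node)
    return "loop", path


def policy_verdict(src, dst) -> str:
    for action, s, d in GLOBAL_POLICY:
        if src in s and dst in d:
            return action
    return "permit"


def device_local_check(device: str, src_s: str, dst_s: str) -> str:
    """What a per-device rule analysis sees: the firewall's own verdict,
    with no knowledge of whether the flow ever reaches that firewall."""
    return filter_verdict(device, ip_address(src_s), ip_address(dst_s))


def find_violations(start: str, flows: List[Tuple[str, str]]):
    """Flows whose routed outcome contradicts the intended global policy."""
    violations = []
    for src_s, dst_s in flows:
        intended = policy_verdict(ip_address(src_s), ip_address(dst_s))
        actual, path = trace(start, src_s, dst_s)
        if intended == "deny" and actual == "delivered":
            violations.append((src_s, dst_s, "bypasses filter", path))
        elif intended == "permit" and actual == "dropped":
            violations.append((src_s, dst_s, "wrongly filtered", path))
    return violations


if __name__ == "__main__":
    flows = [("10.1.3.7", "10.2.1.1"), ("10.1.3.7", "10.2.5.9")]
    for f in flows:
        print(f, "FW1 alone says:", device_local_check("FW1", *f),
              "| routed result:", trace("R1", *f))
    for v in find_violations("R1", flows):
        print("VIOLATION", v)
```

The first flow takes the intended path and is dropped at FW1. The second flow is denied by FW1's own rules, so a rule-only audit of FW1 reports the policy as enforced, yet the leaked /24 route sends it via R2 and R3, where nothing filters it, and it is delivered. Only the trace over routing state exposes the bypass.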

Outcomes: Presentations and publications related to this work. Prototype of the firewall misconfiguration detection system (software).