Automatic analysis of firewalls using tree automata
Abstract
Since the late 80s, firewalls have been at the heart of network security. First designed to let private networks open up to the outside in a secure way, they have become indispensable for controlling information flows within a company as organizations grow more complex. The central role of firewalls in securing an organization's information makes their management a critical task, which is why, for years, much work has focused on checking and analysing firewalls. Nevertheless, most of this work rests on significant simplifications of firewall technology: the majority of algorithms developed for automatic firewall analysis are founded on IP-address filtering alone, a restriction that prevents them from being used in real situations. In this paper, we propose a new approach to analysing firewalls, based on first-order term algebra and tree automata techniques. With these techniques we attempt to specify firewalls realistically, that is, taking into account packet filtering as well as the Network Address Translation (NAT) functionality. We then show that our framework allows us to compare firewalls, and we prove that the detection of classical misconfigurations can be performed automatically.
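The three claims of the abstract (comparing firewalls, detecting classical misconfigurations, modelling NAT alongside filtering) in an added Python example that is not the paper's code: packets are represented as terms pkt(src, dst, port), but instead of tree automata the example simply enumerates a small constructed abstract domain. The zone names, the rule set and the split of dead rules into "shadowed" and "redundant" are assumptions of the example.

```python
# Constructed abstract packet domain: a packet is the term pkt(src, dst, port).
ZONES, PORTS = ("lan", "dmz", "inet"), (22, 80, 443)
PACKETS = [("pkt", s, d, p) for s in ZONES for d in ZONES for p in PORTS]

def matches(match, pkt):
    """match maps a field to a tuple of allowed values; absent field = any."""
    fields = dict(zip(("src", "dst", "port"), pkt[1:]))
    return all(fields[k] in v for k, v in match.items())

def evaluate(rules, pkt, default="drop"):
    """First-match semantics. An action is 'accept', 'drop' or ('dnat', zone),
    which rewrites the destination and accepts. Returns (decision, packet)."""
    for match, action in rules:
        if matches(match, pkt):
            if isinstance(action, tuple):
                return "accept", ("pkt", pkt[1], action[1], pkt[3])
            return action, pkt
    return default, pkt

def equivalent(a, b):
    """Two rule sets are equivalent if they decide every packet identically."""
    return all(evaluate(a, p) == evaluate(b, p) for p in PACKETS)

def classify(rules):
    """Dead rules (never first to match), split into 'shadowed' (an earlier rule
    decides some packet they match differently) and 'redundant' (same decision)."""
    live = {next((i for i, (m, _) in enumerate(rules) if matches(m, p)), None)
            for p in PACKETS}
    shadowed, redundant = [], []
    for i, rule in enumerate(rules):
        if i in live:
            continue
        own = [evaluate([rule], p) for p in PACKETS if matches(rule[0], p)]
        real = [evaluate(rules, p) for p in PACKETS if matches(rule[0], p)]
        (redundant if own == real else shadowed).append(i)
    return shadowed, redundant

# Constructed rule set: (match, action), evaluated top to bottom.
RULES = [
    ({"src": ("inet",), "dst": ("dmz",), "port": (80, 443)}, ("dnat", "lan")),  # 0: NAT web to LAN server
    ({"src": ("inet",)}, "drop"),                                              # 1: drop other internet traffic
    ({"src": ("inet",), "dst": ("dmz",), "port": (22,)}, "accept"),            # 2: shadowed by rule 1
    ({"src": ("lan",)}, "accept"),                                             # 3: LAN may go anywhere
    ({"src": ("lan",), "dst": ("inet",), "port": (443,)}, "accept"),           # 4: redundant given rule 3
]

if __name__ == "__main__":
    print("shadowed, redundant:", classify(RULES))
    print("cleaned set equivalent:", equivalent(RULES, [RULES[0], RULES[1], RULES[3]]))
```

Enumeration is exponential in the number of fields, which is exactly why the paper turns to tree automata for a symbolic representation of the same packet sets.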
Origin: files produced by the author(s)