Method and apparatus for analyzing one or more firewalls
4 Assignments
0 Petitions
Abstract
A method and apparatus are disclosed for analyzing the operation of one or more network gateways, such as firewalls or routers, that perform a packet filtering function in a network environment. Given a user query, the disclosed firewall analysis tool simulates the behavior of the various firewalls, taking into account the topology of the network environment, and determines which portions of the services or machines specified in the original query would manage to reach from the source to the destination. The relevant packet-filtering configuration files are collected and an internal representation of the implied security policy is derived. A graph data structure is used to represent the network topology. A gateway-zone graph permits the firewall analysis tool to determine where given packets will travel in the network, and which gateways will be encountered along those paths. In this manner, the firewall analysis tool can evaluate a query object against each rule-base object, for each gateway node in the gateway-zone graph that is encountered along each path between the source and destination. A graphical user interface is provided for receiving queries, such as whether one or more given services are permitted between one or more given machines, and providing results. A spoofing attack can be simulated by allowing the user to specify where packets are to be injected into the network, which may not be the true location of the source host-group.
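The evaluation the abstract describes (build a gateway-zone graph, find the gateway nodes a packet would encounter between source and destination, and accept a query only if every rule-base on the path permits it) can be shown in a few dozen lines. The following is an added example written for this page; it is not the patent's or the patented tool's own code. It assumes first-match rule semantics with an implicit default deny, an undirected gateway-zone graph, a service modelled as (protocol, destination port), and a constructed three-zone network with two firewalls; the addresses, zone names, gateway names and rules are all made up for the illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Set, Tuple

Service = Tuple[str, int]  # (protocol, destination port), e.g. ("tcp", 443)


@dataclass
class Rule:
    """One packet-filtering rule; a rule-base is evaluated first-match."""
    src: IPv4Network
    dst: IPv4Network
    proto: str              # "tcp", "udp" or "any"
    ports: Tuple[int, int]  # inclusive destination-port range
    action: str             # "allow" or "deny"

    def matches(self, s: IPv4Address, d: IPv4Address, svc: Service) -> bool:
        proto, port = svc
        return (s in self.src and d in self.dst
                and self.proto in ("any", proto)
                and self.ports[0] <= port <= self.ports[1])


@dataclass
class Gateway:
    """Gateway node: a packet-filtering device attached to the zones it separates."""
    name: str
    zones: List[str]
    rules: List[Rule]

    def permits(self, s: IPv4Address, d: IPv4Address, svc: Service) -> bool:
        for rule in self.rules:  # first matching rule decides
            if rule.matches(s, d, svc):
                return rule.action == "allow"
        return False  # no rule matched: implicit default deny (assumption)


class GatewayZoneGraph:
    """Bipartite graph of zone nodes (address partitions) and gateway nodes."""

    def __init__(self, zones: Dict[str, List[IPv4Network]], gateways: List[Gateway]):
        self.zones = zones
        self.gateways = {gw.name: gw for gw in gateways}
        self.adjacency: Dict[str, List[str]] = {z: [] for z in zones}
        for gw in gateways:
            for z in gw.zones:
                self.adjacency[z].append(gw.name)

    def zone_of(self, addr: IPv4Address) -> str:
        for name, nets in self.zones.items():
            if any(addr in net for net in nets):
                return name
        raise ValueError(f"{addr} belongs to no zone")

    def gateway_paths(self, src_zone: str, dst_zone: str) -> List[List[str]]:
        """All simple zone-to-zone paths, each as the ordered list of gateways traversed."""
        found: List[List[str]] = []

        def walk(zone: str, via: List[str], seen: Set[str]) -> None:
            if zone == dst_zone:
                found.append(via)
                return
            for gw_name in self.adjacency[zone]:
                if gw_name in via:
                    continue
                for nxt in self.gateways[gw_name].zones:
                    if nxt not in seen:
                        walk(nxt, via + [gw_name], seen | {nxt})

        walk(src_zone, [], {src_zone})
        return found


def evaluate_query(graph: GatewayZoneGraph, sources: List[str], destinations: List[str],
                   services: List[Service]) -> Set[Tuple[str, str, Service]]:
    """Portion of the query that reaches its destination: a (src, dst, service) triple
    is permitted if, on at least one path, every gateway encountered allows it."""
    permitted: Set[Tuple[str, str, Service]] = set()
    for s_txt in sources:
        s = ip_address(s_txt)
        for d_txt in destinations:
            d = ip_address(d_txt)
            paths = graph.gateway_paths(graph.zone_of(s), graph.zone_of(d))
            for svc in services:
                if any(all(graph.gateways[g].permits(s, d, svc) for g in path)
                       for path in paths):
                    permitted.add((s_txt, d_txt, svc))
    return permitted


def build_sample_graph() -> GatewayZoneGraph:
    """Constructed network: internet | fw_outer | dmz | fw_inner | internal."""
    n, any4 = ip_network, ip_network("0.0.0.0/0")
    fw_outer = Gateway("fw_outer", ["internet", "dmz"], [
        Rule(any4, n("192.0.2.10/32"), "tcp", (80, 80), "allow"),      # public web
        Rule(any4, n("192.0.2.10/32"), "tcp", (443, 443), "allow"),
        Rule(any4, any4, "any", (0, 65535), "deny")])
    fw_inner = Gateway("fw_inner", ["dmz", "internal"], [
        Rule(n("192.0.2.10/32"), n("10.0.1.20/32"), "tcp", (5432, 5432), "allow"),  # web -> db
        Rule(n("10.0.0.0/8"), n("192.0.2.0/24"), "tcp", (22, 22), "allow"),         # admin ssh
        Rule(any4, any4, "any", (0, 65535), "deny")])
    zones = {"internet": [n("203.0.113.0/24")], "dmz": [n("192.0.2.0/24")],
             "internal": [n("10.0.0.0/8")]}
    return GatewayZoneGraph(zones, [fw_outer, fw_inner])
```

Asking `evaluate_query(build_sample_graph(), ["203.0.113.5"], ["192.0.2.10", "10.0.1.20"], [("tcp", 80), ("tcp", 5432)])` returns only the web triple: the database service is denied not by `fw_inner` but by `fw_outer`, the first gateway on the path, which is exactly the multi-gateway, topology-aware check the query evaluation in the abstract is about. Real rule-bases also depend on the arriving interface and on NAT, which this model omits.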
89 Citations
29 Claims
1. A method for analyzing at least one gateway in a network, said at least one gateway having a packet filtering configuration file including a plurality of rules, said network having a plurality of addresses, said method comprising the steps of:
- generating a gateway-zone graph that models said network based on said packet filtering configuration file, said gateway-zone graph having at least one gateway node corresponding to said at least one gateway and at least two zone nodes, wherein said at least one gateway is a packet filtering machine and each of said zone nodes correspond to a partitioned collection of said addresses created by said at least one gateway;
- receiving a query inquiring whether one or more given services are permitted between at least one source address and at least one destination address; and
- evaluating said query against each of said rules associated with each gateway node in said gateway-zone graph that is encountered between said at least one source address and said at least one destination address.

(Dependent claims: 2, 3, 4, 5, 6, 7, 8)

9. A method of modeling a network having a plurality of gateway devices, comprising the steps of:
- identifying each gateway device in said network having a packet-filtering rule-base and each zone in said network defined by said gateway devices; and
- generating a gateway-zone graph that models said network based on said packet-filtering rule-base, said gateway-zone graph having a gateway node corresponding to each of said gateway devices and a zone node corresponding to each of said zones.

(Dependent claims: 10, 11)

12. An apparatus for analyzing at least one gateway in a network, said at least one gateway having a packet filtering configuration file including a plurality of packet filtering rules, said network having a plurality of addresses, said tool comprising:
- a user interface for receiving a query inquiring whether one or more given services are permitted between at least one source address and at least one destination address, wherein each of said source addresses and said destination addresses correspond to one of said zones; and
- a user interface for indicating a portion of said one or more given services that are permitted between a portion of said at least one source address and a portion of said at least one destination address, said portions obtained by analyzing a gateway-zone graph that models said network based on said packet filtering configuration file with at least one gateway node corresponding to said at least one gateway and at least two zone nodes, wherein each of said zone nodes correspond to a partitioned collection of said addresses created by said at least one gateway.

(Dependent claims: 13, 14, 15, 16, 17, 18)

19. An apparatus for analyzing at least one gateway in a network, said at least one gateway having a packet filtering configuration file including a plurality of rules, said network having a plurality of addresses, said tool comprising:
- a memory for storing computer readable code; and
- a processor operatively coupled to said memory, said processor configured to:
  - generate a gateway-zone graph that models said network based on said packet filtering configuration file, said gateway-zone graph having at least one gateway node corresponding to said at least one gateway and at least two zone nodes, wherein said at least one gateway is a packet filtering machine and each of said zone nodes correspond to a partitioned collection of said addresses created by said at least one gateway;
  - receive a query inquiring whether one or more given services are permitted between at least one source address and at least one destination address; and
  - evaluate said query against each of said rules associated with each gateway node in said gateway-zone graph that is encountered between said at least one source address and said at least one destination address.

(Dependent claims: 20, 21, 22, 23, 24, 25, 26)

27. A computer readable medium having computer readable program code means embodied thereon, said computer readable program code means analyzing at least one gateway in a network, said at least one gateway having a packet filtering configuration file including a plurality of rules, said network having a plurality of addresses, said computer readable program code means comprising:
- a step to generate a gateway-zone graph that models said network based on said packet filtering configuration file, said gateway-zone graph having at least one gateway node corresponding to said at least one gateway and at least two zone nodes, wherein said at least one gateway is a packet filtering machine and each of said zone nodes correspond to a partitioned collection of said addresses created by said at least one gateway;
- a step to receive a query inquiring whether one or more given services are permitted between at least one source address and at least one destination address; and
- a step to evaluate said query against each of said rules associated with each gateway node in said gateway-zone graph that is encountered between said at least one source address and said at least one destination address.

28. A system for modeling a network, comprising:
- a memory for storing computer readable code; and
- a processor operatively coupled to said memory, said processor configured to:
  - identify each gateway device in said network having a packet-filtering rule-base and each zone in said network defined by said gateway devices; and
  - generate a gateway-zone graph that models said network based on said packet-filtering rule-base, said gateway-zone graph having a gateway node corresponding to each of said gateway devices and a zone node corresponding to each of said zones.

29. A computer readable medium having computer readable program code means embodied thereon, said computer readable program code means comprising:
- a step to identify each gateway device in a network having a packet-filtering rule-base and each zone in said network defined by said gateway devices; and
- a step to generate a gateway-zone graph that models said network based on said packet-filtering rule-base, said gateway-zone graph having a gateway node corresponding to each of said gateway devices and a zone node corresponding to each of said zones.
Specification