| Title: | An Automated Framework for Validating Firewall Policy Enforcement |
| Authors: | Adel El-Atawy, Taghrid Samak, Zein Wali, Ehab Al-Shaer, Sheng Li |
| Abstract: | The implementation of
network security devices such as firewalls and IDSs are constantly being
improved to accommodate higher security and performance standards. Using
reliable and yet practical techniques for testing the functionality of
firewall devices particularly after new filtering implementation or
optimization becomes necessary to assure proven security. Generating
random traffic to test the functionality of firewall matching is
inefficient and inaccurate as it requires an exponential number of test
cases for a reasonable coverage. In addition, in most cases the policies
used during testing are limited and manually generated representing
fixed policy profiles. In this paper, we present a framework for automatic testing of the firewall policy enforcement or implementation using efficient random traffic and policy generation techniques. Our framework is a two-stage architecture that provides a satisfying coverage of the firewall operational states. A large variety of policies are randomly generated according to custom profiles and also based on the grammar of the access control list. Testing packets are then generated intelligently and proportional to the critical regions of the generated policies to validate the firewall enforcement for such policies. We describe our implementation of the framework based on Cisco IOS, which includes the policy generation, test cases generation, capturing and analyzing firewall output, and creating detailed test reports. Our evaluation results show that the automated security testing is not only achievable but it also offers a dramatically higher degree of confidence than random or manual testing. |
| Keywords: | Information architecture, card sorting, web navigation, evaluation methods |
| Full Paper: | [postscript, pdf] |