An expert system for analyzing firewall rules

2001 
When deploying firewalls in an organization, it is essential to verify that the firewalls are configured properly. The problem of finding out what a given firewall configuration does arises, for instance, when a new network administrator takes over or when a third party performs a technical security audit for the organization. While the problem can be approached via testing, non-intrusive techniques are often preferred. Existing tools for analyzing firewall configurations usually rely on hard-coded algorithms for analyzing access lists. In this paper we present a tool based on constraint logic programming (CLP) which allows the user to write higher-level operations, e.g. for detecting common configuration mistakes. Our tool understands Cisco router access lists and is implemented in Eclipse, a constraint logic programming language. The problem of analyzing firewall configurations lends itself quite naturally to an expert-system approach. We found it surprisingly easy to express knowledge on networking, firewalls and common configuration mistakes as logic statements. Using an existing generic inference engine allowed us to focus on defining the core concepts and relationships in the knowledge base.
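As an added illustration, not the paper's CLP tool, the following Python sketch encodes Cisco extended access-list entries as per-field match constraints and checks one common configuration mistake the abstract alludes to: an entry that an earlier entry already covers, so it can never take effect. The ACL is a constructed sample and the entry grammar is simplified (no port ranges, no `established`).

```python
import ipaddress
# Constructed sample ACL (not from the paper). Entry 3 is shadowed by entry 1
# (opposite action, so it never takes effect); entry 4 repeats entry 2.
SAMPLE_ACL = """
access-list 101 deny tcp 10.0.0.0 0.0.0.255 any eq 80
access-list 101 permit udp any host 198.51.100.53 eq 53
access-list 101 permit tcp 10.0.0.0 0.0.0.15 any eq 80
access-list 101 permit udp any host 198.51.100.53 eq 53
access-list 101 deny ip any any
""".strip()

def _addr(tokens):
    """Consume one address spec ('any', 'host X' or 'X wildcard') -> (net, fixed-bit mask)."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0                                   # no fixed bits: every address matches
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0xFFFFFFFF
    mask = ~int(ipaddress.IPv4Address(tokens.pop(0))) & 0xFFFFFFFF  # wildcard bits are "don't care"
    return int(ipaddress.IPv4Address(tok)) & mask, mask

def parse_ace(line):
    """Parse one Cisco extended ACL entry into its matching constraints."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(line)
    ace, rest = {"action": t[2], "proto": t[3]}, t[4:]
    ace["src"], ace["dst"] = _addr(rest), _addr(rest)
    ace["port"] = int(rest[1]) if rest[:1] == ["eq"] else None   # None: any port
    return ace

def covers_addr(a, b):
    """True if every address matching spec b also matches spec a."""
    return (a[1] & b[1]) == a[1] and (b[0] & a[1]) == a[0]

def covers(a, b):
    """True if entry a matches every packet that entry b matches."""
    return (a["proto"] in ("ip", b["proto"]) and covers_addr(a["src"], b["src"])
            and covers_addr(a["dst"], b["dst"]) and a["port"] in (None, b["port"]))

def find_dead_rules(acl_text):
    """Return (entry, covering entry, kind) for entries that can never fire."""
    aces = [parse_ace(l) for l in acl_text.splitlines() if l.strip()]
    findings = []
    for i, later in enumerate(aces):
        for j in range(i):                                # only earlier entries matter
            if covers(aces[j], later):
                kind = "redundant" if aces[j]["action"] == later["action"] else "shadowed"
                findings.append((i + 1, j + 1, kind))
                break
    return findings
```

The same per-field coverage test is what a CLP engine would express declaratively as constraints over address, protocol and port domains; here it is hard-coded for readability.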