June 2004 (Vol. 37, No. 6)
pp. 62-67
A Quantitative Study of Firewall Configuration Errors
Avishai Wool, Tel Aviv University
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MC.2004.2
Abstract
Firewalls are the cornerstone of corporate intranet security, yet network security experts generally consider them to be poorly configured. This assessment is indirectly affirmed by the success of recent worms and viruses like Blaster and Sapphire, which a well-configured firewall could easily have blocked.
A study of real configuration files, or rule sets, for a variety of corporate firewalls establishes a quality measure based on "misconfigurations" that violate established best practices. The study correlates the quality measure with other factors, specifically the operating system on which the firewall runs, the firewall's software version, and rule-set complexity. The results clearly show that corporate firewalls are often enforcing poorly written rule sets; they also offer some useful observations for improving rule-set quality.
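One way to turn the abstract's idea of a best-practice quality measure into a runnable check, as an added example that is not from the paper: a small linter that scores a constructed rule set by counting violations. The three checks, the zone vocabulary and the rule-count complexity proxy are assumptions made for this example, not the paper's own list of misconfigurations or its complexity measure.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: str       # zone: "internet", "dmz", "internal", or "any" (assumed vocabulary)
    dst: str       # zone, same vocabulary
    service: str   # "http", "smtp", "netbios", "telnet", ... or "any"
    action: str    # "allow" or "deny"

# Each check returns one description per rule it flags. The checks are
# illustrative assumptions for this example, not the paper's list.
def inbound_any_service(rules):
    return [f"rule {i}: '{r.src}' -> '{r.dst}' allows ANY service inbound"
            for i, r in enumerate(rules)
            if r.action == "allow" and r.src in ("internet", "any")
            and r.dst != "internet" and r.service == "any"]

def inbound_risky_service(rules, risky=("netbios", "telnet")):
    return [f"rule {i}: {r.service} allowed in from '{r.src}'"
            for i, r in enumerate(rules)
            if r.action == "allow" and r.src in ("internet", "any")
            and r.dst != "internet" and r.service in risky]

def missing_cleanup_rule(rules):
    # Best practice: the rule set ends with an explicit deny-all rule.
    last = rules[-1] if rules else None
    if last and last.action == "deny" and (last.src, last.dst, last.service) == ("any", "any", "any"):
        return []
    return ["rule set does not end with an explicit deny-all cleanup rule"]

def score_ruleset(rules):
    """Quality = number of flagged violations (lower is better);
    complexity = rule count, a deliberately simple proxy (assumption)."""
    findings = inbound_any_service(rules) + inbound_risky_service(rules) + missing_cleanup_rule(rules)
    return {"violations": len(findings), "complexity": len(rules), "findings": findings}

# Constructed sample rule set, not a real configuration.
SAMPLE = [
    Rule("internet", "dmz", "http", "allow"),
    Rule("internet", "dmz", "any", "allow"),           # flagged: ANY service inbound
    Rule("internet", "internal", "netbios", "allow"),  # flagged: NetBIOS from the Internet
    Rule("internal", "internet", "any", "allow"),      # outbound; not examined by these checks
    Rule("any", "any", "any", "deny"),                 # cleanup rule present
]

if __name__ == "__main__":
    result = score_ruleset(SAMPLE)
    print(f"{result['violations']} violation(s), {result['complexity']} rules")
    for line in result["findings"]:
        print(" -", line)
```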
Additional Information

Citation: Avishai Wool, "A Quantitative Study of Firewall Configuration Errors," Computer, vol. 37, no. 6, pp. 62-67, Jun. 2004.