Automated pseudo-live testing of firewall configuration enforcement

Ehab Al-Shaer; Adel El-Atawy; Taghrid Samak

doi:10.1109/JSAC.2009.090406

Automated pseudo-live testing of firewall configuration enforcement

Ehab Al-Shaer^*
, Adel El-Atawy
, Taghrid Samak

^*Corresponding author for this work

Research output: Contribution to journal › Article › peer-review

32 Scopus citations

Abstract

Network security devices such as firewalls and intrusion detection systems are constantly updated in their implementation to accommodate new features, performance standards and to utilize new hardware optimization. Reliable, yet practical, testing techniques for validating the configuration enforcement after every new software and firmware update become necessary to assure correct configuration realization. Generating random traffic to test the firewall configuration enforcement is not only inaccurate but also impractical as it requires an infeasible number of test cases for a reasonable testing coverage. In addition, in most cases the policies used during testing are manually generated or have limited configuration profiles. We present a framework for automatic testing of the firewall configuration enforcement using efficient and flexible policy and traffic generation. In a typical test session, a large set of different policies are generated based on the access-control list (ACL) grammar and according to custom profiles. Test packets are generated to particularly consider critical segments of the tested policies and to achieve high coverage of the testing space. We also describe our implementation of a fully-automated framework, which includes ACL grammar modeling, the policy generation, test cases generation, capturing and analyzing firewall output, and creating detailed test reports. Our evaluation results show that our security configuration testing is not only achievable but it also offers high coverage with significant degree of confidence.

Original language	English
Article number	4808474
Pages (from-to)	302-314
Number of pages	13
Journal	IEEE Journal on Selected Areas in Communications
Volume	27
Issue number	3
DOIs	https://doi.org/10.1109/JSAC.2009.090406
State	Published - Apr 2009
Externally published	Yes

Bibliographical note

Funding Information:
Manuscript received 11 April 2008; revised 15 November 2008. This research was supported in part by National Science Foundation under Grant No. CNS-0834686 and Cisco. Any opinions, findings, conclusions or recommendations stated in this material are those of the authors and do not necessarily reflect the views of the funding sources.

Keywords

Automated security analysis
Firewall testing
Policy enforcement validation
Policy generation
Security configuration testing
Security evaluation
network security

ASJC Scopus subject areas

Computer Networks and Communications
Electrical and Electronic Engineering

Access to Document

10.1109/JSAC.2009.090406

Cite this

@article{a30b07e27455433a9756e650ce10c42a,

title = "Automated pseudo-live testing of firewall configuration enforcement",

abstract = "Network security devices such as firewalls and intrusion detection systems are constantly updated in their implementation to accommodate new features, performance standards and to utilize new hardware optimization. Reliable, yet practical, testing techniques for validating the configuration enforcement after every new software and firmware update become necessary to assure correct configuration realization. Generating random traffic to test the firewall configuration enforcement is not only inaccurate but also impractical as it requires an infeasible number of test cases for a reasonable testing coverage. In addition, in most cases the policies used during testing are manually generated or have limited configuration profiles. We present a framework for automatic testing of the firewall configuration enforcement using efficient and flexible policy and traffic generation. In a typical test session, a large set of different policies are generated based on the access-control list (ACL) grammar and according to custom profiles. Test packets are generated to particularly consider critical segments of the tested policies and to achieve high coverage of the testing space. We also describe our implementation of a fully-automated framework, which includes ACL grammar modeling, the policy generation, test cases generation, capturing and analyzing firewall output, and creating detailed test reports. Our evaluation results show that our security configuration testing is not only achievable but it also offers high coverage with significant degree of confidence.",

keywords = "Automated security analysis, Firewall testing, Policy enforcement validation, Policy generation, Security configuration testing, Security evaluation, network security",

author = "Ehab Al-Shaer and Adel El-Atawy and Taghrid Samak",

note = "Funding Information: Manuscript received 11 April 2008; revised 15 November 2008. This research was supported in part by National Science Foundation under Grant No. CNS-0834686 and Cisco. Any opinions, findings, conclusions or recommendations stated in this material are those of the authors and do not necessarily reflect the views of the funding sources.",

year = "2009",

month = apr,

doi = "10.1109/JSAC.2009.090406",

language = "English",

volume = "27",

pages = "302--314",

journal = "IEEE Journal on Selected Areas in Communications",

issn = "0733-8716",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

number = "3",

}

TY - JOUR

T1 - Automated pseudo-live testing of firewall configuration enforcement

AU - Al-Shaer, Ehab

AU - El-Atawy, Adel

AU - Samak, Taghrid

N1 - Funding Information: Manuscript received 11 April 2008; revised 15 November 2008. This research was supported in part by National Science Foundation under Grant No. CNS-0834686 and Cisco. Any opinions, findings, conclusions or recommendations stated in this material are those of the authors and do not necessarily reflect the views of the funding sources.

PY - 2009/4

Y1 - 2009/4

N2 - Network security devices such as firewalls and intrusion detection systems are constantly updated in their implementation to accommodate new features, performance standards and to utilize new hardware optimization. Reliable, yet practical, testing techniques for validating the configuration enforcement after every new software and firmware update become necessary to assure correct configuration realization. Generating random traffic to test the firewall configuration enforcement is not only inaccurate but also impractical as it requires an infeasible number of test cases for a reasonable testing coverage. In addition, in most cases the policies used during testing are manually generated or have limited configuration profiles. We present a framework for automatic testing of the firewall configuration enforcement using efficient and flexible policy and traffic generation. In a typical test session, a large set of different policies are generated based on the access-control list (ACL) grammar and according to custom profiles. Test packets are generated to particularly consider critical segments of the tested policies and to achieve high coverage of the testing space. We also describe our implementation of a fully-automated framework, which includes ACL grammar modeling, the policy generation, test cases generation, capturing and analyzing firewall output, and creating detailed test reports. Our evaluation results show that our security configuration testing is not only achievable but it also offers high coverage with significant degree of confidence.

AB - Network security devices such as firewalls and intrusion detection systems are constantly updated in their implementation to accommodate new features, performance standards and to utilize new hardware optimization. Reliable, yet practical, testing techniques for validating the configuration enforcement after every new software and firmware update become necessary to assure correct configuration realization. Generating random traffic to test the firewall configuration enforcement is not only inaccurate but also impractical as it requires an infeasible number of test cases for a reasonable testing coverage. In addition, in most cases the policies used during testing are manually generated or have limited configuration profiles. We present a framework for automatic testing of the firewall configuration enforcement using efficient and flexible policy and traffic generation. In a typical test session, a large set of different policies are generated based on the access-control list (ACL) grammar and according to custom profiles. Test packets are generated to particularly consider critical segments of the tested policies and to achieve high coverage of the testing space. We also describe our implementation of a fully-automated framework, which includes ACL grammar modeling, the policy generation, test cases generation, capturing and analyzing firewall output, and creating detailed test reports. Our evaluation results show that our security configuration testing is not only achievable but it also offers high coverage with significant degree of confidence.

KW - Automated security analysis

KW - Firewall testing

KW - Policy enforcement validation

KW - Policy generation

KW - Security configuration testing

KW - Security evaluation

KW - network security

UR - https://www.scopus.com/pages/publications/64249084113

U2 - 10.1109/JSAC.2009.090406

DO - 10.1109/JSAC.2009.090406

M3 - Article

AN - SCOPUS:64249084113

SN - 0733-8716

VL - 27

SP - 302

EP - 314

JO - IEEE Journal on Selected Areas in Communications

JF - IEEE Journal on Selected Areas in Communications

IS - 3

M1 - 4808474

ER -

Automated pseudo-live testing of firewall configuration enforcement

Abstract

Bibliographical note

Keywords

ASJC Scopus subject areas

Access to Document

Fingerprint

Cite this