Fang: A firewall analysis engine

Alain Mayer, Avishai Wool, Elisha Ziskind

Research output: Contribution to journalArticlepeer-review


Today, even a moderately sized corporate intranet contains multiple firewalls and routers, which are all used to enforce various aspects of the global corporate security policy. Configuring these devices to work in unison is difficult, especially if they are made by different vendors. Even testing or reverse-engineering an existing configuration (say, when a new security administrator takes over) is hard. Firewall configuration files are written in low-level formalisms, whose readability is comparable to assembly code, and the global policy is spread over all the firewalls that are involved. To alleviate some of these difficulties, we designed and implemented a novel firewall analysis tool. Our software allows the administrator to easily discover and test the global firewall policy (either a deployed policy or a planned one). Our tool uses a minimal description of the network topology, and directly parses the various vendor-specific low-level configuration files. It interacts with the user through a query-and-answer session, which is conducted at a much higher level of abstraction. A typical question our tool can answer is 'from which machines can our DMZ be reached, and with which services?'. Thus, our tool complements existing vulnerability analysis tools, as it can be used before a policy is actually deployed, it operates on a more understandable level of abstraction, and it deals with all the firewalls at once.

Original languageEnglish
Pages (from-to)177-187
Number of pages11
JournalProceedings of the IEEE Computer Society Symposium on Research in Security and Privacy
StatePublished - 2000
Externally publishedYes


Dive into the research topics of 'Fang: A firewall analysis engine'. Together they form a unique fingerprint.

Cite this