The Community for Technology Leaders
Policies for Distributed Systems and Networks, IEEE International Workshop on (2007)
Bologna, Italy
June 13, 2007 to June 15, 2007
ISBN: 0-7695-2767-1
pp: 151-160
Adel El-Atawy , DePaul University, USA
Taghrid Samak , DePaul University, USA
Zein Wali , DePaul University, USA
Ehab Al-Shaer , DePaul University, USA
Frank Lin , Cisco, California, USA
Christopher Pham , Cisco, California, USA
Sheng Li , Cisco, California, USA
The implementation of network security devices such as firewalls and IDSs are constantly being improved to accommodate higher security and performance standards. Using reliable and yet practical techniques for testing the functionality of firewall devices particularly after new filtering implementation or optimization becomes necessary to assure required security. Generating random traffic to test the functionality of firewall matching is inefficient and inaccurate as it requires an exponential number of test cases for a reasonable coverage. In addition, in most cases the policies used during testing are limited and manually generated representing fixed policy profiles. <p>In this paper, we present a framework for automatic testing of the firewall policy enforcement or implementation using efficient random traffic and policy generation techniques. Our framework is a two-stage architecture that provides a satisfying coverage of the firewall operational states. A large variety of policies are randomly generated according to custom profiles and also based on the grammar of the access control list. Testing packets are then generated intelligently and proportional to the critical regions of the generated policies to validate the firewall enforcement for such policies. We describe our implementation of the framework based on Cisco IOS, which includes the policy generation, test cases generation, capturing and analyzing firewall output, and creating detailed test reports. Our evaluation results show that the automated security testing is not only achievable but it also offers a dramatically higher degree of confidence than random or manual testing.</p>

Z. Wali et al., "An Automated Framework for Validating Firewall Policy Enforcement," Eighth IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY'07)(POLICY), Bologna, 2007, pp. 151-160.
96 ms
(Ver 3.3 (11022016))