Abstract
Firewalls are widely used to protect networks from unauthorised access. To ensure that they implement an organisation’s security policy correctly, they need to be tested. We present an approach that addresses this problem. Namely, we show how an organisation’s network security policy can be formally specified in a high-level way, and how this specification can be used to automatically generate test cases to test a deployed system. In contrast to other firewall testing methodologies, such as penetration testing, our approach tests conformance to a specified policy. Our test cases are organisation-specific — i.e. they depend on the security requirements and on the network topology of an organisation — and can uncover errors both in the firewall products themselves and in their configuration.
This work was partially supported by armasuisse. It represents the views of the authors.
Copyright information
© 2005 IFIP International Federation for Information Processing
Cite this paper
Senn, D., Basin, D., Caronni, G. (2005). Firewall Conformance Testing. In: Khendek, F., Dssouli, R. (eds) Testing of Communicating Systems. TestCom 2005. Lecture Notes in Computer Science, vol 3502. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11430230_16
DOI: https://doi.org/10.1007/11430230_16
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-26054-7
Online ISBN: 978-3-540-32076-0