Automatic detection of firewall misconfigurations using firewall and network routing policies

Firewalls are the most prevalent and important means of enforcing security policies inside networks and across organizational boundaries. However, effective and fault free firewall management in large and fast growing networks becomes increasingly more challenging. Firewall security policies are complex and their interaction with routing policies and applications further complicates policy configurations. It is often that routing is ignored in firewall management. Configuration problems can occur in a device or multiple devices along several network paths that change over time according to routing. We present an application, Prometheus, which implements mechanisms for automatic detection of firewall configuration problems that are extremely difficult to resolve manually. In addition to firewall configurations, Prometheus incorporates and analyzes dynamic routing information. We believe that the routing information is critical to obtain the complete view of the network and cannot be ignored for firewall configurations. We test Prometheus in a large production network and report its effectiveness. Prometheus is currently being deployed in the production network.