Firewall Policy Query Language for Behavior Analysis

Firewalls are one of the most important devices used in network security today. Their primary goal is to provide protections between parties that only wish to communicate over an explicit set of channels, expressed through protocols. These channels are implemented and described in a firewall using a set of rules, collectively referred to as a firewall policy. However, understanding the policy that a particular firewall is enforcing has become increasingly difficult. Many industry forces are converging that cause managing these devices to be much more complex than the premise of rules suggest. Recently work has been done modeling a firewall policy in a concise and efficient data structure referred to as a Firewall Policy Diagram (FPD). The structure facilitates the canonical representation of a policy as well as human comprehension of the policy. This work builds on top of the data structure to provide a language for asking the data structure questions about the space that is represented in a policy, either the accepted, denied, or remaining traffic. Firewall Policy Query Language (FPQL) is a language loosely modeled after the Structured Query Language often seen related to database systems and relational algebra. It essentially provides a group of set mathematics based operators for deriving knowledge from a very large solution space. This work seeks to provide a simple, yet powerful, query language that is useful for human comprehension of a firewall policy as represented by an FPD.