DOI: 10.1145/2379690.2379691
research-article

Visual analysis of complex firewall configurations

Published: 15 October 2012

ABSTRACT

Firewalls have become essential components in the security concept of almost any modern computer network. Due to their relevance and central location in the network, their programming logic often survives several generations of administrators and hardware. Understanding the logic behind a firewall configuration is thus an important but challenging task for a network administrator. In general, there is a tendency to add new rules while old rules are only rarely changed or removed due to unexpected consequences in the network. In this paper we present a visualization tool to support the network administrator in this complex task of understanding firewall rule sets and object group definitions. The tool consists of a hierarchical sunburst visualization, which logically groups rules or object groups according to their common characteristics, a color-linked configuration editor and classical tree view components for rules and object groups. All these components are interactively linked to enable both exploratory and hypotheses testing tasks aimed at understanding the complex functionality of a firewall configuration. To verify our design, we present two case studies on the analysis of rule usage and on nested object groups and collected feedback from five firewall administrators.

          Published in

          VizSec '12: Proceedings of the Ninth International Symposium on Visualization for Cyber Security
          October 2012
          101 pages
          ISBN: 9781450314138
          DOI: 10.1145/2379690

          Copyright © 2012 ACM

          Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

          Publisher

          Association for Computing Machinery

          New York, NY, United States

          Acceptance Rates

          Overall Acceptance Rate: 39 of 111 submissions, 35%
