CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Hello all,

I am looking for old or unusual firewall files that could be published for use in my part-time study for a doctorate in Computer Science. Barry Stiefel suggested that the members might have some data to contribute.

My research involves applying multi-dimensional information visualization techniques to the comprehension and management of firewall rulesets. My adviser is Professor Georges Grinstein of the Institute for Visualization and Perception Research, Computer Science Dept., Univ. of Massachusetts/Lowell. There is no prior published work on this particular topic.

My initial surveys of the field suggest that the primary approach to editing rulesets is essentially based on text-editing capabilities (from the info visualization perspective, a spreadsheet-like table with visual symbols for services or accept/deny is essentially a text-editor). That drives me nuts. The human visual cortex is one of the most powerful and massively parallel processing setups in nature, and the highest bandwidth channel into the human brain. Using a text representation is the lowest efficiency use of that channel. I want to change that so that people can look at a firewall (well, a representation of a firewall) and go "Yes, that's it!" or "What the heck is that?" in very short time frames (seconds and minutes, not hours).

Given the state of research effort to date, the research is in a very early or immature stage, dealing with highly limited/abstracted forms of firewalls. Specifically, firewall rules are treated as objects (six-tuples) that compare packet header fields to an interval in each of five dimensions, and when a match is achieved, the corresponding action is taken. (Note that in the abstracted research version of rulesets that I am working with, the distinction between a dynamic packet firewall and a router with an access control list essentially disappears.)

The five dimensions are: source address; destination address; source port; destination port; and protocol number. At this point, the rules are stateless, making no use of historical information regarding packet flows. This is admittedly a very primitive view of firewalls/ACLs, but one solves the simpler problems first. In this case, a five- or six-dimensional visualization problem.

This view of firewalls is very primitive compared to what a user currently sees at the administrator end of a Checkpoint-1 firewall. Nonetheless, proposed visual approaches must meet the needs of a user community. You are, collectively, a community of users. I am soliciting the community for:

1) Examples of real firewall rulesets that could be published (perhaps because the organization no longer exists, or has completely reconfigured its topology and connectedness).
2) Examples of specific debugging incidents where an obscure or non-obvious rule, or an unintended interaction between rules, created a problem.
3) Educational examples of how to meet more complex configuration and protection goals.

My purpose is to use this material to summarize user tasks and concerns. In turn, user tasks and concerns act as a basis for building visualizations that might transform the task of configuring firewalls.

So what have you got that is unusual, obnoxious, or difficult? And that we can find a way to anonymize enough so you will be comfortable if it is published?

Shaun P. Morrissey
smorriss (at) cs.uml.edu
__________________
"Discovery consists of seeing what everybody has seen, and thinking what nobody has thought." Albert Szent-Györgyi
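The abstract rule model described in the post (five intervals plus an action, stateless), written out as an added example that is not part of the original post or the author's research code. It assumes first-match evaluation and inclusive integer intervals; the names `Rule`, `decide` and `hidden_rules` and the sample ruleset are hypothetical. It also flags one kind of unintended rule interaction: a rule that can never fire because a single earlier rule covers it in all five dimensions.

```python
import ipaddress
from dataclasses import dataclass

def net(cidr):
    """CIDR block -> inclusive integer interval (low, high)."""
    n = ipaddress.ip_network(cidr)
    return (int(n.network_address), int(n.broadcast_address))

def ip(addr):
    return int(ipaddress.ip_address(addr))

@dataclass(frozen=True)
class Rule:  # the six-tuple: five intervals and an action
    name: str
    src: tuple
    dst: tuple
    sport: tuple
    dport: tuple
    proto: tuple
    action: str

    def box(self):
        return (self.src, self.dst, self.sport, self.dport, self.proto)

def decide(rules, packet, default="deny"):
    """First-match evaluation (an assumption); packet is a 5-tuple of ints."""
    for r in rules:
        if all(lo <= v <= hi for v, (lo, hi) in zip(packet, r.box())):
            return r.action
    return default

def hidden_rules(rules):
    """Rules whose 5-D box lies wholly inside one earlier rule's box.
    'shadowed' = actions differ, 'redundant' = same action.
    Coverage by a union of several earlier rules is not detected."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if all(elo <= llo and lhi <= ehi
                   for (elo, ehi), (llo, lhi) in zip(earlier.box(), later.box())):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                found.append((later.name, earlier.name, kind))
                break
    return found

ANY_PORT, TCP, UDP = (0, 65535), (6, 6), (17, 17)
# Constructed sample ruleset (documentation address ranges), not real data.
RULES = [
    Rule("deny-lab", net("10.1.0.0/16"), net("0.0.0.0/0"), ANY_PORT, ANY_PORT, TCP, "deny"),
    Rule("allow-lab-web", net("10.1.2.0/24"), net("192.0.2.10/32"), ANY_PORT, (443, 443), TCP, "accept"),
    Rule("allow-dns", net("10.0.0.0/8"), net("192.0.2.53/32"), ANY_PORT, (53, 53), UDP, "accept"),
]
```

In the sample, `allow-lab-web` reads as if it permits HTTPS from the lab subnet, but `deny-lab` matches every such packet first, so the later rule is dead.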