This is a discussion on Re: [fw-wiz] Security policy language - Firewalls ; > > The closest I've seen anyone get is Avishai Wool's firewall rules parser. > It's been a couple of years, so I can't speak for its condition now, but at > the time I looked at it it was ...
> The closest I've seen anyone get is Avishai Wool's firewall rules parser.
> It's been a couple of years, so I can't speak for its condition now, but at
> the time I looked at it it was the nearest thing I'd ever seen to a tool for
> comparing firewall security configurations across multiple devices and
> (eventually) multiple firewall vendors.
FYI, the technology is available and actively developed
It's still focused on just the firewall - we don't claim to solve all security
problems with one piece of software... So, we don't look at, e.g., the database
access control in the back-end system, or at human processes, or
IMHO, Firewalls offer rather rich configuration
languages - rich enough for many organizations to get royally messed up -
but are still structured enough so an automatic system can understand
the policy and check it for gross errors and sloppy details. across multiple
vendors and for all levels of rule complexity.
I think the original poster was more interested in the "Firmato" system we did
back in Bell Labs in 1998, which was a firewall rule compiler that had a
rather high-level specification language (separate policy from network
you could actually write a single generic policy and apply it to
with different numbers of interfaces, and different vendors!). It also was a
flat-text-file language - you could write multi-line comments wherever
you wanted, not just in the Comments field in a point-and-click GUI
Tom Limoncelli actually
used it to configure the Bell Labs operational firewall for a few
months, which I
always thought was pretty cool. That project
didn't go too far commercially - read our TOCS paper for a historical
and tech details - available from
The original poster is exactly right that we invented an "ad hoc language" using
bison and flex. Sure did. But the syntax, and tools, are mostly irrelevant. The
_concepts_ and _algorithms_ are the important part. You could use the same
concepts and format them in XML or whatever meta-syntax-du-jour you go for
these days ...
> But that's a *long* way from a "security policy language." It's a poorly
> defined goal: it incorporates machines, networks, workflow, business
> practices *and* political maneuvering all in one big bowl o' muck.
yeah, sure - but if you start with such a tall order, the likely outcome is
futile frustration (or a $50BN government project overrun 10 years
past its projected
deadline :-). I prefer to aim lower, to something challenging, but still
Avishai Wool, Ph.D.,
Chief Technical Officer, Algorithmic Security Inc.
******* Firewall Management Made Smarter *******
firewall-wizards mailing list