Firmato: A Novel Firewall Management Toolkit
01 January 1999
In recent years firewalls have seen some impressive technological advances (e.g., stateful inspection, transparency, performance) and widespread deployment. In contrast, firewall and security management technology is lacking. In this paper we present Firmato, a firewall management toolkit, with the following distinguishing properties and components: 1) an entity-relationship model containing, in a unified form, global knowledge of the security policy and of the network topology; 2) a model definition language, which we use as an interface to define an instance of the entity-relationship model; 3) a model compiler, translating the global knowledge of the model into firewall-specific configuration files; and 4) a graphical firewall rule illustrator. We demonstrate Firmato's capabilities on a realistic example, thus showing that firewall management can be done successfully at an appropriate level of abstraction. We implemented our toolkit to work with a commercially available firewall product. We believe that our approach is an important step towards streamlining the process of configuring and managing firewalls, especially in complex, multi-firewall installations.
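To make the compile step concrete, here is an added illustration (not Firmato's own model definition language or compiler) of the idea in the abstract: a single global model holding both the policy and the topology, from which per-firewall rule lists are derived. All zone, host, firewall and service names are constructed assumptions; the point shown is that one policy entry can fan out into rules on several firewalls, with a default deny appended on each.

```python
from collections import deque

# Constructed model, not Firmato's MDL: hosts are placed in zones, firewalls join zones,
# and the policy is stated once, globally, as (source group, destination group, service).
HOSTS = {"any_ext": ("internet", "0.0.0.0/0"),
         "www": ("dmz", "10.1.0.10"),
         "mail": ("dmz", "10.1.0.20"),
         "db": ("internal", "10.2.0.5"),
         "staff": ("internal", "10.2.0.0/24")}
# Topology: each firewall has an interface into every zone it joins (assumed layout).
FIREWALLS = {"fw_edge": ["internet", "dmz"], "fw_core": ["dmz", "internal"]}
# Global policy; anything not listed is denied on every firewall.
POLICY = [("any_ext", "www", "http"), ("www", "db", "sql"),
          ("staff", "any_ext", "http"), ("any_ext", "mail", "smtp")]

def zone_path(src_zone, dst_zone):
    """BFS over the zone graph; returns the ordered list of firewalls traversed."""
    adj = {}
    for fw, zones in FIREWALLS.items():
        for a in zones:
            for b in zones:
                if a != b:
                    adj.setdefault(a, []).append((b, fw))
    queue, seen = deque([(src_zone, [])]), {src_zone}
    while queue:
        zone, fws = queue.popleft()
        if zone == dst_zone:
            return fws          # empty list means same-zone traffic: no firewall involved
        for nxt, fw in adj.get(zone, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, fws + [fw]))
    raise ValueError(f"topology has no path from {src_zone} to {dst_zone}")

def compile_rules():
    """Translate the global policy into an ordered rule list per firewall."""
    rules = {fw: [] for fw in FIREWALLS}
    for src, dst, svc in POLICY:
        src_zone, src_addr = HOSTS[src]
        dst_zone, dst_addr = HOSTS[dst]
        # Every firewall on the path between the two zones must accept the flow.
        for fw in zone_path(src_zone, dst_zone):
            rule = ("accept", src_addr, dst_addr, svc)
            if rule not in rules[fw]:
                rules[fw].append(rule)
    for fw in rules:   # default deny closes every generated rule base
        rules[fw].append(("drop", "0.0.0.0/0", "0.0.0.0/0", "any"))
    return rules
```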