Analysis of Firewall Configuration using an Ontology Engineering Approach

Paper Title: Analysis of Firewall Configuration using an Ontology Engineering Approach

Authors: William M. Fitzgerald, Simon N. Foley

Abstract: Firewalls provide important points of demarcation between networks of different levels of trust. They do so by controlling traffic flow to and from network resources in accordance with the network security policy. A significant challenge in providing security for network resources is attaining a degree of confidence that a firewall configuration adequately addresses the (security) threats. A misconfiguration may result in a threat of unapproved access or the denial of approved access to network resources. In practice, firewall configurations typically span multiple subnets and run to many thousands of access control rules, and such complexity may increase the likelihood of misconfiguration. This paper explores the effectiveness of an ontology-based framework to model, query and reason over firewall configurations.
Submission type: Full Paper

Responsible editor: Krzysztof Janowicz

Decision/Status: Awaiting Decision