Abdullah Al Farooq (Wentworth Institute of Technology), Tanvir Rahman Akash (Trine University), Manash Sarker (Patuakhali Science and Technology University)
Firewall rule misconfigurations is a very-well known challenge in network security management. It often leads to unintended access control behavior, storage misuse, unnecessary management overhead, and performance degradation. Existing approaches primarily rely on static rule analysis and are limited in their ability to explain how misconfigurations manifest during actual firewall execution. In this paper, we propose a provenance-based method for detecting firewall rule misconfigurations by reconstructing causal relationships between network traffic, firewall rules, and filtering decisions using firewall logs. Our methodology enables the systematic detection of well-acknowledged firewall misconfigurations, including shadowing, redundancy, generalization, specialization, and correlation. To ensure completeness and soundness, we formally specify the provenance model and prove key structural properties, including acyclicity, using the F* verification framework.
We evaluate our approach on an OPNsense firewall with some misconfigured rule sets and demonstrate that it detects all conflicts with negligible runtime and storage overhead. The results show that data provenance provides an effective and viable method for analyzing firewall misconfigurations.