Abdullah Al Farooq (Wentworth Institute of Technology), Tanvir Rahman Akash (Trine University), Manash Sarker (Patuakhali Science and Technology University)

Firewall rule misconfigurations is a very-well known challenge in network security management. It often leads to unintended access control behavior, storage misuse, unnecessary management overhead, and performance degradation. Existing approaches primarily rely on static rule analysis and are limited in their ability to explain how misconfigurations manifest during actual firewall execution. In this paper, we propose a provenance-based method for detecting firewall rule misconfigurations by reconstructing causal relationships between network traffic, firewall rules, and filtering decisions using firewall logs. Our methodology enables the systematic detection of well-acknowledged firewall misconfigurations, including shadowing, redundancy, generalization, specialization, and correlation. To ensure completeness and soundness, we formally specify the provenance model and prove key structural properties, including acyclicity, using the F* verification framework.

We evaluate our approach on an OPNsense firewall with some misconfigured rule sets and demonstrate that it detects all conflicts with negligible runtime and storage overhead. The results show that data provenance provides an effective and viable method for analyzing firewall misconfigurations.

View More Papers

Tutorial: Introducing the Carbanak Attack Engagement, Version 2

Akul Goyal (University of Illinois at Urbana-Champaign), Saurav Chittal (Purdue University), Dylen Greenenwald, and Adam Bates (University of Illinois at Urbana-Champaign)

Read More

From Scam to Safety: Participatory Design of Digital Privacy...

Sarah Tabassum (University of North Carolina at Charlotte, USA), Narges Zare (University of North Carolina at Charlotte, USA), Cori Faklaris(University of North Carolina at Charlotte, USA)

Read More

Position Paper: Towards Ubiquitous and Automated User Privacy Configuration

Song Liao (Texas Tech University), Jingwen Yan (Clemson University), Yichen Liu (University of Illinois Urbana-Champaign), David Kotz (Dartmouth College), Luyi Xing (University of Illinois Urbana-Champaign), Long Cheng (Clemson University)

Read More