Complex computer networks are usually protected by multiple firewalls that limit access into and out of network zones. Firewall configuration is tedious and error-prone, and most systems allow unneeded and/or undesired access. Software tools that analyze firewall configurations and determine connectivity can help identify which flows are permitted through the system, and whether any of these flows violate desired access policy.
We have developed such a tool, called NP-View. This talk describes a number of algorithmic problems and solutions we have developed in an effort to make connectivity analysis feasible on systems with many firewalls. These problems include:
- means by which all flows that are permitted in a network can be discovered efficiently
- means by which only flows that pass through selected VPN tunnels, devices, access control lists, or individual rules in access control lists can be discovered efficiently
- means by which firewalls from different vendors, with different behaviors, can be integrated in a single analysis
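As an added illustration of the first two problems (this is example code, not NP-View's own), here is a toy first-match connectivity analysis over two firewalls in series: a flow is a box of inclusive integer intervals over (src, dst, dport), hosts are constructed small integer IDs standing in for addresses, and the two rule sets are a constructed sample with an implicit default deny.

```python
from itertools import product

def intersect(a, b):
    """Intersection of two boxes ((lo, hi) per dimension), or None if disjoint."""
    out = tuple((max(x[0], y[0]), min(x[1], y[1])) for x, y in zip(a, b))
    return out if all(lo <= hi for lo, hi in out) else None

def subtract(a, b):
    """Box a minus box b, as disjoint boxes (at most two slabs per dimension)."""
    inter = intersect(a, b)
    if inter is None:
        return [a]
    pieces, rest = [], list(a)
    for d, ((lo, hi), (ilo, ihi)) in enumerate(zip(a, inter)):
        if lo < ilo:                           # slab below the overlap in dimension d
            pieces.append(tuple(rest[:d] + [(lo, ilo - 1)] + rest[d + 1:]))
        if ihi < hi:                           # slab above the overlap in dimension d
            pieces.append(tuple(rest[:d] + [(ihi + 1, hi)] + rest[d + 1:]))
        rest[d] = (ilo, ihi)                   # keep only the overlap, move to next dimension
    return pieces

def effective(rules):
    """Rule index -> flows that actually reach that rule under first-match semantics."""
    eff, earlier = {}, []
    for i, (_, box) in enumerate(rules):
        region = [box]
        for c in earlier:                      # carve out what an earlier rule already matched
            region = [p for r in region for p in subtract(r, c)]
        eff[i], earlier = region, earlier + [box]
    return eff

def permitted(rules):
    return [b for (act, _), reg in zip(rules, effective(rules).values()) if act == "permit" for b in reg]

def compose(flows, *firewalls):
    """Restrict a flow set to what each further firewall on the path also permits."""
    for fw in firewalls:
        flows = [x for a, b in product(flows, permitted(fw)) if (x := intersect(a, b))]
    return flows

def via_rule(first, idx, *rest):
    """End-to-end flows admitted specifically by rule idx of the first firewall on the path."""
    region = effective(first)[idx] if first[idx][0] == "permit" else []
    return compose(region, *rest)

OUTSIDE, DMZ, ANY_PORT = (1, 10), (20, 29), (1, 1024)   # constructed sample topology
EDGE_FW = [("deny",   (OUTSIDE, (25, 25), ANY_PORT)),  # policy: host 25 stays unreachable
           ("permit", (OUTSIDE, DMZ, (80, 80))),
           ("permit", (OUTSIDE, DMZ, (443, 443))),
           ("permit", (OUTSIDE, (25, 25), (80, 80)))]  # never matches: shadowed by rule 0
INNER_FW = [("permit", (OUTSIDE, (20, 24), ANY_PORT))]  # only hosts 20-24 sit behind it
```

`compose(permitted(EDGE_FW), INNER_FW)` is the set of flows allowed end to end, `via_rule(EDGE_FW, 2, INNER_FW)` restricts that to flows admitted by the HTTPS rule, and an empty `effective(...)[i]` flags a rule that can never fire.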
David M. Nicol is the Franklin W. Woeltge Professor of Electrical and Computer Engineering at the University of Illinois at Urbana-Champaign, as well as the Director of UIUC’s Information Trust Institute. Previously, he was Professor of Computer Science at Dartmouth College, where he helped establish and lead the Institute for Security Technology Studies, first as Associate Director of Research, and then as Acting Director. He is widely known for his research contributions in modeling and simulation methodologies for discrete systems, and in rigorous methods for studying the security of large complex systems. Currently his research focuses on means of providing cyber-security to industrial control systems such as the electric power grid. He was elected Fellow of the IEEE, and also Fellow of the ACM for his research contributions, and is the inaugural recipient of ACM SIGSIM’s Distinguished Contributions Award.
He began his academic career at the College of William and Mary, where he was Assistant, and then Associate Professor of Computer Science. Prior to joining William and Mary he held the position of Staff Scientist at the Institute for Computer Applications in Science and Engineering, at NASA Langley Research Center. He holds the M.S. and Ph.D. degrees in Computer Science from the University of Virginia, and a B.A. in Mathematics from Carleton College.