Analyzer

The Analyzer is the heart of InfoSecter. It processes firewall configuration files, converting them to a uniform data structure: a complete functional model of the configuration that can be efficiently constructed and searched. The following operations can be performed on this model.

  • Dissection or Tiling - Dissection creates a disambiguated map of the network packet handling behavior of the firewall. This map consists of tiles, each of which is a set of packets that are all handled identically. Each entry is annotated with the firewall behavior for packets in that tile, and the configuration lines that create that behavior. Any particular packet will be matched by at most one line for a given scope.
  • Constraint checking - A constraint check tests packet expressions against the configuration. Each packet expression specifies a set of packets by their network properties and expected handling. The Analyzer verifies that the model behavior is consistent with the packet expression. If it is not, the violations of that constraint are generated, containing the sets of packets and their behavior.
  • Comparison - The Analyzer can compare two configurations and generate the operational differences. The output is the functional differences between the configurations. Any purely textual differences are ignored. As a special case, a configuration can be compared against itself, to detect rules that conflict with other rules. The comparison can be done between configurations for different versions of the same platform, or even between configurations for different vendor platforms.
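
The three operations above, sketched as an added example (this is not InfoSecter code, nor its algorithm or file format). It assumes a toy model: rules match on destination port only, the first matching rule wins, and unmatched packets are denied; the rule tuples and both sample configurations are constructed.

```python
# Added illustration: toy first-match model over one field (destination port).
# Rule tuples are (config_line, port_lo, port_hi, action); this format, the
# first-match semantics and the implicit default deny are all assumptions.
DEFAULT = ("deny", None)

def dissect(rules, lo=0, hi=65535):
    """Split [lo, hi] into disjoint tiles (start, end, (action, line))."""
    cuts = {lo, hi + 1}
    for _, a, b, _ in rules:
        cuts.update((a, b + 1))            # every rule boundary is a tile edge
    edges = sorted(c for c in cuts if lo <= c <= hi + 1)
    tiles = []
    for start, nxt in zip(edges, edges[1:]):
        # First matching rule decides, so a tile maps to at most one line.
        hit = next(((act, ln) for ln, a, b, act in rules if a <= start <= b),
                   DEFAULT)
        if tiles and tiles[-1][2] == hit:  # merge neighbours handled identically
            tiles[-1] = (tiles[-1][0], nxt - 1, hit)
        else:
            tiles.append((start, nxt - 1, hit))
    return tiles

def check(rules, lo, hi, expected):
    """Constraint check: tiles inside [lo, hi] not handled as `expected`."""
    return [(max(s, lo), min(e, hi), hit) for s, e, hit in dissect(rules)
            if s <= hi and e >= lo and hit[0] != expected]

def compare(rules_a, rules_b):
    """Functional diff: ranges where B's action differs from A's."""
    return [(s2, e2, hit_a, hit_b)
            for s, e, hit_a in dissect(rules_a)
            for s2, e2, hit_b in check(rules_b, s, e, hit_a[0])]

# Constructed sample configurations (not real device output).
CONFIG_A = [(1, 22, 22, "permit"), (2, 0, 1023, "deny"),
            (3, 80, 80, "permit"), (4, 1024, 65535, "permit")]
CONFIG_B = [(1, 22, 22, "permit"), (2, 80, 80, "permit"), (3, 0, 1023, "deny"),
            (4, 1024, 40000, "permit"), (5, 40001, 65535, "permit")]

if __name__ == "__main__":
    for tile in dissect(CONFIG_A):
        print("tile", tile)
    print("violations", check(CONFIG_A, 80, 80, "permit"))
    print("diff", compare(CONFIG_A, CONFIG_B))
```

In CONFIG_A the permit on line 3 never takes effect because line 2 matches port 80 first, so the constraint "port 80 is permitted" is reported as violated by line 2. CONFIG_B splits the high-port permit across two lines, a purely textual change, and only the port 80 behavior shows up in the comparison.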

The Analyzer is a command-line executable, suitable for use in scripting. Its input and output (except for the configuration files) are in XML to make them easy to handle in a scripting environment. For additional utility, or for use in a non-scripting environment, InfoSecter includes Visualizer and Querent. Visualizer displays the output from the Analyzer, allowing it to be sorted and filtered to rapidly locate important information. Querent is an expression editor for constraint checking.