Re: [fw-wiz] Security policy language

The closest I've seen anyone get is Avishai Wool's firewall rules parser.
It's been a couple of years, so I can't speak for its condition now, but at
the time I looked at it it was the nearest thing I'd ever seen to a tool for
comparing firewall security configurations across multiple devices and
(eventually) multiple firewall vendors.

Thanks Tina!

FYI, the technology is available and actively developed
It's still focused on just the firewall - we don't claim to solve all security
problems with one piece of software... So, we don't look at, e.g., the database
access control in the back-end system, or at human processes, or <fill in blank>

IMHO, Firewalls offer rather rich configuration
languages - rich enough for many organizations to get royally messed up -
but are still structured enough so an automatic system can understand
the policy and check it for gross errors and sloppy details. across multiple
vendors and for all levels of rule complexity.

I think the original poster was more interested in the "Firmato" system we did
back in Bell Labs in 1998, which was a firewall rule compiler that had a
rather high-level specification language (separate policy from network
specifics! -
you could actually write a single generic policy and apply it to
different firewalls,
with different numbers of interfaces, and different vendors!). It also was a
flat-text-file language - you could write multi-line comments wherever
you wanted, not just in the Comments field in a point-and-click GUI :)
Tom Limoncelli actually
used it to configure the Bell Labs operational firewall for a few
months, which I
always thought was pretty cool. That project
didn't go too far commercially - read our TOCS paper for a historical
and tech details - available from

The original poster is exactly right that we invented an "ad hoc language" using
bison and flex. Sure did. But the syntax, and tools, are mostly irrelevant. The
_concepts_ and _algorithms_ are the important part. You could use the same
concepts and format them in XML or whatever meta-syntax-du-jour you go for
these days ...

But that's a *long* way from a "security policy language." It's a poorly
defined goal: it incorporates machines, networks, workflow, business
practices *and* political maneuvering all in one big bowl o' muck.

yeah, sure - but if you start with such a tall order, the likely outcome is
futile frustration (or a $50BN government project overrun 10 years
past its projected
deadline :-). I prefer to aim lower, to something challenging, but still
within reach...

Avishai Wool, Ph.D.,
Chief Technical Officer, Algorithmic Security Inc.
******* Firewall Management Made Smarter *******
firewall-wizards mailing list