1. Technical Field
The present invention relates to the field of data processing systems. More particularly, the present invention relates to the field of securing data processing systems. Still more particularly, the present invention relates to a system and method of designing firewalls to secure data processing systems.
2. Description of the Related Art
A firewall is a hardware and/or software network element interposed between a private network and an external network (e.g., the Internet) to enforce a desired security policy on all incoming and outgoing packets. A packet can be viewed as a tuple with a finite number of fields; examples of these fields are source/destination IP address, source/destination port number, and protocol type. A firewall configuration defines which packets are legitimate and which are illegitimate. By examining the values of these fields for each incoming and outgoing packet, a firewall differentiates between legitimate and illegitimate packets, accepting legitimate packets and discarding illegitimate packets according to its configuration.
An error in a firewall configuration means that a wrong definition of legitimate or illegitimate has been established for at least some packets, which will either allow unauthorized access from the outside Internet to the private network or disable some legitimate communication between the private network and the outside Internet. Neither error case is desirable. Design of a firewall configuration is therefore an important network security and operability issue.
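As an added illustration that is not part of the patent text, the following constructed Python example models a packet as a tuple of the fields named above, a configuration as an ordered list of rules evaluated with first-match semantics (an assumption; the text does not fix the matching order), and a design-time check for one form of the configuration error described: a rule that can never take effect because an earlier rule with the opposite action covers every packet it matches. The rule names, sample addresses and sample rules are constructed.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Constructed example: a packet is a tuple of fields; a configuration is an
# ordered list of rules evaluated with first-match semantics (assumption).
Packet = namedtuple("Packet", "src dst sport dport proto")
# src/dst: CIDR prefixes; dports: inclusive (low, high); proto: "tcp"/"udp"/"any"
Rule = namedtuple("Rule", "src dst dports proto action")

def matches(rule, pkt):
    """Does this rule match this packet on every field it constrains?"""
    return (ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and rule.dports[0] <= pkt.dport <= rule.dports[1]
            and rule.proto in ("any", pkt.proto))

def decide(rules, pkt, default="drop"):
    """The first matching rule decides; unmatched packets get the default."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default

def covers(outer, inner):
    """True if every packet matched by inner is also matched by outer."""
    return (ip_network(outer.src).supernet_of(ip_network(inner.src))
            and ip_network(outer.dst).supernet_of(ip_network(inner.dst))
            and outer.dports[0] <= inner.dports[0] <= inner.dports[1] <= outer.dports[1]
            and outer.proto in ("any", inner.proto))

def shadowed_rules(rules):
    """Indexes of rules that can never fire because an earlier rule with the
    opposite action covers them: one form of the configuration error above."""
    return [j for j, later in enumerate(rules)
            if any(e.action != later.action and covers(e, later) for e in rules[:j])]

# Constructed configuration: the broad accept in rule 0 shadows the intended
# drop of telnet (tcp/23) to 10.0.0.5 in rule 1, so that drop never fires and
# the configuration admits traffic it was meant to discard.
RULES = [
    Rule("0.0.0.0/0", "10.0.0.0/8", (0, 65535), "any", "accept"),
    Rule("0.0.0.0/0", "10.0.0.5/32", (23, 23), "tcp", "drop"),
    Rule("192.168.1.0/24", "10.0.0.0/8", (443, 443), "tcp", "accept"),
]
FIXED_RULES = [RULES[1], RULES[0], RULES[2]]  # the drop now precedes the accept
TELNET = Packet("203.0.113.9", "10.0.0.5", 40000, 23, "tcp")

if __name__ == "__main__":
    print(shadowed_rules(RULES), decide(RULES, TELNET), decide(FIXED_RULES, TELNET))
```

The check is a sufficient condition only: it compares rules pairwise and does not detect a rule covered by the union of several earlier rules.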