Elisha Ziskind scite author profile

Practically every corporation that is connected to the Internet has at least one firewall, and often many more. However, the protection that these firewalls provide is only as good as the policy they are configured to implement. Therefore, testing, auditing, or reverse-engineering existing firewall configurations are important components of every corporation's network security practice. Unfortunately, this is easier said than done. Firewall configuration files are written in notoriously hard to read languages, using vendorspecific GUIs. A tool that is sorely missing in the arsenal of firewall administrators and auditors is one that allows them to analyze the policy on a firewall.To alleviate some of these difficulties, we designed and implemented two generations of novel firewall analysis tools, which allow the administrator to easily discover and test the global firewall policy. Our tools use a minimal description of the network topology, and directly parse the various vendor-specific low-level configuration files. A key feature of our tools is that they are passive: no packets are sent, and the analysis is performed offline, on a machine that is separate from the firewall itself. A typical question our tools can answer is "from which machines can our DMZ be reached, and with which services?." Thus, our tools complement existing vulnerability analyzers and port scanners, as they can be used before a policy is actually deployed, and they operate on a more understandable level of abstraction. This paper describes the design and architecture of these tools, their evolution from a research prototype to a commercial product, and the lessons we have learned along the way.

show abstract

Turning the postal system into a generic digital communication mechanism

Wang

¹

,

Sobti

²

,

Garg

³

et al. 2004

View full text Add to dashboard Cite

The phenomenon that rural residents and people with low incomes lag behind in Internet access is known as the "digital divide." This problem is particularly acute in developing countries, where most of the world's population lives. Bridging this digital divide, especially by attempting to increase the accessibility of broadband connectivity, can be challenging. The improvement of wide-area connectivity is constrained by factors such as how quickly we can dig ditches to bury fibers in the ground; and the cost of furnishing "last-mile" wiring can be prohibitively high.In this paper, we explore the use of digital storage media transported by the postal system as a general digital communication mechanism. While some companies have used the postal system to deliver software and movies, none of them has turned the postal system into a truly generic digital communication medium supporting a wide variety of applications. We call such a generic system a Postmanet. Compared to traditional wide-area connectivity options, the Postmanet has several important advantages, including wide global reach, great bandwidth potential and low cost.Manually preparing mobile storage devices for shipment may appear deceptively simple, but with many applications, communicating parties and messages, manual management becomes infeasible, and systems support at several levels becomes necessary. We explore the simultaneous exploitation of the Internet and the Postmanet, so we can combine their latency and bandwidth advantages to enable sophisticated bandwidth-intensive applications.

show abstract

Turning the postal system into a generic digital communication mechanism

Wang

¹

,

Sobti

²

,

Garg

³

et al. 2004

SIGCOMM Comput. Commun. Rev.

View full text Add to dashboard Cite

The phenomenon that rural residents and people with low incomes lag behind in Internet access is known as the "digital divide." This problem is particularly acute in developing countries, where most of the world's population lives. Bridging this digital divide, especially by attempting to increase the accessibility of broadband connectivity, can be challenging. The improvement of wide-area connectivity is constrained by factors such as how quickly we can dig ditches to bury fibers in the ground; and the cost of furnishing "last-mile" wiring can be prohibitively high.In this paper, we explore the use of digital storage media transported by the postal system as a general digital communication mechanism. While some companies have used the postal system to deliver software and movies, none of them has turned the postal system into a truly generic digital communication medium supporting a wide variety of applications. We call such a generic system a Postmanet. Compared to traditional wide-area connectivity options, the Postmanet has several important advantages, including wide global reach, great bandwidth potential and low cost.Manually preparing mobile storage devices for shipment may appear deceptively simple, but with many applications, communicating parties and messages, manual management becomes infeasible, and systems support at several levels becomes necessary. We explore the simultaneous exploitation of the Internet and the Postmanet, so we can combine their latency and bandwidth advantages to enable sophisticated bandwidth-intensive applications.

show abstract

Elisha Ziskind

Fang: a firewall analysis engine

Offline firewall analysis

Turning the postal system into a generic digital communication mechanism

Turning the postal system into a generic digital communication mechanism

Contact Info

Product

Resources

About