Passive Traffic Inspection for Automated Firewall Rule Set Generation

Georg-Christian Pranschke (1), Barry Irwin (2) and Richard J Barnett (3)
Security and Networks Research Group, Department of Computer Science, Rhodes University, Grahamstown, South Africa
E-Mail: (1) g05p3292@campus.ru.ac.za, (2) b.irwin@ru.ac.za, (3) barnettrj@acm.org

Abstract—The introduction of network filters and chokes such as firewalls into an existing operational network is often problematic, because care must be taken to minimise the interruption of existing legitimate traffic. This often necessitates time-consuming manual analysis of network traffic over a period of time in order to generate and vet the rule bases so that disruption of legitimate flows is minimised. To improve upon this, a system facilitating network traffic analysis and firewall rule set generation is proposed. The system shall be capable of dealing with ever increasing traffic volumes and of helping to provide and maintain high uptimes. A high level overview of the design of the components is presented. Additions to the system are scoring metrics which may assist the administrator in optimising the rule sets for the most efficient matching of flows, based on traffic volume, frequency or packet count. A third party package, Firewall Builder, is used to target the resultant rule sets to a number of different firewall and network filtering platforms.

Index Terms—firewall, automated configuration, network traffic analyser, pcap, netflow

I. INTRODUCTION

In order for firewalls to serve their intended purpose, it is imperative that they are correctly configured for the requirements and environment in which they are operated. Combining the various technologies involved into a well configured firewalling solution is often a non-trivial task in itself [6]. A misconfigured firewall will, almost certainly, only provide the illusion of network security [10], and may well adversely affect legitimate traffic.
While configuring firewalling solutions protecting small networks and correctly documented networks may be a relatively straightforward task for an experienced network administrator, it becomes a much harder task when dealing with poorly documented legacy and organically developed networks. The process of configuring and deploying a firewalling solution is further complicated when a firewall is to be introduced into a network segment that previously did not have any choke point controls.

This research is focused on the feasibility of automatically generating an appropriate configuration input for Firewall Builder [2], based on an automated analysis of traffic collected at the intended point of insertion. The intention is to provide a means to analyse network traffic in setups in which manual analysis is prohibitive due to traffic volumes or time constraints.

The remainder of this paper is structured as follows. After a brief problem statement in section II, in which we describe in what situations and setups the system is to be employed, we turn to a brief review of related research in section II and to the high level design overview of the proposed system in section III. Section IV describes possible future extensions to the system and concludes the paper.

The authors would like to acknowledge the financial support of Telkom SA, Business Connexion, Comverse SA, Stortech, Tellabs, Amatole, Mars Technologies and THRIP through the Telkom Centre of Excellence in the Department of Computer Science at Rhodes University.

II. RELATED RESEARCH

The pros and cons of netflow in analysing network traffic have been researched extensively [4], [9], [7], [5], with the common conclusion that it is adequate if the sampling rate and sampling interval (so called bin sizes) are chosen carefully, as their values directly correspond to memory utilisation and CPU time in netflow enabled Cisco routers.
The shortcomings of netflow pointed out in the related research are of almost no concern to the proposed project, because the flow creation routine treats the packet-level traces as one continuous bin; therefore all packets are analysed and no sampling artifacts are created [5]. Because a flow is only created when a SYN-ACK is observed, there is also no vulnerability to SYN flooding. There is a great deal of literature about rule collisions and redundancies, such as described in [8].

III. PROPOSED SOLUTION

In order to minimise downtime when deploying a new firewalling solution, the authors propose a system which aims to automate as much of the firewall configuration process as possible, with the goals of increasing the accuracy of the generated rule base and reducing the time required in comparison to traditional manual analysis. The system consists
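The flow creation and scoring described above, as an added illustration that is not code from the paper or from Firewall Builder: flows are created only when a SYN-ACK is seen, every later packet of the 5-tuple in either direction is attributed to that flow, unanswered SYNs never become flows, and the resulting flows are aggregated per (server, port) by flow count, packet count and byte volume so the administrator can order rules by traffic volume. The packet tuples and addresses are constructed sample input, and the simplified flag strings are an assumption.

```python
from collections import defaultdict

# Constructed sample packets: (src, sport, dst, dport, flags, length).
# Flags are simplified: "S" = SYN, "SA" = SYN-ACK, "A" = ACK or data.
PACKETS = [
    ("10.0.0.5", 40001, "192.0.2.10", 80, "S", 60),
    ("192.0.2.10", 80, "10.0.0.5", 40001, "SA", 60),
    ("10.0.0.5", 40001, "192.0.2.10", 80, "A", 52),
    ("192.0.2.10", 80, "10.0.0.5", 40001, "A", 1500),
    ("10.0.0.7", 40002, "192.0.2.10", 443, "S", 60),
    ("192.0.2.10", 443, "10.0.0.7", 40002, "SA", 60),
    ("10.0.0.7", 40002, "192.0.2.10", 443, "A", 900),
    # Half-open SYNs with no reply (e.g. a SYN flood or scan): never flows.
    ("198.51.100.9", 5000, "192.0.2.10", 22, "S", 60),
    ("198.51.100.9", 5001, "192.0.2.10", 23, "S", 60),
]

def build_flows(packets):
    """Return {(client, cport, server, sport): {"packets": n, "bytes": b}}.
    The whole trace is one bin: no sampling. A flow entry is created only
    when a SYN-ACK (server -> client) is seen; the initial SYN that preceded
    it is not counted, and packets matching no flow are dropped."""
    flows = {}
    for src, sport, dst, dport, flags, length in packets:
        if flags == "SA":
            key = (dst, dport, src, sport)  # client is the SYN-ACK's destination
            flows.setdefault(key, {"packets": 0, "bytes": 0})
        else:
            key = (src, sport, dst, dport)          # client -> server direction
            if key not in flows:
                key = (dst, dport, src, sport)      # server -> client direction
        if key in flows:
            flows[key]["packets"] += 1
            flows[key]["bytes"] += length
    return flows

def score_services(flows):
    """Aggregate flows per (server, port) into the three scoring metrics the
    paper names: frequency (flow count), packet count and byte volume.
    Sorted by bytes descending so the heaviest service is matched first."""
    svc = defaultdict(lambda: {"flows": 0, "packets": 0, "bytes": 0})
    for (_, _, server, port), st in flows.items():
        s = svc[(server, port)]
        s["flows"] += 1
        s["packets"] += st["packets"]
        s["bytes"] += st["bytes"]
    return sorted(svc.items(), key=lambda kv: kv[1]["bytes"], reverse=True)
```

Each ranked (server, port) pair is a candidate accept rule for the chosen target platform; the lone SYNs to ports 22 and 23 produce no flow and hence no rule.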