• DocumentCode
    3006167
  • Title
    Visualizing firewall configurations using created voids
  • Author
    Morrissey, Shaun P.; Grinstein, Georges
  • Author_Institution
    Inst. for Visualization & Perception Res., Univ. of Massachusetts, Lowell, MA, USA
  • fYear
    2009
  • fDate
    11-11 Oct. 2009
  • Firstpage
    75
  • Lastpage
    79
  • Abstract
    Security configuration files are created and edited as text files. These files are the essential definition and control of the behavior of security devices. Despite their significant size, complexity, and the possibility of interaction between entries, no visually sophisticated tools exist that explicitly capture and visualize problematic interactions between rules to aid in the comprehension and modification of configuration files. Our initial work on the direct visualization of firewall configurations showed the limitations of visualizing just the range of packets that can be accepted. To visually capture the interactions between rules, we introduce the concept of a "created void." Created voids capture the information about destructive interactions between rules in a firewall ruleset, where an overlap between a deny rule prevents that packet from reaching an accept rule later in the ruleset. We present a lossless five-dimensional visualization of the convex solid decomposition of the set of acceptable packets from a firewall configuration, augmented with visual representations of created voids. This interactive visualization is embedded in a simple firewall ruleset editor, allowing the user to investigate the effect of changes in the ruleset.
  • Keywords
    authorisation; data visualisation; graphical user interfaces; interactive systems; convex solid decomposition; created void; firewall configuration visualization; firewall ruleset; interactive visualization; lossless five-dimensional visualization; security configuration files; visual representations; Visualization; C.2.0 [Computer-Communication Networks]: General - Security and protection (e.g., firewalls); Firewall visualization; H.5.2 [User Interfaces]: Graphical user interfaces (GUI); created void; filtering routers; firewalls; network security; security configuration;
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Titel
    Visualization for Cyber Security, 2009. VizSec 2009. 6th International Workshop on
  • Conference_Location
    Atlantic City, NJ
  • Print_ISBN
    978-1-4244-5413-6
  • Type
    conf
  • DOI
    10.1109/VIZSEC.2009.5375546
  • Filename
    5375546