Firewall Rule Data Enrichment and Visualization Tool
In the world of network security, a firewall acts as a checkpoint for traffic moving between networks, and its behaviour is formulated as a set of rules. When an analyst needs to look into these rule sets, they are likely leveraging tools which output Excel spreadsheets. We sought to produce a tool which is able to enrich these reports, so that security analysts can better understand the access across a network environment. Report2Map aims to highlight problems such as access overlap and access creep, which can prove detrimental to a network by enabling unauthorized access between hosts. Our tool looks to simplify the analysis of firewall rule sets by reducing the reliance on spreadsheets, and instead enriching this same data with a visualized ontology.
The backbone of any product which focuses on the enrichment of data is the input data itself. In the case of our tool, we focus on firewall rule reports, a quite common piece of information across teams focused on network security. Firewall rule reports contain a list of firewall rules, which detail the network traffic that is permitted across a network's firewalls. These rules sit on firewalls, which sit between layers of a network. The most common structure of a rule is simple: a source IP address, a destination IP address, a port, and whether the traffic is allowed or disallowed. You can imagine, with how many devices typically exist on a network, how complicated your list of rules can get.
Network analysts spend a great deal of time working with compilations of these rules, for example the firewall rule reports mentioned previously. These typically take the form of Excel spreadsheets: lines and lines of rules. Getting into the rules and extracting actionable information is hard to do manually, and while there are many tools which aid in this process, none fill our specific niche. We aim to take this data and provide the user with an ontology of their rules. To further empower the user, we provide filters which the user can leverage to tailor visibility on specific IP addresses, as well as ports. The intent is that through use of these user-centric features, the resulting output is an enrichment of the provided input, allowing an analyst to better understand the firewall rules in each environment.
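The pipeline described above (a rule report in, an access map with IP and port filters and overlap findings out) can be sketched in a few dozen lines. The following is an added illustration written for this page, not Report2Map's own code: the CSV column names, the sample rules, and the first-match overlap check are all constructed assumptions, standing in for whatever format a real firewall export uses.

```python
"""Added example (not Report2Map's code): turn a constructed firewall rule
report into an access map, apply IP/port filters, and flag rule overlap."""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample report. Column names are an assumption for this example,
# not the layout of any vendor's export. Rules are listed in evaluation order.
SAMPLE_REPORT = """rule_id,source,destination,port,action
1,10.0.1.0/24,10.0.2.10,443,allow
2,10.0.1.5,10.0.2.10,443,allow
3,10.0.1.0/24,10.0.2.10,22,deny
4,10.0.3.0/24,10.0.2.0/24,22,allow
5,10.0.1.0/24,10.0.2.10,443,deny
"""


def parse_report(text):
    """Parse CSV text into rule dicts with real ip_network objects (hosts become /32)."""
    rules = []
    for row in csv.DictReader(io.StringIO(text)):
        rules.append({
            "rule_id": int(row["rule_id"]),
            "source": ipaddress.ip_network(row["source"].strip(), strict=False),
            "destination": ipaddress.ip_network(row["destination"].strip(), strict=False),
            "port": int(row["port"]),
            "action": row["action"].strip().lower(),
        })
    return rules


def find_overlaps(rules):
    """Report (earlier_id, later_id, kind) where an earlier rule already covers a
    later rule on the same port. Under first-match evaluation the later rule is
    'redundant' if the actions agree and 'shadowed' (never reached) if they differ."""
    findings = []
    for i, earlier in enumerate(rules):
        for later in rules[i + 1:]:
            if (earlier["port"] == later["port"]
                    and later["source"].subnet_of(earlier["source"])
                    and later["destination"].subnet_of(earlier["destination"])):
                kind = "redundant" if earlier["action"] == later["action"] else "shadowed"
                findings.append((earlier["rule_id"], later["rule_id"], kind))
    return findings


def filter_rules(rules, ip=None, port=None):
    """Keep rules touching a given IP (as source or destination) and/or port."""
    addr = ipaddress.ip_address(ip) if ip else None
    kept = []
    for r in rules:
        if port is not None and r["port"] != port:
            continue
        if addr is not None and addr not in r["source"] and addr not in r["destination"]:
            continue
        kept.append(r)
    return kept


def build_access_map(rules):
    """Source network -> set of (destination network, port) granted by allow rules."""
    edges = defaultdict(set)
    for r in rules:
        if r["action"] == "allow":
            edges[str(r["source"])].add((str(r["destination"]), r["port"]))
    return edges


def to_dot(edges):
    """Render the access map as Graphviz DOT, one labelled edge per permitted path."""
    lines = ["digraph access {"]
    for src, targets in sorted(edges.items()):
        for dst, port in sorted(targets):
            lines.append(f'  "{src}" -> "{dst}" [label="port {port}"];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    rules = parse_report(SAMPLE_REPORT)
    for earlier, later, kind in find_overlaps(rules):
        print(f"rule {later} is {kind} by rule {earlier}")
    print("rules touching 10.0.2.10 on port 22:",
          [r["rule_id"] for r in filter_rules(rules, ip="10.0.2.10", port=22)])
    print(to_dot(build_access_map(rules)))
```

Running the script flags rule 2 as redundant with rule 1 and rule 5 as shadowed by it (a deny that can never fire), which is exactly the kind of access overlap that is invisible in a long spreadsheet. The DOT output can be fed to `dot -Tpng` for a first cut at the visual ontology; a real report would need the parser adapted to its actual columns and protocol field.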