Skip to Main Content
Firewalls play a critical role in protecting networks and enforcing security policies. Traditionally, firewalls have been deployed at an organization's periphery to protect it from Internet traffic. Today, however, this model no longer holds true as organizations try to safeguard themselves against other types of threats. This has led to the advent of the distributed firewall where potentially every router or end-host can run a firewall. As it is, firewalls are extremely hard to analyze and configure correctly due to complexities of network topology, routing, and administrative issues. Distributed firewalls make the situation even worse since there are multiple firewalls. This paper describes FACE - a tool that helps in analysis and configuration of distributed firewalls. Using FACE, administrators can automatically generate and analyze configurations for all firewalls in the network by specifying the filtering policy and a threat model in which a distributed firewall must provide defense against spoofed traffic from specified nodes in a network.