Implementation of Zorp Firewall Rules

OData support
Dr. Molnár Sándor
Department of Telecommunications and Media Informatics

Firewalls, may they be either a simple packet filter or a full application-level solutions are an essential element of network security. As the market demand for these solutions continues to grow both in the realms of small and medium-sized enterprises, more and more vendors are hitting the market and implement their products to fulfill this need. My work will focus on the Zorp firewall which is currently under widespread use and development. Zorp is a Linux-based product which until recently (before version 3.4) was implemented on top of a custom in-house Linux distribution (ZorpOS), but since then the current version has switched to the latest Ubuntu Long Term Support edition as its foundation. This version switch has introduced a totally new backwards-incompatible configuration format in addition to a wealth of new functions. Though automatized update methods are available to migrate, using it is not recommended since the process is very fragile and unable to cover all corner cases and exactly duplicate the old functionality.

The main purpose of my thesis is to compare and analyze the differences between the features, operation, and configuration methods of the legacy, and the current Zorp versions, and by that provide a robust way to transform the legacy configuration rules to be in accordance with the current format and requirements.

My work consisted mainly of migrating an existing Zorp-based firewall solution to the new configuration format while preserving the the exact operation of the original system; methodically checking the functional equivalence of both systems; and comparing and documenting the throughput and performance of both firewalls with strategically defined benchmarks. In addition to this, I have examined and documented the main differences between the two configuration formats.


Please sign in to download the files of this thesis.