Because of the conflicts and order sensitivity of firewall rules, firewall configurations are difficult to design and analyze correctly. The goal of this book is to reduce firewall configuration errors. We approach this goal from two directions: (1) how to reduce errors when a firewall configuration is being designed, and (2) how to detect errors after a firewall configuration has been designed. In this book, we present two methods for designing firewall configurations, one model for specifying stateful firewalls, and two methods for analyzing firewall configurations.