A flexible approach to configuration of Linux-based firewalls

Prandini, Marco
2004

Abstract

Linux-based hosts are suitable for a broad range of network-related applications, as clients, servers and as a convenient replacement for traditional routers. Their cost and flexibility are appealing both to the experienced network administrator and to the novice with no deep knowledge of the matter. The correct configuration of the packet-filtering functions natively available within the Linux OS is an important, yet only the first, step towards system and network security. This paper illustrates the architecture of a configuration tool, aimed at the broadest audience, suitable for Linux-based routers/firewalls. Its modular design encompasses a wizard-like interface, invoked for easy definition of the basic behaviors; an architecture-independent rule definition language (Firewall Architecture Independent Rules, or FAIR); and a parser, which translates the FAIR files into actual firewall programming commands. The wizard is designed so that guided configuration of behaviors not foreseen from the beginning can be enabled by adding modules. The FAIR rules are easily readable and modifiable by an expert operator, who can benefit from their high-level syntax to program custom behaviors that do not fit any general scheme, without having to deal with specific OS-dependent tools. The resulting architecture, while designed on and for Linux, can be easily extended to configure other packet-filtering systems by simply adding specific parsers/translators.
Proceedings of the Third IASTED International Conference on Communications, Internet and Information Technology, pp. 176-181
M. Prandini

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/11585/11504

Note: the data shown here has not been validated by the university.

Citations
  • Scopus: 0