| Field | Value |
|---|---|
| Title | A MULTI-PLATFORM TOOLKIT FOR THE CONFIGURATION OF PACKET-FILTERING FIREWALLS |
| Author(s) | PRANDINI, MARCO |
| Unibo author(s) | |
| Year | 2005 |
| Book title | Proceedings of The IASTED International Conference on Communication, Network and Information Security (CNIS 2005) |
| First page | 141 |
| Last page | 148 |
| Abstract | Packet filtering represents an important, yet only the first, step towards system and network security. The deployment of a packet filter, however, is often complicated by the commonly available configuration languages, which are designed to give fine-grained control rather than expressiveness. The resulting rule sets are verbose and their correctness is hard to verify. Portability is also an issue: a successful effort in configuring a particular packet filter can be frustrated by the need to change or simply upgrade the underlying system. This paper illustrates a configuration tool aimed at the broadest audience, that is, both expert and non-expert users, designed to overcome the aforementioned problems. The core feature of the proposed architecture is a platform-independent rule definition language (Firewall Architecture Independent Rules, or FAIR). FAIR rules are easily verifiable and modifiable by an expert operator, who can benefit from their high-level syntax for manually programming filtering behaviors without having to deal with specific OS-dependent tools. Two software modules complete the system: a wizard-like interface to make the production of FAIR rule sets easier, and a translator to convert FAIR sets into actual firewall programming commands. Experimental results supporting the validity of the outlined approach are given with reference to the Linux operating system. |
| Date of final version in UGOV | 7-feb-2006 |
| Appears in types | 4.01 Contribution in conference proceedings |