A MULTI-PLATFORM TOOLKIT FOR THE CONFIGURATION OF PACKET-FILTERING FIREWALLS

PRANDINI, MARCO
2005

Abstract

Packet filtering is an important, yet only the first, step towards system and network security. The deployment of a packet filter, however, is often complicated by the commonly available configuration languages, which are designed for fine-grained control rather than expressiveness. The resulting rule sets are verbose and their correctness is hard to verify. Portability is also an issue: a successful effort in configuring a particular packet filter can be frustrated by the need to change, or simply upgrade, the underlying system. This paper presents a configuration tool aimed at the broadest audience, that is, both expert and non-expert users, designed to overcome these problems. The core feature of the proposed architecture is a platform-independent rule definition language (Firewall Architecture Independent Rules, or FAIR). FAIR rules are easily verifiable and modifiable by an expert operator, who can benefit from their high-level syntax to program filtering behaviours by hand without having to deal with OS-specific tools. Two software modules complete the system: a wizard-like interface that makes the production of FAIR rule sets easier, and a translator that converts FAIR rule sets into the actual firewall programming commands. Experimental results supporting the validity of the approach are given with reference to the Linux operating system.
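The abstract describes a two-stage architecture: a platform-independent rule set that can be checked on its own, and a translator that emits the native commands of a particular packet filter. The following is an added example, written for this page and not the paper's FAIR language or its translator: the rule fields, the first-match semantics, the shadowing check and the two back-ends (Linux iptables and OpenBSD pf) are all assumptions chosen to illustrate that separation. The sample rules are constructed.

```python
"""Toy platform-independent filtering rules, checked once and translated to
two firewall dialects. Added example; the rule format is an assumption and is
not the FAIR syntax from the paper."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny" (assumed vocabulary)
    proto: str             # "tcp", "udp" or "any"
    src: str               # source network in CIDR notation
    dst: str               # destination network in CIDR notation
    dport: Optional[int]   # destination port, None = any port
    comment: str = ""


def validate(rules: List[Rule]) -> List[str]:
    """Return a list of problems found; empty means the rule set is well formed.
    Checks run on the high-level form, before any OS-specific command exists."""
    problems = []
    for i, r in enumerate(rules):
        if r.action not in ("allow", "deny"):
            problems.append(f"rule {i}: unknown action {r.action!r}")
        if r.proto not in ("tcp", "udp", "any"):
            problems.append(f"rule {i}: unknown protocol {r.proto!r}")
        for label, net in (("src", r.src), ("dst", r.dst)):
            try:
                ipaddress.ip_network(net)   # strict: host bits must be zero
            except ValueError:
                problems.append(f"rule {i}: bad {label} network {net!r}")
        if r.dport is not None:
            if r.proto == "any":
                problems.append(f"rule {i}: a port needs tcp or udp")
            if not 0 < r.dport < 65536:
                problems.append(f"rule {i}: port {r.dport} out of range")
    return problems


def _covers(a: Rule, b: Rule) -> bool:
    """True when every packet matched by b is also matched by a."""
    return ((a.proto == "any" or a.proto == b.proto)
            and ipaddress.ip_network(b.src).subnet_of(ipaddress.ip_network(a.src))
            and ipaddress.ip_network(b.dst).subnet_of(ipaddress.ip_network(a.dst))
            and (a.dport is None or a.dport == b.dport))


def shadowed(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never fire under first-match evaluation,
    because an earlier rule already matches everything they would match."""
    hits = []
    for i, r in enumerate(rules):
        if any(_covers(earlier, r) for earlier in rules[:i]):
            hits.append(i)
    return hits


def to_iptables(rules: List[Rule], chain: str = "INPUT") -> List[str]:
    """Linux back-end: default-deny policy, then one -A per rule (first match wins)."""
    lines = [f"iptables -P {chain} DROP", f"iptables -F {chain}"]
    for r in rules:
        parts = ["iptables", "-A", chain, "-s", r.src, "-d", r.dst]
        if r.proto != "any":
            parts += ["-p", r.proto]
            if r.dport is not None:
                parts += ["--dport", str(r.dport)]
        parts += ["-j", "ACCEPT" if r.action == "allow" else "DROP"]
        lines.append(" ".join(parts))
    return lines


def to_pf(rules: List[Rule]) -> List[str]:
    """OpenBSD pf back-end. pf is last-match by default, so every rule carries
    'quick' to preserve the first-match semantics of the high-level rule set."""
    lines = ["block in all"]
    for r in rules:
        line = ("pass" if r.action == "allow" else "block") + " in quick"
        if r.proto != "any":
            line += f" proto {r.proto}"
        line += f" from {r.src} to {r.dst}"
        if r.dport is not None:
            line += f" port {r.dport}"
        lines.append(line)
    return lines


# Constructed sample rule set; the third rule is deliberately unreachable.
SAMPLE_RULES = [
    Rule("allow", "tcp", "0.0.0.0/0", "192.0.2.10/32", 22, "ssh to bastion"),
    Rule("deny", "any", "10.0.0.0/8", "192.0.2.0/24", None, "no internal -> dmz"),
    Rule("allow", "tcp", "10.1.0.0/16", "192.0.2.20/32", 443, "shadowed by rule 1"),
]

if __name__ == "__main__":
    assert not validate(SAMPLE_RULES)
    print("shadowed rules:", shadowed(SAMPLE_RULES))
    print("\n".join(to_iptables(SAMPLE_RULES)))
    print("\n".join(to_pf(SAMPLE_RULES)))
```

The point of the split is that `validate` and `shadowed` operate on the portable form, so a mistake such as a host address with non-zero host bits or a rule that can never fire is caught once, regardless of which back-end is eventually used; swapping Linux for another system only changes the emitter, not the rule set.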
Proceedings of The IASTED International Conference on Communication, Network and Information Security (CNIS 2005), pp. 141-148

Documents in IRIS are protected by copyright and all rights are reserved unless otherwise indicated.

Use this identifier to cite or link to this document: http://hdl.handle.net/11585/19126
Note: the data displayed has not been validated by the university.
