Packet filtering represents an important, yet only the first, step towards system and network security. The deployment of a packet filter, however, is often complicated by the commonly available configuration languages, which are designed to give fine-grained control rather than expressiveness. The resulting rule sets are verbose and their correctness hard to verify. Portability is also an issue: a successful effort in configuring a particular packet filter can be frustrated by the need of changing or simply upgrading the underlying system. This paper illustrates a configuration tool aimed at the broadest audience, that is, both expert and non-expert users, designed to overcome the aforementioned problems. The core feature of the proposed architecture is a platform-independent rule definition language (Firewall Architecture Independent Rules, or FAIR). FAIR rules are easily verifiable and modifiable by an expert operator, who can benefit of their high-level syntax for manually programming filtering behaviors without having to deal with specific OS-dependent tools. Two software modules complete the system: a wizard-like interface to make the production of FAIR rule-sets easier, and a translator to convert FAIR sets into actual firewall programming commands. Experimental results supporting the validity of the outlined approach are given with reference to the Linux operating system.
A MULTI-PLATFORM TOOLKIT FOR THE CONFIGURATION OF PACKET-FILTERING FIREWALLS / Prandini, Marco. - STAMPA. - (2005), pp. 141-148. (Intervento presentato al convegno IASTED International Conference on Communication, Network and Information Security (CNIS 2005) tenutosi a Phoenix, Arizona, USA nel 14-16 novembre 2005).
A MULTI-PLATFORM TOOLKIT FOR THE CONFIGURATION OF PACKET-FILTERING FIREWALLS
PRANDINI, MARCO
2005
Abstract
Packet filtering represents an important, yet only the first, step towards system and network security. The deployment of a packet filter, however, is often complicated by the commonly available configuration languages, which are designed to give fine-grained control rather than expressiveness. The resulting rule sets are verbose and their correctness hard to verify. Portability is also an issue: a successful effort in configuring a particular packet filter can be frustrated by the need of changing or simply upgrading the underlying system. This paper illustrates a configuration tool aimed at the broadest audience, that is, both expert and non-expert users, designed to overcome the aforementioned problems. The core feature of the proposed architecture is a platform-independent rule definition language (Firewall Architecture Independent Rules, or FAIR). FAIR rules are easily verifiable and modifiable by an expert operator, who can benefit of their high-level syntax for manually programming filtering behaviors without having to deal with specific OS-dependent tools. Two software modules complete the system: a wizard-like interface to make the production of FAIR rule-sets easier, and a translator to convert FAIR sets into actual firewall programming commands. Experimental results supporting the validity of the outlined approach are given with reference to the Linux operating system.I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.
