DOI: 10.1145/1266840.1266871

Specifications of a high-level conflict-free firewall policy language for multi-domain networks

Published: 20 June 2007

Abstract

Multiple firewalls typically cooperate to provide security properties for a network, despite the fact that these firewalls are often spatially distributed and configured in isolation. Without a global view of the network configuration, such a system is ripe for misconfiguration, causing conflicts and major security vulnerabilities.
We propose FLIP, a high-level firewall configuration policy language for traffic access control, to enforce security and ensure seamless configuration management. In FLIP, firewall security policies are defined as high-level service-oriented goals, which can be translated automatically into access control rules to be distributed to the appropriate enforcement devices. FLIP guarantees that the generated rules are conflict-free, both within an individual firewall and between firewalls. We prove that the translation algorithm is both sound and complete.
FLIP supports policy inheritance and customization features that enable a global firewall policy for a large-scale enterprise network to be defined quickly and accurately. Through a case study, we argue that firewall policy management for large-scale networks is efficient and accurate using FLIP.
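The abstract describes translating service-oriented goals into per-device access rules and guaranteeing the result is conflict-free. The following is an added illustration, not code from the FLIP paper: a toy translator from service goals to 5-tuple filter rules, plus the check a verifier would run to confirm that no two generated rules match overlapping traffic while disagreeing on the action. The service table, goal format and rule fields are assumptions of this example.

```python
"""Service-goal translation with a conflict check (added example, not FLIP's code)."""
from dataclasses import dataclass
import ipaddress

# Constructed service table: name -> (protocol, destination port). Assumed, not from the paper.
SERVICES = {"ssh": ("tcp", 22), "http": ("tcp", 80), "dns": ("udp", 53)}


@dataclass(frozen=True)
class Rule:
    """One low-level filter rule as a firewall would enforce it."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    port: int
    action: str  # "allow" or "deny"


def translate(goals):
    """Translate service-level goals (action, service, src_net, dst_net) into ordered rules.

    Each goal becomes exactly one 5-tuple rule; a real translator would also
    place the rule on every firewall on the path between src_net and dst_net.
    """
    rules = []
    for action, service, src, dst in goals:
        proto, port = SERVICES[service]
        rules.append(Rule(ipaddress.ip_network(src), ipaddress.ip_network(dst),
                          proto, port, action))
    return rules


def overlaps(a, b):
    """True when some packet is matched by both rules."""
    return (a.src.overlaps(b.src) and a.dst.overlaps(b.dst)
            and a.proto == b.proto and a.port == b.port)


def find_conflicts(rules):
    """Return index pairs (i, j) of rules that overlap but take different actions.

    An empty list means the rule set is conflict-free: no packet can be
    allowed by one rule and denied by another, whatever the evaluation order.
    """
    return [(i, j)
            for i in range(len(rules))
            for j in range(i + 1, len(rules))
            if rules[i].action != rules[j].action and overlaps(rules[i], rules[j])]
```

The same `find_conflicts` check applied across the rule sets handed to different firewalls is what exposes the inter-firewall conflicts the abstract refers to.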


Published In

SACMAT '07: Proceedings of the 12th ACM symposium on Access control models and technologies
June 2007
254 pages
ISBN: 9781595937452
DOI: 10.1145/1266840

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

  1. conflict-free
  2. firewall
  3. policy language


Acceptance Rates

Overall Acceptance Rate: 177 of 597 submissions, 30%
