Firmato

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback

Firmato: A novel firewall management toolkit

Full text

Pdf (918 KB)

Source

ACM Transactions on Computer Systems (TOCS) archive
Volume 22 , Issue 4 (November 2004) table of contents

Pages: 381 - 420

Year of Publication: 2004

ISSN:0734-2071

Authors

Yair Bartal	The Hebrew University of Jerusalem, Jerusalem, Israel
Alain Mayer	CenterRun Inc., Redwood City, CA
Kobbi Nissim	Microsoft Research, SVC, Mountain View, CA
Avishai Wool	Tel Aviv University, Ramat Aviv, Israel

Publisher

ACM New York, NY, USA

Bibliometrics

Downloads (6 Weeks): 21, Downloads (12 Months): 198, Citation Count: 3

Additional Information:

abstract references cited by index terms review collaborative colleagues

Tools and Actions:	Request Permissions Review this Article Save this Article to a Binder Display Formats: BibTeX EndNote ACM Ref

DOI Bookmark:	Use this link to bookmark this Article: http://doi.acm.org/10.1145/1035582.1035583 What is a DOI?

ABSTRACT

In recent years packet-filtering firewalls have seen some impressive technological advances (e.g., stateful inspection, transparency, performance, etc.) and wide-spread deployment. In contrast, firewall and security <i>management</i> technology is lacking. In this paper we present <i>Firmato</i>, a firewall management toolkit, with the following distinguishing properties and components: (1) an entity-relationship model containing, in a unified form, global knowledge of the security policy and of the network topology; (2) a model definition language, which we use as an interface to define an instance of the entity-relationship model; (3) a model compiler, translating the global knowledge of the model into firewall-specific configuration files; and (4) a graphical firewall rule illustrator.

We implemented a prototype of our toolkit to work with several commercially available firewall products. This prototype was used to control an operational firewall for several months. We believe that our approach is an important step toward streamlining the process of configuring and managing firewalls, especially in complex, multi-firewall installations.

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Ravindra K. Ahuja , Thomas L. Magnanti , James B. Orlin, Network flows: theory, algorithms, and applications, Prentice-Hall, Inc., Upper Saddle River, NJ, 1993
	2	Bartal, Y., Mayer, A., Nissim, K., and Wool, A. 1999. Firmato: A novel firewall management toolkit. In Proceedings of the 20th IEEE Symp. on Security and Privacy. IEEE, Oakland, CA. 17--31.
	3	Bellovin, S. M. 1999. Distributed firewalls. ;login: The Magazine of USENIX & SAGE. 39--47.
	4	Carney, M. and Loe, B. 1998. A comparison of methods for implementing adaptive security policies. In Proceedings of the 7th USENIX Security Symposium. Usenix Association, Berkeley. 1--14.
	5	D. Brent Chapman , Elizabeth D. Zwicky , Deborah Russell, Building Internet Firewalls, O'Reilly & Associates, Inc., Sebastopol, CA, 1995
	6	David W. Chapman , Andy Fox , Rick Stiffler, Cisco Secure PIX Firewalls, Cisco Press, 2001
	7	William R. Cheswick , Steven M. Bellovin , Aviel D. Rubin, Firewalls and Internet Security: Repelling the Wily Hacker, Addison-Wesley Longman Publishing Co., Inc., Boston, MA, 2003
	8	Dot. 2001. Graphviz---open source graph drawing software. version 1.7. http://www.research.att.com/sw/tools/graphviz/.
	9	FWB 2002. Firewall builder. http://www.fwbuilder.org.
	10	E. R. Gansner , E. Koutsofios , S. C. North , K.-P. Vo, A Technique for Drawing Directed Graphs, IEEE Transactions on Software Engineering, v.19 n.3, p.214-230, March 1993 [doi>10.1109/32.221135]
	11	Michael R. Garey , David S. Johnson, Computers and Intractability: A Guide to the Theory of NP-Completeness, W. H. Freeman & Co., New York, NY, 1979
	12	J. D. Guttman, Filtering postures: local enforcement for global policies, Proceedings of the 1997 IEEE Symposium on Security and Privacy, p.120, May 04-07, 1997
	13	Joshua D. Guttman, Security Goals: Packet Trajectories and Strand Spaces, Revised versions of lectures given during the IFIP WG 1.7 International School on Foundations of Security Analysis and Design on Foundations of Security Analysis and Design: Tutorial Lectures, p.197-261, September 01, 2000
	14	Joshua D. Guttman , Amy L. Herzog , F. Javier Thayer, Authentication and Confidentiality via IPSEC, Proceedings of the 6th European Symposium on Research in Computer Security, p.255-272, October 04-06, 2000
	15	Held, G. and Hundley, K. 1999. Cisco Access Lists. McGraw-Hill.
	16	Susan Hinrichs, Policy-Based Management: Bridging the Gap, Proceedings of the 15th Annual Computer Security Applications Conference, p.209, December 06-10, 1999
	17	HLFL 2002. HLFL---high level firewall language. http://www.hlfl.org.
	18	Howe, C. D., Erwin, B., Barth, C., and Elliot, S. 1996. What's beyond firewalls? The Forrester Report 10, 12 (Nov.).
	19	ICSA Labs. 2003. Certified firewall products. http://www.icsalabs.com/html/communities/firewalls/certification/rxvendors/index.shtml.
	20	Sotiris Ioannidis , Angelos D. Keromytis , Steve M. Bellovin , Jonathan M. Smith, Implementing a distributed firewall, Proceedings of the 7th ACM conference on Computer and communications security, p.190-199, November 01-04, 2000, Athens, Greece [doi>10.1145/352600.353052]
	21	Butler Lampson , Martín Abadi , Michael Burrows , Edward Wobber, Authentication in distributed systems: theory and practice, ACM Transactions on Computer Systems (TOCS), v.10 n.4, p.265-310, Nov. 1992 [doi>10.1145/138873.138874]
	22	Limoncelli, T. A. 1999. Tricks you can do if your firewall is a bridge. In First USENIX Conference on Network Administration (NETA). USENIX, Santa Clara, CA.
	23	Lucent 2002. Lucent VPN firewall brick. http://www.lucent.com/security.
	24	Alain Mayer , Avishai Wool , Elisha Ziskind, Fang: A Firewall Analysis Engine, Proceedings of the 2000 IEEE Symposium on Security and Privacy, p.177, May 14-17, 2000
	25	Reed, D. 2002. Filter language compiler. http://cheops.anu.edu.au/ avalon/flc.html.
	26	Aviel D. Rubin , Daniel Geer , Marcus J. Ranum, Web security sourcebook, John Wiley & Sons, Inc., New York, NY, 1997
	27	Sandhu, R. S. 1998. Role-based access control. In Advances in Computers, M. Zerkowitz, Ed. Vol. 48. Academic Press.
	28	Solsoft. 2000. Solsoft NP: Putting security policies into practice. Enterprise Management Associates white paper. http://www.solsoft.com/library/ema_profiler.pdf.
	29	Michael M. Swift , Anne Hopkins , Peter Brundrett , Cliff Van Dyke , Praerit Garg , Shannon Chan , Mario Goertzel , Gregory Jensenworth, Improving the granularity of access control for Windows 2000, ACM Transactions on Information and System Security (TISSEC), v.5 n.4, p.398-437, November 2002 [doi>10.1145/581271.581273]
	30	Dameon D. Welch-Abernathy, Essential check point FireWall-1: an installation, configuration, and troubleshooting guide, Addison-Wesley Longman Publishing Co., Inc., Boston, MA, 2001
	31	Wool, A. 2001. Architecting the Lumeta firewall analyzer. In 10th USENIX Security Symposium. USENIX, Washington, D.C. 85--97.
	32	Wool, A. 2004a. The use and usability of direction-based filtering in firewalls. Computers & Security 23, 6, 459--468.
	33	A Quantitative Study of Firewall Configuration Errors, Computer, v.37 n.6, p.62-67, June 2004 [doi>10.1109/MC.2004.2]

CITED BY 3

	Birger Tödtmann , Erwin P. Rathgeb, Anticipatory distributed packet filter configurations for carrier-grade IP networks, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.51 n.10, p.2565-2579, July, 2007
	Venanzio Capretta , Bernard Stepien , Amy Felty , Stan Matwin, Formal correctness of conflict detection for firewalls, Proceedings of the 2007 ACM workshop on Formal methods in security engineering, p.22-30, November 02-02, 2007, Fairfax, Virginia, USA
	S. Pozo , R. Ceballos , R. M. Gasca, Model-Based Development of firewall rule sets: Diagnosing model inconsistencies, Information and Software Technology, v.51 n.5, p.894-915, May, 2009

INDEX TERMS

Primary Classification:
C. Computer Systems Organization
C.2 COMPUTER-COMMUNICATION NETWORKS
C.2.0 General
Subjects: Security and protection (e.g., firewalls)

Additional Classification:
C. Computer Systems Organization
C.2 COMPUTER-COMMUNICATION NETWORKS
C.2.3 Network Operations
Subjects: Network management

K. Computing Milieux
K.6 MANAGEMENT OF COMPUTING AND INFORMATION SYSTEMS
K.6.5 Security and Protection (D.4.6, K.4.2)

Keywords:
Security policy, firewall, management, model definition language, visualization

REVIEW

"Anthony Donald Vanker : Reviewer"

A prototype firewall management toolkit is discussed in this paper. The authors wanted a tool that was firewall vendor independent, separated security policy from network topology, generated firewall configurations (as rules) automatically, and pr more...

Collaborative Colleagues:

Yair Bartal: colleagues

Alain Mayer: colleagues

Kobbi Nissim: colleagues

Avishai Wool: colleagues

Adobe Acrobat

QuickTime

Windows Media Player

Real Player