Specifications of a high-level conflict-free firewall policy language for multi-domain networks
Source
Proceedings of the 12th ACM Symposium on Access Control Models and Technologies, Sophia Antipolis, France
SESSION: Roles and policies
Pages: 185-194
Year of Publication: 2007
ISBN: 978-1-59593-745-2
Authors
Bin Zhang  DePaul University
Ehab Al-Shaer  DePaul University
Radha Jagadeesan  DePaul University
James Riely  DePaul University
Corin Pitcher  DePaul University
Sponsors
ACM: Association for Computing Machinery
SIGSAC: ACM Special Interest Group on Security, Audit, and Control
Publisher
ACM  New York, NY, USA
DOI: http://doi.acm.org/10.1145/1266840.1266871

ABSTRACT

Multiple firewalls typically cooperate to provide security properties for a network, despite the fact that these firewalls are often spatially distributed and configured in isolation. Without a global view of the network configuration, such a system is ripe for misconfiguration, causing conflicts and major security vulnerabilities.

We propose FLIP, a high-level firewall configuration policy language for traffic access control, to enforce security and ensure seamless configuration management. In FLIP, firewall security policies are defined as high-level, service-oriented goals, which are translated automatically into access control rules and distributed to the appropriate enforcement devices. FLIP guarantees that the generated rules are conflict-free, both on an individual firewall and between firewalls. We prove that the translation algorithm is sound and complete.

FLIP supports policy inheritance and customization, which make it possible to define a global firewall policy for a large-scale enterprise network quickly and accurately. Through a case study, we argue that FLIP makes firewall policy management for large-scale networks efficient and accurate.
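The abstract describes the two properties a policy compiler of this kind must deliver: service-level goals become concrete rules on every enforcement device along the path, and the result is free of conflicts both within one firewall's rule list and between firewalls. The following Python program is an added worked example written for this page; it is not the FLIP language, its translation algorithm or the paper's proof, and it does not model policy inheritance. The domains, firewall paths, services and policy lines are constructed, and the two conflict classes it checks (shadowing and correlation within a device, a downstream deny cancelling an upstream allow across devices) are a deliberately simplified assumption rather than the paper's definitions.

```python
"""Toy compiler from service-oriented firewall goals to per-device 5-tuple rules,
with an intra-firewall and an inter-firewall conflict check on the output.
Added illustration only: not the FLIP language or its translation algorithm,
and policy inheritance is not modelled. All topology and goals are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network

# Constructed topology; PATHS gives the firewalls crossed from one domain to
# another (assumption: paths are static and known to the compiler).
DOMAINS = {"corp": ip_network("10.1.0.0/16"), "dmz": ip_network("10.2.0.0/24"),
           "internet": ip_network("0.0.0.0/0")}
PATHS = {("corp", "dmz"): ["fw-core"], ("corp", "internet"): ["fw-core", "fw-edge"],
         ("internet", "dmz"): ["fw-edge"]}
SERVICES = {"http": ("tcp", 80), "https": ("tcp", 443), "ssh": ("tcp", 22)}
# Constructed goals in priority order; the last one contradicts the third.
POLICY = [("allow", "https", "internet", "dmz"), ("allow", "http", "corp", "internet"),
          ("deny", "ssh", "internet", "dmz"), ("allow", "ssh", "internet", "dmz")]


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    proto: str
    dport: int
    action: str  # "allow" or "deny"

    def covers(self, other):
        """Every packet matched by `other` is also matched by self."""
        return (other.src.subnet_of(self.src) and other.dst.subnet_of(self.dst)
                and (self.proto, self.dport) == (other.proto, other.dport))

    def overlaps(self, other):
        """Some packet is matched by both rules."""
        return (self.src.overlaps(other.src) and self.dst.overlaps(other.dst)
                and (self.proto, self.dport) == (other.proto, other.dport))


def compile_policy(policy):
    """Each goal becomes one rule on every firewall along its path, in policy
    order, so the devices agree by construction. Returns {firewall: [Rule]}."""
    devices = {}
    for action, service, src, dst in policy:
        proto, port = SERVICES[service]
        for fw in PATHS[(src, dst)]:
            devices.setdefault(fw, []).append(
                Rule(DOMAINS[src], DOMAINS[dst], proto, port, action))
    return devices


def find_conflicts(rules):
    """Intra-firewall check, first-match order. Simplified classes (assumed):
    shadowing = a later rule is fully covered by an earlier opposite-action rule
    and can never fire; correlation = opposite actions that partially overlap,
    so rule order silently decides the shared packets."""
    found = []
    for i, earlier in enumerate(rules):
        for later in rules[i + 1:]:
            if earlier.action == later.action:
                continue
            if earlier.covers(later):
                found.append(("shadowing", earlier, later))
            elif earlier.overlaps(later):
                found.append(("correlation", earlier, later))
    return found


def decide(rules, src_ip, dst_ip, proto, dport):
    """First-match evaluation with an implicit default deny."""
    for r in rules:
        if src_ip in r.src and dst_ip in r.dst and (r.proto, r.dport) == (proto, dport):
            return r.action
    return "deny"


def check_paths(policy, devices):
    """Inter-firewall check: a representative packet for every 'allow' goal must
    pass every firewall on its path; one downstream deny cancels an upstream
    allow and the goal is silently unmet."""
    broken = []
    for action, service, src, dst in policy:
        if action != "allow":
            continue
        proto, port = SERVICES[service]
        src_ip, dst_ip = next(DOMAINS[src].hosts()), next(DOMAINS[dst].hosts())
        for fw in PATHS[(src, dst)]:
            if decide(devices.get(fw, []), src_ip, dst_ip, proto, port) != "allow":
                broken.append((fw, service, src, dst))
    return broken


def demo():
    devices = compile_policy(POLICY)
    intra = {fw: find_conflicts(rules) for fw, rules in devices.items()}
    # The isolated-configuration problem: an operator hand-adds a rule on the
    # edge device that the compiler never saw.
    devices["fw-edge"].insert(
        0, Rule(DOMAINS["corp"], DOMAINS["internet"], "tcp", 80, "deny"))
    return intra, check_paths(POLICY, devices)
```

Running demo() reports one shadowing anomaly on fw-edge (the fourth goal can never fire because the third covers it with the opposite action) and two unmet goals on the path check: the hand-added deny on fw-edge blocks corp-to-internet HTTP that fw-core allows, and the shadowed SSH goal fails for the same reason it was flagged locally. With the contradictory fourth goal removed, the compiled rule sets pass both checks, which is the property the abstract claims for FLIP's output.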
