Abstract
The design of suitable packet-filters protecting subnets against network-based attacks is usually difficult and error-prone. Therefore, tool-assistance shall facilitate the design task and shall contribute to the correctness of the filters, i.e., the filters should be consistent with the other security mechanisms of the computer network, in particular with its access control schemes. Moreover, they should just enable the corresponding necessary traffic. Our tool approach applies a three-layered model describing the access control and network topology aspects of the system on three levels of abstraction. Each lower layer refines its upper neighbour and is accompanied with access control models. At the top level, role based access control is applied. The lowest level specifies packet filter configurations which can be implemented by means of the Linux kernel extension IPchains. The derivation of filter configurations is substantially supported by tool assistance in the course of an interactive design process.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
Similar content being viewed by others
References
Y. Bartal, A. Mayer, K. Nissim and A. Wool: Firmato: A Novel Firewall Management Toolkit. In Proc. IEEE Computer Society Symposium on Security an Privacy, 1999.
M. Casassa Mont, A. Baldwin, C. Goh: POWER Prototype: Towards Integrated Policy-Based Management. in Proc. of the IEEE/IFIP Int. Symposium on Network Operations and Management NOMS 2000, IEEE, 2000.
Desktop Management Taskforce: Common Information Model-Specification 2.0; Desktop Management Taskforce Inc. DMTF, 1998, available via http://www.dmtf.org/spec/
Cisco Systems, Inc: Delivering end-to-end security in policy-based networks. http://www-uk.cisco.com/warp/public/cc/cisco/mkt/enm/cap/tech/deesp_wp.htm, 1999.
M. Ejiri, S. Goyal (eds.): Proc. of the IEEE/IFIP Int. Symposium on Network Operations and Management NOMS.96, IEEE, 1996.
D.F. Ferraiolo, J.F. Barkley and D.R. Kuhn: A Role Based Access Control Model and Reference Implementation within a Corporate Intranet. ACM Transactions on Information Systems Security, Volume 1, Number 2, February 1999.
M. Haworth: Service Management and Availability Planning for Data Backup and Recovery; HP Open View Service Management Solutions, White paper, Hewlett-Packard Company, Palo Alto, 1998.
K. Heiler, R. Wies: Policy Driven Configuration Management of Network Devices. In [Eji96], pg. 674–689, 1996.
A. Lazar et al. (eds.): Integrated Network Management V, Proc. 5th IFIP/IEEE Int. Symposium on Integrated Network Management, Chapman & Hall, London, 1997.
I. Lück, M. Schönbach, A. Mester and H. Krumm: Derivation of Backup Service Management Applications from Service and System Models. In: R. Stadler, B. Stiller (Eds.), Active Technologies for Network and Service Management, Proc. DSOM.99, pages 243–255, Zürich, Oct. 1999, LNCS 1700, Springer-Verlag.
D. McBride: Successful Deployment of IT Service Management in the Distributed Enterprise; White paper, Hewlett-Packard Company, Palo Alto, 1998.
J. Moffet, M. Sloman: Policy Hierarchies for Distributed Systems Management. IEEE Journal on Selected Areas in Communications, 11, 9, 1993.
C.P. Pfleeger: Security in Computing (second edition). Prentice-Hall, Inc. 1997.
G. Rodosek, T. Kaiser: Determining the Availability of Distributed Applications; in [Laz97], pg. 207–218, 1997.
R. Sandhu, E. Coyne, H. Feinstein, Ch. Youman: Role-Based Access Control Models. IEEE Computer 29(2), pg. 38–47, 1996.
C.L. Schuba and E.H. Spafford: A Reference Model for Firewall Technology. First Annual Sprint Applied Research parTners Advanced Networking (SPARTAN) Symposium, March 1997.
M. Sloman: Policy Driven Management for Distributed Systems. Journal of Network and Systems Management, Plenum Press, Vol. 2, No. 4, 1994.
G. Booch, J. Rumbaugh, I. Jacobson: The Unified Modelling Language User Guide; Addison-Wesley, Reading, 1997.
R. Wies: Using a Classification of Management Policies for Policy Specification and Policy Transformation. In Proc. of the 4th IFIP/IEEE Int. Symposium on Integrated Network Management, Santa Barbara, 1995.
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2001 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Lück, I., Schäfer, C., Krumm, H. (2001). Model-Based Tool-Assistance for Packet-Filter Design. In: Sloman, M., Lupu, E.C., Lobo, J. (eds) Policies for Distributed Systems and Networks. POLICY 2001. Lecture Notes in Computer Science, vol 1995. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-44569-2_8
Download citation
DOI: https://doi.org/10.1007/3-540-44569-2_8
Published:
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-41610-4
Online ISBN: 978-3-540-44569-2
eBook Packages: Springer Book Archive