
Firmato: A novel firewall management toolkit

Published: 01 November 2004

Abstract

In recent years packet-filtering firewalls have seen some impressive technological advances (e.g., stateful inspection, transparency, performance, etc.) and wide-spread deployment. In contrast, firewall and security management technology is lacking. In this paper we present Firmato, a firewall management toolkit, with the following distinguishing properties and components: (1) an entity-relationship model containing, in a unified form, global knowledge of the security policy and of the network topology; (2) a model definition language, which we use as an interface to define an instance of the entity-relationship model; (3) a model compiler, translating the global knowledge of the model into firewall-specific configuration files; and (4) a graphical firewall rule illustrator.

We implemented a prototype of our toolkit to work with several commercially available firewall products. This prototype was used to control an operational firewall for several months. We believe that our approach is an important step toward streamlining the process of configuring and managing firewalls, especially in complex, multi-firewall installations.
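As an added illustration of the compile step the abstract describes (example code written for this page, not Firmato's own code or its model definition language), the following Python model keeps the security policy separate from the network topology and emits iptables-style rules only for the firewalls that traffic between two zones actually crosses. The zone names and address ranges, the link list, the service table and the `compile_policy` function are all constructed for this example.

```python
"""Toy policy-plus-topology model compiled into per-firewall rule sets.

Added example for this page; it does not reproduce Firmato's MDL syntax.
"""
from collections import deque
from dataclasses import dataclass
from ipaddress import ip_network

# Service names mapped to (protocol, destination port).
SERVICES = {"http": ("tcp", 80), "https": ("tcp", 443), "ssh": ("tcp", 22)}


@dataclass(frozen=True)
class Rule:
    """One policy statement, expressed over zones rather than firewalls."""
    src: str
    dst: str
    service: str
    action: str  # "accept" or "drop"


# --- Constructed model: topology as a graph of zones and firewalls ---
ZONES = {
    "internet": ip_network("0.0.0.0/0"),
    "dmz": ip_network("192.0.2.0/24"),   # documentation range, constructed
    "inside": ip_network("10.0.0.0/8"),
}
FIREWALLS = ("gw", "inner")
# internet -- gw -- dmz -- inner -- inside
LINKS = [("internet", "gw"), ("gw", "dmz"), ("dmz", "inner"), ("inner", "inside")]

# --- Constructed model: global policy, independent of where firewalls sit ---
POLICY = [
    Rule("inside", "internet", "https", "accept"),
    Rule("internet", "dmz", "http", "accept"),
    Rule("inside", "dmz", "ssh", "accept"),
]


def neighbours():
    """Adjacency map built from the undirected link list."""
    adj = {}
    for a, b in LINKS:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def path(src, dst):
    """BFS over the topology graph; returns the node list from src to dst."""
    adj = neighbours()
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nxt in sorted(adj.get(node, ())):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    if dst not in prev:
        raise ValueError(f"no route from {src} to {dst}")
    out = []
    while dst is not None:
        out.append(dst)
        dst = prev[dst]
    return out[::-1]


def firewalls_on_path(src, dst):
    """Only these firewalls need a rule for src -> dst traffic."""
    return [n for n in path(src, dst) if n in FIREWALLS]


def render_iptables(rule):
    """Vendor-specific back end: one iptables FORWARD-chain line per rule."""
    proto, port = SERVICES[rule.service]
    target = "ACCEPT" if rule.action == "accept" else "DROP"
    return (f"-A FORWARD -s {ZONES[rule.src]} -d {ZONES[rule.dst]} "
            f"-p {proto} --dport {port} -j {target}")


def compile_policy(policy=POLICY):
    """Return {firewall: [rule lines]}; each set ends with a default deny."""
    out = {fw: ["-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
           for fw in FIREWALLS}
    for rule in policy:
        for fw in firewalls_on_path(rule.src, rule.dst):
            out[fw].append(render_iptables(rule))
    for fw in out:
        out[fw].append("-A FORWARD -j DROP")  # default deny closes every rule set
    return out


if __name__ == "__main__":
    for fw, lines in compile_policy().items():
        print(f"# {fw}")
        print("\n".join(lines))
```

Moving a firewall in `LINKS` changes which rule sets receive a policy statement without touching `POLICY`, which is the separation of policy from topology the abstract argues for; the per-firewall default deny is what turns an omitted policy statement into blocked traffic rather than an open path.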



Reviews

Anthony Donald Vanker

A prototype firewall management toolkit is discussed in this paper. The authors wanted a tool that was firewall vendor independent, separated security policy from network topology, generated firewall configurations (as rules) automatically, and provided for high-level debugging of the configuration. These concepts, if properly implemented, could result in firewall management software that is robust and reliable. The authors' approach to designing and building the tool is unique. Entity-relationship (ER) modeling was used to represent the network security policy and topology at a higher level of abstraction. A model definition language was developed to interact with the ER model, to provide security policy and topology knowledge. A model compiler will generate configuration files for each firewall interface. A high-level rule illustrator for debugging is also described. The authors used this prototype to configure two different firewalls, with changing interfaces, at a large corporation for several months. The prototype was partially successful. The model compiler is not ready, so configuration files were manually generated from the ER model built. The rule illustrator did provide a visual representation of the model, but, as the model grew complex, the image became hard to understand. The toolkit is still narrowly focused. For example, it does not support network address translation (NAT), a common feature in routers. The prototype does show that it is possible to configure firewalls at a higher level of abstraction than is currently done today. The objectives of this research are commendable. Perhaps the prototype will be enhanced, so that the resulting concepts can be incorporated into commercial firewall management tools.

Online Computing Reviews Service
