Creating and sharing knowledge for telecommunications

Localizing Firewall Security Policies

Adão, P. ; Focardi, RF ; Guttman, JDG ; Luccio, FLL

Localizing Firewall Security Policies, Proc IEEE Computer Security Foundations Symposium - CSF, Lisboa, Portugal, Vol. 1, pp. 194 - 209, June, 2016.

Digital Object Identifier: 10.1109/CSF.2016.21

In complex networks, filters may be applied at different nodes to control how packets flow. In this paper, we study how to locate filtering functionality within a network. We show how to enforce a set of security goals while allowing maximal service subject to the security constraints. To implement our results we present a tool that given a network specification and a set of control rules automatically localizes the filters and generates configurations for all the firewalls in the network. These configurations are implemented using an extension of Mignis — an open source tool to generate firewalls from declarative, semantically explicit configurations.

Our contributions include a way to specify security goals for how packets traverse the network; an algorithm to distribute filtering functionality to different nodes in the network to enforce a given set of security goals; and a proof that the results are compatible with a Mignis-based semantics for network behavior.