Localizing Firewall Security Policies
; Focardi, RF
; Guttman, JDG
; Luccio, FLL
Localizing Firewall Security Policies, Proc IEEE Computer Security Foundations Symposium - CSF, Lisboa, Portugal, Vol. 1, pp. 194 - 209, June, 2016.
Digital Object Identifier: 10.1109/CSF.2016.21
In complex networks, filters may be applied at different nodes to control how packets flow. In this paper, we study how to locate filtering functionality within a network. We show how to enforce a set of security goals while allowing maximal service subject to the security constraints. To implement our results we present a tool that given a network specification and a set of control rules automatically localizes the filters and generates configurations for all the firewalls in the network. These configurations are implemented using an extension of Mignis — an open source tool to generate firewalls from declarative, semantically explicit configurations.
Our contributions include a way to specify security goals for how packets traverse the network; an algorithm to distribute filtering functionality to different nodes in the network to enforce a given set of security goals; and a proof that the results are compatible with a Mignis-based semantics for network behavior.