Abstract
Design and management of firewall rule sets is difficult and error prone, mainly because translating access control requirements into low-level rule languages is hard. Abstract languages have been proposed, but none has been adopted by industry. We think the main reason is that their complexity is close to that of many existing low-level languages. We define complexity as the difficulty of expressing knowledge about the reality being modeled (the access control requirements). In this paper we analyze the most widely used firewall languages and different possibilities for abstraction. Based on this analysis, we propose a model for firewall languages and a new, simple yet expressive and powerful abstract firewall language, the Abstract Firewall Policy Language (AFPL). AFPL can then be translated into existing low-level firewall languages, or be interpreted directly by firewall platforms. We expect AFPL to fill the gap between requirements and low-level firewall languages.
© 2008 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Pozo, S., Ceballos, R., Gasca, R.M. (2008). AFPL, an Abstract Language Model for Firewall ACLs. In: Gervasi, O., Murgante, B., Laganà, A., Taniar, D., Mun, Y., Gavrilova, M.L. (eds) Computational Science and Its Applications – ICCSA 2008. ICCSA 2008. Lecture Notes in Computer Science, vol 5073. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-69848-7_39
DOI: https://doi.org/10.1007/978-3-540-69848-7_39
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-69840-1
Online ISBN: 978-3-540-69848-7