• DocumentCode
    2960521
  • Title
    Firewall Configuration Policies for the Specification and Implementation of Private Zones
  • Author
    Lobo, Jorge ; Marchi, Massimo ; Provetti, Alessandro
  • Author_Institution
    IBM T.J. Watson Res. Center, Hawthorne, NY, USA
  • fYear
    2012
  • fDate
    16-18 July 2012
  • Firstpage
    78
  • Lastpage
    85
  • Abstract
    We introduce and discuss two case studies where a complex network is modeled as a set of zones interconnected by routers or firewalls. To address the problem in full abstraction, we defined PDLz, an extension of the PDL event-condition-action language that supports the specification of firewall routing policies. PDLz allows the modelling of computer networks based on the concept of zone, i.e., a TCP/IP subnet where internal traffic remains unconstrained. PDLz policies are enforceable thanks to a direct translation to the IPtables firewall configuration language. At the same time, PDLz has a declarative semantics thanks to translation to logic programs. The logic programming translation also supports, by adding extra rules, the formal verification of properties of the network, viz. off-line reachability testing across firewalls. We describe the application of PDLz to the case studies.
  • Keywords
    authorisation; complex networks; computer network security; language translation; logic programming; program testing; program verification; programming language semantics; reachability analysis; telecommunication network routing; telecommunication traffic; transport protocols; IPtables firewall configuration language; PDL event-condition-action language; PDLz policies; TCP/IP subnet; complex network; computer networks; declarative semantics; direct language translation; firewall configuration policies; firewall routing policies; formal verification; logic programming translation; network traffic; offline reachability testing; private zones; routers; Fires; Government; IP networks; Logic gates; Mirrors; Semantics; Servers; Case studies real-life deployments and experiences; Policy-based networking; Specifications refinement analysis reasoning;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Policies for Distributed Systems and Networks (POLICY), 2012 IEEE International Symposium on
  • Conference_Location
    Chapel Hill, NC
  • Print_ISBN
    978-1-4673-1993-5
  • Type
    conf
  • DOI
    10.1109/POLICY.2012.14
  • Filename
    6268004