• DocumentCode
    3070538
  • Title
    AFPL2, an Abstract Language for Firewall ACLs with NAT Support
  • Author
    Pozo, S. ; Varela-Vaca, A.J. ; Gasca, R.M.
  • Author_Institution
    Dept. of Comput. Languages & Syst., Univ. of Seville, Seville, Spain
  • fYear
    2009
  • fDate
    18-23 June 2009
  • Firstpage
    52
  • Lastpage
    59
  • Abstract
    The design and management of firewall ACLs is a very hard and error-prone task. Part of this complexity comes from the fact that each firewall platform has its own low-level language with a different functionality, syntax, and development environment. Although high-level languages have been proposed to model firewall ACLs, none of them has been widely adopted by the industry due to a combination of factors: high complexity, no support for important firewall features, etc. In this paper the most important access control policy languages are reviewed, with special focus on the development of firewall ACLs. Based on this analysis, a new domain-specific language for firewall ACLs (AFPL2) is proposed, supporting features that other languages do not cover (e.g. NAT). As a result of our design methodology, AFPL2 is very lightweight and easy to use. AFPL2 can be translated to existing low-level firewall languages, or be directly interpreted by firewall platforms, and is an extension of a previously developed language.
  • Keywords
    authorisation; machine oriented languages; abstract language; access control list; access control policy languages; firewall design; firewall management; high-level languages; low-level language; Access control; Authorization; Computer errors; Computer languages; DSL; Design methodology; Domain specific languages; High level languages; Network address translation; Protocols; acl; firewall; language; model; nat;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Dependability, 2009. DEPEND '09. Second International Conference on
  • Conference_Location
    Athens, Glyfada
  • Print_ISBN
    978-0-7695-3666-8
  • Type
    conf
  • DOI
    10.1109/DEPEND.2009.14
  • Filename
    5211094