Searching for just a few words should be enough to get started. If you need to make more complex queries, use the tips below to guide you.
Article type: Research Article
Authors: Bodei, Chiaraa | Ceragioli, Lorenzoa | Degano, Pierpaoloa | Focardi, Riccardob | Galletta, Letterioc; * | Luccio, Flaminiab | Tempesta, Maurod | Veronese, Lorenzod
Affiliations: [a] Dipartimento di Informatica, Università di Pisa, Pisa, Italy. E-mails: chiara@di.unipi.it, lorenzo.ceragioli@phd.unipi.it, degano@di.unipi.it | [b] DAIS, Università Ca’ Foscari, Venezia, Italy. E-mails: focardi@unive.it, luccio@unive.it | [c] IMT School for Advanced Studies, Lucca, Italy. E-mail: letterio.galletta@imtlucca.it | [d] TU Wien, Wien, Austria. E-mails: mauro.tempesta@tuwien.ac.at, lorenzo.veronese@tuwien.ac.at
Correspondence: [*] Corresponding author. E-mail: letterio.galletta@imtlucca.it.
Abstract: Firewalls are essential for managing and protecting computer networks. They permit specifying which packets are allowed to enter a network, and also how these packets are modified by IP address translation and port redirection. Configuring a firewall is notoriously hard, and one of the reasons is that it requires using low level, hard to interpret, configuration languages. Equally difficult are policy maintenance and refactoring, as well as porting a configuration from one firewall system to another. To address these issues we introduce a pipeline that assists system administrators in checking if: (i) the intended security policy is actually implemented by a configuration; (ii) two configurations are equivalent; (iii) updates have the desired effect on the firewall behavior; (iv) there are useless or redundant rules; additionally, an administrator can (v) transcompile a configuration into an equivalent one in a different language; and (vi) maintain a configuration using a generic, declarative language that can be compiled into different target languages. The pipeline is based on IFCL, an intermediate firewall language equipped with a formal semantics, and it is implemented in an open source tool called FWS. In particular, the first stage decompiles real firewall configurations for iptables, ipfw, pf and (a subset of) Cisco IOS into IFCL. The second one transforms an IFCL configuration into a logical predicate and uses the Z3 solver to synthesize an abstract specification that succinctly represents the firewall behavior. System administrators can use FWS to analyze the firewall by posing SQL-like queries, and update the configuration to meet the desired security requirements. Finally, the last stage allows for maintaining a configuration by acting directly on its abstract specification and then compiling it to the chosen target language. Tests on real firewall configurations show that FWS can be fruitfully used in real-world scenarios.
Keywords: Firewall configuration languages, Semantic-based tool, Configuration analysis, refactoring, maintaining, porting
DOI: 10.3233/JCS-200017
Journal: Journal of Computer Security, vol. 29, no. 1, pp. 77-134, 2021
IOS Press, Inc.
6751 Tepper Drive
Clifton, VA 20124
USA
Tel: +1 703 830 6300
Fax: +1 703 830 2300
sales@iospress.com
For editorial issues, like the status of your submitted paper or proposals, write to editorial@iospress.nl
IOS Press
Nieuwe Hemweg 6B
1013 BG Amsterdam
The Netherlands
Tel: +31 20 688 3355
Fax: +31 20 687 0091
info@iospress.nl
For editorial issues, permissions, book requests, submissions and proceedings, contact the Amsterdam office info@iospress.nl
Inspirees International (China Office)
Ciyunsi Beili 207(CapitaLand), Bld 1, 7-901
100025, Beijing
China
Free service line: 400 661 8717
Fax: +86 10 8446 7947
china@iospress.cn
For editorial issues, like the status of your submitted paper or proposals, write to editorial@iospress.nl
如果您在出版方面需要帮助或有任何建, 件至: editorial@iospress.nl