Firmato: a novel firewall management toolkit

Bartal, Yair; Mayer, Alain; Nissim, Kobbi; Wool, Avishai

doi:10.1109/secpri.1999.766714

Cited by 187 publications

(218 citation statements)

References 18 publications

Supporting

Mentioning

211

Contrasting

Unclassified

Order By: Relevance

“…after modifications on the PIM to update the security policy of the network according to the new requirements). In that sense, some existing forward engineering efforts [18,4] that produce firewall configurations from high level representations can be reused.…”

Section: Application Scenariosmentioning

confidence: 99%

“…Although there exist approaches to derive firewall configurations from highlevel network policy specifications [18,4], these configuration files are still mostly manually written, using low-level and, often, vendor-specific rule filtering languages. Moreover, the network topology, that may include several firewalls (potentially from different vendors), may impose the necessity of splitting the enforcement of the global security policy among several elements.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Model-Driven Extraction and Analysis of Network Security Policies

Martínez

García-Alfaro

Cuppens

et al. 2013

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Firewalls are a key element in network security. They are in charge of filtering the traffic of the network in compliance with a number of access-control rules that enforce a given security policy. In an always-evolving context, where security policies must often be updated to respond to new security requirements, knowing with precision the policy being enforced by a network system is a critical information. Otherwise, we risk to hamper the proper evolution of the system and compromise its security. Unfortunately, discovering such enforced policy is an error-prone and time consuming task that requires low-level and, often, vendor-specific expertise since firewalls may be configured using different languages and conform to a complex network topology. To tackle this problem, we propose a model-driven reverse engineering approach able to extract the security policy implemented by a set of firewalls in a working network, easing the understanding, analysis and evolution of network security policies.

show abstract

Section: Application Scenariosmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Model-Driven Extraction and Analysis of Network Security Policies

Martínez

García-Alfaro

Cuppens

et al. 2013

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…In [14] the authors propose a high-level language, Firmato, which models ACLs as ERDs in order to automatically generate low-level firewall ACLs. However, the complexity of Firmato is similar to that of many low-level languages.…”

Section: Related Workmentioning

confidence: 99%

“…Many third-party domain specific languages (DSLs) have been proposed to abstract the network administrator from the underlying firewall platform details and language syntax [6,7,8,9,10,11]. A domain specific language provides more possibilities to network administrators, since it can raise the abstraction level of the problem domain using its own concepts.…”

Section: Introductionmentioning

confidence: 99%

MDA-Based Framework for Automatic Generation of Consistent Firewall ACLs with NAT

Pozo

Varela-Vaca

Gasca

2009

Computational Science and Its Applications – ICCSA 2009

View full text Add to dashboard Cite

Abstract. The design and management of firewall ACLs is a very hard and error-prone task. Part of this complexity comes from the fact that each firewall platform has its own low-level language with a different functionality, syntax, and development environment. Although several high-level languages have been proposed to model firewall access control policies, none of them has been widely adopted by the industry due to a combination of factors: high complexity, no support of important features of firewalls, no common development process, etc. In this paper, a development process for Firewall ACLs based on the Model Driven Architecture (MDA) framework is proposed. The framework supports the market leaders firewall platforms and is user-extensible. The most important access control policy languages are reviewed, with special focus on the development of firewall ACLs. Based on this analysis a new DSL language for firewall ACLs, AFPL2, covering most features other languages do not cover, is proposed. The language is then used as the platform independent metamodel, the first part of the MDA-based framework.

show abstract

“…The Firmato system [19] is a firewall management toolkit for large-scale networks. It provides a portable, unified policy language, independent of the firewall specifics.…”

Section: Related Workmentioning

confidence: 99%

Path-Based Access Control for Enterprise Networks

Burnside

Keromytis

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Enterprise networks are ubiquitious and increasingly complex. The mechanisms for defining security policies in these networks have not kept up with the advancements in networking technology. In most cases, system administrators define policies on a per-application basis, and subsequently, these policies do not interact. For example, there is no mechanism that allows a web server to communicate decisions based on its ruleset to a firewall in front of it, even though decisions being made at the web server may be relevant to decisions at the firewall. In this paper, we describe a path-based access control system for serviceoriented architecture (SOA)-style networks which allows services to pass access-control-related information to neighboring services, as the services process requests from outsiders and from each other. Path-based access control defends networks against a class of attacks wherein individual services make correct access control decisions but the resulting global network behavior is incorrect. We demonstrate the system in two forms, using graph-based policies and by leveraging the KeyNote trust management system.

show abstract

Firmato: a novel firewall management toolkit

Cited by 187 publications

References 18 publications

Model-Driven Extraction and Analysis of Network Security Policies

Model-Driven Extraction and Analysis of Network Security Policies

MDA-Based Framework for Automatic Generation of Consistent Firewall ACLs with NAT

Path-Based Access Control for Enterprise Networks

Contact Info

Product

Resources

About