Tool-Assistance for Packet-Filter Design

Ingo Lück

Materna Information & Communications, Voßkuhle 37, D-44141 Dortmund, Germany

Christian Schäfer, Heiko Krumm

Universität Dortmund, FB Informatik, LS IV, D-44221 Dortmund, Germany


The design of suitable packet-filters protecting subnets against net-work-based attacks is usually difficult and error-prone. Therefore, tool-assistance shall facilitate the design task and shall contribute to the correctness of the filters, i.e., the filters should be consistent with the other security mecha-nisms of the computer network, in particular with its access control schemes. Moreover, they should just enable the corresponding necessary traffic. Our tool approach applies a three-layered model describing the access control and net-work topology aspects of the system on three levels of abstraction. Each lower layer refines its upper neighbour and is accompanied with access control mod-els. At the top level, role based access control is applied. The lowest level specifies packet filter configurations which can be implemented by means of the Linux kernel extension IPchains. The derivation of filter configurations is substantially supported by tool assistance in the course of an interactive design process.


Packet Filter, Policy Hierarchy, Model-Based Management, Firewall Design

Published in

M. Sloman, E. Lupu, J. Lobo (Eds.), Proceedings of the IEEE Workshop on Policies for Distributed Systems and Networks (Policy 2001), pages 120-136, Bristol, UK, Lecture Notes in Computer Science 1995, 2001. Springer-Verlag.

Obtaining the paper

Due to the copyright agreement between the publisher and the authors we are not allowed to make the paper available online. If you have problems to obtain it, please call us.

Peter Herrmann, March 28, 2001 -- digital media copyright