Tool-Assistance for Packet-Filter Design
Ingo Lück
-
Materna Information & Communications,
Voßkuhle 37, D-44141 Dortmund, Germany
-
E-Mail: Ingo.Lueck@materna.de
-
Universität Dortmund, FB Informatik, LS IV, D-44221 Dortmund, Germany
-
E-Mail: krumm@ls4.cs.tu-dortmund.de
Abstract
The design of suitable packet-filters protecting subnets
against net-work-based attacks is usually difficult and error-prone.
Therefore, tool-assistance shall facilitate the design task and shall
contribute to the correctness of the filters, i.e., the filters should
be consistent with the other security mecha-nisms of the computer
network, in particular with its access control schemes. Moreover, they
should just enable the corresponding necessary traffic. Our tool
approach applies a three-layered model describing the access control and
net-work topology aspects of the system on three levels of abstraction.
Each lower layer refines its upper neighbour and is accompanied with
access control mod-els. At the top level, role based access control is
applied. The lowest level specifies packet filter configurations which
can be implemented by means of the Linux kernel extension IPchains. The
derivation of filter configurations is substantially supported by tool
assistance in the course of an interactive design process.
Keywords
Packet Filter, Policy Hierarchy, Model-Based Management,
Firewall Design
Published in
M. Sloman, E. Lupu, J. Lobo (Eds.),
Proceedings of the IEEE Workshop on Policies for Distributed Systems and
Networks (Policy 2001), pages 120-136, Bristol, UK, Lecture Notes in
Computer Science 1995, 2001. Springer-Verlag.
Obtaining the paper
Due to the copyright agreement between the publisher and the authors we are
not allowed to make the paper available online. If you have problems to
obtain it,
please call us.
Peter Herrmann, March 28, 2001
-- digital media copyright