Transcompiling Firewalls

Bodei, Chiara; Degano, Pierpaolo; Focardi, Riccardo; Galletta, Letterio; Tempesta, Mauro

doi:10.1007/978-3-319-89722-6_13

Cited by 5 publications

(2 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…We intend to investigate the problem of compiling an abstract specification into concrete firewall languages along the lines of [36]. This would enable cross-compilation from one firewall system to another, complementing what we presented in this paper.…”

Section: Discussionmentioning

confidence: 98%

Language-Independent Synthesis of Firewall Policies

Bodei

Degano

Galletta

et al. 2018

2018 IEEE European Symposium on Security and Privacy (EuroS&P)

Self Cite

View full text Add to dashboard Cite

Configuring and maintaining a firewall configuration is notoriously hard. Policies are written in low-level, platform-specific languages where firewall rules are inspected and enforced along non trivial control flow paths. Further difficulties arise from Network Address Translation (NAT), since filters must be implemented with addresses translations in mind. In this work, we study the problem of decompiling a real firewall configuration into an abstract specification. This abstract version throws the low-level details away by exposing the meaning of the configuration, i.e., the allowed connections with possible address translations. The generated specification makes it easier for system administrators to check if: (i) the intended security policy is actually implemented;(ii) two configurations are equivalent; (iii) updates have the desired effect on the firewall behavior. The peculiarity of our approach is that is independent of the specific target firewall system and language. This independence is obtained through a generic intermediate language that provides the typical features of real configuration languages and that separates the specification of the rulesets, determining the destiny of packets, from the specification of the platform-dependent steps needed to elaborate packets. We present a tool that decompiles real firewall configurations from different systems into this intermediate language and uses the Z3 solver to synthesize the abstract specification that succinctly represents the firewall behavior and the NAT. Tests on real configurations show that the tool is effective: it synthesizes complex policies in a matter of minutes and, and it answers to specific queries in just a few seconds. The tool can also point out policy differences before and after configuration updates in a simple, tabular form.

show abstract

Section: Discussionmentioning

confidence: 98%

Language-Independent Synthesis of Firewall Policies

Bodei

Degano

Galletta

et al. 2018

2018 IEEE European Symposium on Security and Privacy (EuroS&P)

Self Cite

View full text Add to dashboard Cite

show abstract

“…Na prática, instituições como a Unipampa e provedores de Internet regionais sofrem com os problemas e custos operacionais resultantes da configuração de diferentes tipos e versões de firewalls. Apesar de existirem soluções como a IFCL [Bodei et al, 2018], que viabilizam a migração de regras de um tipo de firewall para outro, elas não oferecem recursos para operacionalizar o gerenciamento simultâneo de diferentes soluções.…”

Section: Introductionunclassified

FWunify: uma Ferramenta para Simplificar a Configuração de Múltiplos Firewalls

Fiorenza

Kreutz

Mansilha

2021

Anais Estendidos Do XXI Simpósio Brasileiro De Segurança Da Informação E De Sistemas Computacionais (SBSeg Estendido 2021)

View full text Add to dashboard Cite

A configuração de múltiplos firewalls é um processo desafiador. As soluções existentes são especializadas e requerem o domínio prévio ou aprendizado de uma variedade de sintaxes e métodos de configuração para implementar corretamente as políticas de segurança desejadas. Para reduzir a curva de aprendizagem e mitigar erros operacionais, propomos a ferramenta FWunify – uma solução para configuração integrada e automática de firewalls. Através de uma arquitetura composta por múltiplas camadas e módulos fracamente acoplados, a FWunify permite que novas soluções de firewall sejam incorporadas a ferramenta impactando minimamente nas camadas adjacentes. Um protótipo funcional da FWunify foi implementado e utilizado para demonstrar a viabilidade técnica e aplicabilidade da proposta.

show abstract