We introduce and discuss two case studies where a complex network is modeled as a set of zones interconnected by routers or firewalls. To address the problem in full abstraction, we defined PDLz, an extension of the PDL event-condition-action language that supports the specification of firewall routing policies. PDLz allows the modelling of computer networks based on the concept of zone, i.e., a TCP/IP subnet where internal traffic remains unconstrained. PDLz policies are enforceable thanks to a direct translation to the IPtables firewall configuration language. At the same time, PDLz has a declarative semantics thanks to translation to logic programs. The logic programming translation also supports, by adding extra rules, the formal verification of properties of the network, viz. off-line reachability testing across firewalls. We describe the application of PDLz to the case studies.
Firewall configuration policies for the specification and implementation of private zones / J. Lobo, M. Marchi, A. Provetti - In: 2012 IEEE International Symposium on Policies for Distributed Systems and Networks[s.l] : IEEE, 2012. - ISBN 978-1-4673-1993-5. - pp. 78-85 (( Intervento presentato al 13. convegno International Symposium on Policies for Distributed Systems and Networks tenutosi a Chapel Hill nel 2012 [10.1109/POLICY.2012.14].
Firewall configuration policies for the specification and implementation of private zones
M. Marchi;A. Provetti
2012
Abstract
We introduce and discuss two case studies where a complex network is modeled as a set of zones interconnected by routers or firewalls. To address the problem in full abstraction, we defined PDLz, an extension of the PDL event-condition-action language that supports the specification of firewall routing policies. PDLz allows the modelling of computer networks based on the concept of zone, i.e., a TCP/IP subnet where internal traffic remains unconstrained. PDLz policies are enforceable thanks to a direct translation to the IPtables firewall configuration language. At the same time, PDLz has a declarative semantics thanks to translation to logic programs. The logic programming translation also supports, by adding extra rules, the formal verification of properties of the network, viz. off-line reachability testing across firewalls. We describe the application of PDLz to the case studies.
| File | Dimensione | Formato | |
|---|---|---|---|
|
marchi-firewall-Policy12.pdf
accesso riservato
Tipologia:
Publisher's version/PDF
Dimensione
397.99 kB
Formato
Adobe PDF
|
397.99 kB | Adobe PDF | Visualizza/Apri Richiedi una copia |
Pubblicazioni consigliate
I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.
