We introduce and discuss two case studies where a complex network is modeled as a set of zones interconnected by routers or firewalls. To address the problem in full abstraction, we defined PDLz, an extension of the PDL event-condition-action language that supports the specification of firewall routing policies. PDLz allows the modelling of computer networks based on the concept of zone, i.e., a TCP/IP subnet where internal traffic remains unconstrained. PDLz policies are enforceable thanks to a direct translation to the IPtables firewall configuration language. At the same time, PDLz has a declarative semantics thanks to translation to logic programs. The logic programming translation also supports, by adding extra rules, the formal verification of properties of the network, viz. off-line reachability testing across firewalls. We describe the application of PDLz to the case studies.

Firewall configuration policies for the specification and implementation of private zones / J. Lobo, M. Marchi, A. Provetti - In: 2012 IEEE International Symposium on Policies for Distributed Systems and Networks[s.l] : IEEE, 2012. - ISBN 978-1-4673-1993-5. - pp. 78-85 (( Intervento presentato al 13. convegno International Symposium on Policies for Distributed Systems and Networks tenutosi a Chapel Hill nel 2012 [10.1109/POLICY.2012.14].

Firewall configuration policies for the specification and implementation of private zones

M. Marchi;A. Provetti
2012

Abstract

We introduce and discuss two case studies where a complex network is modeled as a set of zones interconnected by routers or firewalls. To address the problem in full abstraction, we defined PDLz, an extension of the PDL event-condition-action language that supports the specification of firewall routing policies. PDLz allows the modelling of computer networks based on the concept of zone, i.e., a TCP/IP subnet where internal traffic remains unconstrained. PDLz policies are enforceable thanks to a direct translation to the IPtables firewall configuration language. At the same time, PDLz has a declarative semantics thanks to translation to logic programs. The logic programming translation also supports, by adding extra rules, the formal verification of properties of the network, viz. off-line reachability testing across firewalls. We describe the application of PDLz to the case studies.
Case studies real-life deployments and experiences; Policy-based networking; Specifications refinement analysis reasoning
Settore INF/01 - Informatica
2012
Book Part (author)
File in questo prodotto:
File Dimensione Formato  
marchi-firewall-Policy12.pdf

accesso riservato

Tipologia: Publisher's version/PDF
Dimensione 397.99 kB
Formato Adobe PDF
397.99 kB Adobe PDF   Visualizza/Apri   Richiedi una copia
Pubblicazioni consigliate

I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.

Utilizza questo identificativo per citare o creare un link a questo documento: https://hdl.handle.net/2434/962380
Citazioni
  • ???jsp.display-item.citation.pmc??? ND
  • Scopus 3
  • ???jsp.display-item.citation.isi??? ND
social impact