
Policy-based networking: applications to firewall management

Policy-based control and management: application to firewall management (French title)

Published in: Annales des Télécommunications

Abstract

This paper describes a policy-based approach to firewall management. The Policy-Based Networking (PBN) architecture proposed by the Policy Framework Group of the Internet Engineering Task Force (IETF) is analysed, together with the communication protocols, policy specification languages, and the necessary information models.

An overview of the applicability of policy specification languages to the PBN architecture is presented, paying particular attention to the specification of security policies through the Security Policy Specification Language (SPSL).

The Common Open Policy Service protocol (COPS) and its variant, COPS for Policy Provisioning (COPS-PR), both used for the transport of policy information, are also presented.

The paper continues with a description of an application of the PBN architecture to firewall management. The proposed architecture is presented and its implementation issues are analysed with some usage examples. The paper concludes with an evaluation of the policy-based approach to firewall management.
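The abstract describes the policy-based split between a policy decision point (which evaluates abstract, vendor-neutral rules) and an enforcement point (the firewall that receives the resulting configuration). The following is an added illustrative model of that split; it is not code from the paper, and the rule model, the first-match decision semantics, the `validate`/`decide`/`render_iptables` helpers and the iptables mapping are all this example's own assumptions (the page does not show the authors' SPSL-to-firewall translation).

```python
"""Illustrative policy-decision / policy-enforcement model (added example).

Assumed, not taken from the paper: a minimal condition/action rule model,
a decision function with first-match semantics and default deny, and a
renderer that turns the abstract policy into iptables-style commands.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PolicyRule:
    name: str               # unique rule identifier (no spaces, used as a comment)
    src: str                # source CIDR such as "10.0.0.0/8", or "any"
    dst: str                # destination CIDR, or "any"
    proto: str              # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]    # destination port; None means any port
    action: str             # "permit" or "deny"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


def _net(cidr: str):
    """Parse a CIDR condition; 'any' matches everything (returns None)."""
    return None if cidr == "any" else ipaddress.ip_network(cidr, strict=False)


def validate(rules: List[PolicyRule]) -> bool:
    """Reject a policy a decision point should never push: unknown actions,
    duplicate names, malformed CIDRs, ports outside 0-65535, or a port
    condition on a protocol that has no ports."""
    seen = set()
    for r in rules:
        if r.action not in ("permit", "deny"):
            raise ValueError(f"{r.name}: unknown action {r.action!r}")
        if r.name in seen:
            raise ValueError(f"duplicate rule name {r.name!r}")
        seen.add(r.name)
        _net(r.src)
        _net(r.dst)  # both raise ValueError on a malformed CIDR
        if r.dport is not None:
            if not 0 <= r.dport <= 65535:
                raise ValueError(f"{r.name}: bad port {r.dport}")
            if r.proto not in ("tcp", "udp"):
                raise ValueError(f"{r.name}: port condition needs tcp or udp")
    return True


def matches(rule: PolicyRule, pkt: Packet) -> bool:
    """Evaluate one rule's conditions against a packet description."""
    for cidr, addr in ((rule.src, pkt.src), (rule.dst, pkt.dst)):
        net = _net(cidr)
        if net is not None and ipaddress.ip_address(addr) not in net:
            return False
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def decide(rules: List[PolicyRule], pkt: Packet) -> Tuple[str, str]:
    """Decision point: first matching rule wins; no match falls to default deny."""
    for r in rules:
        if matches(r, pkt):
            return r.action, r.name
    return "deny", "default"


def render_iptables(rules: List[PolicyRule], chain: str = "FORWARD") -> List[str]:
    """Render the abstract policy as iptables commands for an enforcement point
    (this mapping is the example's own assumption). Order is preserved so the
    firewall applies the same first-match semantics as decide()."""
    lines = []
    for r in rules:
        parts = ["iptables", "-A", chain]
        if r.src != "any":
            parts += ["-s", r.src]
        if r.dst != "any":
            parts += ["-d", r.dst]
        if r.proto != "any":
            parts += ["-p", r.proto]
        if r.dport is not None:
            parts += ["--dport", str(r.dport)]
        parts += ["-m", "comment", "--comment", r.name]
        parts += ["-j", "ACCEPT" if r.action == "permit" else "DROP"]
        lines.append(" ".join(parts))
    lines.append(f"iptables -P {chain} DROP")  # default deny at the enforcement point too
    return lines


# Constructed sample policy (documentation address ranges, not real hosts).
POLICY = [
    PolicyRule("allow-web", "any", "192.0.2.10/32", "tcp", 80, "permit"),
    PolicyRule("allow-dns", "10.0.0.0/8", "192.0.2.53/32", "udp", 53, "permit"),
    PolicyRule("deny-telnet", "any", "any", "tcp", 23, "deny"),
]

if __name__ == "__main__":
    validate(POLICY)
    print(decide(POLICY, Packet("198.51.100.7", "192.0.2.10", "tcp", 80)))
    print("\n".join(render_iptables(POLICY)))
```

Running the module validates the constructed policy, prints the decision for a web request and the enforcement-point rules. Keeping the decision logic and the renderer driven by the same ordered rule list is the point of the approach: a policy that fails `validate` is never pushed, and a packet whose fate `decide` reports is handled identically by the generated firewall configuration.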

Résumé (translated from French)

This article describes a method for managing firewalls based on the application of policy rules. It first analyses the policy-based networking (PBN) architecture proposed by the IETF "Policy Framework" group, which comprises communication protocols, policy specification languages and the modelling of the necessary information. It then presents a state of the art of the application of policy specification languages to the PBN architecture, detailing in particular the specification of security policies with the SPSL language. The COPS protocol and its variant COPS-PR, used to transport policy information, are also presented. The last part of the article is devoted to the application of the PBN architecture to firewall management. The proposed architecture is then analysed through a few examples. The article concludes by evaluating the policy-based approach to firewall management.



Corresponding author: Filipe Caldeira.


Caldeira, F., Monteiro, E. Policy-based networking: applications to firewall management. Ann. Télécommun. 59, 38–54 (2004). https://doi.org/10.1007/BF03179673
