Firewall Policies

Firewalls are the standard way to protect computer networks and, as with any other security mechanism, their effectiveness crucially depends on the correctness of their configuration. Writing firewall policies is a complex task even for experienced system administrators, since policies usually consist of hundreds of rules written in low-level, platform-specific configuration languages in which the order of the rules affects the semantics of the policy. Further difficulties arise from Network Address Translation (NAT), the indispensable mechanism for translating IP addresses and performing port redirection, which operates while packets traverse the firewall. The situation is even worse for networks protected by several firewalls, since all of their configurations need to be kept coherent.

The ACADIA center has developed several open-source tools to support system administrators in configuring and maintaining firewalls. Mignis is a compiler that produces configurations for iptables firewalls starting from a high-level specification expressed in a simple, human-readable language in which rule ordering is irrelevant. System administrators can simply declare the set of allowed connections and any address translations, without needing to understand the internals of iptables or how packets are processed by the operating system. Complementarily, FWS is a tool that decompiles real firewall configurations (e.g., iptables, ipfw, pf) into an abstract specification representing the allowed connections, thus exposing only the meaning of the policy and getting rid of all the low-level details specific to the analyzed platform. Administrators can use FWS while maintaining an existing policy to understand the impact of a change on the overall behavior of the firewall.
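As an added illustration (not code from the ACADIA page, Mignis or FWS), the following toy Python model evaluates an ordered, iptables-style rule list with first-match semantics, shows that swapping two rules changes the policy, and computes an order-independent set of allowed connections, in the spirit of the abstract specification FWS produces, so that two configurations can be compared. All hosts, networks and rules are constructed for the example.

```python
# Toy model of first-match firewall semantics (constructed example, not Mignis/FWS).
from ipaddress import ip_network, ip_address
from itertools import product


def rule(src, dst, dport, action):
    """A rule matches (src, dst, dport); dport=None means any port."""
    return (ip_network(src), ip_network(dst), dport, action)


def first_match(rules, pkt, default="drop"):
    """iptables-style evaluation: the first matching rule decides,
    otherwise the chain's default policy applies."""
    src, dst, dport = pkt
    for rsrc, rdst, rport, action in rules:
        if ip_address(src) in rsrc and ip_address(dst) in rdst and rport in (None, dport):
            return action
    return default


# Constructed sample space: representative hosts and ports for each address class.
HOSTS = ["10.0.0.5", "10.0.0.9", "203.0.113.7"]
PORTS = [22, 80, 443]


def allowed_connections(rules):
    """Order-independent view of a configuration: the set of accepted triples."""
    return {p for p in product(HOSTS, HOSTS, PORTS) if first_match(rules, p) == "accept"}


# The same three rules in two different orders (constructed networks).
LAN, ANY, ADMIN = "10.0.0.0/24", "0.0.0.0/0", "10.0.0.5/32"
ordered_a = [rule(ADMIN, ANY, 22, "accept"),  # admin host may use SSH ...
             rule(LAN, ANY, 22, "drop"),      # ... the rest of the LAN may not
             rule(LAN, ANY, None, "accept")]  # everything else from the LAN is fine
ordered_b = [ordered_a[1], ordered_a[0], ordered_a[2]]  # drop-all-SSH now shadows the admin rule


def policy_diff(rules_old, rules_new):
    """Connections whose verdict changes between two configurations."""
    old, new = allowed_connections(rules_old), allowed_connections(rules_new)
    return {"newly_allowed": new - old, "newly_blocked": old - new}


if __name__ == "__main__":
    print(policy_diff(ordered_a, ordered_b))
```

Comparing the two allowed-connection sets reveals that reordering silently blocks the admin host's SSH access, a change that is hard to spot by reading the rule lists themselves.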

Selected publications

  1. C. Bodei, P. Degano, R. Focardi, L. Galletta, M. Tempesta, L. Veronese – Language-Independent Synthesis of Firewall Policies, In IEEE European Symposium on Security and Privacy (2018)
  2. C. Bodei, P. Degano, R. Focardi, L. Galletta, M. Tempesta – Transcompiling Firewalls, In International Conference on Principles of Security and Trust (2018)
  3. P. Adão, R. Focardi, J. D. Guttman, F. L. Luccio – Localizing Firewall Security Policies, In IEEE Computer Security Foundations Symposium (2016)
  4. P. Adão, C. Bozzato, G. Dei Rossi, R. Focardi, F. L. Luccio – Mignis: A Semantic Based Tool for Firewall Configuration, In IEEE Computer Security Foundations Symposium (2014)