Skip to main content
SpringerLink
Log in
Book cover

International Workshop on Policies for Distributed Systems and Networks

POLICY 2001: Policies for Distributed Systems and Networks pp 120–136Cite as

Model-Based Tool-Assistance for Packet-Filter Design

  • Conference paper
  • First Online:

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 1995))

Abstract

The design of suitable packet-filters protecting subnets against network-based attacks is usually difficult and error-prone. Therefore, tool-assistance shall facilitate the design task and shall contribute to the correctness of the filters, i.e., the filters should be consistent with the other security mechanisms of the computer network, in particular with its access control schemes. Moreover, they should just enable the corresponding necessary traffic. Our tool approach applies a three-layered model describing the access control and network topology aspects of the system on three levels of abstraction. Each lower layer refines its upper neighbour and is accompanied with access control models. At the top level, role based access control is applied. The lowest level specifies packet filter configurations which can be implemented by means of the Linux kernel extension IPchains. The derivation of filter configurations is substantially supported by tool assistance in the course of an interactive design process.

This is a preview of subscription content, log in via an institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Y. Bartal, A. Mayer, K. Nissim and A. Wool: Firmato: A Novel Firewall Management Toolkit. In Proc. IEEE Computer Society Symposium on Security an Privacy, 1999.

    Google Scholar 

  2. M. Casassa Mont, A. Baldwin, C. Goh: POWER Prototype: Towards Integrated Policy-Based Management. in Proc. of the IEEE/IFIP Int. Symposium on Network Operations and Management NOMS 2000, IEEE, 2000.

    Google Scholar 

  3. Desktop Management Taskforce: Common Information Model-Specification 2.0; Desktop Management Taskforce Inc. DMTF, 1998, available via http://www.dmtf.org/spec/

  4. Cisco Systems, Inc: Delivering end-to-end security in policy-based networks. http://www-uk.cisco.com/warp/public/cc/cisco/mkt/enm/cap/tech/deesp_wp.htm, 1999.

  5. M. Ejiri, S. Goyal (eds.): Proc. of the IEEE/IFIP Int. Symposium on Network Operations and Management NOMS.96, IEEE, 1996.

    Google Scholar 

  6. D.F. Ferraiolo, J.F. Barkley and D.R. Kuhn: A Role Based Access Control Model and Reference Implementation within a Corporate Intranet. ACM Transactions on Information Systems Security, Volume 1, Number 2, February 1999.

    Google Scholar 

  7. M. Haworth: Service Management and Availability Planning for Data Backup and Recovery; HP Open View Service Management Solutions, White paper, Hewlett-Packard Company, Palo Alto, 1998.

    Google Scholar 

  8. K. Heiler, R. Wies: Policy Driven Configuration Management of Network Devices. In [Eji96], pg. 674–689, 1996.

    Google Scholar 

  9. A. Lazar et al. (eds.): Integrated Network Management V, Proc. 5th IFIP/IEEE Int. Symposium on Integrated Network Management, Chapman & Hall, London, 1997.

    Google Scholar 

  10. I. Lück, M. Schönbach, A. Mester and H. Krumm: Derivation of Backup Service Management Applications from Service and System Models. In: R. Stadler, B. Stiller (Eds.), Active Technologies for Network and Service Management, Proc. DSOM.99, pages 243–255, Zürich, Oct. 1999, LNCS 1700, Springer-Verlag.

    Google Scholar 

  11. D. McBride: Successful Deployment of IT Service Management in the Distributed Enterprise; White paper, Hewlett-Packard Company, Palo Alto, 1998.

    Google Scholar 

  12. J. Moffet, M. Sloman: Policy Hierarchies for Distributed Systems Management. IEEE Journal on Selected Areas in Communications, 11, 9, 1993.

    Article  Google Scholar 

  13. C.P. Pfleeger: Security in Computing (second edition). Prentice-Hall, Inc. 1997.

    Google Scholar 

  14. G. Rodosek, T. Kaiser: Determining the Availability of Distributed Applications; in [Laz97], pg. 207–218, 1997.

    Google Scholar 

  15. R. Sandhu, E. Coyne, H. Feinstein, Ch. Youman: Role-Based Access Control Models. IEEE Computer 29(2), pg. 38–47, 1996.

    Google Scholar 

  16. C.L. Schuba and E.H. Spafford: A Reference Model for Firewall Technology. First Annual Sprint Applied Research parTners Advanced Networking (SPARTAN) Symposium, March 1997.

    Google Scholar 

  17. M. Sloman: Policy Driven Management for Distributed Systems. Journal of Network and Systems Management, Plenum Press, Vol. 2, No. 4, 1994.

    Google Scholar 

  18. G. Booch, J. Rumbaugh, I. Jacobson: The Unified Modelling Language User Guide; Addison-Wesley, Reading, 1997.

    Google Scholar 

  19. R. Wies: Using a Classification of Management Policies for Policy Specification and Policy Transformation. In Proc. of the 4th IFIP/IEEE Int. Symposium on Integrated Network Management, Santa Barbara, 1995.

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Materna Information & Communications, Voβkuhle 37, D-44141, Dortmund, Germany

    Ingo Lück

  2. FB Informatik LS IV, Universität Dortmund, D-44221, Dortmund, Germany

    Christian Schäfer & Heiko Krumm

Authors
  1. Ingo Lück
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Christian Schäfer
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Heiko Krumm
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Department of Computing, Imperial College, 180 Queen’s Gate, SW7 2BZ, London, UK

    Morris Sloman  & Emil C. Lupu  & 

  2. Bell Labs, 600 Mountain Ave., Murray Hill, 07974, NJ, USA

    Jorge Lobo

Rights and permissions

Reprints and permissions

Copyright information

© 2001 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Lück, I., Schäfer, C., Krumm, H. (2001). Model-Based Tool-Assistance for Packet-Filter Design. In: Sloman, M., Lupu, E.C., Lobo, J. (eds) Policies for Distributed Systems and Networks. POLICY 2001. Lecture Notes in Computer Science, vol 1995. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-44569-2_8

Download citation

  • DOI: https://doi.org/10.1007/3-540-44569-2_8

  • Published:

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-41610-4

  • Online ISBN: 978-3-540-44569-2

  • eBook Packages: Springer Book Archive

Publish with us

Policies and ethics

Search

Navigation