Abstract
Today’s protocol specifications only define the behaviour of principals representing communication endpoints. But in addition to endpoints, networks contain midpoints, which are machines that observe or filter traffic between endpoints. In this paper, we explain why midpoints should handle protocols differently from endpoints and why midpoint specifications are therefore needed. With a case study, using the TCP protocol and three different firewalls as midpoints, we illustrate the consequences of the current lack of protocol specifications for midpoints, namely that the same protocol is implemented differently by the different firewalls. We then propose a solution to the problem: we give an algorithm that generates a midpoint automaton from specifications of endpoint automata. We prove that the resulting midpoint automata are correct in that they forward only those messages that could have resulted from protocol-conform endpoints. Finally, we illustrate the algorithm on the TCP protocol.
This work was partially supported by armasuisse. It represents the views of the authors.
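As an added illustration of the idea stated in the abstract (constructed for this page, not the paper's algorithm or code): a midpoint that tracks the joint states two endpoint automata could be in and forwards a message only if protocol-conform endpoints could have produced it. The simplified TCP endpoint automata, the state names and the immediate-delivery assumption are all assumptions made for this example.

```python
"""Midpoint filter derived from two endpoint automata (constructed illustration).
Each endpoint automaton is a set of transitions (state, action, message, next_state)
with action 'send' or 'recv'. The midpoint tracks every joint (client, server) state
consistent with the traffic forwarded so far, and forwards a message only if some
such state lets the sender emit it and the receiver accept it. Simplification:
delivery is assumed immediate and loss-free, so in-flight messages are not modelled."""
# Constructed, heavily simplified TCP endpoints: three-way handshake plus data.
CLIENT = {
    ("CLOSED", "send", "SYN", "SYN_SENT"),
    ("SYN_SENT", "recv", "SYN-ACK", "SYN_ACK_RCVD"),
    ("SYN_ACK_RCVD", "send", "ACK", "ESTABLISHED"),
    ("ESTABLISHED", "send", "DATA", "ESTABLISHED"),
    ("ESTABLISHED", "recv", "DATA", "ESTABLISHED"),
}
SERVER = {
    ("LISTEN", "recv", "SYN", "SYN_RCVD"),
    ("SYN_RCVD", "send", "SYN-ACK", "SYN_ACK_SENT"),
    ("SYN_ACK_SENT", "recv", "ACK", "ESTABLISHED"),
    ("ESTABLISHED", "send", "DATA", "ESTABLISHED"),
    ("ESTABLISHED", "recv", "DATA", "ESTABLISHED"),
}
AUTOMATA = {"client": CLIENT, "server": SERVER}

def successors(automaton, state, action, msg):
    """States an endpoint may be in after performing `action` on `msg` from `state`."""
    return {nxt for st, act, m, nxt in automaton if (st, act, m) == (state, action, msg)}

class Midpoint:
    def __init__(self):
        self.possible = {("CLOSED", "LISTEN")}  # joint states consistent with history

    def observe(self, src, msg):
        """Forward (True) or drop (False) `msg` sent by endpoint `src`."""
        dst = "server" if src == "client" else "client"
        new = set()
        for joint in self.possible:
            states = dict(zip(("client", "server"), joint))
            for s_next in successors(AUTOMATA[src], states[src], "send", msg):
                for d_next in successors(AUTOMATA[dst], states[dst], "recv", msg):
                    upd = {**states, src: s_next, dst: d_next}
                    new.add((upd["client"], upd["server"]))
        if not new:
            return False  # no protocol-conform pair of endpoints could produce this
        self.possible = new
        return True

def filter_trace(trace):
    """Run a fresh midpoint over (src, msg) pairs; return per-message verdicts."""
    mp = Midpoint()
    return [mp.observe(src, msg) for src, msg in trace]
```

A dropped message leaves the tracked state set unchanged, so a later message that conforming endpoints could still send is forwarded normally.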
Copyright information
© 2007 Springer Berlin Heidelberg
About this paper
Cite this paper
von Bidder-Senn, D., Basin, D., Caronni, G. (2007). Midpoints Versus Endpoints: From Protocols to Firewalls. In: Katz, J., Yung, M. (eds) Applied Cryptography and Network Security. ACNS 2007. Lecture Notes in Computer Science, vol 4521. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-72738-5_4
DOI: https://doi.org/10.1007/978-3-540-72738-5_4
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-72737-8
Online ISBN: 978-3-540-72738-5