Representation and Application of Security Policies in Hybrid Network Firewalls
Abstract
Managing security policies across the firewalls of a hybrid network is a challenging task, mainly because of the diversity of products and vendors (e.g., Cisco NGFW, Check Point, Fortigate, IPTables), each with its own language, interface and operating model. This work proposes a generic language for representing the security policies used in firewalls, called FWlang. The language was specified to represent the six policy types found in modern firewalls: ACL, 1-to-1 NAT, N-to-1 NAT, traffic shaping, static routing and URL filtering. It was implemented and integrated into the FWunify firewall management solution. The evaluation shows the simplification the language offers: applying a given set of policies to three different firewalls required up to 72% fewer terms than writing the equivalent vendor-specific configurations.
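To make the idea of one generic policy representation compiled into several vendor syntaxes concrete, the following is an added example, written for this page; it is not FWlang, FWunify or any code from the paper. It assumes a hypothetical `AclRule` structure with five fields, two rendering back-ends (iptables and Cisco IOS extended ACLs) whose syntax is standard for those products, and a "term" defined as one whitespace-separated token; the reduction ratio computed at the end follows that assumed definition, not the paper's own counting method.

```python
"""Hypothetical mini policy language (not FWlang): one abstract ACL rule
rendered into iptables and Cisco IOS extended-ACL syntax, with term counts."""
import ipaddress
from dataclasses import dataclass, fields
from typing import Callable, Optional


@dataclass(frozen=True)
class AclRule:
    action: str               # "allow" or "deny"
    proto: str                # "tcp", "udp", "icmp" or "any"
    src: str                  # CIDR prefix, e.g. "10.0.0.0/24"
    dst: str                  # CIDR prefix or single host
    dport: Optional[int] = None  # destination port, tcp/udp only

    def __post_init__(self):
        # Validate once, in the generic layer, so every back-end gets clean input.
        if self.action not in ("allow", "deny"):
            raise ValueError(f"unknown action {self.action!r}")
        if self.proto not in ("tcp", "udp", "icmp", "any"):
            raise ValueError(f"unknown protocol {self.proto!r}")
        if self.dport is not None and self.proto not in ("tcp", "udp"):
            raise ValueError("a destination port only makes sense for tcp/udp")
        # strict=True (the default) rejects prefixes with host bits set.
        ipaddress.ip_network(self.src)
        ipaddress.ip_network(self.dst)


def to_iptables(rule: AclRule, chain: str = "FORWARD") -> str:
    """Render one rule as an iptables command appended to `chain`."""
    target = "ACCEPT" if rule.action == "allow" else "DROP"
    parts = ["iptables", "-A", chain]
    if rule.proto != "any":
        parts += ["-p", rule.proto]
    src, dst = ipaddress.ip_network(rule.src), ipaddress.ip_network(rule.dst)
    if src.prefixlen > 0:          # 0.0.0.0/0 is iptables' default; omit it
        parts += ["-s", str(src)]
    if dst.prefixlen > 0:
        parts += ["-d", str(dst)]
    if rule.dport is not None:
        parts += ["--dport", str(rule.dport)]
    parts += ["-j", target]
    return " ".join(parts)


def _ios_addr(net: ipaddress.IPv4Network) -> str:
    """IOS address syntax: 'any', 'host A.B.C.D', or 'network wildcard'."""
    if net.prefixlen == 0:
        return "any"
    if net.num_addresses == 1:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"   # hostmask == wildcard mask


def to_cisco_ios(rule: AclRule, acl_id: int = 101) -> str:
    """Render one rule as a numbered IOS extended access-list entry."""
    keyword = "permit" if rule.action == "allow" else "deny"
    proto = "ip" if rule.proto == "any" else rule.proto
    parts = ["access-list", str(acl_id), keyword, proto,
             _ios_addr(ipaddress.ip_network(rule.src)),
             _ios_addr(ipaddress.ip_network(rule.dst))]
    if rule.dport is not None:
        parts += ["eq", str(rule.dport)]
    return " ".join(parts)


def term_count(text: str) -> int:
    """Assumed metric: one term per whitespace-separated token."""
    return len(text.split())


def generic_terms(rule: AclRule) -> int:
    """Terms in the generic representation: one per field actually set."""
    return sum(1 for f in fields(rule) if getattr(rule, f.name) is not None)


def reduction_ratio(rules: list, backends: list) -> float:
    """Fraction of terms saved by writing the policy once generically instead of
    once per back-end (mirrors the abstract's comparison, under our assumptions)."""
    generic = sum(generic_terms(r) for r in rules)
    vendor = sum(term_count(b(r)) for b in backends for r in rules)
    return 1 - generic / vendor


if __name__ == "__main__":
    # Constructed sample policy: allow HTTPS from an office prefix to one host, then deny all.
    policy = [AclRule("allow", "tcp", "10.0.0.0/24", "192.168.1.10", 443),
              AclRule("deny", "any", "0.0.0.0/0", "0.0.0.0/0")]
    for r in policy:
        print(to_iptables(r))
        print(to_cisco_ios(r))
    print(f"reduction: {reduction_ratio(policy, [to_iptables, to_cisco_ios]):.0%}")
```

The validation lives in the generic layer on purpose: a malformed prefix or a port on an ICMP rule is rejected before any vendor syntax is produced, so the same check protects every back-end. Adding a third back-end (pf, FortiGate, Check Point) is a matter of one more render function; the policy itself is not rewritten.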