Localizing Firewall Security Policies

Abstract

In complex networks, filters may be applied at different nodes to control how packets flow. In this paper, we study how to locate filtering functionality within a network. We show how to enforce a set of security goals while allowing maximal service subject to the security constraints. To implement our results we present a tool that given a network specification and a set of control rules automatically localizes the filters and generates configurations for all the firewalls in the network. These configurations are implemented using an extension of Mignis - an open source tool to generate firewalls from declarative, semantically explicit configurations. Our contributions include a way to specify security goals for how packets traverse the network, an algorithm to distribute filtering functionality to different nodes in the network to enforce a given set of security goals, and a proof that the results are compatible with a Mignis-based semantics for network behavior.