Managing semantic‐aware policies in a distributed firewall scenario

Gregorio Martínez Pérez (Departamento de Ingeniería de la Información y las Comunicaciones, University of Murcia, Murcia, Spain)
Félix J. García Clemente (Departamento de Ingeniería de la Información y las Comunicaciones, University of Murcia, Murcia, Spain)
Antonio F. Gómez Skarmeta (Departamento de Ingeniería de la Información y las Comunicaciones, University of Murcia, Murcia, Spain)

Internet Research

ISSN: 1066-2243

Article publication date: 21 August 2007

Abstract

Purpose

The purpose of the paper is to provide a two‐tier framework for managing semantic‐aware distributed firewall policies to be applied to the devices existing in one administrative domain.

Design/methodology/approach

Special attention is paid to the CIM‐based information model defined as the ontology to be used in this framework and the AI‐based reasoning mechanisms and components used to perform the conflict discovery tasks over the distributed firewall policies.

Findings

The mechanisms presented address some of the current issues of the network‐centric security model used in the Internet. The two‐tier framework provides semantic‐aware mechanisms for conflict detection and automatic enforcement of policy rules in the distributed firewall scenario. It is based on a standard information model and a semantic‐aware policy language used to formally define (and then process) firewall policies.

Research limitations/implications

Ongoing work is focused on identifying all kinds of conflicts and anomalies that may exist in firewall systems; in parallel, a semi‐automatic resolver of conflicting policies is currently under design.

Practical implications

Network and security administrators can specify firewall policies and validate them to find syntactic and semantic errors (i.e. policy conflicts). A framework for automated validation and distribution of policies at different levels is included. This ensures that firewall policies produce the desired effects, facilitating the creation and maintenance of firewall rules in one administrative domain.

Originality/value

A practical and novel two‐tier system that detects conflicts among the rules of a distributed firewall scenario and deploys those rules automatically and securely. A packet‐filtering model, simple yet expressive enough for the conflict discovery and rule analysis processes, is proposed. Moreover, ontology and rule reasoning are proposed as techniques for the conflict detection problem in this particular scenario.
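The abstract describes validating a distributed firewall policy for semantic errors, i.e. conflicts between rules, over a packet‐filtering model. The paper's own model is CIM‐based and ontology‐driven and is not reproduced here; the block below is an added illustration, not code from the paper, of what such a check computes. It assumes a deliberately minimal rule model (source and destination CIDR, protocol, destination port range, action) evaluated with first‐match semantics, and uses the conflict classes commonly used in firewall policy analysis: shadowing, redundancy, generalization and correlation. The sample policy is constructed for the example; the rule names `r1`..`r8` and the addresses are illustrative.

```python
"""Pairwise conflict detection over an ordered, first-match packet-filter policy.

Added example. The five-field rule model and the anomaly taxonomy are assumptions
of this example, not the CIM-based information model of the paper.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src: str        # CIDR, e.g. "10.0.0.0/8"
    dst: str        # CIDR
    proto: str      # "tcp", "udp" or "any"
    dports: tuple   # inclusive (low, high) destination port range
    action: str     # "allow" or "deny"


def _net_rel(a, b):
    """Relation of CIDR a to CIDR b: 'eq', 'sub' (a within b), 'sup' (a contains b) or 'disjoint'.
    Two CIDR blocks never partially overlap, so no 'overlap' case exists here."""
    na, nb = ipaddress.ip_network(a, strict=False), ipaddress.ip_network(b, strict=False)
    if na == nb:
        return "eq"
    if na.subnet_of(nb):
        return "sub"
    if nb.subnet_of(na):
        return "sup"
    return "disjoint"


def _proto_rel(a, b):
    if a == b:
        return "eq"
    if b == "any":
        return "sub"
    if a == "any":
        return "sup"
    return "disjoint"


def _range_rel(a, b):
    """Port ranges can partially overlap, which is what produces correlation anomalies."""
    (alo, ahi), (blo, bhi) = a, b
    if a == b:
        return "eq"
    if alo >= blo and ahi <= bhi:
        return "sub"
    if blo >= alo and bhi <= ahi:
        return "sup"
    if ahi < blo or bhi < alo:
        return "disjoint"
    return "overlap"


def relation(r1, r2):
    """Combine per-field relations into one relation between the match sets of r1 and r2:
    'disjoint', 'eq', 'sub' (r1 matches a subset of r2), 'sup', or 'correlated' (partial overlap)."""
    rels = [_net_rel(r1.src, r2.src), _net_rel(r1.dst, r2.dst),
            _proto_rel(r1.proto, r2.proto), _range_rel(r1.dports, r2.dports)]
    if "disjoint" in rels:
        return "disjoint"
    if "overlap" in rels:
        return "correlated"
    if all(r == "eq" for r in rels):
        return "eq"
    if all(r in ("eq", "sub") for r in rels):
        return "sub"
    if all(r in ("eq", "sup") for r in rels):
        return "sup"
    return "correlated"   # subset in some fields, superset in others


def find_anomalies(rules):
    """Compare every rule with each rule that precedes it (first-match order).
    Returns (kind, later_rule, earlier_rule) triples. The check is pairwise, so a
    'redundancy' reported for a superset rule assumes no intervening rule with a
    different action captures part of the earlier rule's traffic."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            rel = relation(later, earlier)
            if rel == "disjoint":
                continue
            same_action = later.action == earlier.action
            if rel in ("eq", "sub"):
                # Everything 'later' would match is already decided by 'earlier'.
                findings.append(("redundancy" if same_action else "shadowing", later.name, earlier.name))
            elif rel == "sup":
                findings.append(("redundancy" if same_action else "generalization", later.name, earlier.name))
            elif not same_action:
                findings.append(("correlation", later.name, earlier.name))
    return findings


# Constructed sample policy (not from the paper): each anomaly class appears once.
SAMPLE_POLICY = [
    Rule("r1", "10.0.0.0/8",     "192.0.2.10/32", "tcp", (80, 80),    "allow"),
    Rule("r2", "10.1.0.0/16",    "192.0.2.10/32", "tcp", (80, 80),    "deny"),   # shadowed by r1
    Rule("r3", "10.1.0.0/16",    "192.0.2.0/24",  "tcp", (22, 22),    "allow"),
    Rule("r4", "10.1.2.0/24",    "192.0.2.0/24",  "tcp", (22, 22),    "allow"),  # redundant to r3
    Rule("r5", "0.0.0.0/0",      "192.0.2.10/32", "tcp", (443, 443),  "deny"),
    Rule("r6", "0.0.0.0/0",      "192.0.2.0/24",  "tcp", (443, 443),  "allow"),  # generalizes r5
    Rule("r7", "172.16.0.0/12",  "192.0.2.0/24",  "udp", (53, 1024),  "deny"),
    Rule("r8", "172.16.0.0/16",  "192.0.2.0/24",  "udp", (1, 100),    "allow"),  # correlated with r7
]

if __name__ == "__main__":
    for kind, later, earlier in find_anomalies(SAMPLE_POLICY):
        print(f"{kind}: {later} vs {earlier}")
```

Of the four classes, only shadowing makes a rule unreachable outright; generalization and correlation are reported because the administrator's intent is ambiguous (the outcome depends on ordering), which is exactly the kind of semantic error the abstract says a validation step should surface before rules are distributed to devices. A production checker would also need to model rules spread across several enforcement points, since a rule that is harmless on one device can shadow or contradict a rule on the device in front of it.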

Citation

Martínez Pérez, G., García Clemente, F.J. and Gómez Skarmeta, A.F. (2007), "Managing semantic‐aware policies in a distributed firewall scenario", Internet Research, Vol. 17 No. 4, pp. 362-377. https://doi.org/10.1108/10662240710828049

Publisher: Emerald Group Publishing Limited

Copyright © 2007, Emerald Group Publishing Limited