TY - JOUR
T1 - Firmato
T2 - A novel firewall management toolkit
AU - Bartal, Yair
AU - Mayer, Alain
AU - Nissim, Kobbi
AU - Wool, Avishai
PY - 2004/11
Y1 - 2004/11
N2 - In recent years packet-filtering firewalls have seen some impressive technological advances (e.g., stateful inspection, transparency, performance, etc.) and widespread deployment. In contrast, firewall and security management technology is lacking. In this paper we present Firmato, a firewall management toolkit, with the following distinguishing properties and components: (1) an entity-relationship model containing, in a unified form, global knowledge of the security policy and of the network topology; (2) a model definition language, which we use as an interface to define an instance of the entity-relationship model; (3) a model compiler, translating the global knowledge of the model into firewall-specific configuration files; and (4) a graphical firewall rule illustrator. We implemented a prototype of our toolkit to work with several commercially available firewall products. This prototype was used to control an operational firewall for several months. We believe that our approach is an important step toward streamlining the process of configuring and managing firewalls, especially in complex, multi-firewall installations.
AB - In recent years packet-filtering firewalls have seen some impressive technological advances (e.g., stateful inspection, transparency, performance, etc.) and widespread deployment. In contrast, firewall and security management technology is lacking. In this paper we present Firmato, a firewall management toolkit, with the following distinguishing properties and components: (1) an entity-relationship model containing, in a unified form, global knowledge of the security policy and of the network topology; (2) a model definition language, which we use as an interface to define an instance of the entity-relationship model; (3) a model compiler, translating the global knowledge of the model into firewall-specific configuration files; and (4) a graphical firewall rule illustrator. We implemented a prototype of our toolkit to work with several commercially available firewall products. This prototype was used to control an operational firewall for several months. We believe that our approach is an important step toward streamlining the process of configuring and managing firewalls, especially in complex, multi-firewall installations.
UR - http://www.scopus.com/inward/record.url?scp=10944269775&partnerID=8YFLogxK
U2 - 10.1145/1035582.1035583
DO - 10.1145/1035582.1035583
M3 - Article
AN - SCOPUS:10944269775
SN - 0734-2071
VL - 22
SP - 381
EP - 420
JO - ACM Transactions on Computer Systems
JF - ACM Transactions on Computer Systems
IS - 4
ER -