List: firewalls-gc
Subject:
From: david.jorrin () writeme ! com
Date: 1998-11-26 9:49:11
[To unsubscribe, send mail to majordomo@lists.gnac.net with
"unsubscribe firewalls" in the body of the message.]
-
Hi,
A long time ago, in 1992, Bob Sutterfield, Brent Chapman and other people argued on
this list that a metalanguage for packet filter specification was needed. Next,
I quote the main idea explained then:
# My standard advice to people setting up a firewall is to go through
# three steps. First, decide in English (or the natural language of
# your choice...) what your security policy is. That is, write down
# which machines should offer which services, and to whom. Next,
# translate that into formal expressions involving port numbers, addresses,
# masks, etc. Finally, figure out how to implement those expressions
# in terms of the primitives available on your particular gateway machine.
# Don't be surprised if you can't do it; not all policies are implementable
# on all platforms, as per Brent's paper.
#
# The purpose of this effort would be to eliminate step 3 entirely, and
# to move step 2 as close to step 1 as possible. This is nothing new;
# compiler writers have been doing it for decades, and for much the same
# reasons.
I have experienced how tricky it is to develop policy rules based on low-level filters.
So I am beginning a very similar project. Sutterfield's idea was a common language
for any packet filter. Instead, I want to develop a high-level language for TCP/IP
network specification and the related compiler. The specification will include the
networks and hosts involved and their unions, the dialogs between the hosts and
finally the policy about the dialogs. For example:
region local_net 172.16.1.0/255.255.255.0 ;
alias dns_server 172.16.1.2/32 ;
alias dns_port 53 ;
...
# DNS client queries
dialog dns_queries local_net udp any_port dns_server dns_port ;
...
#
policy accept dns_queries ;
The translation result will be the packet filter rules for different routers (Linux,
Cisco, etc.), packet sniffer filters (tcpdump), or even the legal traffic that we
can exclude for intrusion detection systems like Argus or NFR. I found some related
tools, but they were oriented to a certain packet filter for a specific firewall structure. My
purpose is a general language and a free, portable translator, maybe coded in Perl.
Any suggestion or information about related languages or tools will be appreciated.
Best regards,
David Jorrin.
====
David Jorrin <David.Jorrin@writeme.com>
"This chapter is about Laziness, Impatience
and Hubris because this chapter is about
good software design"
Larry Wall, Tom Christiansen &
Randal L. Schwartz [Programming Perl]
----------------------------------------------------------------
Get your free email from AltaVista at http://altavista.iname.com
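The following is an added example, not David Jorrin's code or part of his project: a small Python translator for a specification in the syntax sketched in the post (region, alias, dialog, policy). It resolves names with a type check (a port cannot be used where a network is expected, and an undefined name or dialog is rejected), treats a dialog as covering the reply direction as well, and emits both a tcpdump filter for the "legal traffic to exclude" IDS use and stateless Linux iptables rules. The statement grammar, the built-in names any_port/any_host, the policy keywords accept/deny, the FORWARD chain and the sample specification (the second dialog is mine) are all assumptions; the post names none of these, and iptables itself is a later Linux interface than the ipfwadm/ipchains era of the message.

```python
"""Toy translator for a dialog-style packet filter specification (added example)."""
import ipaddress
from collections import namedtuple

# Constructed sample in the post's syntax; web_browsing and any_host are my additions.
SPEC = """
region local_net 172.16.1.0/255.255.255.0 ;
alias dns_server 172.16.1.2/32 ;
alias dns_port 53 ;
alias web_port 80 ;
# DNS client queries
dialog dns_queries local_net udp any_port dns_server dns_port ;
dialog web_browsing local_net tcp any_port any_host web_port ;
#
policy accept dns_queries ;
policy accept web_browsing ;
"""

ANY_NET = ipaddress.ip_network("0.0.0.0/0")
BUILTINS = {"any_port": None, "any_host": ANY_NET}   # assumed built-in names
ACTIONS = {"accept": "ACCEPT", "deny": "DROP"}        # assumed policy keywords
Dialog = namedtuple("Dialog", "src proto sport dst dport")


def reply(d):
    """Assumption: a dialog also covers the reply direction, so swap the endpoints."""
    return Dialog(d.dst, d.proto, d.dport, d.src, d.sport)


def parse_value(tok):
    """A region/alias value is a port number or an address with netmask or prefix."""
    if tok.isdigit():
        if not 0 <= int(tok) <= 65535:
            raise ValueError(f"port out of range: {tok}")
        return int(tok)
    return ipaddress.ip_network(tok)  # accepts 172.16.1.0/255.255.255.0 and 172.16.1.2/32


def resolve(names, tok, want, lineno):
    """Look a name up and check it is the right kind (network or port)."""
    if tok not in names:
        raise NameError(f"line {lineno}: undefined name {tok!r}")
    val = names[tok]
    if not (isinstance(val, want) or (val is None and want is int)):
        raise TypeError(f"line {lineno}: {tok!r} is not a {want.__name__}")
    return val


def parse(text):
    """Return (names, dialogs, policies) for a specification text."""
    names, dialogs, policies = dict(BUILTINS), {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # '#' starts a comment
        if not line:
            continue
        if not line.endswith(";"):
            raise SyntaxError(f"line {lineno}: statement must end with ';'")
        tok = line[:-1].split()
        if tok[0] in ("region", "alias") and len(tok) == 3:
            names[tok[1]] = parse_value(tok[2])
        elif tok[0] == "dialog" and len(tok) == 7:
            if tok[3] not in ("tcp", "udp"):
                raise ValueError(f"line {lineno}: unsupported protocol {tok[3]!r}")
            net, port = ipaddress.IPv4Network, int
            dialogs[tok[1]] = Dialog(resolve(names, tok[2], net, lineno), tok[3],
                                     resolve(names, tok[4], port, lineno),
                                     resolve(names, tok[5], net, lineno),
                                     resolve(names, tok[6], port, lineno))
        elif tok[0] == "policy" and len(tok) == 3 and tok[1] in ACTIONS:
            if tok[2] not in dialogs:
                raise NameError(f"line {lineno}: undefined dialog {tok[2]!r}")
            policies.append((tok[1], tok[2]))
        else:
            raise SyntaxError(f"line {lineno}: cannot parse {line!r}")
    return names, dialogs, policies


def tcpdump_term(d):
    """One BPF expression for one direction of a dialog."""
    def addr(net, role):
        if net == ANY_NET:
            return None
        if net.prefixlen == 32:
            return f"{role} host {net.network_address}"
        return f"{role} net {net.with_prefixlen}"
    parts = [d.proto, addr(d.src, "src"),
             None if d.sport is None else f"src port {d.sport}",
             addr(d.dst, "dst"),
             None if d.dport is None else f"dst port {d.dport}"]
    return " and ".join(p for p in parts if p)


def ids_exclusion_filter(dialogs, policies):
    """tcpdump filter matching everything NOT covered by an accepted dialog."""
    terms = [tcpdump_term(x) for a, n in policies if a == "accept"
             for x in (dialogs[n], reply(dialogs[n]))]
    return "not (" + " or ".join(f"({t})" for t in terms) + ")"


def iptables_rule(d, action):
    """One stateless Linux rule; the FORWARD chain is assumed (routing firewall)."""
    rule = ["iptables", "-A", "FORWARD", "-p", d.proto]
    if d.src != ANY_NET:
        rule += ["-s", d.src.with_prefixlen]
    if d.sport is not None:
        rule += ["--sport", str(d.sport)]
    if d.dst != ANY_NET:
        rule += ["-d", d.dst.with_prefixlen]
    if d.dport is not None:
        rule += ["--dport", str(d.dport)]
    return " ".join(rule + ["-j", ACTIONS[action]])


def iptables_rules(dialogs, policies):
    """Request and reply rule for every policy statement, in specification order."""
    return [iptables_rule(x, a) for a, n in policies
            for x in (dialogs[n], reply(dialogs[n]))]


if __name__ == "__main__":
    _, dialogs, policies = parse(SPEC)
    print(ids_exclusion_filter(dialogs, policies))
    print("\n".join(iptables_rules(dialogs, policies)))
```

The reply rules make the caveat in Sutterfield's quoted advice concrete: a stateless target cannot express "the answer to this query", so the web_browsing reply becomes "anything from TCP source port 80 into local_net", which any outside host can satisfy. On a target with connection tracking the translator should instead emit one ESTABLISHED rule, which is exactly the kind of platform difference the compiler has to know about.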