
List:       firewalls-gc
Subject:    
From:       david.jorrin () writeme ! com
Date:       1998-11-26 9:49:11

[To unsubscribe, send mail to majordomo@lists.gnac.net with
"unsubscribe firewalls" in the body of the message.]
-
Hi,

A long time ago, in 1992, Bob Sutterfield, Brent Chapman and other people argued in this list that a metalanguage for packet filtering specification was needed. Next, I quote the main idea explained then:

# My standard advice to people setting up a firewall is to go through
# three steps. First, decide in English (or the natural language of
# your choice...) what your security policy is. That is, write down
# which machines should offer which services, and to whom. Next,
# translate that into formal expressions involving port numbers, addresses,
# masks, etc. Finally, figure out how to implement those expressions
# in terms of the primitives available on your particular gateway machine.
# Don't be surprised if you can't do it; not all policies are implementable
# on all platforms, as per Brent's paper.
#
# The purpose of this effort would be to eliminate step 3 entirely, and
# to move step 2 as close to step 1 as possible. This is nothing new;
# compiler writers have been doing it for decades, and for much the same
# reasons.

I have experienced how tricky it is to develop policy rules based on low-level filters. So I am beginning a very similar project. Sutterfield's idea was a common language for any packet filter. Instead, I want to develop a high-level language for TCP/IP network specification and the related compiler. The specification will include the networks and hosts involved and their unions, the dialogs between the hosts and finally the policy about the dialogs. For example:

region local_net 172.16.1.0/255.255.255.0 ;
alias dns_server 172.16.1.2/32 ;
alias dns_port 53 ;
...
# DNS client queries
dialog dns_queries local_net udp any_port dns_server dns_port ;
...
# 
policy accept dns_queries ;

The translation result will be the packet filter rules for different routers (linux, cisco, etc.) or packet sniffer filters (tcpdump) or even the legal traffic that we can exclude for intrusion detection systems like argus or NFR. I found some related tools, but oriented to a certain packet filter for a specific firewall structure. My purpose is a general language and a free portable translator, maybe coded in Perl.

Any suggestion or information about related languages or tools will be appreciated. 

Best regards,

	David Jorrin.

====
David Jorrin <David.Jorrin@writeme.com>

   "This chapter is about Laziness, Impatience
    and Hubris because this chapter is about
    good software design"
    Larry Wall, Tom Christiansen & 
    Randal L. Schwartz [Programming Perl]
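A small translator in the spirit of this proposal, as an added example that is not the poster's project code (Python rather than the Perl he mentions): it parses the sketched region/alias/dialog/policy syntax, whose grammar is assumed here, and emits a tcpdump filter per accepted dialog plus the negated expression for excluding legal traffic ahead of an IDS.

```python
import ipaddress
# Constructed sample in the post's sketched syntax; the grammar is an assumption of this example.
SPEC = """
region local_net 172.16.1.0/255.255.255.0 ;
alias dns_server 172.16.1.2/32 ;
alias dns_port 53 ;
# DNS client queries
dialog dns_queries local_net udp any_port dns_server dns_port ;
policy accept dns_queries ;
"""

def parse_spec(text):
    """Return (names, dialogs, policies) parsed from the declarative spec."""
    names, dialogs, policies = {}, {}, []
    body = " ".join(line.split("#", 1)[0] for line in text.splitlines())  # drop comments
    for stmt in filter(str.strip, body.split(";")):
        words = stmt.split()
        if words[0] in ("region", "alias"):
            names[words[1]] = words[2]           # symbolic name -> address or port literal
        elif words[0] == "dialog":
            dialogs[words[1]] = tuple(words[2:7])  # (src, proto, sport, dst, dport)
        elif words[0] == "policy":
            policies.append((words[1], words[2]))  # (action, dialog name)
        else:
            raise ValueError(f"unknown statement: {stmt.strip()}")
    return names, dialogs, policies

def addr_term(direction, literal):
    net = ipaddress.ip_network(literal)  # accepts dotted masks as well as prefix lengths
    if net.num_addresses == 1:
        return f"{direction} host {net.network_address}"
    return f"{direction} net {net.with_prefixlen}"

def tcpdump_filter(dialog, names):
    """Translate one dialog into a tcpdump/BPF expression, resolving symbolic names."""
    src, proto, sport, dst, dport = (names.get(w, w) for w in dialog)
    terms = [proto, addr_term("src", src), addr_term("dst", dst)]
    for direction, port in (("src", sport), ("dst", dport)):
        if port != "any_port":
            terms.append(f"{direction} port {port}")
    return " and ".join(terms)

def compile_policy(text):
    names, dialogs, policies = parse_spec(text)
    return {name: (action, tcpdump_filter(dialogs[name], names))
            for action, name in policies}

def ids_exclusion(text):
    """Expression that removes accepted (legal) dialogs from what the IDS inspects."""
    accepted = [f for action, f in compile_policy(text).values() if action == "accept"]
    return " and ".join(f"not ({f})" for f in accepted)
```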
  




