Conference papers (Lenguajes y Sistemas Informáticos)
Permanent URI for this collection: https://hdl.handle.net/11441/11394
Browsing Conference papers (Lenguajes y Sistemas Informáticos) by Subject "ACL"
Showing 1 - 4 of 4
A Quadratic, Complete, and Minimal Consistency Diagnosis Process for Firewall ACLs (IEEE Computer Society, 2010)
Authors: Pozo Hidalgo, Sergio; Varela Vaca, Ángel Jesús; Martínez Gasca, Rafael
Affiliations: Universidad de Sevilla. Departamento de Lenguajes y Sistemas Informáticos; Ministerio de Educación y Ciencia (MEC). España; Universidad de Sevilla. TIC-258: Data-centric Computing Research Hub
Abstract: Developing and managing firewall Access Control Lists (ACLs) are hard, time-consuming, and error-prone tasks for a variety of reasons. The complexity of networks is constantly increasing, as is the size of firewall ACLs. Networks have different access control requirements which must be translated by a network administrator into firewall ACLs. During this task, inconsistent rules can be introduced in the ACL. Furthermore, each time a rule is modified (e.g. updated, corrected when a fault is found, etc.) a new inconsistency with other rules can be introduced. An inconsistent firewall ACL implies, in general, a design or development fault, and indicates that the firewall is accepting traffic that should be denied or vice versa. In this paper we propose a complete and minimal consistency diagnosis process which has worst-case quadratic time complexity with the number of rules in a set of inconsistent rules. There are other proposals of consistency diagnosis algorithms. However, they have different problems which can prevent their use with big, real-life ACLs: on the one hand, the minimal ones have exponential worst-case time complexity; on the other hand, the polynomial ones are not minimal.

AFPL2, An Abstract Language for Firewall ACLs with NAT support (IEEE Computer Society, 2009)
Authors: Pozo Hidalgo, Sergio; Varela Vaca, Ángel Jesús; Martínez Gasca, Rafael
Affiliations: Universidad de Sevilla. Departamento de Lenguajes y Sistemas Informáticos; Ministerio de Educación y Ciencia (MEC). España; Universidad de Sevilla. TIC-258: Data-centric Computing Research Hub
Abstract: The design and management of firewall ACLs is a very hard and error-prone task. Part of this complexity comes from the fact that each firewall platform has its own low-level language with a different functionality, syntax, and development environment. Although high-level languages have been proposed to model firewall ACLs, none of them has been widely adopted by the industry due to a combination of factors: high complexity, no support of important features of firewalls, etc. In this paper the most important access control policy languages are reviewed, with special focus on the development of firewall ACLs. Based on this analysis, a new domain specific language for firewall ACLs (AFPL2) is proposed, supporting features that other languages do not cover (e.g. NAT). As the result of our design methodology, AFPL2 is very lightweight and easy to use. AFPL2 can be translated to existing low-level firewall languages, or be directly interpreted by firewall platforms, and is an extension to a previously developed language.

Efficient data structures for local inconsistency detection in firewall ACL updates (SciTePress, 2009)
Authors: Pozo Hidalgo, Sergio; Martínez Gasca, Rafael; Rosa Troyano, Francisco Fernando de la
Affiliations: Universidad de Sevilla. Departamento de Lenguajes y Sistemas Informáticos; Ministerio de Educación y Ciencia (MEC). España; Universidad de Sevilla. TIC-258: Data-centric Computing Research Hub
Abstract: Filtering is a very important issue in next generation networks. These networks consist of a relatively high number of resource constrained devices and have special features, such as management of frequent topology changes. At each topology change, the access control policy of all nodes of the network must be automatically modified. In order to manage these access control requirements, firewalls have been proposed by several researchers. However, many of the problems of traditional firewalls are aggravated due to these networks' particularities, as is the case of ACL consistency. A firewall ACL with inconsistencies implies in general design errors, and indicates that the firewall is accepting traffic that should be denied or vice versa. This can result in severe problems such as unwanted accesses to services, denial of service, overflows, etc. Detecting inconsistencies is of extreme importance in the context of highly sensitive applications (e.g. health care). We propose a local inconsistency detection algorithm and data structures to prevent automatic rule updates that can cause inconsistencies. The proposal has very low computational complexity, as both theoretical and experimental results will show, and thus can be used in real time environments.

MDA-Based Framework for Automatic Generation of Consistent Firewall ACLs with NAT (Springer, 2009)
Authors: Pozo Hidalgo, Sergio; Varela Vaca, Ángel Jesús; Martínez Gasca, Rafael
Affiliations: Universidad de Sevilla. Departamento de Lenguajes y Sistemas Informáticos; Ministerio de Educación y Ciencia (MEC). España; Universidad de Sevilla. TIC-258: Data-centric Computing Research Hub
Abstract: The design and management of firewall ACLs is a very hard and error-prone task. Part of this complexity comes from the fact that each firewall platform has its own low-level language with a different functionality, syntax, and development environment. Although several high-level languages have been proposed to model firewall access control policies, none of them has been widely adopted by the industry due to a combination of factors: high complexity, no support of important features of firewalls, no common development process, etc. In this paper, a development process for firewall ACLs based on the Model Driven Architecture (MDA) framework is proposed. The framework supports the market-leading firewall platforms and is user-extensible. The most important access control policy languages are reviewed, with special focus on the development of firewall ACLs. Based on this analysis a new DSL for firewall ACLs, AFPL2, covering most features other languages do not cover, is proposed. The language is then used as the platform independent meta model, the first part of the MDA-based framework.