Systematic Deployment of Network Security Policy in Centralized and Distributed Firewalls

Firewalls are the most widely adopted technology for protecting private networks. However, most firewalls in Internet have been plagued with policy errors. An important source of errors stem from the lack of automatic tools ensuring a correct deployment of a network security policy expressed in a high level language, into firewall configurations. In this paper, we propose a formal and automatic method for deploying a security policy, written in an expressive language into both centralized and distributed firewall configurations. Further-more, our method verifies that no in coherences exist within the security policy. When inconsistencies are detected, the usual feedback returned permits us to propose a discrepancy resolution approach. Moreover, we propose an approach for optimizing the security policy. The correctness of our method is proved. Finally, it has been implemented in a prototype. The first results are very promising.