Firewall configuration management using XACML policies

This paper proposes an architecture for XACML based management of firewall configurations in large enterprise networks. The goal of this architecture is to allow administrators and end-users to manage their firewalls, while enforcement of organizational policy is ensured to prevent unacceptable traffic gaining access to the private network domain. The central architectural component is the domain policy server which pushes organizational policy down to firewalls deployed in its domain. In addition to its reporting function, the domain policy server monitors and verifies policy changes, i.e. checks for inter- and intrafirewall anomalies, on any firewall within its domain. The proposed architecture includes firewall agent components, where one resides on each firewall, through which coordinated operations on firewall policies are achievable. Firewall policies, topologies, and configuration messages that are stored and exchanged within the architecture are presented in XML. Although available XACML is used for the representation of firewall policies, two DTDs are developed to express topologies and configuration messages. A prototype implementation of this architecture is presented in this paper along with examples of firewall configuration management operations.