Policy-based networking: applications to firewall management

摘要

This paper describes a policy-based approach to firewall management. The Policy-Based Networking (PBN) architecture proposed by the Policy Framework Group of Internet Engineering Task Force (IETF) is analysed, together with the communication protocols, policy specification languages, and the necessary information models. An overview of policy specification languages applicability to PBN architecture is presented paying particular attention to the specification of security policies through Security Policy Specification Language (SPSL). The Common Open Policy Service protocol (COPS) and its variant, COPS for Policy provisioning (COPS-PR), both used for the transport of policy information, are also presented. The paper continues with a description of an application of the PBN architecture to firewall management. The proposed architecture is presented and its implementation issues are analysed with some usage examples. The paper concludes with the evaluation of the policy-based approach to firewall management.