Institute of Communication Networks and Computer Engineering (IKR)

IKR Publication No 36779



Author(s)

Kiesel, S.; Kögel, J.*

Title

An operating system independent API for firewall control: design and implementation for Linux

Topics

Network Security

Keywords

FIREWALL; LINUX; SECURITY

Abstract

Firewalls are a crucial building block for securing interconnections between networks of different security domains. Newer IP-based applications such as IP telephony require that packet filters are configured dynamically by session-aware entities. Several architectures and protocols were proposed for firewall remote control (e.g., IETF MIDCOM and NSIS). However, on the nodes that could host the control entity, no common local interface for managing packet filter rules exists. This forces developers of firewall control entities to use firewall-specific interfaces and limits portability across operating systems and firewall implementations. This paper describes the design of an operating system independent interface which allows the firewall control entity to modify firewall rules from user space. We implemented this interface for Netfilter chains of the Linux operating system kernel, taking functional and security requirements into account. Based on measurements, we analyze the performance characteristics and conclude that the approach is feasible for small to medium network setups.

Year

2008

Reference entry

Kiesel, S.; Kögel, J.
An operating system independent API for firewall control: design and implementation for Linux
Proceedings of the 14th Open European Summer School (EUNICE 2008), Brest, September 2008

BibTex file

Download  [BIBTEX]

Full Text

Download  [PDF]

Authors marked with an asterisk (*) were IKR staff members at the time the publication was written.