Distributed Perimeter Firewall Policy Management Framework
Metadata[+] Show full item record
A perimeter firewall is the first line of defense that stops unwanted packets (based on defined firewall policies) entering the organization that deploys it. In the real world, every organization maintains a perimeter firewall between internet (which could be untrusted) and its own network (private network). In addition, organizations maintain internal firewalls to safeguard individual departments and data center servers based on various security and privacy requirements. In general, if we consider firewall setup in multinational organization's network environment, every branch has perimeter firewall and a set of internal firewalls. Every branch has its own security policies defined based on its specific security requirements, type of information, information processing systems, location-based compliance requirements, etc. As the branches of the multinational organizations span across the globe, managing the policies at every branch and ensuring the compliance and consistency of security policies are quite complex. Any misconfiguration of firewall policies even at a single branch may pose risk to the overall organization in terms of financial loss and reputation. In this dissertation, we present our framework to automate the policy management of distributed perimeter firewalls of a multi-national organization. We introduce new categories of policies to support centralized management of distributed firewalls and to ensure consistency and compliance of organizational and location-based policies. We define procedures for the initialization of firewall policies and policy updates. Our scheme is highly automatic that needs minimum human intervention to incorporate a set of new policies or update existing policies in distributed firewalls.
Table of Contents
Introduction -- Literature review -- Distributed perimeter firewall policy management -- Efficient design of Firewall temporal policies -- Identification of unsafe locations in IP and cellular based networks -- Conclusion and future work