When packet filtering is used as a security mechanism, different routers may need to cooperate to enforce the desired security policy. It is difficult to ensure that they will do so correctly.
We introduce a simple language for expressing global network access control policies of a kind that filtering routers are capable of enforcing. We then introduce an algorithm that, given the network topology, will compute a set of filters for the individual routers; these filters are guaranteed to enforce the policy correctly. Since these filters may not provide optimal service, a human must sometimes alter them. A second algorithm compares a resulting set of filters to the global network access control policy to determine all policy violations, or to report that none exist.
A prototype implementation demonstrates that the algorithms are efficient enough to give quick answers to questions of realistic scale.
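The two algorithms described above, in a deliberately small form as an added illustration that is not the paper's policy language or its algorithms: areas stand for network regions, each router joins exactly two areas, a global policy is the set of (source area, destination area, service) flows that may be delivered, and a router's filter is the set of flows it passes in each direction. The topology, policy and service list are constructed here, and the hypothetical helper `with_extra_flow` stands in for a human editing one router's filter so the checker has something to catch.

```python
"""Toy model of policy-to-filter generation and violation checking.

Added illustration, not the paper's language or algorithms. Assumed model:
areas are network regions, each router joins exactly two areas, and the
policy lists every (src_area, dst_area, service) flow that may be delivered.
"""
from collections import deque
from typing import Callable, Dict, FrozenSet, List, Set, Tuple

Area = str
Flow = Tuple[Area, Area, str]   # (src_area, dst_area, service)
Hop = Tuple[Area, Area]         # (in_area, out_area): one direction through a router
Filter = Dict[Hop, Set[Flow]]   # flows a router lets through on each hop

# Constructed sample topology: router -> the two areas it joins.
TOPOLOGY: Dict[str, Tuple[Area, Area]] = {
    "r_edge": ("internet", "dmz"),
    "r_core": ("dmz", "corp"),
    "r_lab": ("corp", "lab"),
}
SERVICES = ("http", "ssh")

# Constructed sample global policy: any flow not listed must be blocked.
POLICY: FrozenSet[Flow] = frozenset({
    ("internet", "dmz", "http"),
    ("corp", "internet", "http"),
    ("corp", "dmz", "ssh"),
    ("lab", "corp", "http"),
})


def _adjacency(topology) -> Dict[Area, List[Tuple[Area, str]]]:
    adj: Dict[Area, List[Tuple[Area, str]]] = {}
    for router, (a, b) in topology.items():
        adj.setdefault(a, []).append((b, router))
        adj.setdefault(b, []).append((a, router))
    return adj


def _reachable(adj, start: Area, may_enter: Callable[[str, Area, Area], bool]) -> Set[Area]:
    """Areas reachable from start, crossing router r from a to b only if may_enter(r, a, b)."""
    seen = {start}
    queue = deque([start])
    while queue:
        a = queue.popleft()
        for b, router in adj.get(a, []):
            if b not in seen and may_enter(router, a, b):
                seen.add(b)
                queue.append(b)
    return seen


def generate_filters(topology, policy) -> Dict[str, Filter]:
    """Algorithm 1 (toy): per-router filters that enforce the global policy.

    A router passes a flow on hop (a, b) only if the flow is in the policy and the
    hop can lie on a loop-free path from the flow's source to its destination.
    Since no hop ever passes a flow outside the policy, the result enforces the
    policy whichever path the network actually uses; the path test only decides
    where a permitted flow must be let through so that it is still deliverable.
    """
    adj = _adjacency(topology)
    filters: Dict[str, Filter] = {}
    for router, (x, y) in topology.items():
        filters[router] = {}
        for a, b in ((x, y), (y, x)):
            permitted: Set[Flow] = set()
            for s, d, svc in policy:
                if s == b or d == a:      # hop would carry the packet backwards
                    continue
                upstream = _reachable(adj, s, lambda r, p, q: q not in (b, d))
                downstream = _reachable(adj, b, lambda r, p, q: q not in (a, s))
                if a in upstream and d in downstream:
                    permitted.add((s, d, svc))
            filters[router][(a, b)] = permitted
    return filters


def deliverable(topology, filters, flow: Flow) -> bool:
    """True if some path exists on which every router passes the flow."""
    s, d, _ = flow
    adj = _adjacency(topology)
    return d in _reachable(
        adj, s, lambda r, a, b: flow in filters[r].get((a, b), set()))


def find_violations(topology, filters, policy, services) -> Set[Flow]:
    """Algorithm 2 (toy): every flow the filters deliver that the policy forbids."""
    areas = list(_adjacency(topology))
    return {
        (s, d, svc)
        for s in areas for d in areas if s != d
        for svc in services
        if (s, d, svc) not in policy and deliverable(topology, filters, (s, d, svc))
    }


def with_extra_flow(filters, router: str, hop: Hop, flow: Flow) -> Dict[str, Filter]:
    """Hypothetical helper: copy of the filters after a human opens one more flow on one hop."""
    edited = {r: {h: set(fl) for h, fl in f.items()} for r, f in filters.items()}
    edited[router].setdefault(hop, set()).add(flow)
    return edited


if __name__ == "__main__":
    generated = generate_filters(TOPOLOGY, POLICY)
    print("violations in generated filters:", find_violations(TOPOLOGY, generated, POLICY, SERVICES))
    edited = with_extra_flow(generated, "r_lab", ("lab", "corp"), ("lab", "corp", "ssh"))
    print("violations after manual edit:", find_violations(TOPOLOGY, edited, POLICY, SERVICES))
```

The generated filters are safe by construction because every hop admits only policy flows; the checker is what matters once a person has altered them, since a flow becomes a violation only when some path is open to it at every router along the way, which is exactly what `deliverable` tests.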
Work supported by the National Security Agency under United States Army CECOM contract DAAB 07-96-C-E601. This paper appears in the Proceedings, 1997 IEEE Symposium on Security and Privacy.
