Systematic review of automatic translation of high-level security policy into firewall rules
Ivan Kovačević, Bruno Štengl, Stjepan Groš

TL;DR
This paper systematically reviews methods for automatically translating high-level security policies into firewall rules, highlighting progress, challenges, and the potential for improved security policy enforcement.
Contribution
It provides a comprehensive survey of over twenty approaches for automatic policy translation and discusses their evolution, advantages, and remaining limitations.
Findings
Most approaches use specialized domain languages for rule generation
Formal specifications and ontologies are employed in some methods
Significant progress has been made, but key challenges remain
Abstract
Firewalls are security devices that perform network traffic filtering. They are ubiquitous in the industry and are a common method used to enforce organizational security policy. Security policy is specified on a high level of abstraction, with statements such as "web browsing is allowed only on workstations inside the office network", and needs to be translated into low-level firewall rules to be enforceable. There has been a lot of work regarding optimization, analysis and platform independence of firewall rules, but an area that has seen much less success is automatic translation of high-level security policies into firewall rules. In addition to improving rules' readability, such translation would make it easier to detect errors. This paper surveys over twenty papers that aim to generate firewall rules according to a security policy specified on a higher level of abstraction. It…
