Firewall resource announcement and request

Posted by securebuddha@gmail.com on January 11, 2006, 1:10 am
Hello all,

I would like to take the time to present an opportunity for all
end-users to contribute to a new and leading-edge technique in the
generation and validation of firewall rulesets --- the utilization of a
custom XML application designed to accommodate firewall-specific
elements known as xsdl:Iptables. This application is a subset of a larger
and encompassing language to provide for valid information security
documents known as the Extensible Security Document Language.

The "xsdl:Iptables" application is generalized as such:

* a custom-built XML markup language specifically designed to construct
a rule or ruleset
* each and every rule instance can be checked for well-formedness
through use of an XML parser
* each and every rule instance can be validated for proper syntax
through use of an XML parser and the use of my custom XML schema
document model
* firewall architectures can be constructed from the document instance
via custom designed stylesheets
* all documents containing firewall rules can be digitally signed
according to the XML Digital Signature industry standard
* all digitally signed documents containing firewall rules can be
verified according to the XML Digital Signature industry standard
* all documents containing firewall rules can be encrypted according to
the XML Encryption industry standard
* all encrypted documents containing firewall rules can be decrypted
according to the XML Encryption industry standard
* multiple digital signatures can be applied to a rule or ruleset via
manifests for further internal validation or review
* firewall initialization can be programmed to utilize these security
mechanism enhancements with ease

Essentially, you, the end-user, can construct rules and rulesets that
are well-formed and syntactically verifiable from the start. There are
no more trial-and-error issues with regard to a rule's structure. If a
rule's structure is invalid, you will not be able to successfully
validate your document. The parser will also provide a high-level
explanation of the problem area generating the resultant error.

After successfully validating your document, you can choose to
digitally sign it with one or more digital signatures to provide
verification of this resource's integrity. After digitally signing this
document, anyone with access to your public key may then also be able
to verify this document's integrity. The XML Digital Signature standard
also provides for X509 and PGP key structures.

To further implement the layered approach to your security posture, you
may choose to encrypt the document. Most encryption algorithms are
available for use in your specific environmental concerns. Performing
this step after applying a digital signature provides for enforcement
of both confidentiality and integrity of this resource.

In conclusion, I am asking that you, the end-users, forward to me a
sanitized version of your current and developmental rules and rulesets
so that I may implement quality analysis processes to verify and
improve this product so that it may soon be released for use by the
general public. Remember, this product is in an alpha developmental
state; I have many bugs and implementations to iron out. However, your
contribution may prove to be the resource that transports this
application into use throughout the open source community.

I have an example digitally signed document constructed from the
default rules provided with the Novell OpenSuSE 10.0 distribution that
may be forwarded to you upon request for more information. Myself and
the Open Source community thank you for your time and contributions.

Thomas R. Jones
XSDL Core Developer
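
The validate-before-apply workflow described in the post above, as an added example that is not part of the original post and not the xsdl:Iptables code: the post does not show its schema, so the element and attribute names (`ruleset`, `rule`, `chain`, `target`, `protocol`, `source`, `dport`) and the sample documents are hypothetical, and hand-written checks stand in for an XML Schema validator.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Hypothetical vocabulary; the real xsdl:Iptables schema is not shown in the post.
CHAINS = {"INPUT", "OUTPUT", "FORWARD"}
TARGETS = {"ACCEPT", "DROP", "REJECT"}
PROTOCOLS = {"tcp", "udp"}
# Constructed sample documents: valid, not well-formed, well-formed but invalid.
GOOD = ('<ruleset><rule chain="INPUT" target="ACCEPT"><protocol>tcp</protocol>'
        '<source>192.0.2.0/24</source><dport>22</dport></rule></ruleset>')
BAD_SYNTAX = '<ruleset><rule chain="INPUT" target="ACCEPT"><protocol>tcp</rule></ruleset>'
BAD_RULE = GOOD.replace("ACCEPT", "ALLOW").replace(">22<", ">70000<")

def check_rule(rule):
    """Return a list of validation errors for one <rule> element."""
    errors = []
    if rule.get("chain") not in CHAINS:
        errors.append(f"chain={rule.get('chain')!r} not in {sorted(CHAINS)}")
    if rule.get("target") not in TARGETS:
        errors.append(f"target={rule.get('target')!r} not in {sorted(TARGETS)}")
    proto = rule.findtext("protocol")
    if proto not in PROTOCOLS:
        errors.append(f"protocol {proto!r} not allowed")
    try:
        ipaddress.ip_network(rule.findtext("source", ""), strict=False)
    except ValueError as exc:
        errors.append(f"source: {exc}")
    port = rule.findtext("dport", "")
    if not (port.isascii() and port.isdigit() and 1 <= int(port) <= 65535):
        errors.append(f"dport {port!r} is not 1-65535")
    return errors

def compile_ruleset(xml_text):
    """Parse, validate, then render argument lists; any error yields no commands."""
    try:
        root = ET.fromstring(xml_text)  # well-formedness check
    except ET.ParseError as exc:
        return None, [f"not well-formed: {exc}"]
    errors, commands = [], []
    for n, rule in enumerate(root.iter("rule"), 1):
        found = check_rule(rule)
        errors += [f"rule {n}: {e}" for e in found]
        if not found:  # argument list, never a shell string built from document text
            commands.append(["iptables", "-A", rule.get("chain"), "-p",
                             rule.findtext("protocol"), "-s", rule.findtext("source"),
                             "--dport", rule.findtext("dport"), "-j", rule.get("target")])
    return (None, errors) if errors else (commands, [])
```

`compile_ruleset(BAD_RULE)` returns no commands and one error per failed constraint, so a ruleset with a single bad rule is rejected as a whole rather than partially loaded.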

