I would like to take the time to present an opportunity for all end-users to contribute to a new and leading-edge technique in the generation and validation of firewall rulesets: the utilization of a custom XML application designed to accommodate firewall-specific elements, known as xsdl:Iptables. This application is a subset of a larger and encompassing language that provides for valid information security documents, known as the Extensible Security Document Language.
The "xsdl:Iptables" application is generalized as such:
- a custom-built XML markup language specifically designed to construct a rule or ruleset
- each and every rule instance can be checked for well-formedness through use of an XML parser
- each and every rule instance can be validated for proper syntax through use of an XML parser and my custom XML Schema document model
- firewall architectures can be constructed from the document instance via custom designed stylesheets
- all documents containing firewall rules can be digitally signed according to the XML Digital Signature industry standard
- all digitally signed documents containing firewall rules can be verified according to the XML Digital Signature industry standard
- all documents containing firewall rules can be encrypted according to the XML Encryption industry standard
- all encrypted documents containing firewall rules can be decrypted according to the XML Encryption industry standard
- multiple digital signatures can be applied to a rule or ruleset via manifests for further internal validation or review
- firewall initialization can be programmed to utilize these security mechanism enhancements with ease
Essentially, you, the end-user, can construct rules and rulesets that are well-formed and syntactically verifiable from the start. There are no more trial-and-error issues with regard to a rule's structure. If a rule's structure is invalid, you will not be able to successfully validate your document. The parser will also provide a high-level explanation of the problem area generating the resultant error.
After successfully validating your document, you can choose to digitally sign it with one or more digital signatures to provide verification of this resource's integrity. After digitally signing this document, anyone with access to your public key may then also be able to verify this document's integrity. The XML Digital Signature standard also provides for X.509 and PGP key structures.
To further implement the layered approach to your security posture, you may choose to encrypt the document. Most encryption algorithms are available for use, according to your specific environmental concerns. Performing this step after applying a digital signature provides for enforcement of both the confidentiality and the integrity of this resource.
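As an added illustration of the parse-then-validate-then-generate flow described above (this is example code, not part of the original post or of the xsdl:Iptables project), the following Python sketch refuses to emit any iptables commands until the document is both well-formed and structurally valid. The element and attribute names (`ruleset`, `rule`, `chain`, `target`, `protocol`, `dport`) are assumptions, and the hand-written checks stand in for the real XML Schema and the stylesheet step.

```python
# Added example (not from the original post or the XSDL project): stdlib-only
# parse -> validate -> generate sketch; element names and checks are assumptions.
import xml.etree.ElementTree as ET

RULESET = """<ruleset table="filter">
  <rule chain="INPUT" target="ACCEPT" protocol="tcp" dport="22"/>
  <rule chain="INPUT" target="DROP" protocol="tcp" dport="23"/>
  <rule chain="INPUT" target="ACCEPT" protocol="icmp"/>
</ruleset>"""  # constructed sample input

CHAINS, TARGETS = {"INPUT", "OUTPUT", "FORWARD"}, {"ACCEPT", "DROP", "REJECT"}
PROTOCOLS = {"tcp", "udp", "icmp"}

def validate(root):
    """Return human-readable problems; an empty list means the ruleset is valid."""
    if root.tag != "ruleset":
        return [f"root element must be <ruleset>, got <{root.tag}>"]
    errors = []
    for i, rule in enumerate(root.findall("rule"), 1):
        chain, target = rule.get("chain"), rule.get("target")
        proto, dport = rule.get("protocol"), rule.get("dport")
        if chain not in CHAINS:
            errors.append(f"rule {i}: unknown chain {chain!r}")
        if target not in TARGETS:
            errors.append(f"rule {i}: unknown target {target!r}")
        if proto not in PROTOCOLS:
            errors.append(f"rule {i}: unknown protocol {proto!r}")
        elif dport is not None and proto == "icmp":
            errors.append(f"rule {i}: dport is meaningless for icmp")
        if dport is not None and not (dport.isdigit() and 0 < int(dport) < 65536):
            errors.append(f"rule {i}: dport {dport!r} is not a port number")
    return errors

def generate(root):
    """Emit iptables command lines; this stands in for the stylesheet step."""
    table, lines = root.get("table", "filter"), []
    for rule in root.findall("rule"):
        cmd = ["iptables", "-t", table, "-A", rule.get("chain"),
               "-p", rule.get("protocol")]
        if rule.get("dport") is not None:
            cmd += ["--dport", rule.get("dport")]
        lines.append(" ".join(cmd + ["-j", rule.get("target")]))
    return lines

def build(xml_text):
    root = ET.fromstring(xml_text)      # ParseError if not well-formed
    errors = validate(root)
    if errors:                          # refuse to generate from a bad document
        raise ValueError("; ".join(errors))
    return generate(root)
```

Signing and encrypting the validated document (the XML Digital Signature and XML Encryption steps) would follow `build` and are not shown here.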
In conclusion, I am asking that you, the end-users, forward to me a sanitized version of your current and developmental rules and rulesets so that I may implement quality analysis processes to verify and improve this product, so that it may soon be released for use by the general public. Remember, this product is in an alpha developmental state; I have many bugs and implementations to iron out. However, your contribution may prove to be the resource that transports this application into use throughout the open source community.
I have an example digitally signed document, constructed from the default rules provided with the Novell OpenSuSE 10.0 distribution, that may be forwarded to you upon request for more information. The Open Source community and I thank you for your time and contributions.
Thomas R. Jones, XSDL Core Developer