How It Works
FDT is a tool for managing the security of complex networks, and the idea behind it is actually very simple. By combining a network description with a security policy model, FDT identifies all the security rules required for every machine in the network. It then generates a set of security rules for each machine on the network.
In the current version these security rules are applied manually to each individual machine; in future versions it is planned to automate the application of the firewall rules.
When you use FDT there are three different stages:
- Describe and document a network.
In order to use FDT, the first thing you must do is describe the network and the components in it. This is quite a lengthy task, but it is always useful to document systems well, so this stage can be viewed as a documentation activity.
The network model is created and maintained using a graphical user interface.
- Describe network security policies.
This is the novel part of FDT: using the graphical interface you can define security policies (which we call Imperatives) that are to be applied across a network. For instance, one imperative would be to allow anyone web access to a web server, and a second imperative would be to allow staff and the web server to send SQL requests to an SQL server.
The benefits of using a high-level, holistic approach to describe firewall policies are that:
- It is very simple and easy to do
- It is Machine independent
- There is no possibility for errors (provided the security policies are correct and complete)
- It acts as a form of documentation
- Create & Apply Firewall Rules using the specified security policies.
Once the network and the firewall policies that operate across it are defined, the FDT tool combines these two separate models to generate detailed firewall descriptions for the individual machines within that network.
Part of the documentation process includes describing the type of each machine. FDT uses this information to create firewall rules, in a format appropriate for each specific machine type.
Some machines on the network may have no firewalling capability, in which case no firewall rules are created for them. Other machines may be Cisco, Unix or Windows types, in which case the firewall rulesets created will be appropriate for that machine type.
This is the core benefit of using FDT: it allows the operator to create extremely complex firewall rulesets in a provably correct fashion.
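The following is an added illustrative model of the three stages described above, not FDT's own code or file format: a small network description and the two imperatives from the text are compiled into a per-machine ruleset, rendered in a simplified syntax chosen by the machine's type. All host names, addresses, group definitions and output formats are constructed for the example.

```python
"""Illustrative model of the FDT approach: network description + imperatives
-> one ruleset per machine. Not FDT's syntax; all data below is constructed."""

# Constructed network description: each machine has a firewall type and address.
NETWORK = {
    "web1":    {"type": "iptables", "addr": "10.0.1.10"},
    "sql1":    {"type": "iptables", "addr": "10.0.2.20"},
    "edge":    {"type": "cisco",    "addr": "10.0.0.1"},
    "printer": {"type": "none",     "addr": "10.0.3.5"},   # no firewalling capability
}
# Groups an imperative may name as a source; "anyone" means any address.
GROUPS = {"anyone": ["0.0.0.0/0"], "staff": ["10.0.9.0/24"], "web1": ["10.0.1.10/32"]}
SERVICES = {"http": ("tcp", 80), "sql": ("tcp", 1433)}

# The two imperatives given in the text, written against the model above.
IMPERATIVES = [
    {"allow": ["anyone"], "to": "web1", "service": "http"},
    {"allow": ["staff", "web1"], "to": "sql1", "service": "sql"},
]

def render(fw_type, src, dst, proto, port):
    """Emit one permit rule in a simplified syntax for the given firewall type."""
    if fw_type == "iptables":
        return f"iptables -A INPUT -p {proto} -s {src} -d {dst} --dport {port} -j ACCEPT"
    if fw_type == "cisco":
        return f"permit {proto} {src} host {dst} eq {port}"
    return None  # type "none": the machine cannot enforce rules

def compile_rules(network, groups, services, imperatives):
    """Expand every imperative into concrete rules on the machine it protects."""
    rules = {host: [] for host in network}          # every machine gets an entry
    for imp in imperatives:
        target = network[imp["to"]]
        proto, port = services[imp["service"]]
        for group in imp["allow"]:
            for src in groups[group]:
                rule = render(target["type"], src, target["addr"], proto, port)
                if rule is not None:
                    rules[imp["to"]].append(rule)
    # Close each firewall-capable machine with a default deny, so only
    # traffic named by an imperative is permitted.
    for host, info in network.items():
        if info["type"] == "iptables":
            rules[host].append("iptables -P INPUT DROP")
        elif info["type"] == "cisco":
            rules[host].append("deny ip any any")
    return rules

if __name__ == "__main__":
    for host, ruleset in compile_rules(NETWORK, GROUPS, SERVICES, IMPERATIVES).items():
        print(host, ruleset)
```

Changing an imperative and recompiling shows why the holistic approach avoids per-host editing errors: every affected machine's ruleset is regenerated from the same two models.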