Multi-constraint security policies for delegated firewall administration

Authors:
Cássio Ditzel Kropiwiec;Edgard Jamhour;Manoel Camillo Penna;Guy Pujolle
Affiliations:
LIP6, Université Pierre et Marie Curie, Paris, France;PPGIA, Pontifical Catholic University of Parana, Curitiba, Brazil;PPGIA, Pontifical Catholic University of Parana, Curitiba, Brazil;LIP6, Université Pierre et Marie Curie, Paris, France
Venue:
International Journal of Network Management
Year:
2011

Citing 13
Cited 0

The Z notation: a reference manual

The Z notation: a reference manual
The Ponder Policy Specification Language

POLICY '01 Proceedings of the International Workshop on Policies for Distributed Systems and Networks
The Z/EVES System

ZUM '97 Proceedings of the 10th International Conference of Z Users on The Z Formal Specification Notation
Filtering postures: local enforcement for global policies

SP '97 Proceedings of the 1997 IEEE Symposium on Security and Privacy
Compiling Policy Descriptions into Reconfigurable Firewall Processors

FCCM '03 Proceedings of the 11th Annual IEEE Symposium on Field-Programmable Custom Computing Machines
Firmato: A novel firewall management toolkit

ACM Transactions on Computer Systems (TOCS)
FACE: A Firewall Analysis and Configuration Engine

SAINT '05 Proceedings of the The 2005 Symposium on Applications and the Internet
Policy Modeling and Refinement for Network Security Systems

POLICY '05 Proceedings of the Sixth IEEE International Workshop on Policies for Distributed Systems and Networks
Aggregating and Deploying Network Access Control Policies

ARES '07 Proceedings of the The Second International Conference on Availability, Reliability and Security
Specifications of a high-level conflict-free firewall policy language for multi-domain networks

Proceedings of the 12th ACM symposium on Access control models and technologies
Policy decomposition for collaborative access control

Proceedings of the 13th ACM symposium on Access control models and technologies
A Flexible Policy-Based Firewall Management Framework

CW '08 Proceedings of the 2008 International Conference on Cyberworlds
Network policy languages: a survey and a new approach

IEEE Network: The Magazine of Global Internetworking

Quantified Score

Hi-index	0.00

Visualization

Abstract

This work presents a new approach to policy representation of network security. It introduces a high-level language, where the security policies can be expressed by three policy models: mandatory, discretionary and security property. The proposed framework is capable of handling all three dimensions, being capable of generating the permissions from an abstract representation that is independent of how they are enforced, without violating the requirements of high-level security. Each dimension can be defined by people with different roles; for example, rules of the mandatory model and of the security property model could be attributed to the personnel of risk management, while rules of the discretionary model can be delegated among the network administrators in various departments of the organization. This work also presents a mechanism to represent the features implemented by different firewall models and a mechanism for translating the abstract representation in the scripts to configure the firewalls. A formal specification of the policy model validates the refinement algorithm and a study of scalability is presented to demonstrate how the algorithm behaves in large networks. Copyright © 2011 John Wiley & Sons, Ltd.