Network-level access control policy analysis and transformation

Authors:
Cataldo Basile;Alberto Cappadonia;Antonio Lioy
Affiliations:
Dipartimento di Automatica ed Informatica, Politecnico di Torino, Turin, Italy;Dipartimento di Automatica ed Informatica, Politecnico di Torino, Turin, Italy;Dipartimento di Automatica ed Informatica, Politecnico di Torino, Turin, Italy
Venue:
IEEE/ACM Transactions on Networking (TON)
Year:
2012

Citing 14
Cited 1

The representation of policies as system objects

COCS '91 Proceedings of the conference on Organizational computing systems
Conflicts in Policy-Based Distributed Systems Management

IEEE Transactions on Software Engineering
Dynamic Policy Model for Large Evolving Enterprises

EDOC '01 Proceedings of the 5th IEEE International Conference on Enterprise Distributed Object Computing
IPSec/VPN Security Policy: Correctness, Conflict Detection, and Resolution

POLICY '01 Proceedings of the International Workshop on Policies for Distributed Systems and Networks
Survey and taxonomy of packet classification techniques

ACM Computing Surveys (CSUR)
Analysis And Classification of IPSec Security Policy Conflicts

FCST '06 Proceedings of the Japan-China Joint Workshop on Frontier of Computer Science and Technology
Geometric Interpretation of Policy Specification

POLICY '08 Proceedings of the 2008 IEEE Workshop on Policies for Distributed Systems and Networks
A topological approach to detect conflicts in firewall policies

IPDPS '09 Proceedings of the 2009 IEEE International Symposium on Parallel&Distributed Processing
Modeling and Management of Firewall Policies

IEEE Transactions on Network and Service Management
Policy refinement for IP differentiated services Quality of Service management

IEEE Transactions on Network and Service Management
Taxonomy of conflicts in network security policies

IEEE Communications Magazine
Fast and scalable packet classification

IEEE Journal on Selected Areas in Communications
Conflict classification and analysis of distributed firewall policies

IEEE Journal on Selected Areas in Communications
Policy hierarchies for distributed systems management

IEEE Journal on Selected Areas in Communications

On the notion of redundancy in access control policies

Proceedings of the 18th ACM symposium on Access control models and technologies

Quantified Score

Hi-index	0.00

Visualization

Abstract

Network-level access control policies are often specified by various people (network, application, and security administrators), and this may result in conflicts or suboptimal policies. We have defined a new formal model for policy representation that is independent of the actual enforcement elements, along with a procedure that allows the easy identification and removal of inconsistencies and anomalies. Additionally, the policy can be translated to the model used by the target access control element to prepare it for actual deployment. In particular, we show that every policy can be translated into one that uses the "First Matching Rule" resolution strategy. Our policy model and optimization procedure have been implemented in a tool that experimentally demonstrates its applicability to real-life cases.