Network-level access control policies are often specified by various people (network, application, and security administrators), and this may result in conflicts or suboptimal policies. We have defined a new formal model for policy representation that is independent of the actual enforcement elements, along with a procedure that allows the easy identification and removal of inconsistencies and anomalies. Additionally, the policy can be translated to the model used by the target access control element to prepare it for actual deployment. In particular, we show that every policy can be translated into one that uses the "First Matching Rule" resolution strategy. Our policy model and optimization procedure have been implemented in a tool that experimentally demonstrates its applicability to real-life cases.