Multi-constraint security policies for delegated firewall administration

This work presents a new approach to representing network security policy. It introduces a high-level language in which security policies are expressed through three policy models: mandatory, discretionary and security property. The proposed framework handles all three dimensions, generating the permissions from an abstract representation that is independent of how they are enforced, without violating the high-level security requirements. Each dimension can be defined by people with different roles; for example, rules of the mandatory model and of the security property model could be assigned to risk-management personnel, while rules of the discretionary model can be delegated among the network administrators of the organization's various departments. This work also presents a mechanism for representing the features implemented by different firewall models and a mechanism for translating the abstract representation into the scripts that configure the firewalls. A formal specification of the policy model validates the refinement algorithm, and a scalability study demonstrates how the algorithm behaves in large networks. Copyright © 2011 John Wiley & Sons, Ltd.
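As an added illustration (not the paper's own language, tool or algorithm), the following Python sketch assumes one reading of the three dimensions: mandatory rules owned by risk management that no delegated rule may contradict, discretionary allow rules written by department administrators, and security-property predicates that every generated permission must satisfy. The rule format, the `covers` check and the iptables translation are assumptions made for this example; the point is that refinement validates the delegated rules against the abstract policy before any enforcement syntax is produced.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import Callable, List, Tuple

@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    port: int            # 0 means any TCP port

def rule(action: str, src: str, dst: str, port: int = 0) -> Rule:
    return Rule(action, ip_network(src), ip_network(dst), port)

def covers(outer: Rule, inner: Rule) -> bool:
    """True if every flow matched by `inner` is also matched by `outer`."""
    return (inner.src.subnet_of(outer.src) and inner.dst.subnet_of(outer.dst)
            and outer.port in (0, inner.port))

def refine(mandatory: List[Rule], discretionary: List[Rule],
           properties: List[Tuple[str, Callable[[Rule], bool]]]):
    """Keep a delegated rule only if no mandatory deny covers it and it
    satisfies every security-property predicate. Returns (accepted, rejected)."""
    accepted, rejected = [], []
    for r in discretionary:
        clash = next((m for m in mandatory if m.action == "deny" and covers(m, r)), None)
        if clash is not None:
            rejected.append((r, f"conflicts with mandatory deny {clash}"))
            continue
        failed = [name for name, pred in properties if not pred(r)]
        if failed:
            rejected.append((r, "violates property " + ", ".join(failed)))
            continue
        accepted.append(r)
    return accepted, rejected

def to_iptables(mandatory: List[Rule], accepted: List[Rule]) -> List[str]:
    """Translate the abstract permission set into one enforcement syntax.
    Mandatory rules are emitted first so they also win on partial overlaps."""
    lines = []
    for r in list(mandatory) + list(accepted):
        port = f" --dport {r.port}" if r.port else ""
        target = "ACCEPT" if r.action == "allow" else "DROP"
        lines.append(f"iptables -A FORWARD -p tcp -s {r.src} -d {r.dst}{port} -j {target}")
    return lines + ["iptables -P FORWARD DROP"]   # default-deny policy

# Constructed sample policy: risk management protects the management network,
# a department admin submits three rules, and one least-privilege property applies.
MANDATORY = [rule("deny", "0.0.0.0/0", "10.0.0.0/24")]
DISCRETIONARY = [rule("allow", "10.1.0.0/24", "10.2.0.10/32", 443),
                 rule("allow", "10.1.0.0/24", "10.0.0.5/32", 22),   # hits mandatory deny
                 rule("allow", "10.1.0.0/24", "10.2.0.0/24")]       # any-port, not allowed
PROPERTIES = [("port-specific", lambda r: r.port != 0)]
```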
