Network-Level Access Control Policy Analysis and Transformation

Network-level access control policies are often written by several different people (network, application, and security administrators), which can leave the resulting policy with conflicts or in a suboptimal form. We have defined a new formal model for policy representation that is independent of the actual enforcement elements, together with a procedure that makes inconsistencies and anomalies easy to identify and remove. The policy can then be translated to the model used by the target access control element, to prepare it for actual deployment. In particular, we show that every policy can be translated into one that uses the “First Matching Rule” resolution strategy. Our policy model and optimization procedure have been implemented in a tool whose experiments demonstrate its applicability to real-life cases.
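The following is an added, self-contained illustration of the three steps the abstract describes (an enforcement-independent model, anomaly detection and removal, and translation to a First Matching Rule list); it is not the paper's tool or formal model. It assumes a toy header space of three small integer fields, a stand-in enforcement-independent strategy ("the most specific matching rule wins, deny on ties") chosen here for illustration, the commonly used pairwise anomaly categories (shadowing, redundancy, generalization, correlation) rather than the paper's own algebra, and a constructed five-rule policy. Because the header space is tiny, equivalence between the original semantics and the generated FMR list is checked by brute force over every packet.

```python
"""Added example, not the paper's tool: a toy enforcement-independent policy model over
packet-header hyperrectangles, pairwise anomaly detection, and translation of a
"most specific rule wins" policy into an equivalent First Matching Rule (FMR) list.
Header ranges are tiny on purpose so equivalence is checked over every packet."""
from dataclasses import dataclass
from itertools import product

FIELDS = ("src", "dst", "dport")
LIMITS = {"src": 8, "dst": 8, "dport": 8}   # constructed header space: each field in [0, 8)

@dataclass
class Rule:
    rid: str
    cond: dict    # field -> (lo, hi), inclusive interval
    action: str   # "allow" or "deny"

    def matches(self, pkt):
        return all(self.cond[f][0] <= pkt[f] <= self.cond[f][1] for f in FIELDS)

    def volume(self):  # packets covered: the specificity measure used by the resolver
        v = 1
        for lo, hi in (self.cond[f] for f in FIELDS):
            v *= hi - lo + 1
        return v

def overlaps(a, b):
    return all(max(a.cond[f][0], b.cond[f][0]) <= min(a.cond[f][1], b.cond[f][1]) for f in FIELDS)

def contained(a, b):
    """True when every packet matching a also matches b."""
    return all(b.cond[f][0] <= a.cond[f][0] and a.cond[f][1] <= b.cond[f][1] for f in FIELDS)

def anomalies(ordered):
    """Pairwise anomalies of an FMR list as (kind, affected rule, other rule)."""
    found = []
    for i, ri in enumerate(ordered):
        for j in range(i + 1, len(ordered)):
            rj = ordered[j]
            if not overlaps(ri, rj):
                continue
            if contained(rj, ri):          # rj can never fire: ri matches first
                found.append(("redundant" if ri.action == rj.action else "shadowed", rj.rid, ri.rid))
            elif contained(ri, rj):
                if ri.action != rj.action:  # ri is a deliberate exception to rj
                    found.append(("generalization", rj.rid, ri.rid))
                elif not any(overlaps(ri, rk) and rk.action != ri.action for rk in ordered[i + 1:j]):
                    found.append(("redundant", ri.rid, rj.rid))   # rj would decide the same anyway
            elif ri.action != rj.action:   # partial overlap, conflicting actions
                found.append(("correlated", rj.rid, ri.rid))
    return found

def _specificity(r):
    return (r.volume(), r.action != "deny", r.rid)   # fewest packets wins, then deny, then id

def decide_most_specific(rules, pkt, default="deny"):
    """Enforcement-independent semantics: the order of the rule set is irrelevant."""
    hits = [r for r in rules if r.matches(pkt)]
    return min(hits, key=_specificity).action if hits else default

def decide_fmr(ordered, pkt, default="deny"):
    """Typical packet-filter semantics: the first matching rule decides."""
    return next((r.action for r in ordered if r.matches(pkt)), default)

def to_fmr(rules):
    """Sorting by the resolver's own key makes the first FMR match the resolver's choice."""
    return sorted(rules, key=_specificity)

def remove_anomalies(ordered):
    """Drop rules that never fire or change nothing, one at a time so each step is safe."""
    ordered = list(ordered)
    while True:
        dead = [v for kind, v, _ in anomalies(ordered) if kind in ("shadowed", "redundant")]
        if not dead:
            return ordered
        ordered = [r for r in ordered if r.rid != dead[0]]

def all_packets():
    return (dict(zip(FIELDS, v)) for v in product(*(range(LIMITS[f]) for f in FIELDS)))

def equivalent(decide_a, decide_b):
    """Brute-force decision equivalence over the whole (tiny) header space."""
    return all(decide_a(p) == decide_b(p) for p in all_packets())

# Constructed policy, in the order an administrator wrote it down
POLICY = [
    Rule("R1", {"src": (0, 7), "dst": (4, 4), "dport": (0, 7)}, "deny"),   # nobody reaches host 4 ...
    Rule("R2", {"src": (2, 2), "dst": (4, 4), "dport": (3, 3)}, "allow"),  # ... except host 2 on port 3
    Rule("R3", {"src": (0, 7), "dst": (0, 7), "dport": (3, 3)}, "allow"),  # port 3 open everywhere else
    Rule("R4", {"src": (5, 7), "dst": (0, 7), "dport": (0, 7)}, "deny"),   # sources 5-7 blocked outright
    Rule("R5", {"src": (6, 6), "dst": (0, 3), "dport": (1, 1)}, "deny"),   # leftover, already covered by R4
]

if __name__ == "__main__":
    print("as written:", anomalies(POLICY))            # R2 is shadowed by R1 under FMR
    fmr = remove_anomalies(to_fmr(POLICY))
    print("deployable order:", [r.rid for r in fmr], anomalies(fmr))
    print("equivalent:", equivalent(lambda p: decide_most_specific(POLICY, p),
                                    lambda p: decide_fmr(fmr, p)))
```

Deployed as written, the list silently drops the admin exception R2 because R1 precedes it; the pairwise check reports exactly that as a shadowing anomaly. Translation works here because the FMR order is derived from the same key the enforcement-independent resolver uses, so the first match is always the resolver's choice; R5 then shows up as redundant and is removed, and the brute-force check confirms the deployable list decides every packet the way the original policy did. Generalization and correlation are reported but not removed, since they are often intentional (an exception carved out of a broader rule) and need a human decision.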
