Reliable Process for Security Policy Deployment

In this paper we focus on the problem of configuring and managing network security devices such as firewalls, Virtual Private Network (VPN) tunnels, and Intrusion Detection Systems (IDSs). Our proposal is as follows. First, we formally specify the security requirements of a given system using an expressive access control model. The result is an abstract security policy that is free of ambiguities, redundancies and unnecessary details. Second, we deploy this abstract policy into the security devices of the system through a set of automatic compilations. The proposed deployment process not only simplifies the security administrator's job, but also guarantees a resulting configuration free of anomalies and inconsistencies.
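The two-step process described above (abstract policy first, then automatic compilation into device rules with a guarantee of no anomalies) is illustrated by the following added example. It is not code from the paper or its authors: the zone map, service table, the `priority` convention for resolving a permission against a prohibition, and the simplified abstract-rule model are all assumptions made here in place of the paper's own access control model. The compiler orders rules so that first-match evaluation on the device preserves the abstract conflict resolution, then refuses to emit a configuration in which a rule is shadowed (fully covered by an earlier rule with the opposite action) or redundant (fully covered by an earlier rule with the same action).

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import List, Optional, Tuple

# Constructed zone and service catalogue (assumed; the paper's own access
# control model is not reproduced here).
ZONES = {"internet": "0.0.0.0/0", "dmz": "10.1.0.0/24", "lan": "10.2.0.0/24"}
SERVICES = {"http": ("tcp", 80), "ssh": ("tcp", 22), "any": ("ip", None)}


@dataclass(frozen=True)
class AbstractRule:
    """Abstract-level statement: a subject zone is permitted or prohibited
    to use a service on a target zone. 'priority' decides when a permission
    and a prohibition overlap (assumed convention, not the paper's)."""
    kind: str        # "permit" or "prohibit"
    subject: str     # key of ZONES
    target: str      # key of ZONES
    service: str     # key of SERVICES
    priority: int    # higher wins


@dataclass(frozen=True)
class FilterRule:
    """Device-level packet-filter rule, evaluated first-match in list order."""
    action: str              # "ACCEPT" or "DROP"
    src: IPv4Network
    dst: IPv4Network
    proto: str               # "tcp" or "ip" (any protocol)
    port: Optional[int]      # destination port, None = any


def compile_policy(policy: List[AbstractRule]) -> List[FilterRule]:
    """Emit higher-priority abstract rules first so that first-match
    evaluation keeps the abstract semantics; close with a default deny."""
    ordered = sorted(policy, key=lambda r: -r.priority)  # stable sort: ties keep order
    rules = []
    for r in ordered:
        proto, port = SERVICES[r.service]
        rules.append(FilterRule("ACCEPT" if r.kind == "permit" else "DROP",
                                ip_network(ZONES[r.subject]),
                                ip_network(ZONES[r.target]), proto, port))
    rules.append(FilterRule("DROP", ip_network("0.0.0.0/0"),
                            ip_network("0.0.0.0/0"), "ip", None))
    return rules


def covered_by(a: FilterRule, b: FilterRule) -> bool:
    """True if every packet matched by rule a is also matched by rule b."""
    return (a.src.subnet_of(b.src) and a.dst.subnet_of(b.dst)
            and (b.proto == "ip" or a.proto == b.proto)
            and (b.port is None or a.port == b.port))


def find_anomalies(rules: List[FilterRule]) -> List[Tuple[str, int, int]]:
    """Report (kind, i, j) where rule j is fully covered by an earlier rule i.
    Only the earlier-covers-later case is checked in this toy version."""
    found = []
    for j, rj in enumerate(rules):
        for i in range(j):
            if covered_by(rj, rules[i]):
                kind = "shadowing" if rules[i].action != rj.action else "redundancy"
                found.append((kind, i, j))
                break
    return found


def render_iptables(rules: List[FilterRule]) -> List[str]:
    """Render the ordered filter list as iptables FORWARD-chain commands."""
    lines = []
    for r in rules:
        cmd = f"iptables -A FORWARD -s {r.src} -d {r.dst}"
        if r.proto != "ip":
            cmd += f" -p {r.proto}"
            if r.port is not None:
                cmd += f" --dport {r.port}"
        lines.append(cmd + f" -j {r.action}")
    return lines


def deploy(policy: List[AbstractRule]) -> List[str]:
    """Compile, verify, and only then produce the device configuration."""
    rules = compile_policy(policy)
    anomalies = find_anomalies(rules)
    if anomalies:
        raise ValueError(f"refusing to deploy, anomalies found: {anomalies}")
    return render_iptables(rules)


# Constructed sample policies.
POLICY_OK = [
    AbstractRule("permit", "internet", "dmz", "http", 10),
    AbstractRule("permit", "lan", "dmz", "ssh", 10),
    AbstractRule("prohibit", "internet", "lan", "any", 5),
]
POLICY_BAD = [  # the prohibition is shadowed by the broader permission
    AbstractRule("permit", "lan", "dmz", "any", 10),
    AbstractRule("prohibit", "lan", "dmz", "ssh", 5),
]

if __name__ == "__main__":
    print("\n".join(deploy(POLICY_OK)))
```

Running the block prints the four iptables commands for `POLICY_OK`; `deploy(POLICY_BAD)` instead raises, because the `ssh` prohibition compiles to a rule that sits behind a rule covering all traffic between the same zones and can never fire. In a real deployment the conflict would be resolved at the abstract level (the prohibition given a higher priority, or the permission narrowed) and the policy recompiled, which is the point of checking before anything reaches the device.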
