Network-level access control policy analysis and transformation

IEEE/ACM Transactions on Networking

Volumn 20, Issue 4, 2012, Pages 985-998

  Basile, Cataldo ^a   Cappadonia, Alberto ^a   Lioy, Antonio ^a  

^a POLITECNICO DI TORINO   (Italy)

Author keywords

Firewall configuration; policy anomalies; policy conflict; policy transformation; policy translation

Indexed keywords

ACCESS CONTROL POLICIES; CONTROL ELEMENTS; FIREWALL CONFIGURATION; FORMAL MODEL; IDENTIFICATION AND REMOVAL; MATCHING RULES; OPTIMIZATION PROCEDURES; POLICY CONFLICT; POLICY MODEL; POLICY TRANSFORMATION; RESOLUTION STRATEGY; SECURITY ADMINISTRATOR;

ELECTRICAL ENGINEERING; SOFTWARE ENGINEERING;

ACCESS CONTROL;

EID: 84865344402     PISSN: 10636692     EISSN: None     Source Type: Journal    
DOI: 10.1109/TNET.2011.2178431     Document Type: Article

References (29)

1. A. Westerinen, "Terminology for policy-based management," RFC-3198, Nov. 2001.
2. E. Al-Shaer and H. Hamed, "Modeling and management of firewall policies," IEEE Trans. Netw. Service Manage., vol. 1, no. 1, pp. 2-10, Apr. 2004.
3. E. Al-Shaer, H. Hamed, R. Boutaba, and M. Hasan, "Conflict classification and analysis of distributed firewall policies," IEEE J. Sel. Areas Commun., vol. 23, no. 10, pp. 2069-2084, Oct. 2005.
4. H. Hamed and E. Al-Shaer, "Taxonomy of conflicts in network security policies," IEEE Commun.Mag., vol. 44, no. 3, pp. 134-141, Mar. 2006.
5. C. Basile and A. Lioy, "Towards an algebraic approach to solve policy conflicts," in Proc.WOLFASI, Turku, Finland, July 2004, pp. 319-338.
6. C. Basile, A. Cappadonia, and A. Lioy, "Geometric interpretation of policy specification," in Proc. IEEE Policy, New York, NY, Jun. 2008, pp. 78-81.
7. M. Benelbahri and A. Bouhoula, "Tuple based approach for anomalies detection within firewall filtering rules," in Proc. IEEE ISCC, Aveiro, Portugal, Jul. 2007, pp. 63-70.
8. S. Thanasegaran, Y. Yin, Y. Tateiwa, Y. Katayama, and N. Takahashi, "A topological approach to detect conflicts in firewall policies," in Proc. IEEE IPDPS, Rome, Italy, May 2009, pp. 1-7.
9. S. Ferraresi, S. Pesic, L. Trazza, and A. Baiocchi, "Automatic conflict analysis and resolution of traffic filtering policy for firewall and security gateway," in Proc. IEEE ICC, Glasgow, Scotland, 2007, pp. 1304-1310. (Pubitemid 351145716)
10. M. Rezvani and R. Aryan, "Analyzing and resolving anomalies in firewall security policies based on propositional logic," in Proc. IEEE INMIC, Islamabad, Pakistan, 2009, pp. 1-7.
11. J. Zao, "Semantic model for IPSec policy interaction," Internet Draft, Mar. 2000.
12. Z. Fu, S. F. Wu, H. Huang, K. Loh, F. Gong, I. Baldine, and C. Xu, "IPSec/VPN security policy: Correctness, conflict detection and resolution," in Proc. IEEE Policy, Bristol, U.K., 2001, pp. 39-56. (Pubitemid 33225339)
13. Z. Li, X. Cui, and L. Chen, "Analysis and classification of IPSec security policy conflicts," in Proc. FCST, Aizu, Japan, Nov. 2006, pp. 83-88. (Pubitemid 47159898)
14. A.K.Bandara,E.C.Lupu, A.Russo, N. Dulay,M. Sloman, P. Flegkas, M. Charalambides, and G. Pavlou, "Policy refinement for IP differentiated services quality of service management," IEEE Trans. Netw. Service Manage., vol. 3, no. 2, pp. 2-13, Apr. 2006.
15. J. D. Moffett and M. S. Sloman, "The representation of policies as system objects," in Proc. SIGOIS, Atlanta, GA, 1991, pp. 171-184.
16. J. D. Moffett and M. S. Sloman, "Policy hierarchies for distributed system management," IEEE J. Sel. Areas Commun., vol. 11, no. 9, pp. 1404-1414, Nov. 1993.
17. J. D.Moffett and M. S. Sloman, "Policy conflict analysis in distributed system management," J. Org. Comput., vol. 4, no. 1, pp. 1-22, 1993.
18. E. Lupu and M. Sloman, "Conflicts in policy-based distributed system management," IEEE Trans. Softw. Eng., vol. 25, no. 6, pp. 852-869, Nov. 1999. (Pubitemid 30583219)
19. M. Sloman, "Policy driven management for distributed systems," J. Netw. Syst. Manage., vol. 2, no. 4, pp. 333-360, 1994.
20. N. Dunlop, J. Indulska, and K. A. Raymond, "Dynamic policy model for large evolving enterprises," in Proc. EDOC, Seattle, WA, Sep. 2001, pp. 193-197.
21. K. A. R. N. Dunlop and J. Indulska, "A formal specification of conflicts in dynamic policy-based management system," CRC for Enterprise Distributed Systems, Univ. Queensland, Brisbane, Australia, DSTC Tech. Rep., Aug. 2001.
22. G. Szasz, Introduction to Lattice Theory. New York: Academic, 1963.
23. B. Moore, E. Ellesson, J. Strassner, and A. Westerinen, "Policy core information model," RFC 3060, Feb. 2001.
24. "Precedence rules used to resolve access conflicts at a target," IBM Lotus Domino and Notes Information Centre, 2011 [Online]. Available: http://publib.boulder.ibm.com/infocenter/domhelp/v8r0/index.jsp
25. C. Basile,A. Cappadonia, andA. Lioy, "Algebraic models to detect and solve policy conflicts," in Proc. MMM-ACNS, St. Petersburg, Russia, 2007, pp. 242-247.
26. G. Birkhoff, Lattice Theory. Providence, RI: Amer. Math. Soc., 1967.
27. D. Taylor and J. Turner, "Scalable packet classification using distributed crossproducting of field labels," Dept. Comput. Sci. Eng., Washington Univ., Washington, DC, Tech. Rep. WUCSE-2004-38, 2004.
28. D. Taylor, "Survey and taxonomy of packet classification techniques," Comput. Surveys, vol. 37, no. 3, pp. 238-275, 2005. (Pubitemid 43892671)
29. J. van Lunteren and T. Engbersen, "Fast and scalable packet classification," IEEE J. Sel. Areas Commun., vol. 21, no. 4, pp. 560-571, May 2003.