Abstract
Languages based on either positive or negative expressiveness are very common for deploying security policies (i.e., deploying permissions and prohibitions on firewalls through positive-only or negative-only condition attributes). Although these languages may allow us to specify any policy, the use of positive or negative statements alone leads to complex configurations when excluding specific cases from general rules that should always apply. In this paper we survey the management of such exceptions and study existing solutions, such as ordering of rules and segmentation of condition attributes, that are intended to settle this lack of expressiveness. We then point out the necessity of full expressiveness, combining both negative and positive conditions in firewall languages, in order to improve this management of exceptions in access control policies. This strategy offers a more efficient deployment of policies, even using fewer rules.
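The three strategies the abstract contrasts, written out as an added illustration (not the paper's own code): the same exception to a general rule encoded by rule ordering, by segmentation of the condition attribute, and by a single rule combining a positive and a negative condition. The scenario, the addresses and the port are constructed for the example.

```python
"""Constructed scenario: allow SSH (port 22) from 10.0.0.0/8, except from the
single host 10.0.5.7; everything else is denied. Each encoding is a list of
(action, predicate) rules evaluated first-match, with a default rule last."""
from ipaddress import IPv4Address, IPv4Network

TRUSTED = IPv4Network("10.0.0.0/8")      # the general rule's source range
EXCLUDED = IPv4Network("10.0.5.7/32")    # the exception to that general rule
SSH = 22

def first_match(rules, src, port):
    """First-match evaluation shared by all three encodings."""
    for action, cond in rules:
        if cond(src, port):
            return action
    raise ValueError("policy has no default rule")

# (1) Ordering: a negative (deny) rule placed before the positive general rule.
ORDERED = [
    ("deny",  lambda s, p: s in EXCLUDED and p == SSH),
    ("allow", lambda s, p: s in TRUSTED and p == SSH),
    ("deny",  lambda s, p: True),
]

# (2) Segmentation: positive rules only, one per sub-range left after carving
# the excluded host out of the trusted range; rule order no longer matters.
SEGMENTS = list(TRUSTED.address_exclude(EXCLUDED))   # 24 disjoint networks
SEGMENTED = [("allow", lambda s, p, net=net: s in net and p == SSH)
             for net in SEGMENTS] + [("deny", lambda s, p: True)]

# (3) Full expressiveness: one rule whose condition combines a positive
# attribute (source in TRUSTED) with a negative one (source not in EXCLUDED).
COMBINED = [
    ("allow", lambda s, p: s in TRUSTED and s not in EXCLUDED and p == SSH),
    ("deny",  lambda s, p: True),
]

ENCODINGS = {"ordered": ORDERED, "segmented": SEGMENTED, "combined": COMBINED}

def rule_counts():
    """Number of rules each encoding needs for the same policy."""
    return {name: len(rules) for name, rules in ENCODINGS.items()}

def decide(name, src, port):
    return first_match(ENCODINGS[name], IPv4Address(src), port)

def all_agree(samples):
    """True when every encoding yields the same decision for every sample."""
    return all(len({decide(n, s, p) for n in ENCODINGS}) == 1 for s, p in samples)

# Constructed probe packets: the excluded host, its neighbours, range edges,
# an outside address, and a non-SSH port.
SAMPLES = [("10.0.5.7", 22), ("10.0.5.6", 22), ("10.0.5.8", 22), ("10.0.0.0", 22),
           ("10.255.255.255", 22), ("192.168.1.1", 22), ("10.0.5.6", 80)]
```

Running `rule_counts()` shows the cost of exclusion without negative conditions (3, 25 and 2 rules respectively), while `all_agree(SAMPLES)` confirms the three encodings decide identically.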
This work was supported by funding from the French ministry of research, under the ACI DESIRS project; and the Spanish Government (CICYT) project SEG2004-04352-C04-04.
Please use the following format when citing this chapter: Garcia-Alfaro, J., Cuppens, F., and Cuppens-Boulahia, N., 2007, in IFIP International Federation for Information Processing, Volume 232, New Approaches for Security, Privacy and Trust in Complex Environments, eds. Venter, H., Eloff, M., Labuschagne, L., Eloff, J., von Solms, R., (Boston: Springer), pp. 97–108.
© 2007 International Federation for Information Processing
Alfaro, J.G., Cuppens, F., Cuppens-Boulahia, N. (2007). Management of Exceptions on Access Control Policies. In: Venter, H., Eloff, M., Labuschagne, L., Eloff, J., von Solms, R. (eds) New Approaches for Security, Privacy and Trust in Complex Environments. SEC 2007. IFIP International Federation for Information Processing, vol 232. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-72367-9_9
DOI: https://doi.org/10.1007/978-0-387-72367-9_9
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-72366-2
Online ISBN: 978-0-387-72367-9