Management of Exceptions on Access Control Policies

  • J. G. Alfaro
  • F. Cuppens
  • N. Cuppens-Boulahia
Part of the IFIP International Federation for Information Processing book series (IFIPAICT, volume 232)


Languages built on either positive or negative expressiveness alone are very commonly used to deploy security policies (for example, permissions and prohibitions deployed on firewalls through condition attributes that are exclusively positive or exclusively negative). Although such languages allow any policy to be specified, using only positive or only negative statements leads to complex configurations when specific cases must be excluded from general rules that should otherwise always apply. In this paper we survey the management of such exceptions and study existing solutions, such as rule ordering and segmentation of condition attributes, that work around this lack of expressiveness. We then point out the need for full expressiveness, i.e., combining negative and positive conditions within firewall languages, to improve the management of exceptions in access control policies. This strategy yields a more efficient deployment of policies, while using fewer rules.
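As an added illustration, not code from the paper, the three strategies the abstract contrasts are modelled below in Python on a constructed policy (permit a /24 except one host): rule ordering, segmentation of the condition attribute, and a single rule combining a positive with a negative condition. All names and addresses are assumptions chosen for the example.

```python
import ipaddress

# Constructed scenario, not taken from the paper: permit traffic from
# 10.0.0.0/24 except from host 10.0.0.7, which must always be denied.
# A rule is (action, matcher); a matcher is a predicate on the source address.
# Rules are evaluated first-match, as on common firewalls; unmatched traffic
# gets the default action.

def in_net(cidr):
    net = ipaddress.ip_network(cidr)
    return lambda ip: ipaddress.ip_address(ip) in net

def not_in_net(cidr):
    inside = in_net(cidr)
    return lambda ip: not inside(ip)

def both(*matchers):
    return lambda ip: all(m(ip) for m in matchers)

def decide(rules, ip, default="deny"):
    for action, match in rules:
        if match(ip):
            return action
    return default

GENERAL, EXCEPTION = "10.0.0.0/24", "10.0.0.7/32"

# Strategy 1: rule ordering. The specific prohibition precedes the general
# permission; the policy stays correct only while that order is preserved.
ordered = [("deny", in_net(EXCEPTION)), ("permit", in_net(GENERAL))]

# Strategy 2: segmentation. The general range is split into the blocks left
# once the exception is carved out, so positive rules alone suffice, at the
# cost of one rule per block (eight here).
def segmented_rules(general, exception):
    net, hole = ipaddress.ip_network(general), ipaddress.ip_network(exception)
    return [("permit", in_net(str(b))) for b in net.address_exclude(hole)]

segmented = segmented_rules(GENERAL, EXCEPTION)

# Strategy 3: a single rule combining a positive and a negative condition.
combined = [("permit", both(in_net(GENERAL), not_in_net(EXCEPTION)))]

def policies_agree(*policies):
    """True when every policy decides alike on each address of the general
    range and on an address outside it."""
    hosts = [str(h) for h in ipaddress.ip_network(GENERAL)] + ["192.0.2.1"]
    return all(len({decide(p, ip) for p in policies}) == 1 for ip in hosts)
```

`policies_agree(ordered, segmented, combined)` returns True, while the segmented policy needs eight permit rules and the ordered one two for what the combined form expresses in one; reversing the ordered rules silently permits the excluded host.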


Keywords (machine-generated): Access Control, Security Policy, Match Strategy, Access Control Policy, Default Policy



Copyright information

© International Federation for Information Processing 2007

Authors and Affiliations

  • J. G. Alfaro (1, 2)
  • F. Cuppens (1)
  • N. Cuppens-Boulahia (1)
  1. GET/ENST-Bretagne, 35576 Cesson Sévigné, France
  2. Universitat Oberta de Catalunya, 08018 Barcelona, Spain
