Abstract
This work presents a new policy-based security framework that is able to handle mandatory, discretionary and security property policies simultaneously and coherently. One important aspect of the proposed framework is that each dimension of the security policies can be managed independently, allowing people playing different roles in an organization to define security policies without violating a global security goal. The framework creates an abstract layer that permits security policies to be defined independently of how they will be enforced. For example, the mandatory and security property policies could be assigned to the risk management staff, while the discretionary policies could be delegated among the several departments in the organization.
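To make the layering concrete, the following is an added illustrative model, not code from the paper or its authors: mandatory rules (owned by risk management) are evaluated first, discretionary rules (delegated to departments) only apply where no mandatory rule matches, and security properties are expressed as traffic selectors that must never be allowed. Two checks make the delegation safe to review: a discretionary rule that contradicts a mandatory rule is reported as a conflict, and any allow rule overlapping a property selector is reported as a property violation. All rule contents, network ranges and owner names are constructed sample data.

```python
"""Illustrative model of multi-constraint firewall policies (assumed design, not the paper's formalism)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

Packet = Tuple[str, str, int]  # (src_ip, dst_ip, dst_port)


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"; for a property selector, always "deny"
    src: str              # source CIDR
    dst: str              # destination CIDR
    port: Optional[int]   # None means any destination port
    owner: str            # who defined the rule (role or department)

    def matches(self, pkt: Packet) -> bool:
        src_ip, dst_ip, port = pkt
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and (self.port is None or self.port == port))


@dataclass
class Policy:
    mandatory: List[Rule]       # global constraints, evaluated first
    discretionary: List[Rule]   # delegated rules, evaluated only if no mandatory rule matched
    properties: List[Rule]      # selectors describing traffic that must always be denied


def decide(policy: Policy, pkt: Packet) -> str:
    """Mandatory layer wins; discretionary layer fills the gaps; default deny."""
    for rule in policy.mandatory + policy.discretionary:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def overlaps(a: Rule, b: Rule) -> bool:
    """True if some packet could match both rules."""
    return (ip_network(a.src).overlaps(ip_network(b.src))
            and ip_network(a.dst).overlaps(ip_network(b.dst))
            and (a.port is None or b.port is None or a.port == b.port))


def check_conflicts(policy: Policy) -> List[Tuple[Rule, Rule]]:
    """Discretionary rules whose action contradicts an overlapping mandatory rule."""
    return [(d, m) for d in policy.discretionary for m in policy.mandatory
            if d.action != m.action and overlaps(d, m)]


def check_properties(policy: Policy) -> List[Tuple[Rule, Rule]]:
    """Allow rules (any layer) that overlap a must-deny property selector.
    Conservative: a mandatory deny shadowing the overlap would still be reported."""
    return [(r, p) for p in policy.properties
            for r in policy.mandatory + policy.discretionary
            if r.action == "allow" and overlaps(r, p)]


# Constructed sample policy: risk management owns the global layers, departments own the rest.
POLICY = Policy(
    mandatory=[Rule("deny", "0.0.0.0/0", "10.0.0.0/8", 23, "risk-mgmt")],      # no telnet into the internal net
    discretionary=[
        Rule("allow", "10.1.0.0/16", "10.0.5.0/24", 443, "hr"),                 # fine: within global bounds
        Rule("allow", "0.0.0.0/0", "10.0.5.10/32", 23, "hr"),                   # conflicts with the mandatory deny
        Rule("allow", "10.2.0.0/16", "10.0.0.0/16", 22, "eng"),                 # reaches the management subnet
    ],
    properties=[Rule("deny", "0.0.0.0/0", "10.0.0.0/24", None, "risk-mgmt")],  # management subnet never reachable
)

if __name__ == "__main__":
    for pkt in [("10.1.2.3", "10.0.5.7", 443), ("203.0.113.5", "10.0.5.10", 23), ("10.1.2.3", "10.0.5.7", 22)]:
        print(pkt, "->", decide(POLICY, pkt))
    for d, m in check_conflicts(POLICY):
        print("conflict:", d.owner, "rule contradicts mandatory rule of", m.owner)
    for r, p in check_properties(POLICY):
        print("property violation:", r.owner, "rule allows traffic the", p.owner, "property forbids")
```

Because the mandatory layer is evaluated first, the conflicting HR telnet rule is harmless at enforcement time, but reporting it lets the delegating role see that a department has tried to exceed its bounds; the property check catches the engineering rule even though no mandatory rule shadows it, which is exactly the gap a separate property dimension is meant to close.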
Copyright information
© 2008 IFIP International Federation for Information Processing
About this paper
Cite this paper
Kropiwiec, C.D., Jamhour, E., Penna, M.C., Pujolle, G. (2008). Multi-constraint Security Policies for Delegated Firewall Administration. In: De Turck, F., Kellerer, W., Kormentzas, G. (eds) Managing Large-Scale Service Deployment. DSOM 2008. Lecture Notes in Computer Science, vol 5273. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-87353-2_10
DOI: https://doi.org/10.1007/978-3-540-87353-2_10
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-85999-4
Online ISBN: 978-3-540-87353-2