MIRAGE: A Management Tool for the Analysis and Deployment of Network Security Policies

  • Joaquin Garcia-Alfaro
  • Frédéric Cuppens
  • Nora Cuppens-Boulahia
  • Stere Preda
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6514)


We present the core functionality of MIRAGE, a management tool for the analysis and deployment of configuration policies over network security components, such as firewalls, intrusion detection systems, and VPN routers. We review the two main functionalities embedded in our current prototype: (1) a bottom-up analysis of already deployed network security configurations and (2) a top-down refinement of global policies into network security component configurations. In both cases, MIRAGE provides intra-component analysis to detect inconsistencies in single component deployments; and inter-component analysis, to detect multi-component deployments which are not consistent. MIRAGE also manages the description of the security architecture topology, to guarantee the proper execution of all the processes.


Network security Access control Analysis of configurations OrBAC Policy refinement 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Abou el Kalam, A., Baida, R., Balbiani, P., Benferhat, S., Cuppens, F., Deswarte, Y., Miège, A., Saurel, C., Trouessin, G.: Organization Based Access Control. In: IEEE 4th Intl. Workshop on Policies for Distributed Systems and Networks, Lake Come, Italy, pp. 120–131 (2003)Google Scholar
  2. 2.
    Abrial, J.R.: The B-Book — Assigning Programs to Meanings. Cambridge University Press, Cambridge (1996) ISBN 052149619-5CrossRefzbMATHGoogle Scholar
  3. 3.
    Al-Shaer, E.S., Hamed, H.H.: Discovery of Policy Anomalies in Distributed Firewalls.. In: IEEE INFOCOM 2004 (March 2004)Google Scholar
  4. 4.
    Al-Shaer, E.S., Hamed, H.H.: Taxonomy of Conflicts in Network Security Policies. IEEE Communications Magazine 44(3) (March 2006)Google Scholar
  5. 5.
    Baral, C., Lobo, J., Trajcevski, G.: Formal Characterization of Active Databases. In: Bry, F. (ed.) DOOD 1997. LNCS, vol. 1341. Springer, Heidelberg (1997)Google Scholar
  6. 6.
    Baek, S., Jeong, M., Park, J., Chung, T.: Policy based Hybrid Management Architecture for IP-based VPN. In: Network Operations and Management Symposium, NOMS 2000 (2000)Google Scholar
  7. 7.
    Bartal, Y., Mayer, A., Nissim, K., Wool, A.: Firmato: A Novel Firewall Management Toolkit. In: IEEE Symposium on Security and Privacy, Oakland, California, pp. 17–31 (May 1999)Google Scholar
  8. 8.
    Benaïssa, N., Cansell, D., Méry, D.: Integration of Security Policy into System Modeling. In: Julliand, J., Kouchnarenko, O. (eds.) B 2007. LNCS, vol. 4355, pp. 232–247. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  9. 9.
    Cuppens, F., Cuppens, N., Sans, T., Miège, A.: A formal approach to specify and deploy a network security policy. In: Second Workshop on Formal Aspects in Security and Trust, Toulouse, France, pp. 203–218 (August 2004)Google Scholar
  10. 10.
    Cuppens, F., Cuppens, N., Garcia-Alfaro, J.: Misconfiguration management of network security components. In: 7th International Symposium on System and Information Security (SSI 2005), Sao Paulo, Brazil, pp. 1–10 (November 2005)Google Scholar
  11. 11.
    Fu, Z., Wu, S., Huang, H., Loh, K., Gong, F., Baldine, I., Xu, C.: IPSec/VPN Security Policy: Correctness, Conflict Detection and Resolution. In: International Policy Workshop (January 2001)Google Scholar
  12. 12.
    García-Alfaro, J., Cuppens, F., Cuppens-Boulahia, N.: Towards Filtering and Alerting Rule Rewriting on Single-Component Policies. In: Górski, J. (ed.) SAFECOMP 2006. LNCS, vol. 4166, pp. 182–194. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  13. 13.
    García-Alfaro, J., Cuppens, F., Cuppens-Boulahia, N.: Analysis of policy anomalies on distributed network security setups. In: Gollmann, D., Meier, J., Sabelfeld, A. (eds.) ESORICS 2006. LNCS, vol. 4189, pp. 496–511. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  14. 14.
    Garcia-Alfaro, J., Cuppens, F., Cuppens, N.: Aggregating and Deploying Network Access Control Policies. In: 2nd International Conference on Availability, Reliability and Security (ARES 2007), Vienna, Austria, pp. 532–539. IEEE Computer Society, Los Alamitos (April 2007)CrossRefGoogle Scholar
  15. 15.
    Garcia-Alfaro, J., Cuppens, F., Cuppens, N.: Complete Analysis of Configuration Rules to Guarantee Reliable Network Security Policies. International Journal of Information Security 7(2), 103–122 (2008)CrossRefGoogle Scholar
  16. 16.
    Liu, A.X., Gouda, M.G.: Complete Redundancy Detection in Firewalls. In: 19th Annual IFIP Conference on Data and Applications Security (DBSec 2005), Storrs, Connecticut, pp. 196–209 (August 2005)Google Scholar
  17. 17.
    Preda, S., Cuppens, F., Cuppens-Boulahia, N., Garcia-Alfaro, J., Toutain, L., Elrakaiby, Y.: A Semantic Context Aware Security Policy Deployment. In: ACM Symposium on Information, Computer and Communications Security, Sydney, Australia, pp. 251–261 (March 2009)Google Scholar
  18. 18.
    Preda, S., Cuppens-Boulahia, N., Cuppens, F., Garcia-Alfaro, J., Toutain, L.: Model-Driven Security Policy Deployment: Property Oriented Approach. In: Massacci, F., Wallach, D., Zannone, N. (eds.) ESSoS 2010. LNCS, vol. 5965, pp. 123–139. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  19. 19.
    Preda, S., Cuppens-Boulahia, N., Cuppens, F., Toutain, L.: Architecture-Aware Adaptive Deployment of Contextual Security Policies. In: Fifth International Conference on Availability, Reliability and Security (ARES 2010). IEEE Computer Society, Los Alamitos (February 2010)Google Scholar
  20. 20.
    Sandhu, R., Coyne, E., Feinstein, H., Youman, C.: Role-Based Access Control Models. IEEE Computer 29(2), 38–47 (1996)CrossRefGoogle Scholar
  21. 21.
    Yuan, L., Mai, J., Su, S., Chen, H., Chuah, C., Mohapatra, P.: FIREMAN: a toolkit for FIREwall Modeling and ANalysis. In: IEEE Symposium on Security and Privacy, Oakland, California, pp. 199–213 (2006)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Joaquin Garcia-Alfaro
    • 1
  • Frédéric Cuppens
    • 1
  • Nora Cuppens-Boulahia
    • 1
  • Stere Preda
    • 1
  1. 1.Institut TélécomTélécom BretagneCesson-SévignéFrance

Personalised recommendations