
MIRAGE: A Management Tool for the Analysis and Deployment of Network Security Policies

  • Conference paper
  • In: Data Privacy Management and Autonomous Spontaneous Security (DPM 2010, SETOP 2010)

Abstract

We present the core functionality of MIRAGE, a management tool for the analysis and deployment of configuration policies over network security components such as firewalls, intrusion detection systems, and VPN routers. We review the two main functionalities embedded in our current prototype: (1) a bottom-up analysis of already deployed network security configurations, and (2) a top-down refinement of global policies into network security component configurations. In both cases, MIRAGE provides intra-component analysis, to detect inconsistencies within the configuration of a single component, and inter-component analysis, to detect multi-component deployments that are not consistent with each other. MIRAGE also manages the description of the security architecture topology, to guarantee the proper execution of all these processes.
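As an added illustration of the intra-component analysis the abstract describes (not MIRAGE's own code), the following checker walks one firewall's ordered, first-match rule set and reports rules that can never fire: shadowed (fully covered by an earlier rule with the opposite action) and redundant (fully covered by an earlier rule with the same action). The rule format, the `Rule`/`analyse` names and the sample policy are assumptions made for this example; partial overlaps (correlation) are out of its scope.

```python
# Added example: intra-component anomaly check for a single firewall's rule list.
# Not MIRAGE's code; rule format and sample rules are constructed for illustration.
from ipaddress import ip_network


class Rule:
    def __init__(self, name, action, proto, src, dst, ports):
        self.name, self.action, self.proto = name, action, proto
        self.src, self.dst = ip_network(src), ip_network(dst)   # IPv4 assumed
        self.ports = ports          # (low, high) inclusive destination port range

    def covers(self, other):
        """True when every packet matched by `other` is also matched by self."""
        return (self.proto in ("any", other.proto)
                and other.src.subnet_of(self.src)
                and other.dst.subnet_of(self.dst)
                and self.ports[0] <= other.ports[0]
                and other.ports[1] <= self.ports[1])


def analyse(rules):
    """Return (anomaly, rule, earlier_rule) triples for a first-match policy.

    A rule fully covered by an earlier rule is dead: 'shadowed' if the earlier
    rule decides differently (a real policy conflict), 'redundant' otherwise.
    """
    findings = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(rule):
                kind = "redundant" if earlier.action == rule.action else "shadowed"
                findings.append((kind, rule.name, earlier.name))
                break           # the first covering rule already settles it
    return findings


SAMPLE_POLICY = [   # constructed sample, not taken from the paper
    Rule("r1", "deny",   "tcp", "10.0.0.0/8",      "192.0.2.10/32", (22, 22)),
    Rule("r2", "permit", "tcp", "10.1.0.0/16",     "192.0.2.10/32", (22, 22)),   # shadowed by r1
    Rule("r3", "permit", "tcp", "0.0.0.0/0",       "192.0.2.0/24",  (80, 443)),
    Rule("r4", "permit", "tcp", "198.51.100.0/24", "192.0.2.0/24",  (443, 443)), # redundant with r3
    Rule("r5", "deny",   "udp", "0.0.0.0/0",       "192.0.2.0/24",  (53, 53)),
]

if __name__ == "__main__":
    for kind, rule, earlier in analyse(SAMPLE_POLICY):
        print(f"{rule} is {kind} (covered by {earlier})")
```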




Copyright information

© 2011 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Garcia-Alfaro, J., Cuppens, F., Cuppens-Boulahia, N., Preda, S. (2011). MIRAGE: A Management Tool for the Analysis and Deployment of Network Security Policies. In: Garcia-Alfaro, J., Navarro-Arribas, G., Cavalli, A., Leneutre, J. (eds) Data Privacy Management and Autonomous Spontaneous Security. DPM SETOP 2010 2010. Lecture Notes in Computer Science, vol 6514. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-19348-4_15


  • DOI: https://doi.org/10.1007/978-3-642-19348-4_15

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-19347-7

  • Online ISBN: 978-3-642-19348-4
