Journal articles

Multi-Constraint Security Policies for Delegated Firewall Administration

Abstract: This work presents a new approach to representing network security policy. It introduces a high-level language in which security policies are expressed through three policy models: mandatory, discretionary and security property. The proposed framework handles all three dimensions and generates the permissions from an abstract representation that is independent of how they are enforced, without violating the high-level security requirements. Each dimension can be defined by people with different roles; for example, the rules of the mandatory model and of the security property model could be assigned to risk-management personnel, while the rules of the discretionary model can be delegated to the network administrators of the organization's various departments. This work also presents a mechanism for representing the features implemented by different firewall models and a mechanism for translating the abstract representation into the scripts that configure the firewalls. A formal specification of the policy model validates the refinement algorithm, and a scalability study demonstrates how the algorithm behaves in large networks.
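The abstract describes the three policy dimensions but not how they compose. The following Python model is an added illustration written for this page, not the authors' framework or code: it shows one plausible way the dimensions can interact (mandatory rules are evaluated first and cannot be overridden, discretionary rules are accepted only from an administrator delegated for the zones they touch, and security properties are invariants checked over the composed decision table before any change is committed) and then refines the abstract decisions into an iptables script. The zones, CIDRs, services, delegation map, first-match/default-deny semantics and the Netfilter backend are all assumptions of this example, not details from the paper.

```python
"""Illustrative three-dimension firewall policy model (assumed model, not the paper's algorithm)."""
from dataclasses import dataclass
from itertools import product

# Constructed sample network: abstract zones mapped to CIDRs, services to protocol/port.
ZONES = {
    "internet": "0.0.0.0/0",
    "dmz": "203.0.113.0/24",
    "sales": "10.1.0.0/16",
    "db": "10.9.0.0/24",
}
SERVICES = {"https": ("tcp", 443), "ssh": ("tcp", 22), "mysql": ("tcp", 3306)}
# Assumed delegation map: the zones each department admin may write discretionary rules about.
DELEGATION = {"sales-admin": {"sales"}, "dmz-admin": {"dmz"}}


@dataclass(frozen=True)
class Rule:
    src: str       # zone name or "*"
    dst: str       # zone name or "*"
    service: str   # service name or "*"
    action: str    # "allow" or "deny"
    owner: str     # who authored the rule

    def matches(self, src, dst, service):
        return all(p == "*" or p == v
                   for p, v in ((self.src, src), (self.dst, dst), (self.service, service)))


class PolicyError(Exception):
    pass


class MultiConstraintPolicy:
    """Mandatory rules win, discretionary rules fill in, security properties must hold overall."""

    def __init__(self, mandatory, properties):
        self.mandatory = list(mandatory)    # risk management: evaluated first, never overridden
        self.properties = list(properties)  # risk management: invariants on the composed result
        self.discretionary = []             # department admins: scoped by DELEGATION
        bad = self._violations([])          # even mandatory allows must respect the properties
        if bad:
            raise PolicyError(f"mandatory rules violate properties: {bad}")

    def add_discretionary(self, rule):
        scope = DELEGATION.get(rule.owner, set())
        if rule.src not in scope and rule.dst not in scope:
            raise PolicyError(f"{rule.owner} is not delegated {rule.src}->{rule.dst}")
        candidate = self.discretionary + [rule]
        bad = self._violations(candidate)   # check before committing, so a bad rule never lands
        if bad:
            raise PolicyError(f"rule would violate property: {bad[0]}")
        self.discretionary = candidate

    def decide(self, src, dst, service, discretionary=None):
        rules = self.discretionary if discretionary is None else discretionary
        for r in self.mandatory + rules:    # first match; mandatory always precedes discretionary
            if r.matches(src, dst, service):
                return r.action
        return "deny"                       # default deny

    def _violations(self, discretionary):
        out = []
        for src, dst, svc in product(ZONES, ZONES, SERVICES):
            if src == dst or self.decide(src, dst, svc, discretionary) != "allow":
                continue
            for prop in self.properties:
                if not prop["check"](src, dst, svc):
                    out.append(f"{prop['name']}: {src}->{dst} {svc}")
        return out

    def refine_iptables(self):
        """Translate the fully enumerated decision table into an iptables script (assumed backend)."""
        lines = ["iptables -P FORWARD DROP"]  # default deny; only explicit allows are emitted
        for src, dst, svc in product(ZONES, ZONES, SERVICES):
            if src != dst and self.decide(src, dst, svc) == "allow":
                proto, port = SERVICES[svc]
                lines.append(f"iptables -A FORWARD -s {ZONES[src]} -d {ZONES[dst]} "
                             f"-p {proto} --dport {port} -j ACCEPT")
        return lines


def build_example():
    """Constructed scenario: two mandatory rules, two properties, four delegated rule submissions."""
    policy = MultiConstraintPolicy(
        mandatory=[Rule("internet", "db", "*", "deny", "risk-mgmt"),
                   Rule("internet", "dmz", "https", "allow", "risk-mgmt")],
        properties=[{"name": "db reachable only from dmz",
                     "check": lambda s, d, v: d != "db" or s == "dmz"},
                    {"name": "no ssh from internet",
                     "check": lambda s, d, v: not (s == "internet" and v == "ssh")}],
    )
    results = {}
    for rule in (Rule("sales", "dmz", "ssh", "allow", "sales-admin"),    # accepted
                 Rule("sales", "db", "mysql", "allow", "sales-admin"),   # rejected: property
                 Rule("dmz", "db", "mysql", "allow", "sales-admin"),     # rejected: not delegated
                 Rule("dmz", "db", "mysql", "allow", "dmz-admin")):      # accepted
        key = (rule.owner, rule.src, rule.dst, rule.service)
        try:
            policy.add_discretionary(rule)
            results[key] = "accepted"
        except PolicyError as e:
            results[key] = f"rejected: {e}"
    return policy, results


if __name__ == "__main__":
    policy, results = build_example()
    for key, verdict in results.items():
        print(key, verdict)
    print("\n".join(policy.refine_iptables()))
```

The point of the property check is that it runs over the composed decision table, not over individual rules: a department admin's rule is rejected even when it is inside their delegated scope if the resulting reachability would break an invariant set by risk management. Because every (src, dst, service) decision is enumerated, the generated script needs only a default DROP and ACCEPT lines, so mandatory denies are enforced by omission rather than by rule ordering on the firewall.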
Document type: Journal articles
Submitted on: Wednesday, June 24, 2015 - 5:29:30 PM
Last modification on: Thursday, March 21, 2019 - 1:11:16 PM




Cassio Ditzel Kropiwiec, Edgard Jamhour, Manoel Camillo de Oliveira Penna Neto, Guy Pujolle. Multi-Constraint Security Policies for Delegated Firewall Administration. International Journal of Network Management, Wiley, 2011, 21 (6), pp.469-493. ⟨10.1002/nem.774⟩. ⟨hal-01167813⟩


