Abstract
Current firewall configuration languages have no well-founded semantics: each firewall implements its own algorithm that parses its own proprietary language. The main consequence is that network access control policies are difficult to manage, and most firewalls are in practice misconfigured. In this paper, we present an access control language with an XML syntax whose semantics is interpreted in the Or-BAC (Organization Based Access Control) model. We show how to use this language to specify high-level network access control policies and then, through a translation process, to automatically derive the concrete access control rules that configure specific firewalls. Our approach provides clear semantics for network security policy specification, makes such policies easier for the administrator to manage, and guarantees portability between firewalls.
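To make the two-level idea concrete, the following is an added example (not the paper's language or tooling): a small Or-BAC-style XML policy expressed at the abstract level (roles of hosts, activities of services, views of destination hosts, with permissions and prohibitions) is parsed and refined into concrete (source, protocol, port, destination, decision) rules, which are then rendered as iptables commands. The element and attribute vocabulary, the sample addresses and the `parse_policy`/`derive_concrete`/`to_iptables` helpers are all assumptions of this example.

```python
"""Toy Or-BAC-style policy to iptables translator (added example)."""
import xml.etree.ElementTree as ET
from itertools import product

# Constructed sample policy. The element/attribute vocabulary below is an
# assumption of this example, not the XML syntax defined by the paper.
# Roles group source hosts, views group destination hosts, activities group
# services; permission/prohibition elements are the abstract-level rules.
POLICY_XML = """<policy organization="corp">
  <role name="dmz_web">
    <host ip="192.0.2.10"/>
    <host ip="192.0.2.11"/>
  </role>
  <role name="internal_dns">
    <host ip="10.0.0.53"/>
  </role>
  <view name="internet">
    <host ip="0.0.0.0/0"/>
  </view>
  <view name="db_servers">
    <host ip="10.0.1.0/24"/>
  </view>
  <activity name="dns">
    <service proto="udp" port="53"/>
  </activity>
  <activity name="sql">
    <service proto="tcp" port="5432"/>
  </activity>
  <prohibition role="dmz_web" activity="dns" view="internet"/>
  <permission role="dmz_web" activity="sql" view="db_servers"/>
  <permission role="internal_dns" activity="dns" view="internet"/>
</policy>
"""


def parse_policy(xml_text):
    """Return (roles, activities, views, abstract_rules) from the XML policy.

    Every abstract rule must refer to a defined role, activity and view;
    a dangling reference is rejected rather than silently ignored, since an
    ignored prohibition would fail open.
    """
    root = ET.fromstring(xml_text)
    roles = {r.get("name"): [h.get("ip") for h in r.findall("host")]
             for r in root.findall("role")}
    views = {v.get("name"): [h.get("ip") for h in v.findall("host")]
             for v in root.findall("view")}
    activities = {a.get("name"): [(s.get("proto"), int(s.get("port")))
                                  for s in a.findall("service")]
                  for a in root.findall("activity")}
    abstract = []
    # Prohibitions are collected first so that, under the first-match
    # semantics of the target firewall, they take precedence over permissions.
    for tag, decision in (("prohibition", "DROP"), ("permission", "ACCEPT")):
        for rule in root.findall(tag):
            for key, table in (("role", roles), ("activity", activities), ("view", views)):
                if rule.get(key) not in table:
                    raise ValueError(f"{tag} refers to undefined {key} {rule.get(key)!r}")
            abstract.append((decision, rule.get("role"), rule.get("activity"), rule.get("view")))
    return roles, activities, views, abstract


def derive_concrete(xml_text):
    """Refine abstract (role, activity, view) rules into concrete
    (src, proto, dport, dst, decision) tuples by expanding each group."""
    roles, activities, views, abstract = parse_policy(xml_text)
    concrete = []
    for decision, role, activity, view in abstract:
        for src, (proto, port), dst in product(roles[role], activities[activity], views[view]):
            concrete.append((src, proto, port, dst, decision))
    return concrete


def to_iptables(xml_text, chain="FORWARD"):
    """Render the concrete rules for one specific firewall language (iptables).
    A translator for another firewall would replace only this function."""
    lines = [f"iptables -P {chain} DROP"]  # default deny; only derived rules open traffic
    for src, proto, port, dst, decision in derive_concrete(xml_text):
        lines.append(f"iptables -A {chain} -s {src} -d {dst} -p {proto} --dport {port} -j {decision}")
    return lines


if __name__ == "__main__":
    print("\n".join(to_iptables(POLICY_XML)))
```

The separation matters for the portability claim: the abstract policy and its refinement into concrete triples are firewall-independent, and only the final rendering step knows iptables syntax. The simple "prohibitions first" ordering used here is enough for this non-conflicting sample; a policy in which a permission and a prohibition derive the same concrete triple needs an explicit conflict-resolution strategy at the abstract level before anything is emitted.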
© 2005 International Federation for Information Processing
About this paper
Cite this paper
Cuppens, F., Cuppens-Boulahia, N., Sans, T., Miège, A. (2005). A Formal Approach to Specify and Deploy a Network Security Policy. In: Dimitrakos, T., Martinelli, F. (eds) Formal Aspects in Security and Trust. IFIP WCC TC1 2004. IFIP International Federation for Information Processing, vol 173. Springer, Boston, MA. https://doi.org/10.1007/0-387-24098-5_15
DOI: https://doi.org/10.1007/0-387-24098-5_15
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-24050-3
Online ISBN: 978-0-387-24098-5
eBook Packages: Computer Science (R0)