A FORMAL APPROACH TO SPECIFY AND DEPLOY A NETWORK SECURITY POLICY

Frédéric Cuppens (1), Nora Cuppens-Boulahia (1), Thierry Sans (1), Alexandre Miège (1, 2)

(1) GET/ENST Bretagne, 2 rue de la Châtaigneraie, 35512 Cesson Sévigné Cedex, France
(2) GET/ENST, 46 rue Barrault, 75634 Paris Cedex 13, France

Abstract

Current firewall configuration languages have no well-founded semantics. Each firewall implements its own algorithm that parses a specific proprietary language. The main consequence is that network access control policies are difficult to manage, and most firewalls are in fact wrongly configured. In this paper we present an access control language based on XML syntax whose semantics is interpreted in the access control model Or-BAC (Organization Based Access Control). We show how to use this language to specify high-level network access control policies and then to automatically derive concrete access control rules to configure specific firewalls through a translation process. Our approach provides clear semantics for network security policy specification, makes management of such a policy easier for the administrator, and guarantees portability between firewalls.
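To make the translation process described in the abstract concrete, here is an added example (written for this page, not the authors' language or tool) that unfolds a small abstract policy into firewall rules. The XML dialect, its element names (roles grouping subject networks, views grouping destination hosts, activities grouping protocol/port actions), the prohibition-first ordering and the default-deny base policy are all assumptions of this example; the sample policy itself is constructed.

```python
"""Unfold an abstract, Or-BAC-style network policy into concrete firewall rules.

Example written for this page: the XML dialect below, its element names and the
translation strategy are assumptions, not the paper's language or tool.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample policy. Roles group subjects (source networks), views group
# objects (destination hosts) and activities group actions (protocol/port).
POLICY_XML = """
<policy organization="acme">
  <roles>
    <role name="lan_user"><subject ip="192.168.1.0/24"/></role>
    <role name="internet"><subject ip="0.0.0.0/0"/></role>
  </roles>
  <views>
    <view name="web_server"><object ip="10.0.0.10"/></view>
    <view name="mail_server"><object ip="10.0.0.20"/></view>
  </views>
  <activities>
    <activity name="browse">
      <action proto="tcp" port="80"/><action proto="tcp" port="443"/>
    </activity>
    <activity name="send_mail"><action proto="tcp" port="25"/></activity>
  </activities>
  <rules>
    <permission role="lan_user" activity="browse" view="web_server"/>
    <permission role="lan_user" activity="send_mail" view="mail_server"/>
    <prohibition role="internet" activity="send_mail" view="mail_server"/>
  </rules>
</policy>
"""


def _port(text):
    """Validate a port attribute so a typo cannot become a malformed rule."""
    port = int(text)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def parse_policy(xml_text):
    """Parse the abstract policy into plain dictionaries keyed by entity name."""
    root = ET.fromstring(xml_text.strip())
    roles = {r.get("name"): [ipaddress.ip_network(s.get("ip")) for s in r.findall("subject")]
             for r in root.find("roles")}
    views = {v.get("name"): [ipaddress.ip_network(o.get("ip")) for o in v.findall("object")]
             for v in root.find("views")}
    activities = {a.get("name"): [(x.get("proto"), _port(x.get("port"))) for x in a.findall("action")]
                  for a in root.find("activities")}
    rules = [(el.tag, el.get("role"), el.get("activity"), el.get("view"))
             for el in root.find("rules")]
    return {"organization": root.get("organization"), "roles": roles,
            "views": views, "activities": activities, "rules": rules}


def derive_concrete_rules(policy):
    """Unfold each abstract rule into (decision, src, dst, proto, port) tuples.

    A rule naming an undefined role, activity or view aborts the translation:
    silently dropping it would leave the firewall open or closed by accident.
    """
    concrete = []
    for kind, role, activity, view in policy["rules"]:
        if kind not in ("permission", "prohibition"):
            raise ValueError(f"unknown rule kind: {kind}")
        try:
            subjects = policy["roles"][role]
            actions = policy["activities"][activity]
            objects = policy["views"][view]
        except KeyError as missing:
            raise ValueError(f"rule references undefined entity {missing}") from None
        decision = "ACCEPT" if kind == "permission" else "DROP"
        for src in subjects:
            for dst in objects:
                for proto, port in actions:
                    concrete.append((decision, src, dst, proto, port))
    # Assumed conflict strategy: prohibitions are emitted before permissions so
    # that a broad permission cannot shadow a narrower prohibition.
    concrete.sort(key=lambda rule: rule[0] != "DROP")
    return concrete


def to_iptables(concrete):
    """Render the concrete rules as iptables commands on a default-deny chain."""
    lines = ["iptables -P FORWARD DROP"]
    for decision, src, dst, proto, port in concrete:
        lines.append(f"iptables -A FORWARD -s {src} -d {dst} -p {proto} "
                     f"--dport {port} -j {decision}")
    return lines


if __name__ == "__main__":
    for line in to_iptables(derive_concrete_rules(parse_policy(POLICY_XML))):
        print(line)
```

Running the module prints the resulting iptables commands. The design point worth noting is that the translator refuses to emit anything when an abstract rule refers to an entity the policy never defined: an administrator's typo in a role or view name should surface as an error at translation time, not as a missing rule in the deployed firewall.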
1. Introduction

It is well known in the computer security community that specifying and managing access control rules is a hard task, whatever the level of abstraction considered. These access control rules are actually part of a more global set of rules called an organizational policy. We argue that this organizational policy has to be unfolded to obtain packages of access control rules, each of which is handled by a security component: for instance, an environmental security package, a physical security package, an operating system security package, a staff package and a network security package. Firewalls are the components that deal with network security packages. They are used to block, to some extent, any suspicious communication from the Internet to the private local area network (LAN) and to deny the members of the private LAN access the all .