Stere Preda, Nora Cuppens-Boulahia, Frédéric Cuppens, Joaquin G. Alfaro, Laurent Toutain



We focus in this paper on the problem of configuring and managing network security devices, such as Firewalls, Virtual Private Network (VPN) tunnels, and Intrusion Detection Systems (IDSs). Our proposal is the following. First, we formally specify the security requirements of a given system by using an expressive access control model. As a result, we obtain an abstract security policy, which is free of ambiguities, redundancies or unnecessary details. Second, we deploy such an abstract policy through a set of automatic compilations into the security devices of the system. This proposed deployment process not only simplifies the security administrator’s job, but also guarantees a resulting configuration free of anomalies and/or inconsistencies.



Paper Citation (Harvard style)

Preda S., Cuppens-Boulahia N., Cuppens F., G. Alfaro J. and Toutain L. (2007). RELIABLE PROCESS FOR SECURITY POLICY DEPLOYMENT. In Proceedings of the Second International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2007), ISBN 978-989-8111-12-8, pages 5-15. DOI: 10.5220/0002119200050015
