Abstract
We present the core functionality of MIRAGE, a management tool for the analysis and deployment of configuration policies over network security components, such as firewalls, intrusion detection systems, and VPN routers. We review the two main functionalities embedded in our current prototype: (1) a bottom-up analysis of already deployed network security configurations, and (2) a top-down refinement of global policies into network security component configurations. In both cases, MIRAGE provides intra-component analysis, to detect inconsistencies within a single component's deployment, and inter-component analysis, to detect multi-component deployments that are not consistent with each other. MIRAGE also manages the description of the security architecture topology, to guarantee the proper execution of all these processes.
© 2011 Springer-Verlag Berlin Heidelberg
Garcia-Alfaro, J., Cuppens, F., Cuppens-Boulahia, N., Preda, S. (2011). MIRAGE: A Management Tool for the Analysis and Deployment of Network Security Policies. In: Garcia-Alfaro, J., Navarro-Arribas, G., Cavalli, A., Leneutre, J. (eds) Data Privacy Management and Autonomous Spontaneous Security. DPM SETOP 2010 2010. Lecture Notes in Computer Science, vol 6514. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-19348-4_15
DOI: https://doi.org/10.1007/978-3-642-19348-4_15
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-19347-7
Online ISBN: 978-3-642-19348-4