• DocumentCode
    3211531
  • Title

    Filtering postures: local enforcement for global policies

  • Author

    Guttman, Joshua D.

  • Author_Institution
    Mitre Corp., Bedford, MA, USA
  • fYear
    1997
  • fDate
    4-7 May 1997
  • Firstpage
    120
  • Lastpage
    129
  • Abstract
    When packet filtering is used as a security mechanism, different routers may need to cooperate to enforce the desired security policy. It is difficult to ensure that they will do so correctly. We introduce a simple language for expressing global network access control policies of a kind that filtering routers are capable of enforcing. We then introduce an algorithm that, given the network topology, will compute a set of filters for the individual routers; these filters are guaranteed to enforce the policy correctly. Since these filters may not provide optimal service, a human must sometimes alter them. A second algorithm compares a resulting set of filters to the global network access control policy to determine all policy violations, or to report that none exist. A prototype implementation demonstrates that the algorithms are efficient enough to give quick answers to questions of realistic scale.
  • Keywords
    authorisation; computer networks; packet switching; software performance evaluation; telecommunication network routing; filtering postures; global network access control; global policy local enforcement; network topology; optimal service; packet filtering; prototype implementation; routers; security policy; Access control; Computer networks; Data security; Filtering; Filters; Humans; Information security; National security; Network topology; Prototypes;
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Titel
    Security and Privacy, 1997. Proceedings., 1997 IEEE Symposium on
  • Conference_Location
    Oakland, CA
  • ISSN
    1081-6011
  • Print_ISBN
    0-8186-7828-3
  • Type

    conf

  • DOI
    10.1109/SECPRI.1997.601327
  • Filename
    601327