Title :
Filtering postures: local enforcement for global policies
Author :
Guttman, Joshua D.
Author_Institution :
Mitre Corp., Bedford, MA, USA
Abstract :
When packet filtering is used as a security mechanism, different routers may need to cooperate to enforce the desired security policy. It is difficult to ensure that they will do so correctly. We introduce a simple language for expressing global network access control policies of a kind that filtering routers are capable of enforcing. We then introduce an algorithm that, given the network topology, will compute a set of filters for the individual routers; these filters are guaranteed to enforce the policy correctly. Since these filters may not provide optimal service, a human must sometimes alter them. A second algorithm compares a resulting set of filters to the global network access control policy to determine all policy violations, or to report that none exist. A prototype implementation demonstrates that the algorithms are efficient enough to give quick answers to questions of realistic scale.
Keywords :
authorisation; computer networks; packet switching; software performance evaluation; telecommunication network routing; filtering postures; global network access control; global policy local enforcement; network topology; optimal service; packet filtering; prototype implementation; routers; security policy; Access control; Computer networks; Data security; Filtering; Filters; Humans; Information security; National security; Network topology; Prototypes
Conference_Title :
Security and Privacy, 1997. Proceedings., 1997 IEEE Symposium on
Conference_Location :
Oakland, CA
Print_ISBN :
0-8186-7828-3
DOI :
10.1109/SECPRI.1997.601327