Filtering postures: local enforcement for global policies
Oakland, CA May 04-May 07
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/SECPRI.1997.601327
1997 IEEE Symposium on Security and P ...
J.D. Guttman, Mitre Corp., Bedford, MA, US
Abstract: When packet filtering is used as a security mechanism, different routers may need to cooperate to enforce the desired security policy. It is difficult to ensure that they will do so correctly. We introduce a simple language for expressing global network access control policies of a kind that filtering routers are capable of enforcing. We then introduce an algorithm that, given the network topology, will compute a set of filters for the individual routers; these filters are guaranteed to enforce the policy correctly. Since these filters may not provide optimal service, a human must sometimes alter them. A second algorithm compares a resulting set of filters to the global network access control policy to determine all policy violations, or to report that none exist. A prototype implementation demonstrates that the algorithms are efficient enough to give quick answers to questions of realistic scale.
Index Terms:
authorisation; filtering postures; global policy local enforcement; packet filtering; global network access control; routers; security policy; network topology; optimal service; prototype implementation
Citation:
J.D. Guttman, "Filtering postures: local enforcement for global policies," sp, pp.0120, 1997 IEEE Symposium on Security and Privacy, 1997