Management of exceptions on access control policies

Joaquin Garcia Alfaro; Frederic Cuppens; Nora Cuppens-Boulahia

doi:10.1007/978-0-387-72367-9_9

Management of exceptions on access control policies

Joaquin Garcia Alfaro
, Frederic Cuppens
, Nora Cuppens-Boulahia

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

The use of languages based on positive or negative expressiveness is very common for the deployment of security policies (i.e., deployment of permissions and prohibitions on firewalls through singlehanded positive or negative condition attributes). Although these languages may allow us to specify any policy, the single use of positive or negative statements alone leads to complex configurations when excluding some specific cases of general rules that should always apply. In this paper we survey such a management and study existing solutions, such as ordering of rules and segmentation of condition attributes, in order to settle this lack of expressiveness. We then point out to the necessity of full expressiveness for combining both negative and positive conditions on firewall languages in order to improve this management of exceptions on access control policies. This strategy offers us a more efficient deployment of policies, even using fewer rules.

Original language	English
Title of host publication	New Approaches for Security, Privacy and Trust in Complex Environments
Subtitle of host publication	Proceedings of the IFIP TC-11 22nd International Information Security Conference (SEC 2007), 14-16 May 2007, Sandton, S. Africa
Editors	Hein Venter, Jan Eloff, Mariki Eloff, Les Labuschagne, Rossouw Solms
Pages	97-108
Number of pages	12
DOIs	https://doi.org/10.1007/978-0-387-72367-9_9
Publication status	Published - 26 Nov 2007
Externally published	Yes

Publication series

Name	IFIP International Federation for Information Processing
Volume	232
ISSN (Print)	1571-5736

Access to Document

10.1007/978-0-387-72367-9_9

Cite this

Alfaro, J. G., Cuppens, F., & Cuppens-Boulahia, N. (2007). Management of exceptions on access control policies. In H. Venter, J. Eloff, M. Eloff, L. Labuschagne, & R. Solms (Eds.), New Approaches for Security, Privacy and Trust in Complex Environments: Proceedings of the IFIP TC-11 22nd International Information Security Conference (SEC 2007), 14-16 May 2007, Sandton, S. Africa (pp. 97-108). (IFIP International Federation for Information Processing; Vol. 232). https://doi.org/10.1007/978-0-387-72367-9_9

Alfaro, Joaquin Garcia ; Cuppens, Frederic ; Cuppens-Boulahia, Nora. / Management of exceptions on access control policies. New Approaches for Security, Privacy and Trust in Complex Environments: Proceedings of the IFIP TC-11 22nd International Information Security Conference (SEC 2007), 14-16 May 2007, Sandton, S. Africa. editor / Hein Venter ; Jan Eloff ; Mariki Eloff ; Les Labuschagne ; Rossouw Solms. 2007. pp. 97-108 (IFIP International Federation for Information Processing).

@inproceedings{8fdee1c7930e414789de36d4de54243b,

title = "Management of exceptions on access control policies",

abstract = "The use of languages based on positive or negative expressiveness is very common for the deployment of security policies (i.e., deployment of permissions and prohibitions on firewalls through singlehanded positive or negative condition attributes). Although these languages may allow us to specify any policy, the single use of positive or negative statements alone leads to complex configurations when excluding some specific cases of general rules that should always apply. In this paper we survey such a management and study existing solutions, such as ordering of rules and segmentation of condition attributes, in order to settle this lack of expressiveness. We then point out to the necessity of full expressiveness for combining both negative and positive conditions on firewall languages in order to improve this management of exceptions on access control policies. This strategy offers us a more efficient deployment of policies, even using fewer rules.",

author = "Alfaro, \{Joaquin Garcia\} and Frederic Cuppens and Nora Cuppens-Boulahia",

year = "2007",

month = nov,

day = "26",

doi = "10.1007/978-0-387-72367-9\_9",

language = "English",

isbn = "0387723668",

series = "IFIP International Federation for Information Processing",

pages = "97--108",

editor = "Hein Venter and Jan Eloff and Mariki Eloff and Les Labuschagne and Rossouw Solms",

booktitle = "New Approaches for Security, Privacy and Trust in Complex Environments",

}

Alfaro, JG, Cuppens, F & Cuppens-Boulahia, N 2007, Management of exceptions on access control policies. in H Venter, J Eloff, M Eloff, L Labuschagne & R Solms (eds), New Approaches for Security, Privacy and Trust in Complex Environments: Proceedings of the IFIP TC-11 22nd International Information Security Conference (SEC 2007), 14-16 May 2007, Sandton, S. Africa. IFIP International Federation for Information Processing, vol. 232, pp. 97-108. https://doi.org/10.1007/978-0-387-72367-9_9

Management of exceptions on access control policies. / Alfaro, Joaquin Garcia; Cuppens, Frederic; Cuppens-Boulahia, Nora.
New Approaches for Security, Privacy and Trust in Complex Environments: Proceedings of the IFIP TC-11 22nd International Information Security Conference (SEC 2007), 14-16 May 2007, Sandton, S. Africa. ed. / Hein Venter; Jan Eloff; Mariki Eloff; Les Labuschagne; Rossouw Solms. 2007. p. 97-108 (IFIP International Federation for Information Processing; Vol. 232).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Management of exceptions on access control policies

AU - Alfaro, Joaquin Garcia

AU - Cuppens, Frederic

AU - Cuppens-Boulahia, Nora

PY - 2007/11/26

Y1 - 2007/11/26

N2 - The use of languages based on positive or negative expressiveness is very common for the deployment of security policies (i.e., deployment of permissions and prohibitions on firewalls through singlehanded positive or negative condition attributes). Although these languages may allow us to specify any policy, the single use of positive or negative statements alone leads to complex configurations when excluding some specific cases of general rules that should always apply. In this paper we survey such a management and study existing solutions, such as ordering of rules and segmentation of condition attributes, in order to settle this lack of expressiveness. We then point out to the necessity of full expressiveness for combining both negative and positive conditions on firewall languages in order to improve this management of exceptions on access control policies. This strategy offers us a more efficient deployment of policies, even using fewer rules.

AB - The use of languages based on positive or negative expressiveness is very common for the deployment of security policies (i.e., deployment of permissions and prohibitions on firewalls through singlehanded positive or negative condition attributes). Although these languages may allow us to specify any policy, the single use of positive or negative statements alone leads to complex configurations when excluding some specific cases of general rules that should always apply. In this paper we survey such a management and study existing solutions, such as ordering of rules and segmentation of condition attributes, in order to settle this lack of expressiveness. We then point out to the necessity of full expressiveness for combining both negative and positive conditions on firewall languages in order to improve this management of exceptions on access control policies. This strategy offers us a more efficient deployment of policies, even using fewer rules.

UR - https://www.scopus.com/pages/publications/36248989621

U2 - 10.1007/978-0-387-72367-9_9

DO - 10.1007/978-0-387-72367-9_9

M3 - Conference contribution

AN - SCOPUS:36248989621

SN - 0387723668

SN - 9780387723662

T3 - IFIP International Federation for Information Processing

SP - 97

EP - 108

BT - New Approaches for Security, Privacy and Trust in Complex Environments

A2 - Venter, Hein

A2 - Eloff, Jan

A2 - Eloff, Mariki

A2 - Labuschagne, Les

A2 - Solms, Rossouw

ER -

Alfaro JG, Cuppens F, Cuppens-Boulahia N. Management of exceptions on access control policies. In Venter H, Eloff J, Eloff M, Labuschagne L, Solms R, editors, New Approaches for Security, Privacy and Trust in Complex Environments: Proceedings of the IFIP TC-11 22nd International Information Security Conference (SEC 2007), 14-16 May 2007, Sandton, S. Africa. 2007. p. 97-108. (IFIP International Federation for Information Processing). doi: 10.1007/978-0-387-72367-9_9

Management of exceptions on access control policies

Abstract

Publication series

Access to Document

Other files and links

Fingerprint

Cite this