DITZEL KROPIWIEC Cassio
Supervision : Guy PUJOLLE
Co-supervision : MUNARETTO Anelise
Multi-Constrained Security Policies for Delegated Firewall Administration
The management of security policies is an important issue for networks of any size. The policy must be designed to protect internal resources from external users and also from internal users. In networks with one or only a few firewalls, defining the configuration of each device is easier. In larger networks, however, the administrator must consider both the configuration of each firewall in isolation and the effects of that configuration on the whole network. This thesis proposes a framework for representing and managing global network security policies for distributed firewall administration. The proposed framework defines a high-level policy language that allows policies to be specified in mandatory, discretionary and security property models. The framework handles the three dimensions simultaneously and coherently describes the resulting permissions in an abstract representation that is independent of how they will be enforced, without violating the global security goal. The framework also includes a mechanism that translates the abstract representation of permissions into low-level configuration scripts/rules for firewalls of different models and vendors, allowing its use for the configuration of heterogeneous networks. Each dimension can be defined by people in different roles, allowing cooperation in the definition of the global policy. The framework is formalized in Z notation to demonstrate its completeness and correctness, and a scalability study is presented to demonstrate the behavior of the framework in larger networks.
Defence : 07/10/2009
Jury members :
M. Serhrouchni Ahmed
Mme. Ghernaouti Solange
M. Perros Harry (Université Caroline du Nord - Raleigh)
M. Urien Pascal
M. Pereira Fonseca Mauro Sérgio (Université de Curitiba - Brésil)
M. PUJOLLE Guy (LIP6)
M. PENNA Manoel Camillo
2006-2011 Publications
2011
- C. Ditzel Kropiwiec, E. Jamhour, M. De Oliveira Penna Neto, G. Pujolle : “Multi-Constraint Security Policies for Delegated Firewall Administration”, International Journal of Network Management, vol. 21 (6), pp. 469-493, (Wiley) (2011)
2009
- C. Ditzel Kropiwiec : “Multi-Constrained Security Policies for Delegated Firewall Administration”, thesis, defence 07/10/2009, supervision Pujolle, Guy, co-supervision : Munaretto, Anelise (2009)
2008
- C. Ditzel Kropiwiec, E. Jamhour, M. De Oliveira Penna Neto, G. Pujolle : “Multi-constraint Security Policies for Delegated Firewall Administration”, 19th IFIP/IEEE International Workshop on Distributed Systems: Operations and Management, DSOM 2008, vol. 5273, Lecture Notes in Computer Science, Samos Island, Greece, pp. 123-135, (Springer) (2008)
2006
- C. Ditzel Kropiwiec, E. Jamhour, M. Fonseca, F. Enembreck, G. Pujolle : “Uma Abordagem Baseada em Programação Declarativa para Configuração de Firewalls em Ambientes Heterogêneos”, SBRC 2006 - 24. Simpósio Brasileiro de Redes de Computadores, Curitiba, Brazil, pp. 407-421 (2006)