Team: Phare
Start date: 11/07/2009
The management of security policies is an important issue for networks of any size. The policy must be designed to protect internal resources from external users and also from internal users. In networks with one or only a few firewalls, defining the configuration of each device is easy. In larger networks, however, the administrator must consider both the configuration of each firewall in isolation and the effects of that configuration on the whole network. This thesis proposes a framework for representing and managing global network security policies for distributed firewall administration. The proposed framework defines a high-level policy language that allows policies to be specified in mandatory, discretionary and security-property models. The framework handles these three dimensions simultaneously and coherently describes the resulting permissions in an abstract representation that is independent of how they will be enforced, without violating the global security goal. The framework also includes a mechanism responsible for translating the abstract representation of permissions into low-level configuration scripts/rules for firewalls of different models and vendors, allowing it to be used to configure heterogeneous networks. Each dimension can be defined by people in different roles, enabling cooperation in the definition of the global policy. The framework is formalized in Z notation to demonstrate its completeness and correctness, and a scalability study is presented to demonstrate the behavior of the framework in larger networks.

Defense: 10/07/2009 - 10:00 - Passy-Kennedy site - room 549

Jury members:

M. Serhrouchni Ahmed
Mme. Ghernaouti Solange
M. Perros Harry (North Carolina State University - Raleigh)
M. Urien Pascal
M. Pereira Fonseca Mauro Sérgio (University of Curitiba - Brazil)
M. PENNA Manoel Camillo