Abstract
The development of complex access control architectures raises the problem of their management. In this article, we describe an architecture that automatically configures packet filters in Internet-based networks. Our architecture improves on existing proposals in three areas. It removes the need for the security officer to interact with the management architecture when topology changes occur, thus preventing temporary security holes. Moreover, our architecture proposes three optimisations that provide the access control processes with efficient configurations. Simulations show that the complexity of these configurations is close to that of configurations created by hand. Finally, we describe how the notion of access control integrity can be incorporated into our management architecture at a reasonable cost.
Résumé (French abstract, translated)
The development of complex access control architectures raises the problem of their management. In this article, we describe an architecture that ensures the automatic configuration of filtering routers in an Internet network. Our proposal improves on existing solutions in three areas. First, it removes the interactions between the security officer and the management system when topology changes occur, thereby avoiding temporary security holes. It relies on three optimisations that ensure an efficient configuration of the routers. Our simulations show that the complexity of these configurations is close to that of configurations created by hand. Finally, we show how our architecture can take the notion of access control integrity into account at a reasonable cost.
Additional information
This work is funded by DRET.
About this article
Cite this article
Paul, O., Laurent, M. Improving packet filters management through automatic and dynamic schemes. Ann. Télécommun. 56, 595–608 (2001). https://doi.org/10.1007/BF03008836
DOI: https://doi.org/10.1007/BF03008836
Key words
- Telecommunication network
- Packet transmission
- Network router
- Filtering
- Network architecture
- Internet
- Network management
- Distributed system
- Simulation
- Integrity