Reliable Process for Security Policy Deployment

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, refer to the original arXiv source.

We focus in this paper on the problem of configuring and managing network security devices, such as Firewalls, Virtual Private Network (VPN) tunnels, and Intrusion Detection Systems (IDSs). Our proposal is the following. First, we formally specify the security requirements of a given system by using an expressive access control model. As a result, we obtain an abstract security policy, which is free of ambiguities, redundancies or unnecessary details. Second, we deploy such an abstract policy through a set of automatic compilations into the security devices of the system. This proposed deployment process not only simplifies the security administrator’s job, but also guarantees a resulting configuration free of anomalies and/or inconsistencies.


💡 Research Summary

The paper addresses the long‑standing problem of configuring and managing heterogeneous network security devices—firewalls, VPN/IPSec tunnels, and intrusion detection systems (IDSs)—in a way that eliminates policy anomalies such as intra‑ and inter‑firewall conflicts, tunneling overlaps, and IDS‑firewall inconsistencies. The authors propose a two‑stage, model‑driven deployment process built on the Organization‑Based Access Control (OrBAC) framework.

In the first stage, security requirements are captured in an abstract, technology‑independent policy expressed in OrBAC. OrBAC provides a rich meta‑model consisting of organizations, roles, activities, views, and contexts. An organization corresponds to a logical grouping of network elements (e.g., a LAN, a firewall, a VPN gateway). Roles are assigned to subjects (hosts, servers, interfaces) and inherit permissions through a role hierarchy. Activities abstract network services (e.g., “ALL TCP”, “WEB”), while views group objects (IP addresses, sub‑nets) that share the same protection rules. Contexts encode conditional aspects such as “protected” (requiring an IPSec tunnel) or “vulnerability” (triggering an IDS alert). Permissions are written as logical predicates of the form IsPermitted(subject, action, object) and can be automatically propagated down the hierarchy, thereby removing redundancy and clarifying intent.

The second stage consists of two compilation passes. The first pass traverses the organization hierarchy and produces a set of “multi‑target” rules that are still device‑agnostic but already free of intra‑policy anomalies thanks to the formal OrBAC semantics. The second pass maps these generic rules onto the concrete syntax and capabilities of each security device. For example, a rule destined for a NetFilter‑based firewall becomes an iptables entry; a rule for a Cisco PIX device is translated into an ACL line; IPSec policies are rendered as tunnel configuration files; IDS signatures are generated from the same abstract definition. This two‑step pipeline guarantees that the final configurations are consistent with the original high‑level policy and that no conflicting rules are introduced during translation.

The authors position their work against related literature. Earlier approaches either relied on pure RBAC extensions, offered only manual refinement, or provided audit tools that detect anomalies without a global policy view. Some systems (e.g., Cisco Security Manager) support heterogeneous devices but lack a formal policy model and automatic device discovery, leading to incomplete automation. By contrast, the OrBAC‑based method integrates a formal, expressive policy language with automatic device discovery and compilation, thus covering the full lifecycle from specification to deployment.

A concrete XML schema is presented to store the OrBAC policy, including organization hierarchy, role inheritance, activity definitions, and optional context elements. The paper illustrates the methodology on a multi‑site corporate network (Corp 111.222.0.0/16) that includes external firewalls, internal firewalls, VPN gateways, and IDS sensors. The XML representation captures entities, exclusions (e.g., “Internet” = 0.0.0.0/0 excluding Corp), role assignments (e.g., R_DNS_srv inherits from R_Srv), and permission tuples.
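The two-pass compilation described above, as an added example that is not the paper's tool or its XML schema: a constructed OrBAC-style policy for the paper's example network (Corp 111.222.0.0/16, Internet as 0.0.0.0/0 minus Corp, R_DNS_srv inheriting from R_Srv; the DNS server address 111.222.1.53 and the context names are assumptions), which pass 1 flattens through the role hierarchy into device-agnostic rules while dropping redundant inherited rules, and pass 2 renders as iptables and Cisco ACL lines, with the protected context becoming an IPsec policy match on NetFilter.

```python
import ipaddress

# Constructed OrBAC-style policy for the paper's example network (not the paper's XML or tool).
CORP = ipaddress.ip_network("111.222.0.0/16")
VIEWS = {  # a view groups the objects (address ranges) sharing the same protection rules
    "Corp": [CORP],
    "Internet": list(ipaddress.ip_network("0.0.0.0/0").address_exclude(CORP)),  # 0/0 minus Corp
    "DNS_srv": [ipaddress.ip_network("111.222.1.53/32")],  # constructed server address
}
ACTIVITIES = {"WEB": [("tcp", 80), ("tcp", 443)], "DNS": [("udp", 53)]}
ROLE_PARENT = {"R_Srv": None, "R_DNS_srv": "R_Srv"}   # R_DNS_srv inherits from R_Srv
ROLE_VIEW = {"R_Srv": "Corp", "R_DNS_srv": "DNS_srv"}  # subjects (hosts) playing each role
# Abstract permissions (role, activity, view, context); the third is redundant with what R_DNS_srv inherits.
PERMISSIONS = [("R_Srv", "WEB", "Internet", "nominal"), ("R_DNS_srv", "DNS", "Internet", "protected"),
               ("R_DNS_srv", "WEB", "Internet", "nominal")]

def ancestors(role):  # the role itself plus everything it inherits from
    while role:
        yield role
        role = ROLE_PARENT[role]

def covers(a, b):
    """Rule a makes rule b redundant when b's addresses, service and context fall within a's."""
    return b[0].subnet_of(a[0]) and b[3].subnet_of(a[3]) and a[1:3] == b[1:3] and a[4] == b[4]

def pass1(perms):
    """Pass 1: flatten role inheritance into device-agnostic (src, proto, port, dst, ctx) rules, dropping covered ones."""
    rules = []
    for role in ROLE_PARENT:
        for r, act, view, ctx in perms:
            if r not in ancestors(role):
                continue
            for src in VIEWS[ROLE_VIEW[role]]:
                for proto, port in ACTIVITIES[act]:
                    for dst in VIEWS[view]:
                        cand = (src, proto, port, dst, ctx)
                        if not any(covers(x, cand) for x in rules):
                            rules.append(cand)
    return rules

def pass2(rules, target):
    """Pass 2: map generic rules onto one device's syntax ('protected' becomes an IPsec match on NetFilter)."""
    out = []
    for src, proto, port, dst, ctx in rules:
        if target == "iptables":
            ipsec = " -m policy --dir out --pol ipsec" if ctx == "protected" else ""
            out.append(f"iptables -A FORWARD -s {src} -d {dst} -p {proto} --dport {port}{ipsec} -j ACCEPT")
        elif target == "cisco_acl":  # the ACL target has no IPsec context in this example
            out.append(f"access-list 101 permit {proto} {src.network_address} {src.hostmask} {dst.network_address} {dst.hostmask} eq {port}")
    return out
```

The explicit R_DNS_srv WEB permission produces no output lines because every rule it would generate is already covered by the Corp-wide rule, which is exactly the redundancy the abstract level is meant to eliminate before anything reaches a device.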

Experimental evaluation shows that, compared with manual configuration, the proposed process reduces deployment time from hours to minutes, eliminates duplicate or contradictory rules, and automatically generates correct IPSec tunnel parameters and IDS signatures aligned with the intended protection contexts. The authors claim that the approach not only simplifies the administrator’s workload but also provides provable guarantees of anomaly‑free configurations.

In conclusion, the paper delivers a comprehensive, formally grounded framework for reliable security policy deployment. It combines (1) a high‑level, expressive OrBAC policy model, (2) a two‑phase automatic compilation engine, and (3) systematic anomaly detection at the abstract level. Future work is outlined to include dynamic policy updates, integration with cloud‑based virtual security appliances, and formal verification tools to further strengthen the correctness guarantees.

