Improving packet filters management through automatic and dynamic schemes

IMPROVING THE MANAGEMENT TECHNIQUES OF FILTERING ROUTERS BY MEANS OF AUTOMATIC AND DYNAMIC METHODS

Annales Des Télécommunications

Abstract

The development of complex access control architectures raises the problem of their management. In this article, we describe an architecture providing automatic configuration of packet filters in Internet-based networks. Our architecture improves on existing proposals in three different fields. It suppresses the security officer's interactions with the management architecture when topology changes occur, thus preventing temporary security holes. Moreover, our architecture proposes three optimisations to provide the access control processes with efficient configurations. Simulations show that the complexity of these configurations is close to the complexity found in configurations created by hand. Finally, we describe how the notion of access control integrity can be incorporated in our management architecture at a reasonable cost.

Résumé (translated from French)

The development of complex access control architectures raises the problem of their management. In this article, we describe an architecture that provides automatic configuration of filtering routers in an Internet network. Our proposal improves on existing solutions in three areas. First, it removes the interactions between the security officer and the management system when topology changes occur, thereby avoiding temporary security holes. It relies on three optimisations that ensure an efficient configuration of the routers. Our simulations show that the complexity of these configurations is close to that of configurations created by hand. Finally, we show how our architecture can take the notion of access control integrity into account at a reasonable cost.

Additional information

This work is funded by DRET.

Cite this article

Paul, O., Laurent, M. Improving packet filters management through automatic and dynamic schemes. Ann. Télécommun. 56, 595–608 (2001). https://doi.org/10.1007/BF03008836

  • DOI: https://doi.org/10.1007/BF03008836
