Conflicts in policy-based distributed systems management

Lupu, Emil; Sloman, Morris

doi:10.1109/32.824414

Cited by 465 publications

(293 citation statements)

References 33 publications

(43 reference statements)

Supporting

Mentioning

273

Contrasting

Unclassified

Order By: Relevance

“…In this context we consider a policy to be a high level statement as to how calls should be processed in the system. This can be seen as a refinement of Lupu et al's definition [LS99]:…”

Section: Logic and Policies For Call Processingmentioning

confidence: 94%

Use of Logic to Describe Enhanced Communications Services

Reiff-Marganiec

Turner

2002

Formal Techniques for Networked and Distributed Sytems — FORTE 2002

View full text Add to dashboard Cite

Abstract. New functionality is added to telecommunications systems in the form of features or services. However, this is a very provider-centric approach, not giving much control to the user. We consider a logic that allows the user to express preferences as to how they wish calls to be handled. This logic is encapsulated in a user-friendly policy description language. The transferability of a policy description language (Ponder) developed for system management and access control is discussed.

show abstract

“…In this context we consider a policy to be a high level statement as to how calls should be processed in the system. This can be seen as a refinement of Lupu et al's definition [LS99]:…”

Section: Logic and Policies For Call Processingmentioning

confidence: 94%

Use of Logic to Describe Enhanced Communications Services

Reiff-Marganiec

Turner

2002

Formal Techniques for Networked and Distributed Sytems — FORTE 2002

View full text Add to dashboard Cite

show abstract

“…This could prove to be a viable approach in applications that are not time critical, but it still requires manual intervention. B Another approach found in the literature ( [5,8]) is to enforce only the policy with the highest priority in the set -assuming policies have been assigned priorities. This scheme is often mentioned in the context of quality of service policy, and its usefulness may be constrained to that niche.…”

Section: Strategies For Conflict Resolutionmentioning

confidence: 99%

“…Another conflict detection approach exploiting domain overlapping is found in [8]. It focuses on modality conflicts, where policies are typed (positive and negative authorisation and obligation policy).…”

Section: Related Workmentioning

confidence: 99%

Generic Policy Conflict Handling Using a priori Models

Kempter

Danciu²

2005

Ambient Networks

View full text Add to dashboard Cite

Abstract. The promise of policy-based management is lessened by the risk of conflicts between policies. Even with careful conception of the policies it is difficult if not impossible to avoid conflicts completely. However, it is in principle possible to detect and resolve conflicts either statically or at runtime. Taking advantage of existing managed systems models it is even possible to detect and resolve policy conflicts not addressed until now. In this paper we present a generic approach to automated policy conflict detection based on existing knowledge about a managed system. We describe a methodology to derive conflict definitions from invariants of managed systems models, and show how these can be used to detect and resolve policy conflicts automatically.

show abstract

“…Our work applied the concepts to a specific policy service by defining IPSec security requirements in a high level. Some recent work [13,14] analyzed two types of conflicts: one is co-existence of both positive and negative policies, which can be detected by checking syntax; the other one is application specific conflicts. In this research, we analyzed IPSec specific conflicts caused by topological interaction etc.…”

Section: Related Workmentioning

confidence: 99%

IPSec/VPN Security Policy: Correctness, Conflict Detection, and Resolution

Huang³

et al. 2001

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. IPSec (Internet Security Protocol Suite) functions will be executed correctly only if its policies are correctly specified and configured. Manual IPSec policy configuration is inefficient and error-prone. An erroneous policy could lead to communication blockade or serious security breach. In addition, even if policies are specified correctly in each domain, the diversified regional security policy enforcement can create significant problems for end-to-end communication because of interaction among policies in different domains. A policy management system is, therefore, demanded to systematically manage and verify various IPSec policies in order to ensure an end-to-end security service. This paper contributes to the development of an IPSec policy management system in two aspects. First, we defined a high-level security requirement, which not only is an essential component to automate the policy specification process of transforming from security requirements to specific IPSec policies but also can be used as criteria to detect conflicts among IPSec policies, i.e. policies are correct only if they satisfy all requirements. Second, we developed mechanisms to detect and resolve conflicts among IPSec policies in both intradomain and inter-domain environment.

show abstract

Conflicts in policy-based distributed systems management

Cited by 465 publications

References 33 publications

Use of Logic to Describe Enhanced Communications Services

Use of Logic to Describe Enhanced Communications Services

Generic Policy Conflict Handling Using a priori Models

IPSec/VPN Security Policy: Correctness, Conflict Detection, and Resolution

Contact Info

Product

Resources

About