A Network Security Policy Model and Its Realization Mechanism

  • Chenghua Tang
  • Shuping Yao
  • Zhongjie Cui
  • Limin Mao
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4318)


A large-scale network environment embodies the interconnection of different security domains. Different security policies exist within each domain and between domains, and conflicts can arise in a set of policies that lacks trust and negotiation between the domains that issue them. This paper proposes a network security policy model. By defining and describing security policies and domains, it studies policy integrity, validity and consistency, together with the detection, resolution and release of policy conflicts. The policy implementation mechanism is based on a rule engine; the paper gives the implementation steps and an efficiency analysis. The technique can be applied to establishing and controlling policy services in large network environments.


Keywords: security policy, domain, rule engine, access control
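The abstract above describes three steps that a practitioner would want to see concretely: checking a policy set for integrity and validity, detecting conflicts between policies issued by different security domains, and resolving them before the consistent set is released to a rule-engine style evaluator. The following is an added example written for this page; it is not code from the paper and does not reproduce the paper's model. It assumes a policy shape of (domain, subject, object, action, effect), a hypothetical inter-domain priority table (`DOMAIN_PRIORITY`) with deny-overrides as the tie-breaker, and a plain matching loop in place of a Rete-based rule engine. The sample policies are constructed for illustration.

```python
"""Added example (not from the paper): validate, detect and resolve conflicts
between access-control policies from several security domains, then evaluate
requests against the released (consistent) set.

Assumed model: a rule is (domain, subject, object, action, effect) with effect
in {permit, deny}; two rules conflict when they cover the same
(subject, object, action) but disagree on effect.
"""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Policy:
    """One access-control rule issued by a security domain (assumed shape)."""
    domain: str
    subject: str
    obj: str
    action: str
    effect: str  # "permit" or "deny"

    def target(self):
        return (self.subject, self.obj, self.action)


def validate(policies):
    """Integrity/validity check: reject malformed effects and exact duplicates."""
    seen = set()
    for p in policies:
        if p.effect not in ("permit", "deny"):
            raise ValueError(f"invalid effect {p.effect!r} in {p}")
        if p in seen:
            raise ValueError(f"duplicate policy {p}")
        seen.add(p)
    return True


def detect_conflicts(policies):
    """Pairs of rules that cover the same (subject, object, action) but disagree."""
    return [(a, b) for a, b in combinations(policies, 2)
            if a.target() == b.target() and a.effect != b.effect]


# Hypothetical inter-domain trust ordering: the higher number wins a conflict.
DOMAIN_PRIORITY = {"core": 2, "dmz": 1, "partner": 0}


def resolve(a, b, priority=DOMAIN_PRIORITY):
    """Winner of one conflict: higher domain priority, else deny-overrides."""
    pa, pb = priority.get(a.domain, -1), priority.get(b.domain, -1)
    if pa != pb:
        return a if pa > pb else b
    return a if a.effect == "deny" else b


def consistent_policy_set(policies):
    """Validate, detect conflicts, and drop the losing rule of every conflict."""
    validate(policies)
    losers = {b if resolve(a, b) is a else a for a, b in detect_conflicts(policies)}
    return [p for p in policies if p not in losers]


def evaluate(policies, subject, obj, action, default="deny"):
    """Rule-engine style decision: the first matching rule fires; otherwise fail closed."""
    for p in policies:
        if p.target() == (subject, obj, action):
            return p.effect
    return default


# Constructed sample input, not data from the paper.
SAMPLE_POLICIES = [
    Policy("core", "alice", "db1", "read", "permit"),
    Policy("partner", "alice", "db1", "read", "deny"),   # inter-domain conflict
    Policy("dmz", "bob", "web1", "write", "permit"),
    Policy("dmz", "bob", "web1", "write", "deny"),       # intra-domain conflict
    Policy("core", "carol", "db1", "write", "deny"),
]

if __name__ == "__main__":
    for a, b in detect_conflicts(SAMPLE_POLICIES):
        print("conflict:", a, "vs", b, "-> winner effect:", resolve(a, b).effect)
    released = consistent_policy_set(SAMPLE_POLICIES)
    print("released policy set:", released)
    print("alice read db1:", evaluate(released, "alice", "db1", "read"))
    print("dave read db1:", evaluate(released, "dave", "db1", "read"))
```

Two design points matter for security. Conflict resolution happens once, when the set is released, so the evaluator never has to choose between contradictory rules at request time; and `evaluate` fails closed, returning "deny" for any request no rule covers, so a gap left by conflict resolution cannot silently become a permit.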





Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Chenghua Tang (1)
  • Shuping Yao (1)
  • Zhongjie Cui (1)
  • Limin Mao (1)
  1. Lab of Computer Network Defense Technology, Beijing Institute of Technology, Beijing, P.R. China
