Date Added: May 2009
This paper addresses the problem of configuring and managing network security devices, such as firewalls, Virtual Private Network (VPN) tunnels, and Intrusion Detection Systems (IDSs). The authors' proposal has two steps. First, they formally specify the security requirements of a given system using an expressive access control model. The result is a paper security policy that is free of ambiguities, redundancies or unnecessary details. Second, they deploy this paper policy through a set of automatic compilations into the security devices of the system. The proposed deployment process not only simplifies the security administrator's job, but also guarantees a resulting configuration free of anomalies and/or inconsistencies.