Network Access Control Interoperation using Semantic Web Techniques

William Fitzgerald, Simon Foley, Mícheál Ó . Foghlú


Network Access Control requirements are typically implemented in practice as a series of heterogeneous security-mechanism-centric policies that span system services and application domains. For example, a Network Access Control (NAC) policy might be configured in terms of firewall, proxy, intrusion prevention and user-access policies. While defined separately, these policies may interoperate in the sense that the access requirements of one may conflict and/or be redundant with respect to the access requirements of another policy. Thus, managing a large number of distinct policies becomes a major challenge in terms of deploying and maintaining a meaningful and consistent configuration. It is argued that the Semantic Web—an architecture that supports the formal representation, reasoning and sharing of heterogeneous domain knowledge—provides a natural solution to this challenge. A risk-based approach to configuring inter- operating policies is described. Each NAC mechanism has an ontology that is used to represent its configuration. This heterogeneous and interoperating policy knowledge is unified with higher-level business (risk) rules, providing a single (extensible) ontology that supports reasoning across the different NAC policy configurations.


  1. Al-Shaer, E., Hamed, H., Boutaba, R., Hasan, M.: Conflict Classification and Analysis of Distributed Firewall Policies. In IEEE Journal on Selected Areas in Communications, Volume 1-1 (2005)
  2. Gheorghe, L.: Designing and Implementing Linux Firewalls with QoS using netfilter, iproute2, NAT and l7-filter. PACKT Publishing (2006)
  3. Alesso, H.P., Smith, C.F.: Thinking on the Web: Berners-Lee, Gdel and Turing. WileyInterscience (2006)
  4. Smith, M.K., Welty, C., McGuinness, D.L.: OWL Web Ontology Language Guide. (W3C Recommendation, Technical Report)
  5. Venema, W.: TCP Wrapper: Network monitoring, access control, and booby traps. Third UNIX Security Symposium (Baltimore, September'92) (1992)
  6. Baader, F., Calvanese, D., McGuinness, D., Nardi, D., Patel-Schneider, P.: The Description Logic Handbook: Theory, Implementation and Applications. Cambridge University Press (2003)
  7. Haarslev, V., Mller, R.: Description Logic Systems with Concrete Domains: Applications for the Semantic Web. In: Proceedings of the International Workshop on Knowledge Representation meets Databases, (KRDB), Hamburg, Germany. (2003)
  8. Taniar, D., Rahayu, J.W.: Web Semantics Ontology. Idea Publishing (2006)
  9. O'Connor, M.J., Knublauch, H., Tu, S.W., Grossof, B., Dean, M., Grosso, W.E., Musen., M.A.: Supporting Rule System Interoperability on the Semantic Web with SWRL. (Fourth International Semantic Web Conference (ISWC2005)
  10. Standford: Protege IDE. (
  11. Foley, S.N., Fitzgerald, W.M.: Semantic Web and Firewall Alignment. First International Workshop on Secure Semantic Web (SSW'08), Cancun, Mexico (2008)
  12. Anya Kim, J.L., Kang, M.: Security Ontology for Annotating Resources. 4th International Conference on Ontologies, Databases, and Applications of Semantics, (ODBASE), Agia Napa, Cyprus. (2005)
  13. Herzog, A., Shahmehri, N., Duma, C.: An Ontology of Information Security. International Journal of Information Security and Privacy (2007)
  14. Uszok, A., Bradshaw, J., Jeffers, R., Johnson, M., Tate, A., Dalton, J., Aitken, S.: KAoS Policy Management for Semantic Web Services. In IEEE Intelligent Systems, Vol. 19, No. 4, (2004)
  15. Prez, G.M., Clemente, F.J.G., Blaya, J.A.B., Skarmeta, A.F.G.: Representing Security Policies in Web Information Systems. Policy Management for the Web (PM4W) Workshop in the 14th International World Wide Web (WWW) Conference (2005)
  16. Guttman, J.D.: Filtering Postures: Local Enforcement for Global Security Policies. IEEE Symposium on Security and Privacy, Oakland (1997)
  17. Mayer, A., Wool, A., Zishind, E.: Fang: A Firewall Analysis Engine. 2000 IEEE Symposium on Security and Privacy, p. 0177 (2000)
  18. Eronen, P., Zitting, J.: An Expert System for Analyzing Firewall Rules. (In: In Proceedings of the 6th Nordic Workshop on Secure IT Systems (NordSec 2001), pages 100-107)
  19. Hazelhurst, S.: A Proposal for Dynamic Access Lists for TCP/IP Packet Filtering. South African Computer Journal, Vol. 33 (2004)
  20. Marmorstein, R., Kearns, P.: A Tool for Automated iptables Firewall Analysis. (USENIX Annual Technical Conference, FREENIX Track)
  21. Golnabi, K., Min, R., Khan, L., Al-Shaer, E.: Analysis of Firewall Policy Rule Using Data Mining Techniques. In the 10th IEEE/IFIP Network Operations and Management Symposium, (NOMS) (2006)

Paper Citation

in Harvard Style

Fitzgerald W., Foley S. and Ó . Foghlú M. (2008). Network Access Control Interoperation using Semantic Web Techniques . In Proceedings of the 6th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2008) ISBN 978-989-8111-44-9, pages 26-37. DOI: 10.5220/0001743300260037

in Bibtex Style

author={William Fitzgerald and Simon Foley and Mícheál Ó . Foghlú},
title={Network Access Control Interoperation using Semantic Web Techniques},
booktitle={Proceedings of the 6th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2008)},

in EndNote Style

JO - Proceedings of the 6th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2008)
TI - Network Access Control Interoperation using Semantic Web Techniques
SN - 978-989-8111-44-9
AU - Fitzgerald W.
AU - Foley S.
AU - Ó . Foghlú M.
PY - 2008
SP - 26
EP - 37
DO - 10.5220/0001743300260037