An Analysis Method of NAC Configuration Conflict Based on Ontology

Network Access Control policy might be configured in terms of firewalls, proxys, intrusion prevention systems and user-access policies. These policies may interoperate in the sense that the access requirements of one may conflict and/or be redundant with respect to the access requirements of another when defined separately. And it is unusual to include infrastructure policy rules in an application policy that constrain the kinds of application information that different principals may access. Hence, an improperly configured infrastructure may unintentionally hinder the normal operation of application. This paper proposals an analysis method of NAC configuration based on ontologies, and gives an corresponding algorithm to automatically represent and generate the semantics of any access control configuration. The analysis method uses ontologies representing the semantics of NAC configruation, and uses reasoning based ontologies to analyse the conflict in the NAC configuration. Result of the experiment shows that our method can automatically figure out where the conflicts happen in configurations, and figure out the conflict entities and confilct operatings considering system services and application domains.