Network Security Management: A Formal Evaluation Tool Based on RBAC Policies

The complexity of the factors to consider makes the design of network security policies increasingly difficult. Network security management is by nature a distributed function, supplied by the coordination of a variety of devices with different capabilities. Formal evaluation techniques should be used to ensure that correct network security strategies are enforced. In this paper, we propose a new formal tool for describing a given network security strategy, a network topology, and the required security goals. The tool includes an evaluation method that checks some security properties and provides information to refine the strategy used. We introduce an example VPN architecture that validates our approach.
