Network security policy refinement process: Expression and analysis

Today, users need to access their granted services from anywhere and at any time. Network security management must evolve to satisfy these requirements. The policy based network management approach proposes to separate the rules that govern the system from the functionalities provided by it. Nevertheless, the policy rules should be consistent, correct against the objectives and enforceable onto the devices. This problem becomes complex considering the dependencies of the rules – each rule on a device can impact another rule on another device – and each device needs specific configuration according to the technologies implemented.This article presents a formal framework for the refinement of network security management information. It includes three abstraction levels: the network security objectives, the network security tactics and the network security devices configurations. The information models of each abstraction level are formally specified and analysed (consistency, correctness and feasibility). A WBEM implementation of the formal refinement framework proves its feasibility in management architectures.

[1]  Andrea Westerinen,et al.  Policy Core Information Model - Version 1 Specification , 2001, RFC.

[2]  Matt Bishop,et al.  Computer Security: Art and Science , 2002 .

[3]  Alessandra Russo,et al.  A goal-based approach to policy refinement , 2004, Proceedings. Fifth IEEE International Workshop on Policies for Distributed Systems and Networks, 2004. POLICY 2004..

[4]  Emil C. Lupu,et al.  A role based framework for distributed systems management , 1998 .

[5]  Bassem Nasser,et al.  Network Security Management: A Formal Evaluation Tool Based on RBAC Policies , 2004, Net-Con.

[6]  Bert Wijnen,et al.  An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks , 2002, RFC.

[7]  Heiko Krumm,et al.  Model-Based Tool-Assistance for Packet-Filter Design , 2001, POLICY.

[8]  David A. Bell,et al.  Secure computer systems: mathematical foundations and model , 1973 .

[9]  Vijayalakshmi Atluri,et al.  Role-based Access Control , 1992 .

[10]  Morris Sloman,et al.  Policies Hierarchies for Distributed Systems Management , 1993, IEEE J. Sel. Areas Commun..

[11]  Bassem Nasser,et al.  A Formal Approach for the Evaluation of Network Security Mechanisms Based on RBAC Policies , 2005, Electron. Notes Theor. Comput. Sci..

[12]  Jeffrey O. Kephart,et al.  The Vision of Autonomic Computing , 2003, Computer.

[13]  Axel van Lamsweerde,et al.  Goal-oriented requirements enginering: a roundtrip from research to practice [enginering read engineering] , 2004, Proceedings. 12th IEEE International Requirements Engineering Conference, 2004..

[14]  Ingo Lück,et al.  Model-based configuration of VPNs , 2002, NOMS 2002. IEEE/IFIP Network Operations and Management Symposium. ' Management Solutions for the New Communications World'(Cat. No.02CH37327).

[15]  Romain Laborde,et al.  Implementation of a Formal Security Policy Refinement Process in WBEM Architecture , 2007, Journal of Network and Systems Management.

[16]  Yechiam Yemini,et al.  Towards autonomic networks , 2003 .

[17]  Bert Wijnen,et al.  An Architecture for Describing SNMP Management Frameworks , 1998, RFC.

[18]  Romain Laborde,et al.  A Security Management Information Model Derivation Framework: From Goals to Configurations , 2005, Formal Aspects in Security and Trust.

[19]  Stephen Fickas,et al.  Goal-Directed Requirements Acquisition , 1993, Sci. Comput. Program..

[20]  Morris Sloman,et al.  Policy driven management for distributed systems , 1994, Journal of Network and Systems Management.