Conference Paper

Model-based configuration of VPNs


Abstract

The design of suitable configurations for virtual private networks (VPNs) is usually difficult and error-prone. The abstract objectives of design are given by high level policies representing various requirements and the designers are often faced with conflicting requirements. Moreover, it is difficult to find a suitable mapping of high level policies to those low level network configurations which correctly and completely implement the abstract objectives. We apply the approach of model-based management where the system itself as well as the management objectives are represented by graphical object instance diagrams. A combination of tool and libraries supports their interactive construction and automated analysis. The implementation of the approach focuses on VPNs which are based on the Linux IPsec software FreeS/WAN.


... They were blamed for 20-30 deaths as a result of the non-arrival of urgently required ambulances. Another case reported at Arrowe Park Hospital on the Wirral [13] involved the modification of patient data. In this case, a nurse was convicted under section 3 of the Computer Misuse Act 1990 with unauthorised modification of computer material and sentenced to 12 months in prison. ...
... This work mirrors the interest of the computing profession in the development of "safety critical" or "safety-related" systems that happened a decade ago about the use of systems and software to control dangerous processes for nuclear reactors, air traffic and the like. This concern was reflected in a joint study report prepared by the Institution of Electrical Engineers and the British Computer Society [13]. This concern was shared by the UK Department of Trade and Industry, which set up and co-ordinated Safety-Critical Systems Club to examine these issues. ...
... Baseline for Future Research & Development: As a baseline for future R&D, prototypes for configuring ipchains (packet filter) [12], FreeS/WAN (VPN) [13], Kerberos and Checkpoint FW1 (firewall) already exist. In addition, investigations on how to integrate an auditing component that evaluates logfiles are going on. ...
... The model-based management approach [Lück et al., 1999, Lück et al., 2001, Lück et al., 2002], in turn, supports the construction of policy hierarchies by means of an interactive graphical design. It adopts concepts from object-oriented design tools and employs a model of the system to be managed that is vertically structured into layers. ...
... The concept of model-based management was initially proposed in [Lück et al., 1999] and later applied to the configuration of several types of security mechanisms, such as packet filters [Lück et al., 2001] and VPNs [Lück et al., 2002]. This approach aims to support policy-based management by means of an object-oriented model of the system to be managed. ...
... Modelling these policies according to the principles mentioned in Section 2 results in the first two levels of Figure 4 (the details of this procedure are outside the scope of the present work and can be found in [Lück et al., 2002, Lück et al., 2001]). The highest level (RO) of this model contains an AccessPermission object for each of the policies enumerated above, which will be referred to henceforth as AP1-AP5. ...
Article
As the use of computers and data communication technologies spreads, network security systems are becoming increasingly complex, due to the incorporation of a variety of mechanisms necessary to fulfil the protection requirements of the upcoming scenarios. The integrated design and management of different security technologies and mechanisms are thus of great interest. Especially in large-scale environments, the employment of security services and the design of their configurations shall be supported by a structured technique which separates the consideration of the system as a whole from the detailed design of the subsystems. To accomplish this goal, this paper presents a scalable approach for the modelling of large security systems, relying on the concepts of policy-based management and model-based management.
... The Model-Based Management approach [5][6][7], in turn, supports the building of those policy hierarchies by means of interactive graphical design. It adopts concepts of object-oriented system design tools and employs a model of the system vertically structured into a set of layers. ...
... The concept of Model-Based Management was initially proposed by Lück et al. in [5] and later applied to the configuration of several security mechanisms such as packet-filters [6] and VPNs [7]. This approach aims to support policy-based management by the use of an object-oriented model of the system to be managed. ...
... These back-end functions evaluate the ProtocolPermissions and the PH model in order to generate the adequate configuration files for each of the security service products. Further details can be found in [6][7][8]. ...
Article
This report builds upon previous work on Model-based Management, and particularly on the Diagram of Abstract Subsystems (DAS) approach, further elaborating on the correctness and performance of the automated policy refinement process. The modelling technique and the automated policy refinement process are firstly presented to illustrate the practical use of the DAS approach. Subsequently, the graphical model is formalised using an algebraic notation, which is thus utilised to define validation conditions for a layered model, i.e. conditions to which a resulting model must comply if the lower-level policy sets have been correctly generated. The scalability of the refinement algorithms and the additional effort needed to validate model instances are also analysed and discussed.
... To avoid creating yet another model, we chose as our starting point the Model-Based Management (MBM) approach [Lück et al. 2002], since it has been successfully applied to the network context [Porto de Albuquerque et al. 2005b] and provides tools that assist in designing policies for large and complex network environments [Porto de Albuquerque et al. 2005a]. This model has an interesting set of characteristics: it supports the design of security policies at different levels of abstraction; it uses automatic refinement and validation between abstraction levels, assisting the specification process; and it uses a graphical representation that allows a consistent policy to be maintained at all abstraction levels. ...
... The other visualisation-based model is the Model-Based Management (MBM) approach [Lück et al. 2002, Porto de Albuquerque et al. 2005b]. MBM presents the policy at different levels of abstraction, creating a policy hierarchy that allows the administrator to specify the policy using a top-down approach, making it possible to create a direct mapping between the organisational security requirements and the configuration policy derived from them. ...
... This expanded view encompasses objects that represent hosts, processes and network interfaces of the system and that assist in the process of automatically generating configuration parameters. This expanded view is related to the Processes & Resources (PR) level of the early works on MBM [Lück et al. 2002]. An example model is presented in Figure 2. It represents a simplified view of the rule "allow employees to access the company's web server". The AccessPermission at the top level (RO) is an abstraction of this rule and is refined through the levels down to a representation closer to the real system, which includes hosts, network interfaces, etc. ...
Article
Managing the configuration of security mechanisms in today's computer environments is becoming increasingly complex, especially with large scale networks. Security administrators face the challenge of designing and maintaining security policies for a huge number of heterogeneous mechanisms and operating systems to ensure the protection of these environments. To support the configuration of both network and operating system security in one single model, this work presents an extension to the Model-Based Management applied to networks that include operating system policy management.
... Completely automated policy refinement, however, is not possible if high-level policies are to be kept as the sole input in the process, since system-specific details have to necessarily be considered during the refinement process. Therefore, our approach of model-based management (MBM) utilizes a hierarchically structured system model, which represents the networked IT systems on three interrelated levels of abstraction [4]. The high level policies are directly linked with the highest model layer. ...
... Our modeling builds upon the Model-based Management approach [4] and employs a three-layered model whose structure is shown in Fig. 1. The horizontal dashed lines of the figure delimit the abstraction levels of the model: ...
Conference Paper
The security mechanisms employed in current networked environments are increasingly complex, and their configuration management has an important role for the protection of these environments. Especially in large scale networks, security administrators are faced with the challenge of designing, deploying, maintaining and monitoring a huge number of mechanisms, most of which have complicated and heterogeneous configuration syntaxes. Consequently, configuration errors are nowadays a frequent cause of security vulnerabilities. This paper summarizes results from a doctoral thesis that offers an approach to the configuration management of network security systems specially suited to the needs of the complex environments of today's organizations. The approach relies upon policy-based management and model-based management, extending these approaches with a modeling framework that allows the design of security systems to be performed in a modular fashion. The model is segmented into logical units (so-called Abstract Subsystems) that enclose a group of security mechanisms and other relevant system entities, offering a more abstract representation of them. In this manner, the administrator is able to design a security system-including its different mechanism types and their mutual relations-by means of an abstract and uniform modeling technique. A software tool supports the approach, offering a diagram editor for models. After the model is complete, the tool performs an automated policy refinement, deriving configuration parameters for each security mechanism in the system.
... This editor incorporates the concept of focus & context-that originated from research on information visualisation-through the techniques of fisheye-view [11] and semantic zooming [3,7]. Furthermore, our work builds upon the policy hierarchy [6] and model-based management [5] approaches in order to assist the above-mentioned configuration management phases of deployment and maintenance. A system model organised in different abstraction layers thus affords a step-wise, tool-assisted system modelling, along with an automated policy refinement that culminates in the generation of low-level configuration parameters. ...
... Our modelling builds upon the Model-based Management approach [5] and employs a three-layered model whose structure is shown in Fig. 1. The horizontal dashed lines of the figure delimit the abstraction levels of the model: Roles & Objects (RO), Subjects & Resources (SR), and Diagram of Abstract Subsystems (DAS). ...
... Additionally, each AS in a DAS is also associated with a detailed view of the system's actual mechanisms. This expanded view encompasses objects that represent hosts, processes, protocols and network interfaces of the system (this detailed view is related to the level PH of the works on model-based management [5]) and supports the process of automated generation of configuration parameters (Sect. 4.4). ...
Conference Paper
The security mechanisms employed in today's networked environments are increasingly complex and their configuration management has an important role for the protection of these environments. Especially in large scale networks, security administrators are faced with the challenge of designing, deploying, maintaining, and monitoring a huge number of mechanisms, most of which have complicated and heterogeneous configuration syntaxes. This work offers an approach for improving the configuration management of network security systems in large-scale environments. We present a configuration process supported by a modelling technique that uniformly handles different mechanisms and by a graphical editor for the system design. The editor incorporates focus and context concepts for improving model visualisation and navigation.
... In this context we find the policy based management approach which considers abstract security policies [4,12,18,20,33,34] that can be represented at different levels [25,30], ranging from business goals to device-specific configuration parameters. The process that transforms a definite goal into the corresponding configurations is called derivation process [2,24,31]. ...
... Different works focus on suitable tool assistance. The approach of model based management [18,20] utilizes object-oriented models of managed system to support the derivation which is divided into three abstraction levels. The designer graphically defines the three abstraction level models and the tool guides the derivation. ...
Article
Security policy models allow reasoning about security goals achievements. When security mechanisms are implemented, it is difficult to formally validate the security properties against the security goals especially in a network environment. To assess the implemented security properties, one should consider details regarding the network topology, the forwarding as well as filtering and transform engines. In this paper, we present a Colored Petri Net based tool which allows to describe graphically a given network topology, the network security mechanisms and the security goals required. The tool computes the different functionalities to set up the security properties and formally validates the solution using the dead state of the generated reachability graph analysis. Different security properties such as confidentiality and availability can be studied.
... Within this context, policy-based network management offers a promising approach, since it describes the behaviour of different mechanisms by means of abstract and uniform policies [23]. Model-based Management (MBM) [16,17] is a policy-based approach that employs an object-oriented layered model. It aims to provide a smooth transition from an abstract view of the system to be managed and the policies that apply to it down to reaching a detailed system representation at the most inferior layer. ...
... As for the vertical subdivision, it differentiates between the model of the actual managed system (on the left-hand side) and the security policies that regulate this system (on the right-hand side). The two topmost levels are gathered from previous work on MBM [16,17] and extended. The RO level is based on concepts from Role-Based Access Control (RBAC) [11,21], and the second level (SR in Fig. ...
Article
Policy hierarchies and automated policy refinement are powerful approaches to simplify administration of security services in complex network environments. A crucial issue for the practical use of these approaches is to ensure the validity of the policy hierarchy, i.e. since the policy sets for the lower levels are automatically derived from the abstract policies (defined by the modeller), we must be sure that the derived policies uphold the high-level ones. This paper builds upon previous work on Model-based Management, particularly on the Diagram of Abstract Subsystems approach, and goes further to propose a formal validation approach for the policy hierarchies yielded by the automated policy refinement process. We establish general validation conditions for a multi-layered policy model, i.e. necessary and sufficient conditions that a policy hierarchy must satisfy so that the lower-level policy sets are valid refinements of the higher-level policies according to the criteria of consistency and completeness. Relying upon the validation conditions and upon axioms about the model representativeness, two theorems are proved to ensure compliance between the resulting system behaviour and the abstract policies that are modelled.
... Thus, policy-based management uses those relatively low-level policies with distributed management agents that will communicate with each other, interpreting and executing policies specifically assigned to corresponding management roles. The Model-Based Management approach [5][6][7], in turn, supports the building of those policy hierarchies by means of interactive graphical design. It adopts concepts of object-oriented system design tools and employs a model of the system vertically structured into a set of layers. ...
... The concept of Model-Based Management was initially proposed by Lück et al. in [5] and later applied to the configuration of several security mechanisms such as packet-filters [6] and VPNs [7]. This approach aims to support policy-based management by the use of an object-oriented model of the system to be managed. ...
Conference Paper
As the use of computers and data communication technologies spreads, network security systems are becoming increasingly complex, due to the incorporation of a variety of mechanisms necessary to fulfil the protection requirements of the upcoming scenarios. The integrated design and management of different security technologies and mechanisms are thus of great interest. Especially in large-scale environments, the employment of security services and the design of their configurations shall be supported by a structured technique which separates the consideration of the system as a whole from the detailed design of subsystems. To accomplish this goal, this paper presents a scalable approach for the modelling of large security systems, relying on the concepts of policy-based management and model-based management.
... The work group has recently published a whitepaper [11] describing the framework integration with Microsoft Windows Media DRM. In a wider context, our work is related to the Model-based Management (MBM) [12], [13]. This approach employs an object-oriented layered model that aims at providing a smooth transition from an abstract view of the system to be managed and the policies that apply to it down to reaching a detailed system representation at the most inferior layer. ...
... This approach employs an object-oriented layered model that aims at providing a smooth transition from an abstract view of the system to be managed and the policies that apply to it down to reaching a detailed system representation at the most inferior layer. It was already applied to the management of different security mechanism types, such as Virtual Private Networks [12], and to the integrated management of a number of network security mechanisms in large-scale, complex network environments [13], [5]. Furthermore, the SIRENA project [4] shows that the MBM approach can be profitably used with the GRBAC to address requirements of dynamic environment conditions. ...
Article
Through the past years, several digital rights management (DRM) solutions for controlled dissemination of digital information have been developed using cryptography and other technologies. Within so many different solutions, however, interoperability problems arise, which increase the interest on integrated design and management of these technologies. Pursuing these goals, this paper presents a framework which aims at promoting interoperability among DRM systems, using a service-oriented architecture (SOA) and a high-level policy modeling approach.
... However, regarding the tool-assisted building of policy hierarchies and the automation of the policy refinement process, considerable research remains to be done. The Model-Based Management (MBM) approach [2, 3] supports the building of policy hierarchies by means of an interactive graphical design. It adopts concepts of object-oriented system design and employs a model of the system that is vertically structured into a set of layers. ...
... The Model-Based Management (MBM) approach [2, 3] aims to support policy-based management by the use of an object-oriented model of the system to be managed. Based upon this model, a policy refinement can be accomplished such that configuration parameters for security mechanisms can be automatically derived. ...
Conference Paper
In today's network environments the integrated design and management of different security technologies and mechanisms are of great interest. Especially in large networks, the security management should be supported by approaches with an appropriate level of abstraction, such that a system can be considered independently of the complex configuration details of its various component mechanisms. Furthermore, the employment of the security services and the design of their configurations should be supported by a structured technique that separates the consideration of the system as a whole from the detailed design of the subsystems. Pursuing these goals, this papers offers an approach to modeling network security systems, based on the concepts of policy-based management and model-based management, and analyzes the policy representation and refinement as well as the model validation enabled by this modeling.
... There is a considerable number of approaches to policy specification both for security management and policy driven network management purposes, as reported by Sloman and Lupu (2002). However, Model Based Management (MBM) proposed in (Lück et al., 2001 and Lück et al., 2002) will be adopted as the basis of the research policy modelling. The MBM approach supports the building of policy hierarchies by means of an interactive graphical design. ...
Article
There is a considerable number of approaches to policy specification both for security and policy driven network management. These specifications sort security policies into two basic types: authorization and obligation policies. Most of the research in security policy specification over the years has focused on authorization policy modelling. In this paper, we report our approach in developing an information security policy model with specific emphasis on delegation of roles as a form of obligation policy. Whilst noting the previous research works on delegation modelling, we considered subject and role attributes in refining and formulating delegation relation attribute rules using the concept of set theory. The work was further extended by developing a formal model for role hierarchy based on permissions and integrating it into the delegation model developed to eliminate flatness of subject roles. Future work proposed includes the development of a formal model for revocation after delegation and extension of the model with the principle of separation of duties.
... In common the model is divided into different abstraction layers ranging from a very abstract enterprise view, including the high-level policies to be enforced, to low-level system elements like specific hosts, devices, and network protocol stacks. This approach was successfully applied for the creation of firewall [4], VPN [5] and Kerberos V configurations. ...
Conference Paper
The management of distributed and embedded service systems is a complex task as the services are exposed to changing environments which have to be reflected by the services' configurations. These configurations are commonly based on abstract management policies. Embedded devices usually lack the resources to perform the necessary computations to derive an actual configuration from an abstract policy. Thus we developed a two phase management approach that splits up the management process into a design-time and a runtime task. At design-time a model of the managed system is created. This model is augmented by high-level, environment-aware management policies that are automatically refined to low-level service configurations using graph-transformation techniques. This phase is based on the concepts of model-based management and on parts of the generalized role based access control model to handle the modeling of the environment-aware policies. The runtime phase covers the enforcement of the environment-aware management policies by a set of management services responsible for the setting of suitable service configurations.
... Common policy-based management approaches [8] apply low level policies to describe management demands. Systems applying the model-based approach [9] use abstract high-level policies from which concrete service configurations are automatically created. The refinement process for policies uses the concept of a policy hierarchy [10] which divides the model into different layers of abstraction (cf. figure 2). ...
Conference Paper
The automatic integration of devices into dynamic, automatically configured networks alone does not take advantage of the entire potential of service oriented architectures (SOA). Using service management, independent services can be directed to perform meta tasks in a SOA network. In this paper we describe and evaluate the service management tool MOBASEC, which consists of two parts: at system runtime, management services are running in order to enforce management policies. The second part of the tool is a graphical model editor which supports the user in setting up the desired management policies easily. This research is part of the European SIRENA (Service Infrastructure for Real-time Embedded Networked Applications). The use of MOBASEC was evaluated by the project in automotive application and the results are summarized here.
... The introduction of a system administration language provides significant benefits in terms of simplifying repetitive tasks as well as allowing customization through an object-oriented interface. The network management community has developed a range of technologies for managing heterogeneous networks, including models, mechanisms and standards for efficiently managing networks, including performing low-level configuration tasks on managed elements [2],[4], [6], [14], [1], [11], [13], [19]. This technology is usually combined with higher-level GUIs and is therefore subject to the same set of problems outlined in Section I. ...
Conference Paper
We present a systems-management approach that enables administrators to effectively handle the challenge of increasing numbers of hosts, routers, users, and services in the networks to manage. Our approach is to map the actions of an administrator on a single host (such as creating a new user account) to the network at large, while maintaining the exact same interface. Our system amplifies the administrator's actions appropriately throughout the network, and confirms the correct propagation of all configuration changes throughout the distributed system. We argue that this approach allows administrators to easily manage several aspects of a large domain, because it provides a familiar and intuitive interface. Such a system can be used as a front-end to any other automation system used to manage large domains. To determine the feasibility of our approach, we implemented it on the OpenBSD system. We discuss the prototype implementation, along with the limitations to our approach that it exposes.
... With respect to related work, the representation of services has been explored in [1], [2]. Several approaches for provisioning services such as service object-based approach [3], profile-based service provisioning [4] and model-based configuration [5] have been looked at. This work undertakes a comprehensive provisioning architecture for multiple IP services in the context of the current challenges faced by service providers. ...
Conference Paper
The paper discusses an architecture for a provisioning system that meets the challenges currently facing service providers in a service and subscriber-based OSS (operations support system) environment. The architecture makes a clear separation between a provisioning core, which is a general framework for provisioning services, and service definitions that model the provisioning view of a service. The architecture is distributed, scalable and extensible and is especially suited for scenarios where a large number of services is expected to be offered, deployed, and managed. The service definitions can be used by the other OSS components to correlate information to provide complete device-to-service-to-subscriber diagnostics for faults, performance degradations, and accounting. It is argued that this approach leads to natural, efficient and effective management solutions.
... Common policy-based management approaches [2] apply low level policies to describe management demands. Systems created using the model-based approach [3] use much more abstract high-level policies to describe the desired behavior, from which concrete service configurations are automatically created. The model is divided into three horizontal and three vertical layers as depicted in Fig. 1. ...
Conference Paper
The management of distributed service systems is a complex task as changes in the system and the environment may induce reconfiguration tasks to be handled. In this paper, we deal with the automated reconfiguration of service-oriented, embedded systems. Depending on the environment such a system encounters, some of the services may need to be reconfigured depending on certain conditions like temperature or battery state. In our approach, the task of automatic adaptation to a changing environment is divided into two parts: At design time, various configurations are generated for a service and are mapped to specific environmental conditions. For this we adopt the approach of model-based management and GRBAC to ease the creation of complex management policies. At runtime, a reconfiguration service gets aware of changes in the environment, selects the appropriate configurations for the services it is responsible for, and enforces the new configurations.
... One theme is model-based approaches to predicting system performance. Examples include the Microsoft SQL Server Tuning Advisor [1] and configuration of Virtual Private Networks [13]. In all cases, a model is constructed that relates configuration parameters to system performance. ...
Conference Paper
Resource managers (RMs) often expose configuration parameters that have a significant impact on the performance of the systems they manage. Configuring RMs is challenging because it requires accurate estimates of performance for a large number of configuration settings and many workloads, which scales poorly if configuration assessment requires running performance benchmarks. We propose an approach to evaluating RM configurations called model fuzzing that combines measurement and simple models to provide accurate and scalable configuration evaluation. Based on model fuzzing, we develop a methodology for configuring RMs that considers multiple evaluation criteria (e.g., high throughput, low number of threads). Applying this methodology to the .NET thread pool, we find a configuration that increases throughput by 240% compared with the throughput of a poorly chosen configuration. Using model fuzzing reduces the computational requirements to configure the .NET thread pool from machine-years to machine-hours.
Article
Security mechanisms enforcement consists in configuring devices with the aim that they cooperate and guarantee the defined security goals. In the network context, this task is complex due to the number, the nature, and the interdependencies of the devices to consider. In previous papers, we have proposed a formal framework that focuses on network security information management refinement. The framework includes three abstraction levels: the network security objectives, the network security tactics, and the network security device configurations. The information models of each abstraction level (consistency, correctness and feasibility) are formally specified and analyzed. In this paper we present the integration of this formal refinement process in the WBEM initiative in order to provide a management infrastructure that guarantees the validity of the deployed security configurations.
... There is a considerable number of approaches to policy specification both for security management and policy driven network management purposes as reported by Sloman and Lupu (2002). However, Model Based Management (MBM) proposed in (Lück et al., 2001 and Lück et al., 2002) will be adopted as the basis of the research policy modelling. The MBM approach supports the building of policy hierarchies by means of an interactive graphical design. ...
Article
There is a considerable number of approaches to policy specification both for security and policy driven network management. This specification sorts security policies into two basic types: authorization and obligation policies. Most of the research in security policy specification over the years focuses on authorization policy modelling. In this paper, we report our approach in developing an information security policy model with specific emphasis on delegation of roles as a form of obligation policy. Whilst noting the previous research works on delegation modelling, we considered subjects and roles attributes in refining and formulating delegation relation attributes rules using the concept of set theory. The work was further extended by developing a formal model for role hierarchy based on permissions and integrating it into the delegation model developed to eliminate flatness of subject roles. Future works proposed include the development of a formal model for revocation after delegation and extension of the model with the principle of separation of duties. Categories and Subject Descriptors: F.4 [Mathematical Logic and Formal Languages] - F.4.1 Mathematical Logic – Model Theory.
... Our system reaches beyond networking, extending the set of services that participate in the security domain. Other work that aims to aid the administrator in specifying policies for VPNs can be found in [18,17]. ...
Conference Paper
Large scale distributed applications such as electronic commerce and online marketplaces combine network access with multiple storage and computational elements. The distributed responsibility for resource control creates new security and privacy issues, which are exacerbated by the complexity of the operating environment. In order to handle policies at multiple locations, the usual tools available (firewalls and compartmented file storage) get to be used in ways that are clumsy and prone to failure. We propose a new approach, virtual private services. Our approach relies on two functional divisions. First, we split policy specification and policy enforcement, providing local autonomy within the constraints of the global security policy. Second, we create virtual security domains, each with its own security policy. Every domain has an associated set of privileges and permissions restricting it to the resources it needs to use and the services it must perform. Virtual private services ensure security and privacy policies are adhered to through coordinated policy enforcement points. We describe our architecture and a prototype implementation, and present a preliminary performance evaluation confirming that our overhead of policy enforcement is small.
Conference Paper
Service-orientation supports the construction of flexible and comprehensive industrial applications. The growing scale and complexity of the applications, however, demand for enhanced self-management functions providing efficient self-adaptation and repair mechanisms. We propose the approach of policy-controlled self-management which has been developed and successfully tested in the context of Web Service based control applications. We use hierarchically structured management policies where high-level policies serve as abstract definitions of management objectives and low-level policies represent concrete rules for resource monitoring and correcting interventions. The definition, analysis, refinement and deployment of the policies are supported by an interactive graphical modeling tool.
Article
Currently institutions and individuals more and more depend on secure and reliable operation of information systems, while comprehensive intranets and connections to the growing internet increase the vulnerability of the systems. Therefore modern computer networks require special protection against attacks. Several protection mechanisms and security services are employed which enable the enforcement of abstract security objectives and policies:
• Authentication services like Kerberos support the verification of communicating parties and of the integrity of their messages.
• Authorization services manage user privileges and control access to resources accordingly.
• Virtual private network services, remote user access services and encrypted communication channels restrict the access to networks and support authentic and confidential communication.
• Firewalls and virus detectors filter the network traffic in order to repel harmful communication.
• Hardening of operating system configurations of the network nodes reduces the possible points of external and internal attacks.
• Monitoring, logging, and audit, as well as tripwire systems and automated intrusion detection systems serve for the purpose of early detection and response to attacks and intrusions.
• Security scanner tools shall track down remaining vulnerabilities.
As those security services and mechanisms are increasingly employed, importance and costs of security management are growing. The management tasks comprise initially the installation and configuration of the security services as well as during operation their monitoring, audit, adaptation, and reconfiguration. Proper abstraction, integration and tool support are key factors to ease the management task.
Article
Security administrators face the challenge of designing, deploying and maintaining a variety of configuration files related to security systems, especially in large-scale networks. These files have heterogeneous syntaxes and follow differing semantic concepts. Nevertheless, they are interdependent due to security services having to cooperate and their configuration to be consistent with each other, so that global security policies are completely and correctly enforced. To tackle this problem, our approach supports a comfortable definition of an abstract high-level security policy and provides an automated derivation of the desired configuration files. It is an extension of policy-based management and policy hierarchies, combining model-based management (MBM) with system modularization. MBM employs an object-oriented model of the managed system to obtain the details needed for automated policy refinement. The modularization into abstract subsystems (ASs) segments the system—and the model—into units which more closely encapsulate related system components and provide focused abstract views. As a result, scalability is achieved and even comprehensive IT systems can be modelled in a unified manner. The associated tool MoBaSeC (Model-Based-Service-Configuration) supports interactive graphical modelling, automated model analysis and policy refinement with the derivation of configuration files. We describe the MBM and AS approaches, outline the tool functions and exemplify their applications and results obtained. Copyright © 2010 John Wiley & Sons, Ltd.
Conference Paper
The security mechanisms employed in today's networked environments are increasingly complex and their configuration management has an important role for the protection of these environments. Especially in large scale networks, security administrators are faced with the challenge of designing, deploying, maintaining and monitoring a huge number of mechanisms, most of which have complicated and heterogeneous configuration syntaxes. A consequence of this is that configuration errors are a frequent cause of security vulnerabilities. This work offers a management process for the configuration of network security systems that is built upon the model-based management approach. We present a modelling technique that uniformly handles different types of mechanisms and a supporting graphical editor for the design of the system. The editor incorporates focus and context concepts in order to improve the visualization and the navigation of large models.
Abstract (translated from Portuguese). The security mechanisms employed in today's network environments are of growing complexity, and the management of their configurations therefore takes on a fundamental role in the protection of these environments. Particularly in large-scale computer networks, security administrators are confronted with the challenge of designing, implementing, maintaining and monitoring a large number of mechanisms, most of which have heterogeneous and complicated configuration syntaxes. A consequence of this situation is that configuration errors are frequent causes of security vulnerabilities. The present work offers a systematic method for managing the configuration of network security systems, built on the model-based management approach. We present here a modelling technique that uniformly handles different types of mechanisms and is supported by a graphical editor for the design of the system. The editor incorporates focus and context concepts to facilitate the visualization and navigation of large models.
Article
Talk at the GI annual conference: Security in complex, networked environments, workshop within the 2005 annual conference of the Gesellschaft für Informatik, Informatik LIVE!, 19-22 September 2005 in Bonn, Germany
Article
Policy refinement is an important technology to resolve the configuration complexity of access control policies in distributed applications. Existing methods for policy refinement describe and refine policies layer by layer. However, they are weak in dealing with the relationship between policies. In this study, policies and the relationship between them are described based on the policy refinement tree where policies conflict analysis is performed on the leaf nodes to allow using R-refutation calculus of open logic to analyze refinement policy correlation properties. This method can resolve conflicting policies while correctly maintaining mutual exclusion, combination, access path coordination, and refinement mapping of policies. It can also resolve conflicting policies of different types in order, and freely make a choice among conflicting policies. Experiments and performance analysis demonstrate that the presented method meets the need of dynamic adaption of policy refinement for service-oriented application systems on SaaS platform.
Conference Paper
We present a model-driven approach to rapid service introduction, in which the need for writing and integrating custom integration code in existing operations systems is replaced by interface mapping between service components and management components of operations systems. In particular, services are represented as dependency models, from which mappings to management interfaces of individual OSS components can be derived. Through strategic use of XML, XSLT, and related technologies, our approach is applicable to a wide variety of services and operations systems. A working prototype system has been developed, which includes a custom modeling tool and OSS environment. By separately developing and deploying VoIP and push-to-talk (PTT) services in the prototype, we have successfully demonstrated viability of our approach.
Conference Paper
Distributed embedded applications increasingly operate in changing environments where the application security depends on the type and properties of the currently used communication services and employed devices. While vulnerabilities, threats, and available security function processing power are changing, the applications, however, should automatically adapt to the varying conditions in order to maintain the necessary security without endeavor of users. We report on the security management subproject of the SIRENA project where we apply a special combination of policy-based management with model-based management in order to support fully automated security management functions at runtime as well as tool-assisted security requirement definition and system design. Within an application model, the definition of the application's high-level security policy is of special importance. It represents the abstract security requirements and forms the starting point for the automated derivation of suitable security subsystem configurations which enforce the policy under changing environment conditions. The abstract policy representation relies on the generalized role based access control model (GRBAC).
Conference Paper
Web services are rapidly becoming the technology of choice for integrating distributed application components in heterogeneous computing environments. In this paper, we present a novel e-commerce prototype application that itself would not be feasible without the leverage provided by underlying Web services technologies for flexible design and rapid prototyping. The application is a model-driven service brokerage that allows service providers to model, advertise, validate, and create a wide range of services (e.g. Internet access services such as DSL, cable, video-on-demand, etc) in an open marketplace in an automated fashion. The application answers real needs expressed by today's large service providers and goes beyond the current state-of-the-art in online communication marketplaces. It consists of several functional components, i.e. a service dependency modeling tool, brokerage engine, location services, and workflow engine - that have been independently developed on diverse platforms, e.g., J2EE, .NET. To efficiently integrate these components, we have designed a distributed Web services architecture, in which one Web service functions as a "hub" between previously disconnected components, another works as a "wrapper" of legacy data systems, while another "orchestrates" invocations of these services. Use of Web services has enabled parallel and independent development and testing, greatly increasing productivity and reducing time to get the system operational. It has also fostered the development of new brokerage features, which would have been difficult to plan without first experimenting with a "live" system.
Conference Paper
The CORBA security services support the flexible provision of security features. Their employment, however, has to be tailored to the assets and threats of a system. We relate the corresponding analysis and design of CORBA systems with traditional security analysis, risk assessment, and countermeasure planning as it is in the scope of information system security standards. Since security analysis tends to be difficult and error-prone, we combine that proposal with our object-oriented security analysis and modeling approach. It employs object-oriented modeling techniques and tool-assistance in order to facilitate the analysis and assure its quality even in case of extensive systems.
Conference Paper
The backup of large data sets is preferably performed automatically outside of regular working hours. In highly structured computer networks, however, faults and exceptions may relatively frequently occur resulting in unsuccessful subprocesses. Therefore automated fault and configuration management is of interest. We report on a corresponding management system. Besides of monitoring and information provision it performs automated fault analysis and recovery functions under extension of the service management approach to the function-oriented management of information processing services. Moreover, it is model-based. An interactively constructed object-oriented model specifies management objectives and represents dependencies between the backup service provided and the services used. Moreover, the model is input to the derivation of the management application code. Thus, the combination of service management and modeling supports the productive development of automated management applications. The system is implemented on the basis of the Java Dynamic Management Kit and performs the management of a commercial network backup system in a heterogeneous environment.
Conference Paper
The design of suitable packet-filters protecting subnets against network-based attacks is usually difficult and error-prone. Therefore, tool-assistance shall facilitate the design task and shall contribute to the correctness of the filters, i.e., the filters should be consistent with the other security mechanisms of the computer network, in particular with its access control schemes. Moreover, they should just enable the corresponding necessary traffic. Our tool approach applies a three-layered model describing the access control and network topology aspects of the system on three levels of abstraction. Each lower layer refines its upper neighbour and is accompanied with access control models. At the top level, role based access control is applied. The lowest level specifies packet filter configurations which can be implemented by means of the Linux kernel extension IPchains. The derivation of filter configurations is substantially supported by tool assistance in the course of an interactive design process.
Conference Paper
A policy-based management system is only really useful if it allows not only high level description of abstract policy, but also enables such policy to be refined and eventually mapped into an appropriate configuration for controlling devices in the managed system. Such a full integration has only been discussed in the literature but not realised so far. Our approach, implemented as the POWER prototype, demonstrates a way towards making it a reality in practice.
Conference Paper
In recent years, packet filtering firewalls have seen some impressive technological advances (e.g., stateful inspection, transparency, performance, etc.) and widespread deployment. In contrast, firewall and security management technology is lacking. We present Firmato, a firewall management toolkit, with the following distinguishing properties and components: (1) an entity relationship model containing, in a unified form, global knowledge of the security policy and of the network topology; (2) a model definition language, which we use as an interface to define an instance of the entity relationship model; (3) a model compiler translating the global knowledge of the model into firewall-specific configuration files; and (4) a graphical firewall rule illustrator. We demonstrate Firmato's capabilities on a realistic example, thus showing that firewall management can be done successfully at an appropriate level of abstraction. We implemented our toolkit to work with a commercially available firewall product. We believe that our approach is an important step towards streamlining the process of configuring and managing firewalls, especially in complex, multi-firewall installations.
Article
This paper describes NIST's enhanced RBAC model and our approach to designing and implementing RBAC features for networked Web servers. The RBAC model formalized in this paper is based on the properties that were first described in [1], and [2], with adjustments that have resulted through experiences gained by prototype implementations, market analysis, and observations made by Jansen [3], and Hoffman [4]. The implementation of RBAC for the Web (RBAC/Web) provides an alternative to the conventional means of administering and enforcing authorization policy on a server-by-server basis. RBAC/Web provides administrators with a means of managing authorization data at the enterprise level, and in a manner that is consistent with the current set of laws, regulations, and practices that face businesses today.
Chapter
IPSec (Internet Security Protocol Suite) functions will be executed correctly only if its policies are correctly specified and configured. Manual IPSec policy configuration is inefficient and error-prone. An erroneous policy could lead to communication blockade or serious security breach. In addition, even if policies are specified correctly in each domain, the diversified regional security policy enforcement can create significant problems for end-to-end communication because of interaction among policies in different domains. A policy management system is, therefore, demanded to systematically manage and verify various IPSec policies in order to ensure an end-to-end security service. This paper contributes to the development of an IPSec policy management system in two aspects. First, we defined a high-level security requirement, which not only is an essential component to automate the policy specification process of transforming from security requirements to specific IPSec policies but also can be used as criteria to detect conflicts among IPSec policies, i.e. policies are correct only if they satisfy all requirements. Second, we developed mechanisms to detect and resolve conflicts among IPSec policies in both intra-domain and inter-domain environment.
Conference Paper
There has been a vast amount of research and development effort aimed at providing solutions and products that address the security needs in the information age. Each solution tends to address only a particular facet of the security problem and is only accessible to limited protocols or applications. Moreover, ad hoc deployment of some solutions (e.g., firewalls and IPsec) can hinder our ability to collaborate across networks. A very important question is how any application can discover policy restrictions brought about by these solutions/mechanisms, and make efficient use of them to satisfy the application's security goals. The Celestial project addresses this question by developing a security management architecture that can (1) automatically discover effective security policies and mechanisms along any network path, (2) dynamically configure security mechanisms across protocol layers and across the network, (3) adaptively re-configure these mechanisms to maintain certain levels of security services when the network is under stress. This paper describes the Celestial system design and implementation, and reports the current status of the project.
Article
Distributed system management involves monitoring the activity of a system, making management decisions and performing control actions to modify the behavior of the system. Most of the research on management has concentrated on management mechanisms related to network management or operating systems. However, in order to automate the management of very large distributed systems, it is necessary to be able to represent and manipulate management policy within the system. These objectives are typically set out in the form of general policies which require detailed interpretation by the system managers. The paper explores the refinement of general high-level policies into a number of more specific policies to form a policy hierarchy in which each policy in the hierarchy represents, to its maker, his plans to meet his objectives and, to its subject, the objectives which he must plan to meet. Management action policies are introduced, and the distinction between imperatival and authority policies is made. The relationship of hierarchies of imperatival policies to responsibility, and to authority policies, is discussed. An outline approach to the provision of automated support for the analysis of policy hierarchies is provided, by means of a more formal definition of policy hierarchy refinement relationships in Prolog.
Article
Separating management policy from the automated managers which interpret the policy facilitates the dynamic change of behaviour of a distributed management system. This permits it to adapt to evolutionary changes in the system being managed and to new application requirements. Changing the behaviour of automated managers can be achieved by changing the policy without having to reimplement them -- this permits the reuse of the managers in different environments. It is also useful to have a clear specification of the policy applying to human managers in an enterprise. This paper describes the work on policy which has come out of two related ESPRIT funded projects, SysMan and IDSM. Two classes of policy are elaborated -- authorisation policies define what a manager is permitted to do and obligation policies define what a manager must do. Policies are specified as objects which define a relationship between subjects (managers) and targets (managed objects). Domains are used to group the object...
Article
Policies are derived from management goals and define the desired behavior of distributed heterogeneous systems, applications, and networks. To apply and deal with this idea, a number of concepts have been defined. Numerous policy definitions, policy hierarchies and policy models have evolved which are all very different, as they were developed from diverse points of view and without a common policy classification. This paper presents and structures the characteristics of policies by introducing a general classification for policies and showing how this classification leads to and aids in the specification of policies. Furthermore, we outline the ideas of a policy life cycle, and that of policy transformation. Policy transformation is a refinement process with conflict resolution which converts policies to become applicable within a management system using management services, such as systems management functions, distributed services, etc. The paper further looks at aspects to be considered when defining policy templates and concludes with a number of open issues still to be looked at in this field of management policies.
Y. Bartal, A. Mayer, K. Nissim and A. Wool: Firmato: A Novel Firewall Management Toolkit.
I. Lück, C. Schäfer, H. Krumm: Model-based Tool-Assistance for Packet-Filter Design. In: M. Sloman, E. Lupu, J. Lobo (Eds.), Policy 2001, LNCS 1995, pp. 120-136, Springer-Verlag, 2001.
IETF: IP Security Protocol (IPsec). IETF working group description.
D.F. Ferraiolo, J.F. Barkley and D.R. Kuhn: A Role Based Access Control Model and Reference Implementation within a Corporate Intranet.
Z. Fu, S. Wu, H. Huang, K. Loh et al.: IPSec/VPN Security Policy: Correctness, Conflict Detection, and Resolution. In: M. Sloman, J. Lobo, E. Lupu (Eds.), Policy 2001, LNCS 1995, pp. 39-56, Springer-Verlag, 2001.
Linux FreeS/WAN: Open source implementation of IPSEC & IKE for Linux. 2001, available via http://www.freeswan.org/
Desktop Management Taskforce: Common Information Model - Specification.
M. Sloman: Policy Driven Management for Distributed Systems. Journal of Network and Systems Management, Plenum Press, Vol. 2, No. 4, 1994.
J. Moffett, M. Sloman: Policy Hierarchies for Distributed Systems Management. IEEE Journal on Selected Areas in Communications, Vol. 11, No. 9, 1993.
Ch. Xu, F. Gong, S. Wu, I. Baldine et al.: Celestial Security Management System. In: Proc. of DARPA Information Survivability Conference & Exhibition, Vol. I, pp. 162-172, IEEE, 1999.
M. Casassa Mont, A. Baldwin, C. Goh: POWER Prototype: Towards Integrated Policy-Based Management. In: Proc. of the IEEE/IFIP Int. Symposium on Network Operations and Management NOMS 2000, IEEE, 2000.
I. Lück, M. Schönbach, A. Mester and H. Krumm: Derivation of Backup Service Management Applications from Service and System Models. In: R. Stadler, B. Stiller (Eds.), Active Technologies for Network and Service Management, Proc. DSOM'99, pp. 243-255, Zurich, Oct. 1999, LNCS 1700, Springer-Verlag.
Tigris: Argo UML Vision. Project descriptions and specifications, 2000, available via http://www.tigris.org/vision.html
P. Herrmann, H. Krumm: Object-Oriented Security Analysis and Modeling.
Solsoft: Global Network Security, Visual Policy Design and Policy Management System, Description.
[entry truncated] O'Reilly & Associates, 1998.
[entry truncated] Management. Morgan Kaufmann, San Francisco, 1999.