Formal validation of automated policy refinement in the management of network security systems

  • Regular Contribution
International Journal of Information Security

Abstract

Policy hierarchies and automated policy refinement are powerful approaches to simplify the administration of security services in complex network environments. A crucial issue for the practical use of these approaches is ensuring the validity of the policy hierarchy: since the policy sets for the lower levels are derived automatically from the abstract policies (defined by the modeller), we must be sure that the derived policies uphold the high-level ones. This paper builds upon previous work on Model-based Management, particularly on the Diagram of Abstract Subsystems approach, and goes further to propose a formal validation approach for the policy hierarchies yielded by the automated policy refinement process. We establish general validation conditions for a multi-layered policy model, i.e. necessary and sufficient conditions that a policy hierarchy must satisfy so that the lower-level policy sets are valid refinements of the higher-level policies according to the criteria of consistency and completeness. Relying upon the validation conditions and upon axioms about the representativeness of the model, two theorems are proved to ensure compliance between the resulting system behaviour and the abstract policies that are modelled.
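The abstract names two refinement criteria, consistency and completeness, without spelling out their definitions. The following Python example is added here to make the idea concrete; it is not the paper's formalism and not code from the authors. It assumes a simplified two-level hierarchy: abstract policies grant a role access to a service, a refinement mapping expands roles to hosts and services to (host, port) endpoints, and the low-level policy is an ordered packet-filter rule list with first-match semantics and a default deny. Under these assumptions, consistency means every flow the low-level rules effectively allow is backed by some abstract policy, and completeness means every flow the abstract policies require is effectively allowed. The hosts, services and rules are constructed sample data.

```python
"""Toy refinement validator (added example; definitions of consistency and
completeness below are this example's assumptions, not the paper's)."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, str, int]  # (source host, destination host, destination port)


@dataclass(frozen=True)
class HighPolicy:
    role: str      # abstract subject, e.g. "staff"
    service: str   # abstract object, e.g. "web"


@dataclass(frozen=True)
class LowRule:
    src: str       # concrete source host or "*" for any host
    dst: str       # concrete destination host or "*"
    port: int      # destination port
    action: str    # "allow" or "deny"


def expected_allows(high: List[HighPolicy],
                    role_members: Dict[str, Set[str]],
                    service_endpoints: Dict[str, Set[Tuple[str, int]]]) -> Set[Flow]:
    """Flows the abstract policies require: refine each (role, service) pair."""
    flows: Set[Flow] = set()
    for p in high:
        for src in role_members.get(p.role, set()):
            for dst, port in service_endpoints.get(p.service, set()):
                flows.add((src, dst, port))
    return flows


def _matches(rule: LowRule, flow: Flow) -> bool:
    src, dst, port = flow
    return rule.src in ("*", src) and rule.dst in ("*", dst) and rule.port == port


def effective_decision(low: List[LowRule], flow: Flow, default: str = "deny") -> str:
    """First matching rule wins; an earlier deny shadows a later allow."""
    for rule in low:
        if _matches(rule, flow):
            return rule.action
    return default


def candidate_flows(low: List[LowRule], hosts: Set[str]) -> Set[Flow]:
    """Instantiate every rule against the known host universe so that wildcard
    rules contribute concrete flows to the check."""
    flows: Set[Flow] = set()
    for rule in low:
        srcs = hosts if rule.src == "*" else {rule.src}
        dsts = hosts if rule.dst == "*" else {rule.dst}
        for s in srcs:
            for d in dsts:
                flows.add((s, d, rule.port))
    return flows


def check_refinement(high, low, role_members, service_endpoints) -> dict:
    """Consistency: no effectively allowed flow lacks an abstract policy.
    Completeness: every flow required by an abstract policy is effectively allowed."""
    hosts = set().union(*role_members.values()) | {
        d for eps in service_endpoints.values() for d, _ in eps}
    expected = expected_allows(high, role_members, service_endpoints)
    candidates = expected | candidate_flows(low, hosts)
    actual = {f for f in candidates if effective_decision(low, f) == "allow"}
    unauthorised = sorted(actual - expected)   # consistency violations
    missing = sorted(expected - actual)        # completeness violations
    return {"consistent": not unauthorised, "complete": not missing,
            "unauthorised": unauthorised, "missing": missing}


# Constructed sample hierarchy (hypothetical hosts and services).
ROLE_MEMBERS = {"admins": {"10.0.0.5"}, "staff": {"10.0.1.7", "10.0.1.8"}}
SERVICE_ENDPOINTS = {"dns": {("10.0.2.53", 53)}, "web": {("10.0.2.80", 443)}}
SAMPLE_HIGH = [HighPolicy("admins", "dns"), HighPolicy("staff", "web")]
SAMPLE_LOW = [
    LowRule("10.0.0.5", "10.0.2.53", 53, "allow"),
    LowRule("10.0.1.8", "10.0.2.80", 443, "deny"),   # shadows the allow two lines down
    LowRule("10.0.1.7", "10.0.2.80", 443, "allow"),
    LowRule("10.0.1.8", "10.0.2.80", 443, "allow"),  # never reached
    LowRule("*", "10.0.2.80", 22, "allow"),          # no abstract policy grants this
]


def run_sample() -> dict:
    return check_refinement(SAMPLE_HIGH, SAMPLE_LOW, ROLE_MEMBERS, SERVICE_ENDPOINTS)


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

Running the sample reports one completeness violation (the staff host whose allow rule is shadowed by an earlier deny) and five consistency violations (the wildcard port-22 rule instantiated over every known host). Dropping the deny and the wildcard rule yields a hierarchy that passes both checks, which is the situation the paper's validation conditions are meant to guarantee for automatically derived policy sets.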



Corresponding author

Correspondence to João Porto de Albuquerque.

About this article

Cite this article

de Albuquerque, J.P., Krumm, H. & de Geus, P.L. Formal validation of automated policy refinement in the management of network security systems. Int. J. Inf. Secur. 9, 99–125 (2010). https://doi.org/10.1007/s10207-010-0101-6
