Proceedings ArticleDOI

Automatic management of network security policy

TLDR
The paper aims to reduce human involvement in network management by building a practical network reconfiguration system so that simple security policies stated as positive and negative invariants are upheld as the network changes.
Abstract
The paper describes work in our project funded by the DARPA Dynamic Coalitions program to design, develop, and demonstrate a system for automatically managing security policies in dynamic networks. Specifically, we aim to reduce human involvement in network management by building a practical network reconfiguration system so that simple security policies stated as positive and negative invariants are upheld as the network changes. The focus of this project is a practical tool to help systems administrators verifiably enforce simple multi-layer network security policies. Our key design considerations are computational cost of policy validation and the power of the enforcement primitives. The central component is a policy engine populated by models of network elements and services that validates policies and computes new configuration settings for network elements when they are violated. We instantiate our policy enforcement tool using a monitoring and instrumentation layer that reports network changes as they occur and implements configuration changes computed by the policy engine.


Citations
Proceedings Article

MulVAL: a logic-based network security analyzer

TL;DR: MulVAL is an end-to-end framework and reasoning system that conducts multihost, multistage vulnerability analysis on a network and can reason about 84% of the Red Hat bugs reported in OVAL, a formal vulnerability definition language.
Patent

Network security system having a device profiler communicatively coupled to a traffic monitor

TL;DR: In this article, several device profilers are placed at different locations of a network to assess vulnerabilities from different perspectives, and a centralized correlation server, at a centrally accessible location in the network, stores determined vulnerabilities of the network and associates the determined vulnerabilities with attack signatures.

Security in wireless ad hoc networks

TL;DR: This book discusses ad hoc networks, an architecture for intrusion detection in MANETs, and the application of policy management to security management, addressing the challenges that ad hoc networks face in a rapidly changing environment.
Patent

Interoperability of vulnerability and intrusion detection systems

TL;DR: In this paper, the authors present a set of rules that represent various entities or processes on the network and use them in performing their respective analyses, which are query-based and easy to construct.
Patent

Method and system for detecting a vulnerability in a network

TL;DR: A system and method in accordance with the invention reliably and non-intrusively identifies various conditions of a network, in particular the operating system (including version and patch level) and a service of a remote host on the network.
References

The KeyNote Trust-Management System Version 2

TL;DR: This memo describes version 2 of the KeyNote trust-management system, which specifies the syntax and semantics of KeyNote `assertions', describes `action attribute' processing, and outlines the application architecture into which a KeyNote implementation can be fit.
Proceedings ArticleDOI

Enforceable security policies

TL;DR: A precise characterization is given for the class of security policies that can be enforced using mechanisms that work by monitoring system execution, and a class of automata is introduced for specifying those security policies.
Proceedings ArticleDOI

Fang: a firewall analysis engine

TL;DR: The software allows the administrator to easily discover and test the global firewall policy (either a deployed policy or a planned one) and operates on a more understandable level of abstraction, and it deals with all the firewalls at once.
Proceedings ArticleDOI

Firmato: a novel firewall management toolkit

TL;DR: Firmato, a firewall management toolkit, is presented with the following distinguishing properties and components: an entity relationship model containing, in a unified form, global knowledge of the security policy and of the network topology; and a model definition language, which is used as an interface to define an instance of the entity relationship model.
Proceedings ArticleDOI

Filtering postures: local enforcement for global policies

TL;DR: A simple language for expressing global network access control policies of a kind that filtering routers are capable of enforcing is introduced, together with an algorithm that, given the network topology, computes a set of filters for the individual routers that is guaranteed to enforce the policy correctly.