Journal of Network and Systems Management, Volume 15, Issue 2, pp 241–266

Implementation of a Formal Security Policy Refinement Process in WBEM Architecture

  • Romain Laborde
  • Michel Kamel
  • François Barrère
  • Abdelmalek Benzekri


Enforcing security mechanisms consists of configuring devices so that they cooperate and guarantee the defined security goals. In a network context, this task is complex because of the number, nature, and interdependencies of the devices to consider.

In previous papers, we proposed a formal framework that focuses on the refinement of network security management information. The framework includes three abstraction levels: the network security objectives, the network security tactics, and the network security device configurations. The information models of each abstraction level are formally specified and analyzed for consistency, correctness and feasibility.

In this paper, we present the integration of this formal refinement process into the WBEM initiative in order to provide a management infrastructure that guarantees the validity of the deployed security configurations.


Keywords: Security policy; network security; security management; WBEM (web-based enterprise management)



We would like to thank the LANOMS 2005 committee that selected our article for submitting its extended version to JNSM.



Copyright information

© Springer Science+Business Media, LLC 2007

Authors and Affiliations

  • Romain Laborde (1, 2)
  • Michel Kamel (1)
  • François Barrère (1)
  • Abdelmalek Benzekri (1)

  1. Université Paul Sabatier - IRIT/SIERA, Toulouse Cedex 04, France
  2. Computing Laboratory, University of Kent, Canterbury, UK
