Abstract
Security mechanisms enforcement consists in configuring devices with the aim that they cooperate and guarantee the defined security goals. In the network context, this task is complex due to the number, the nature, and the interdependencies of the devices to consider.
In previous papers, we have proposed a formal framework that focuses on network security information management refinement. The framework includes three abstraction levels: the network security objectives, the network security tactics, and the network security device configurations. The information models of each abstraction level (consistency, correctness and feasibility) are formally specified and analyzed.
In this paper we present the integration of this formal refinement process in the WBEM initiative in order to provide a management infrastructure that guarantees the validity of the deployed security configurations.
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
REFERENCES
ISO, OSI Reference Model-Security Architecture, ISO 7498-2, 1988.
R. Laborde, B. Nasser, F. Grasset, F. Barrère, and A. Benzekri, Network Security Management: A Formal Evaluation Tool based on RBAC Policies. IFIP NetCon'2004, Springer ISBN 0-387-23197-8, pp. 69–80.
P. Samarati and S. De Capitani di Vimercati, Access Control: Policies, Models and Mechanisms, Foundations of Security Analysis and Design, LNCS 2171, 2001.
Y. Bartal, A. Mayer, K. Nissim, and A. Wool, Firmato: A Novel Firewall Management Toolkit. In: Proceedings of 1999 IEEE Symposium on Security and Privacy, May 1999.
Ehab Al-Shaer and Hazem Hamed, Discovery of Policy Anomalies in Distributed Firewalls. In: IEEE INFOCOMM'04, 2004.
Z. Fu, F. Wu, H. Huang, K. Loh, F. Gong, I. Baldine, and C. Xu, IPSec/VPN Security Policy: Correctness, Conflict Detection and Resolution. In: Policy'2001 Workshop, 2001.
J. D. Guttman and A. M. Herzog, Rigorous Automated Network Security Management, International Journal of Information Security, Vol. 4, No. 3, 2004.
M. Sloman, Policy Driven Management for Distributed Systems, Journal of Network and Systems Management, Vol 2, No. 4, 1994.
A. Westerinen, J. Schnizlein, J. Strassner, M. Scherling, B. Quinn, S. Herzog, A. Huynh, M. Carlson, J. Perry, and S. Waldbusser, Terminology for Policy-Based Management, RFC 3198, 2001.
J. Moffet and M. S. Sloman, Policy Hierarchies for Distributed Systems Management, IEEE JSAC 11 - Special Issue on Network Management, 1993.
Arosha K. Bandara, Emil C Lupu, Jonathan Moffet, and Alessandra Russo, A Goal-Based Approach to Policy Refinement, In: Policy 2004, 5th International Workshop Policies for Distributed Systems and Networks, 2004.
A. Van Lamsweerde, Goal-Oriented Requirements Engineering: A Roundtrip from Research to Practice, RE'04, 2004.
A. Dardenne, A. Van Lamsweerde, and S. Fickas, A Goal Directed Requirements Acquisition, Science of Computer Programming, Vol. 20, 1993.
I. Lück, C. Schäfer, and H. Krumm, Model-Based Tool-Assistance for Packet-Filter Design. In: Policy 2001, LNCS 1995, Springer-Verlag, pp. 120–136, 2001.
I. Lück, S. Vögel, and H. Krumm, Model-Based Configuration of VPNs. In R. Stadtler, M. Ulema (eds.), Proc. 8th IEEE/IFIP Network Operations and Management Symposium NOMS 2002, IEEE, pp. 589–602, 2002.
R. Laborde, B. Nasser, F. Grasset, F. Barrère, and A. Benzékri, A Formal Approach for the Evaluation of Network Security Mechanisms Based on RBAC Policies. In: Electronic Notes in Theoretical Computer Science – Proceedings of WISP'04, Vol. 121, Elsevier, 2005.
R. Laborde, F. Barrère, and A. Benzékri, A Security Management Information Model Derivation Framework: From Goals to Configurations. In: 3rd International Workshop on Formal Aspects in Security and Trust (FAST2005), LNCS 3866, 2005.
ANSI, Role-Based Access Control, ANSI/INCITS 359-2004, February 2004.
URL: http://www.dmtf.org/standards/cim
URL: http://www.dmtf.org/standards/wbem/
URL: http://wbemservices.sourceforge.net/
M. Sibilla, A. Barros DeSales, T. Desprats, D. Marquié, Y. Steff, F. Jocteur-Monrozier, and A. Rivière, CAMELEON: A CIM Modelware Platform for Distributed Integrated Management. In: The Annual DMTF Developers Conference, 2002.
F. Barrère, A. Benzekri, F. Grasset, R. Laborde, and B. Nasser, SPIDERNet : The Security Policy Derivation for Networks tool. In: 3rd IEEE Latin America Network Operations and Management Symposium (LANOMS), 2003.
P. Congdon, B. Lane, Station and Media Access Control Connectivity Discovery, IEEE Standard draft 802.1AB, 2004.
URL: http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_configuration_guide_ chapter09186a00800ca66d.html
M. Sibilla, A. Barros DeSales, Y. Raynaud, and F.Jocteur-Monrozier. An Active CIM_Dependency Pattern for a Consistence Service Monitoring. In: IEEE/IFIP Network Operations and Management Symposium (NOMS), 2004.
ACKNOWLEDGMENTS
We would like to thank the LANOMS 2005 committee that selected our article for submitting its extended version to JNSM.
Author information
Authors and Affiliations
Corresponding author
Additional information
Romain Laborde has been Maître de Conférence at University Paul Sabatier—IUT `A', Toulouse, France since September 2006. He is a member of IRIT. He received the Ph.D. degree in computer science from University Paul Sabatier in 2005. Then, he was Research Associate in the Information Systems Security Group in the Computer Science Department, University of Kent at Canterbury, UK. His research has developed a link between formal methods and network security management information. He is also interested in privilege management, access control for virtual organisations and ITIL processes.
Michel Kamel is a Ph.D. student in computer science at University Paul Sabatier, Toulouse. His research activities, conducted at IRIT, focus on the management of Virtual Organizations: validation and deployment of security policies. Currently, he is participating to the European project VIVACE; his work consists of the contribution to the deployment of a secure shared IT infrastructure used for the foundation of a secure Virtual Organization.
François Barrère is an Associate Professor at the University Paul Sabatier, Toulouse. He received the Ph.D. degree in computer science from University Paul Sabatier, in 1987. He is a member of IRIT. His research interest includes local area network protocols and design, network information security management, and digital rights management while building extended enterprises and virtual organizations. For the past eight years he has been involved in different major European aeronautic research projects, where he participates to build secure network infrastructures.
Abdelmalek Benzekri has been Professor at University Paul Sabatier—IUT A since 1999 where he has been director of a masters degree on Information Systems Architecture. His research activities, conducted at the Institut de Recherche en Informatique de Toulouse, focus on systems and networks management and specifically on information security management. His last works address trans-organizational access control policies for virtual organization formations. The results are assessed in the context of the aeronautical supply chain towards European research projects such as ENHANCE, CASH, IMAGE and VIVACE.
Rights and permissions
About this article
Cite this article
Laborde, R., Kamel, M., Barrère, F. et al. Implementation of a Formal Security Policy Refinement Process in WBEM Architecture. J Netw Syst Manage 15, 241–266 (2007). https://doi.org/10.1007/s10922-007-9063-z
Published:
Issue Date:
DOI: https://doi.org/10.1007/s10922-007-9063-z