Policy-Based Proactive Monitoring of Security Policy Performance

  • Vitaly Bogdanov
  • Igor Kotenko
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 1)

Abstract

One of the current tasks of policy-based security management is checking that the security policy an organization has stated corresponds to its implementation in the computer network. The paper presents an approach to proactive monitoring of security policy performance and of the functioning of security mechanisms. The approach is based on different strategies for automatically imitating possible user actions in the computer network, including exhaustive search, express analysis and generation of optimized test sequences. It is applicable to different kinds of security policy (authentication, authorization, filtering, communication channel protection, etc.). The paper describes the stages, generalized algorithms and main features of the approach, and the formal methods used to optimize the test sequences. We consider the generalized architecture of the developed proactive monitoring system “Proactive security scanner” (PSC), its implementation and an example of policy testing.
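To make the three probing strategies named in the abstract concrete, the following is an added illustration written for this page; it is not code from the paper or from the PSC tool. It models a stated packet-filtering policy and an "implemented" rule set as first-match rule lists (the zones, port ranges, rules and the deliberate off-by-one drift in the implemented set are all constructed), then imitates user traffic with exhaustive search, an express analysis (one probe per policy rule) and an optimized, boundary-value test sequence, reporting where the observed verdict differs from the policy. In a real deployment the implemented verdict would come from actually sending the probe through the network rather than from a second rule list.

```python
"""Constructed illustration: checking that an implemented packet filter
matches a stated filtering policy by imitating user traffic with three
strategies (exhaustive, express analysis, optimized boundary sequence).
Not the paper's PSC code; all rules and values below are made up."""
from dataclasses import dataclass
from typing import List, Tuple

Probe = Tuple[str, int]  # (source zone, destination port)


@dataclass(frozen=True)
class Rule:
    zone: str    # source zone the rule applies to, "*" for any zone
    lo: int      # inclusive start of the destination port range
    hi: int      # inclusive end of the destination port range
    allow: bool  # verdict when the rule matches

    def matches(self, probe: Probe) -> bool:
        zone, port = probe
        return (self.zone in ("*", zone)) and self.lo <= port <= self.hi


def decide(rules: List[Rule], probe: Probe, default: bool = False) -> bool:
    """First-match semantics, as in most packet filters; deny by default."""
    for r in rules:
        if r.matches(probe):
            return r.allow
    return default


ZONES = ("lan", "dmz", "internet")   # constructed source zones
PORTS = range(1, 1025)               # constructed destination port space

# Stated policy: LAN may reach everything, DMZ only 80 and 443, rest denied.
POLICY = [
    Rule("lan", 1, 1024, True),
    Rule("dmz", 80, 80, True),
    Rule("dmz", 443, 443, True),
    Rule("*", 1, 1024, False),
]

# Implemented rule set (constructed): an off-by-one drift also opens port 81.
IMPLEMENTED = [
    Rule("lan", 1, 1024, True),
    Rule("dmz", 80, 81, True),   # deviation from the stated policy
    Rule("dmz", 443, 443, True),
    Rule("*", 1, 1024, False),
]


def exhaustive() -> List[Probe]:
    """Every (zone, port) combination: complete but large."""
    return [(z, p) for z in ZONES for p in PORTS]


def express(policy: List[Rule]) -> List[Probe]:
    """One representative probe per policy rule (its first port)."""
    probes = []
    for r in policy:
        for z in (ZONES if r.zone == "*" else (r.zone,)):
            probes.append((z, r.lo))
    return probes


def optimized(policy: List[Rule]) -> List[Probe]:
    """Boundary-value selection: probe every port where some rule's range
    starts or ends, plus the ports just outside it, in every zone."""
    cuts = set()
    for r in policy:
        cuts.update({r.lo - 1, r.lo, r.hi, r.hi + 1})
    ports = sorted(p for p in cuts if PORTS.start <= p < PORTS.stop)
    return [(z, p) for z in ZONES for p in ports]


def discrepancies(policy: List[Rule], implemented: List[Rule],
                  probes: List[Probe]) -> List[Tuple[Probe, bool, bool]]:
    """Probes whose observed verdict differs from the stated policy,
    as (probe, expected verdict, observed verdict)."""
    out = []
    for pr in probes:
        expected, observed = decide(policy, pr), decide(implemented, pr)
        if expected != observed:
            out.append((pr, expected, observed))
    return out


if __name__ == "__main__":
    for name, probes in (("exhaustive", exhaustive()),
                         ("express", express(POLICY)),
                         ("optimized", optimized(POLICY))):
        found = discrepancies(POLICY, IMPLEMENTED, probes)
        print(f"{name:10s} probes={len(probes):5d} discrepancies={found}")
```

Running it shows the trade-off the abstract alludes to: the exhaustive search (3072 probes) and the boundary-optimized sequence (24 probes) both expose the extra open port 81 from the DMZ, while the express analysis (6 probes) finishes fastest but reports nothing, because it never probes a port adjacent to a rule boundary.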

Key words

Security policy monitoring, test sequence optimization

Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Vitaly Bogdanov (1)
  • Igor Kotenko (1)
  1. Computer Security Research Group, St. Petersburg Institute for Informatics and Automation, St. Petersburg, Russia