Abstract
System administrators frequently use Intrusion Detection and Prevention Systems (IDPS) and host security mechanisms, such as firewalls and mandatory access control, to protect their hosts from remote adversaries. The usual techniques for placing network monitoring and intrusion prevention apparatuses in the network do not account for host flows and fail to defend against vulnerabilities resulting from minor modifications to host configurations. Therefore, despite widespread use of these methods, the task of security remains largely reactive. In this paper, we propose an approach to automate a minimal mediation placement for network and host flows. We use an Intrusion Prevention System (IPS) as a replacement for certain host mediations. Due to the large number of flows at the host level, we summarize information flows at the composite network level, using a conservative estimate of the host mediation. Our summary technique reduces the number of relevant network nodes in our example network by 80% and improves mediation placement speed by 87.5%. In this way, we effectively and efficiently compute network-wide defense placement for comprehensive security enforcement.
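The following is an added illustration, not code from the paper, of the two steps the abstract describes: summarizing each host's internal flows into a single network node under a conservative pass-through assumption, then computing a minimal mediation placement between the adversary and the protected asset. The hosts, flow edges, the mediated-node set and the unit-capacity min-cut formulation are all constructed assumptions for this example, not the paper's model or data.

```python
from collections import defaultdict, deque

# Constructed host-level flows (host, src, dst); "net_in"/"net_out" are a host's
# network interfaces, every other node is a local subject (process) or object.
HOST_FLOWS = [
    ("web", "net_in", "httpd"), ("web", "httpd", "php"), ("web", "php", "net_out"),
    ("bastion", "net_in", "sshd"), ("bastion", "sshd", "shell"), ("bastion", "shell", "net_out"),
    ("db", "net_in", "mysqld"), ("db", "mysqld", "net_out"),
]
# Constructed network flows between hosts, the adversary and the protected asset.
NET_EDGES = [("internet", "web"), ("internet", "bastion"), ("web", "db"),
             ("bastion", "db"), ("db", "vault")]

def summarize_hosts(host_flows, mediated):
    """Conservative summary: keep a host as one network node if some net_in->net_out
    path avoids every (host, node) pair that the host's own policy already mediates."""
    adj = defaultdict(lambda: defaultdict(list))
    for host, s, d in host_flows:
        adj[host][s].append(d)
    passthrough = set()
    for host, flows in adj.items():
        seen, work = {"net_in"}, deque(["net_in"])
        while work:
            for m in flows[work.popleft()]:
                if m not in seen and (host, m) not in mediated:
                    seen.add(m); work.append(m)
        if "net_out" in seen:
            passthrough.add(host)
    return passthrough

def ips_placement(net_edges, passthrough, src, sink):
    """Minimal placement as a unit-capacity min cut (Edmonds-Karp max-flow) over
    the summarized network: returns the edges where an IPS must interpose."""
    keep = passthrough | {src, sink}  # hosts that cannot forward flow drop out
    cap = defaultdict(lambda: defaultdict(int))
    for u, v in net_edges:
        if u in keep and v in keep:
            cap[u][v] += 1
    while True:  # augment along shortest residual paths until sink is unreachable
        parent, work = {src: None}, deque([src])
        while work and sink not in parent:
            u = work.popleft()
            for v, c in cap[u].items():
                if c > 0 and v not in parent:
                    parent[v] = u; work.append(v)
        if sink not in parent:
            break
        v = sink
        while parent[v] is not None:
            u = parent[v]; cap[u][v] -= 1; cap[v][u] += 1; v = u
    reachable = set(parent)  # source side of the min cut in the residual graph
    return sorted((u, v) for u, v in net_edges if u in reachable and v in keep and v not in reachable)
```

Marking the bastion's shell as host-mediated removes that host from the summarized network (fewer nodes to analyze) and moves the single IPS placement from the edge in front of the asset to the adversary's entry edge.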
© 2013 Springer-Verlag Berlin Heidelberg
Cite this paper
Talele, N., Teutsch, J., Jaeger, T., Erbacher, R.F. (2013). Using Security Policies to Automate Placement of Network Intrusion Prevention. In: Jürjens, J., Livshits, B., Scandariato, R. (eds) Engineering Secure Software and Systems. ESSoS 2013. Lecture Notes in Computer Science, vol 7781. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-36563-8_2
DOI: https://doi.org/10.1007/978-3-642-36563-8_2
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-36562-1
Online ISBN: 978-3-642-36563-8