Automatic Management of Network Security Policy

The ultimate long-term goal of this project is to create a practical infrastructure that enables the network to become self-configuring, so that necessary network-wide reconfiguration is initiated by the change within the system itself, and not by the coordinated actions of teams of human operators. To allow us to achieve tangible results in reasonable time, the present project focuses on some specific issues that we feel are key to success in the larger plan and for which there is a clear path to generalization. The particular problem we consider is the one that systems administrators face on a daily basis: how do we rapidly determine that a given network configuration is compliant with.

Automatic Management of Network Security Policy

J. Burns, A. Cheng, P. Gurung, S. Rajagopalan, P. Rao, D. Rosenbluth, Surendran (Telcordia Technologies Inc.); D. M. Martin Jr. (University of Denver, dm@)

Abstract

This paper describes work in our project, funded by the DARPA Dynamic Coalitions program, to design, develop and demonstrate a system for automatically managing security policies in dynamic networks. Specifically, we aim to reduce human involvement in network management by building a practical network reconfiguration system so that simple security policies, stated as positive and negative invariants, are upheld as the network changes. The focus of this project is a practical tool to help systems administrators verifiably enforce simple multi-layer network security policies. Our key design considerations are the computational cost of policy validation and the power of the enforcement primitives. The central component is a policy engine, populated by models of network elements and services, that validates policies and computes new configuration settings for network elements when they are violated. We instantiate our policy enforcement tool using a monitoring and instrumentation layer that reports network changes as they occur and implements configuration changes computed by the policy engine.

1. Introduction

Lack of security is one of the primary obstacles in fielding many technologies in both commercial and DoD networks. The piecemeal and ad hoc way in which firewalls and other security elements are typically administered makes it difficult to manage networks in such a way that desired security policies are upheld as the network changes. Moreover, the scope of management is rapidly exceeding human capabilities because of the acceleration of changes in technology and topology. Network management tools are needed to automate management of networks containing many firewalls in dynamic environments. It is becoming necessary to enable network elements to adapt to change by
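As an added illustration of the policy engine the abstract describes (not code from the paper or its system), the following toy engine checks positive ("must reach") and negative ("must never reach") invariants against a first-match firewall model and computes the configuration changes needed when an invariant is violated. The firewall names, hosts, ports, rule format and policy format are all constructed assumptions for this example.

```python
from dataclasses import dataclass, field
# Toy model (constructed for this example): a firewall is an ordered rule list of
# (action, src, dst, port); first match wins, default deny. A path is the ordered
# list of firewalls a flow crosses. Names and the policy format are assumptions.
@dataclass
class Firewall:
    name: str
    rules: list = field(default_factory=list)
    def allows(self, src, dst, port):
        for action, rs, rd, rp in self.rules:
            if rs in (src, "*") and rd in (dst, "*") and rp in (port, "*"):
                return action == "allow"
        return False  # default deny

def reachable(path, src, dst, port):
    return all(fw.allows(src, dst, port) for fw in path)

# Policy: ("must", src, dst, port) is a positive invariant, ("never", ...) a negative one.
def violations(paths, policy):
    bad = []
    for kind, src, dst, port in policy:
        r = reachable(paths[(src, dst)], src, dst, port)
        if (kind == "must" and not r) or (kind == "never" and r):
            bad.append((kind, src, dst, port))
    return bad

# Compute (and apply to the model) the configuration changes that restore every
# violated invariant; returns the change list a real system would push to devices.
def enforce(paths, policy):
    changes = []
    for kind, src, dst, port in violations(paths, policy):
        path = paths[(src, dst)]
        if kind == "never":
            # block as close to the source as possible; prepend so the rule wins
            path[0].rules.insert(0, ("deny", src, dst, port))
            changes.append((path[0].name, "deny", src, dst, port))
        else:
            # open only the firewalls on the path that currently block the flow
            for fw in path:
                if not fw.allows(src, dst, port):
                    fw.rules.insert(0, ("allow", src, dst, port))
                    changes.append((fw.name, "allow", src, dst, port))
    return changes

# Constructed network: an edge firewall and a DMZ firewall (hosts and ports made up).
def scenario():
    edge = Firewall("edge", [("allow", "*", "*", "*")])
    dmz = Firewall("dmz", [("allow", "*", "web", 443), ("allow", "*", "*", 5432)])
    paths = {("ext", "web"): [edge, dmz], ("ext", "db"): [edge, dmz], ("app", "db"): [dmz]}
    policy = [("never", "ext", "db", 5432), ("must", "ext", "web", 80), ("must", "app", "db", 5432)]
    return paths, policy
```

Running `enforce(*scenario())` blocks the external-to-database flow at the edge firewall and opens port 80 to the web host only at the DMZ firewall, after which `violations` returns an empty list while the internal app-to-database invariant stays satisfied.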
