Abstract
One of the topical tasks of policy-based security management is checking that the security policy stated in an organization corresponds to its implementation in the computer network. The paper considers an approach to proactive monitoring of security policy performance and of the functioning of security mechanisms. The approach is based on different strategies for automatically imitating possible users’ actions in the computer network, including exhaustive search, express-analysis and generation of optimized test sequences. It is applicable to different security policies (authentication, authorization, filtering, communication channel protection, etc.). The paper describes the stages, generalized algorithms and main peculiarities of the suggested approach, and the formal methods used to optimize the test sequences. We consider the generalized architecture of the developed proactive monitoring system “Proactive security scanner” (PSC), its implementation and an example of policy testing.
Copyright information
© 2007 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Bogdanov, V., Kotenko, I. (2007). Policy-Based Proactive Monitoring of Security Policy Performance. In: Gorodetsky, V., Kotenko, I., Skormin, V.A. (eds) Computer Network Security. MMM-ACNS 2007. Communications in Computer and Information Science, vol 1. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-73986-9_17
DOI: https://doi.org/10.1007/978-3-540-73986-9_17
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-73985-2
Online ISBN: 978-3-540-73986-9
eBook Packages: Computer Science, Computer Science (R0)