Model-Based Configuration Management of Security Systems in Large-Scale Networks
Abstract
The security mechanisms employed in today's networked environments are increasingly complex, and their configuration management plays an important role in the protection of these environments. Especially in large-scale networks, security administrators face the challenge of designing, deploying, maintaining and monitoring a huge number of mechanisms, most of which have complicated and heterogeneous configuration syntaxes. As a consequence, configuration errors are a frequent cause of security vulnerabilities. This work proposes a management process for the configuration of network security systems that builds on the model-based management approach. We present a modelling technique that uniformly handles different types of mechanisms, together with a supporting graphical editor for the design of the system. The editor incorporates focus and context concepts in order to improve the visualization of, and navigation through, large models.
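To make the model-based idea concrete, the following added example (written for this page; it is not the paper's tool or its modelling technique) keeps one mechanism-neutral model of permitted accesses and refines it into two heterogeneous configuration syntaxes, an iptables FORWARD chain and a Cisco-style extended ACL. The model is validated before any rule text is generated, so the classes of configuration error the abstract mentions (a permission naming a role nobody belongs to, a duplicated permission, an unsupported protocol) are caught once, at the model level, rather than separately in each device's syntax. All hosts, roles, services and addresses are constructed sample data.

```python
"""Added illustration of model-based configuration refinement.

One abstract model (roles of hosts, services, permitted flows) is checked
and then turned into concrete configurations for two different enforcement
points. Both outputs derive from the same model, so they cannot drift
apart, and the model is rejected before any rule text is emitted if it is
inconsistent.  Hosts, roles, addresses and services below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Host:
    name: str
    ip: str


@dataclass(frozen=True)
class Service:
    name: str
    proto: str      # "tcp" or "udp"
    port: int


@dataclass(frozen=True)
class Permission:
    role: str       # source side: a named group of hosts
    service: Service
    target: Host    # destination host offering the service


@dataclass
class Model:
    roles: Dict[str, List[Host]]
    permissions: List[Permission]


def validate(model: Model) -> List[str]:
    """Check the abstract model; returns a list of error messages (empty if sound)."""
    errors: List[str] = []
    seen = set()
    for p in model.permissions:
        if p.role not in model.roles:
            errors.append(f"permission references undefined role '{p.role}'")
        elif not model.roles[p.role]:
            errors.append(f"role '{p.role}' has no members; permission for "
                          f"{p.service.name} can never match")
        if p.service.proto not in ("tcp", "udp"):
            errors.append(f"service {p.service.name}: unsupported protocol "
                          f"{p.service.proto}")
        if p in seen:
            errors.append(f"duplicate permission: {p.role} -> "
                          f"{p.service.name}@{p.target.name}")
        seen.add(p)
    return errors


def to_iptables(model: Model) -> List[str]:
    """Refine the model into iptables rules on the FORWARD chain (default deny)."""
    lines = ["iptables -P FORWARD DROP"]
    for p in model.permissions:
        for src in model.roles[p.role]:
            lines.append(f"iptables -A FORWARD -s {src.ip} -d {p.target.ip} "
                         f"-p {p.service.proto} --dport {p.service.port} -j ACCEPT")
    return lines


def to_cisco_acl(model: Model, acl_id: int = 101) -> List[str]:
    """Refine the same model into a Cisco-style extended ACL (explicit final deny)."""
    lines = []
    for p in model.permissions:
        for src in model.roles[p.role]:
            lines.append(f"access-list {acl_id} permit {p.service.proto} "
                         f"host {src.ip} host {p.target.ip} eq {p.service.port}")
    lines.append(f"access-list {acl_id} deny ip any any")
    return lines


def refine(model: Model) -> Dict[str, List[str]]:
    """Validate first, then generate every mechanism's configuration from the one model."""
    errors = validate(model)
    if errors:
        raise ValueError("model rejected: " + "; ".join(errors))
    return {"iptables": to_iptables(model), "cisco_acl": to_cisco_acl(model)}


# Constructed sample model: an office role reaching a DMZ web server over
# HTTPS, and the DMZ role reaching an internal resolver over DNS.
HTTPS = Service("https", "tcp", 443)
DNS = Service("dns", "udp", 53)
WEB = Host("web1", "10.0.2.10")
RESOLVER = Host("ns1", "10.0.2.53")
SAMPLE = Model(
    roles={
        "office": [Host("ws1", "10.0.1.5"), Host("ws2", "10.0.1.6")],
        "dmz": [WEB],
    },
    permissions=[
        Permission("office", HTTPS, WEB),
        Permission("dmz", DNS, RESOLVER),
    ],
)

if __name__ == "__main__":
    for mechanism, rules in refine(SAMPLE).items():
        print(f"# {mechanism}")
        print("\n".join(rules))
</test>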
