Method for Security Policy Deployment on Heterogeneous Network and End-Point Devices Using an Integrated Data Model and Capability Knowledge

IP.com Disclosure Number: IPCOM000012552D
Publication Date: 2003-May-14
Document File: 5 page(s) / 160K

Publishing Venue

The IP.com Prior Art Database

Abstract

Disclosed is a consistent and extensible method for security policy representations for network infrastructure and computing resources. Benefits include greater extensibility and algorithmic mapping and fewer lapses in security.

At least one non-text object (such as an image or picture) has been suppressed.
This is the abbreviated version, containing approximately 35% of the total text.

Background

Uniform security policy enforcement is a must to avoid lapses in security for an enterprise network. In today’s enterprise networks, the following limitations exist that prevent implementing a uniform security mechanism covering the enterprise networks and computing resources:

  • Lack of methods to implement consistent policies across firewalls, network intrusion detection systems (NIDSs), and other security devices, leading to ineffective or inefficient actions to prevent and/or respond to attacks.
  • Lack of a security policy specification that details the consistent behavior not only of the network devices, but also of the computing devices within their realm.
  • Disparate organizations controlling the computing and networking resources.
  • A tedious process for understanding various proprietary mechanisms, languages, and mappings for network control and configuration.

The above limitations typically result in network intrusion attacks that could have been prevented or promptly contained if a uniform security policy were enforced. For a uniform security policy, the policy language should use a data model that encompasses the infrastructure security devices (firewalls, VPN gateways, and NIDSs) together with the computing resources (servers and clients) in the domain on which a consistent security policy is to be enforced. This allows administrators to address security flaws in an atomic fashion, since most security flaws can be detected and contained at both the network level and the host level until appropriate patches for both kinds of resources are distributed by the software vendors.

General Description

The disclosed method includes a consistent and extensible data model for security policy representation for network infrastructure and computing resources, together with associated concepts such as mapping and translation. The data model specifies heterogeneous devices in terms of their capabilities. The device capabilities are expressed in several smaller data models specific to each device. This approach keeps the overall data model extensible, since newer devices can be added by extending the base capability data model (an approach similar to object-oriented design).

There are two major functions in this approach: mapping and translating. A mapping function is defined as an algorithmic function that minimally returns a Boolean value (true or false) indicating whether the policy can theoretically be deployed on the device. The mapping function can also give, as additional output, the areas in which incompatibilities with the policy were found. A translator is defined as an algori...
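As an added illustration (example code, not part of the disclosure), the sketch below models a base capability data model extended per device class, a mapping function that returns the Boolean deployability verdict plus the incompatibility areas, and a translator for a firewall; the capability sets, field names, sample policy and the iptables-like target syntax are all constructed for this example.

```python
from dataclasses import dataclass

# Base capability model (names are this example's, not the disclosure's):
# a device class extends it by declaring the actions and match fields it supports.
@dataclass(frozen=True)
class Capabilities:
    actions: frozenset
    match_fields: frozenset

# Device-specific capability models extended from the base (constructed values)
FIREWALL = Capabilities(frozenset({"allow", "deny"}),
                        frozenset({"src", "dst", "proto", "dport"}))
NIDS = Capabilities(frozenset({"alert", "log"}),
                    frozenset({"src", "dst", "proto", "dport", "content"}))
HOST_FW = Capabilities(frozenset({"allow", "deny"}),
                       frozenset({"proto", "dport"}))

@dataclass
class Rule:
    action: str
    match: dict  # match field -> value

def map_policy(policy, caps):
    """Mapping function: Boolean deployability plus the incompatibilities found."""
    incompat = []
    for i, rule in enumerate(policy):
        if rule.action not in caps.actions:
            incompat.append(f"rule {i}: action '{rule.action}' not supported")
        for field in rule.match:
            if field not in caps.match_fields:
                incompat.append(f"rule {i}: match field '{field}' not supported")
    return not incompat, incompat

def translate_iptables(policy):
    """Translator: emit iptables-style INPUT rules once mapping says deployable."""
    ok, problems = map_policy(policy, FIREWALL)
    if not ok:
        raise ValueError("policy not deployable: " + "; ".join(problems))
    target = {"allow": "ACCEPT", "deny": "DROP"}
    flag = {"src": "-s", "dst": "-d", "proto": "-p", "dport": "--dport"}
    out = []
    for r in policy:  # fixed field order keeps -p ahead of --dport
        opts = " ".join(f"{flag[k]} {r.match[k]}"
                        for k in ("src", "dst", "proto", "dport") if k in r.match)
        out.append(f"iptables -A INPUT {opts} -j {target[r.action]}")
    return out

# Constructed sample policy: deny inbound SMB from one subnet, allow HTTPS.
POLICY = [
    Rule("deny", {"src": "10.0.0.0/8", "proto": "tcp", "dport": "445"}),
    Rule("allow", {"proto": "tcp", "dport": "443"}),
]
```

Running map_policy against HOST_FW and NIDS shows the two kinds of gap the mapping step surfaces before any translation is attempted: an unsupported match field on the host firewall, and unsupported actions on the NIDS.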