New paper: Rigorous Automated Network Security Management

| | TrackBacks (1)

Steve Lodin of Roche Diagnostics North America was kind enough to tell me about a newly published paper in the Feb 2005 issue of the International Journal of Information Security entitled "Rigorous Automated Network Security Management", by Joshua D. Guttman and Amy L. Herzog of The MITRE Corporation.

The paper's abstract:

Achieving a security goal in a networked system requires the cooperation of a variety of devices, each device potentially requiring a different configuration. Many information security problems may be solved with appropriate models of these devices and their interactions, and giving a systematic way to handle the complexity of real situations.

We present an approach, rigorous automated network security management, which front-loads formal modeling and analysis before problemsolving, thereby providing easy-to-run tools with rigorously justified results. With this approach, we model the network and a class of practically important security goals. The models derived suggest algorithms which, given system configuration information, determine the security goals satisfied by the system. The modeling provides rigorous justification for the algorithms, which may then be implemented as ordinary computer programs requiring no formal methods training to operate.

We have applied this approach to several problems. In this paper we describe two: distributed packet filtering and the use of IP security (IPsec) gateways. We also describe how to piece together the two separate solutions to these problems, jointly enforcing packet filtering as well as IPsec authentication and confidentiality on a single network.

1 TrackBacks

Listed below are links to blogs that reference this entry: New paper: Rigorous Automated Network Security Management.

TrackBack URL for this entry:

Small world! from jra's thoughts on March 11, 2005 11:13 AM

A coworker of mine from when I was at Tellme has started a new blog to show and tell what he's learning and thinking about network configuration management. In his most recent posting it turns out he's found a paper... Read More


About this Entry Archives

This page contains a single entry by Brent Chapman published on March 10, 2005 6:04 PM.

Infrastructures.ORG was the previous entry in this blog.

Everybody wants to be a hero is the next entry in this blog.

Find recent content on the main index or look in the archives to find all content.

Mailing List

Creative Commons License
This weblog is licensed under a Creative Commons License.
Powered by Movable Type 4.12