Similar literature
20 similar documents found; search time 31 ms
1.
Management of today's distributed systems is becoming increasingly complex. There is an obvious requirement for a flexible mechanism to help manage such systems. Rule-based management is one such mechanism. However, in order for rule-based management to become widely usable a method is required by which conflicts between management policies (defined as rules) can be identified and resolved. This paper creates a set theoretic model for rules as a trituple of the relationship between the subject, action and target of a policy. It also identifies two classes of policy set — 'syntactically easy policy set' (SEPS) and 'syntactically non-easy policy set' (SNEPS). SEPSs are policies which are sets of all the Cartesian products of its subjects, actions and targets, whereas SNEPSs are only a subset of that Cartesian product. Conflict analysis of SEPSs has been handled in other papers; this paper addresses conflict analysis of SNEPSs. A method for resolving conflict is suggested. The paper also raises some issues that arise when considering a database of policies.

2.
3.
Man Li 《IEEE network》2003,17(6):36-43
Security is vital to the success of e-commerce and many new value-added IP services. As a consequence, IPsec is an especially important security mechanism in that it provides cryptographic-based protection mechanisms for IP packets. Moreover, in order for IPsec to work properly, security policies that describe how different IP packets are protected must be provisioned on all network elements that offer IPsec protection. Since IPsec policies are quite complex, manually configuring them on individual network elements is inefficient and therefore infeasible for large-scale IPsec deployment. Policy-based IPsec management strives to solve this problem: policy-based management employs a policy server to manage a network as a whole; it translates business goals or policies into network resource configurations and automates these configurations across multiple different network elements. Policy-based IPsec management significantly simplifies the task of defining, deploying, and maintaining security policies across a network, thereby significantly simplifying large-scale IPsec deployment. This article describes the motivations, key concepts, and recent IETF developments for policy-based IPsec management. It then applies the key concepts to an example of IPsec VPN service provisioning and further describes an example of an IPsec policy server as well as experience gained from implementing such a server. Challenges facing policy-based IPsec management are also discussed.

4.
The long-awaited cloud computing concept has now become a reality through the successive transformation of computer generations. However, security challenges have become the biggest obstacles to the advancement of this emerging technology. A well-established policy framework is defined in this paper to generate security policies that comply with requirements and capabilities. Moreover, a federated policy management schema is introduced, based on the policy definition framework and a multi-level policy application, to create and manage virtual clusters with identical or common security levels. The proposed model consists of the design of a well-established ontology according to security mechanisms, a procedure which classifies nodes with common policies into virtual clusters, a policy engine to enhance the process of mapping requests to a specific node as well as an associated cluster, and a matchmaker engine to eliminate inessential mapping processes. The suggested model has been evaluated according to performance and security parameters to prove the efficiency and reliability of this multi-layered engine in cloud computing environments during policy definition, application and mapping procedures.

5.
Mobile social networks give online social networking sites the capabilities to extend their services to mobile device users. Smart phones and tablets allow users to interact with each other when they are moving. Policy-based management simplifies the management of interaction functionalities by establishing policies to control various activities involved in these functionalities. To detect and resolve potential dynamic conflicts between the rules and configurations from different administrative domains, a knowledge-based policy analysis framework is proposed in this paper. It incorporates relationships between different elements in policy rules into temporal logic using a knowledge extension, which makes dynamic policy conflict analysis more accurate. A prototype system for mobile social networks is implemented to illustrate the capability of this framework.

6.
Verma  D.C. 《IEEE network》2002,16(2):20-26
The management of network infrastructure in an enterprise is a complex and daunting affair. In an era of increasing technical complexity, it is becoming difficult to find trained personnel who can manage the new features introduced into the various servers, routers, and switches. Policy-based network management provides a means by which the administration process can be simplified and largely automated. In this article we look at a general policy-based architecture that can be used to simplify several new technologies emerging in the context of IP networks. We explain how network administration can be simplified by defining two levels of policies, a business level and a technology level. We discuss how business-level policies are validated and transformed into technology-level policies, and present some algorithms that can be used to check for policy conflicts and unreachable policies. We then show how to apply this architecture to two areas: managing performance service level agreements, and supporting enterprise extranets using IPSec communication.

7.
Policy hierarchies for distributed systems management   Total citations: 13, self-citations: 0, citations by others: 13
Distributed system management involves monitoring the activity of a system, making management decisions and performing control actions to modify the behavior of the system. Most of the research on management has concentrated on management mechanisms related to network management or operating systems. However, in order to automate the management of very large distributed systems, it is necessary to be able to represent and manipulate management policy within the system. These objectives are typically set out in the form of general policies which require detailed interpretation by the system managers. The paper explores the refinement of general high-level policies into a number of more specific policies to form a policy hierarchy in which each policy in the hierarchy represents, to its maker, his plans to meet his objectives and, to its subject, the objectives which he must plan to meet. Management action policies are introduced, and the distinction between imperatival and authority policies is made. The relationship of hierarchies of imperatival policies to responsibility, and to authority policies, is discussed. An outline approach to the provision of automated support for the analysis of policy hierarchies is provided, by means of a more formal definition of policy hierarchy refinement relationships in Prolog.

8.
Stone  G.N. Lundy  B. Xie  G.G. 《IEEE network》2001,15(1):10-21
A survey of current network policy languages is presented. Next, a summary of the techniques for detecting policy conflicts is given. Finally, a new language, the path-based policy language (PPL), which offers improvements over these, is introduced. Previous network policy languages vary from the very specific, using packet filters at the bit level, to the more abstract, where concepts are represented with implementation details left up to individual network devices. As background information, a policy framework model and policy-based routing protocols are discussed. The PPL's path-based approach for representing network policies is advantageous in that quality of service and security policies can be associated with an explicit path through the network. This assignment of policies to network flows aids new initiatives such as integrated services. The more stringent requirement of supporting path-based policies can easily be relaxed with the use of wild card characters to also support differentiated services and best-effort service, which is what the Internet provides today.

9.
With the rapid growth of the Security‐as‐a‐Service market, concerns about privacy in exposing customer security policies to Cloud Service Providers have become critical. To resolve these issues, several solutions have been proposed over the past few years, each for a different kind of security service. However, as the number of security services outsourced into a cloud continues to grow, the need for a unified solution has become significant. This article introduces and presents a universal privacy‐preserving platform for SecaaS services that is based on a hybrid cloud architecture for maintaining the confidentiality of the customer's security policy. It is shown that this platform can be applied to all security services whose security policies can be represented in the form of a decision tree. This includes the vast majority of existing cloud‐based security services. With the small number of computationally‐expensive operations performed in a private cloud, the solution also does not require the implementation of a performant security engine on the customer's premises, allowing full advantage to be taken of private cloud offloading. It is also shown that the platform achieves better performance results than other existing solutions of this type. These findings were confirmed by experimental results.

10.
Nowadays, public wireless local area networks (WLANs), commonly called hotspots, are being widely deployed by WISPs (Wireless Internet Service Providers) as a means of offering ubiquitous Internet access to their customers. Although a substantial number of solutions have been proposed to improve security, mobility and quality of service in the wireless area, access network management, which is mandatory, remains a very significant concern. This paper describes RSM‐WISP, a new management architecture designed for WISPs to facilitate the implementation and management of the services they offer at the access side of the WLAN, and to manage roaming contracts between WISPs. Our architecture is based upon the policy‐based management principles introduced by the IETF, combined with more intelligence at the network edge. RSM‐WISP adopts an architecture composed of two elements: a WISP management center (MC) that deploys policies and monitors all the WLANs, and a programmable access router (CPE) located in each WLAN. The CPE ensures service enforcement, service differentiation (access to different service levels) and guarantee, user access management, and dynamic WLAN adaptation according to the user's SLA (service level agreement). It also permits automatic service updates according to the user's requirements. Roaming management is achieved on the CPE through multiple service provider support capabilities. This approach provides WISPs with a simple, flexible and scalable solution that allows easy service deployment and management at the access. This management architecture has been implemented, tested and validated on the 6WINDGate routers. Copyright © 2005 John Wiley & Sons, Ltd.

11.
With the development of WLAN technology, WLANs have found ever wider use throughout society; the number of small and medium-sized WLANs keeps growing, and their network security problems have become increasingly prominent. This paper discusses in detail the network security countermeasures for small and medium-sized WLANs: strengthening AP connection security, strengthening identity authentication for WLAN network admission, controlling and isolating WLAN network security risks, carrying out manual intrusion detection, strengthening personnel management, and strengthening the development of network security rules and regulations. By comprehensively applying these network security technologies and management measures, the security of small and medium-sized WLANs can be safeguarded so that they provide people with convenient communication services securely.

12.
Modeling and deadlock control of automated guided vehicle systems   Total citations: 5, self-citations: 0, citations by others: 5
This paper presents a colored resource-oriented Petri net (CROPN) modeling method to deal with conflict and deadlock arising in automated guided vehicle (AGV) systems. It can handle both bidirectional and unidirectional paths. The former offer additional flexibility, efficiency, and cost saving when compared with the latter. Yet, they exhibit more challenging AGV management problems. Unlike jobs that can enter and leave automated manufacturing systems, AGVs always stay in the system. By modeling nodes with places and lanes with transitions, the proposed method can construct CROPN models for changing AGV routes. A control policy suitable for real-time implementation is presented.

13.
More and more applications in the Internet require an intelligent service infrastructure to provide customized services. In this paper, we present an infrastructure which can transparently and effectively provide customized active‐services to end users and dynamically adapt to changing customized policies in large distributed heterogeneous environments. The infrastructure consists of two components: the policy agent and the middleware box. In particular, our technologies include: (1) a generic active‐service based infrastructure, where the policy agent can integrate policies requested by applications, and middleware boxes can transparently execute services; and (2) distributed policy processing in the middleware box. We study two policy partitioning schemes to achieve conflict‐free policies for distributed policy processing and guarantee the correctness of the policy execution. We conduct extensive performance evaluations on the different schemes proposed. Our experimental results demonstrate that our policy partitioning schemes can effectively generate partition‐capable and conflict‐free policy sets. The evaluation results also show that distributed policy processing can achieve over 70% increase in performance/price ratio with proper assignment of the policy distribution degree compared to a purely centralized approach. Copyright © 2005 John Wiley & Sons, Ltd.

14.
Addressing the security problems of mobile phone payment, this paper introduces the proximity (on-site) payment and remote payment services of mobile phones, analyses the security threats faced by the mobile terminal, the wireless network and the payment platform, and proposes a security framework for solving the security problems of mobile payment. The framework provides a solution for safeguarding mobile payment by comprehensively applying four security technologies (cryptography, access control, security protocols and security auditing) together with three security management strategies (security management of the mobile terminal, of communication transmission, and of the payment platform).

15.
Network security devices such as firewalls and intrusion detection systems are constantly updated in their implementation to accommodate new features and performance standards and to utilize new hardware optimizations. Reliable, yet practical, testing techniques for validating configuration enforcement after every new software and firmware update become necessary to assure correct configuration realization. Generating random traffic to test firewall configuration enforcement is not only inaccurate but also impractical, as it requires an infeasible number of test cases for reasonable testing coverage. In addition, in most cases the policies used during testing are manually generated or have limited configuration profiles. We present a framework for automatic testing of firewall configuration enforcement using efficient and flexible policy and traffic generation. In a typical test session, a large set of different policies is generated based on the access-control list (ACL) grammar and according to custom profiles. Test packets are generated to particularly target critical segments of the tested policies and to achieve high coverage of the testing space. We also describe our implementation of a fully automated framework, which includes ACL grammar modeling, policy generation, test case generation, capturing and analyzing firewall output, and creating detailed test reports. Our evaluation results show that our security configuration testing is not only achievable but also offers high coverage with a significant degree of confidence.

16.
A secure PKI construction scheme for an enterprise domain   Total citations: 3, self-citations: 0, citations by others: 3
PKI, the "Public Key Infrastructure", is a key-management platform that follows established standards; it can provide all network applications with cryptographic services such as encryption and digital signatures, together with the key and certificate management system they require. This paper proposes a concrete and feasible scheme for building a PKI in an enterprise domain, which can generate encryption certificates and signature certificates for users, and analyses its security.

17.
18.
As a security mechanism at the network layer, the IP security protocol (IPsec) has been available for years, but its usage is limited to virtual private networks (VPNs). The end-to-end security services provided by IPsec have not been widely used. To bring the IPsec services into wide usage, a standard IPsec API is a potential solution. However, the realization of a user-friendly IPsec API involves many modifications to the current IPsec and Internet key exchange (IKE) implementations. An alternative approach is to configure application-specific IPsec policies, but the current IPsec policy system lacks knowledge of the context of applications running at upper layers, making it infeasible to configure application-specific policies in practice. In this paper, we propose an application-aware IPsec policy system on the existing IPsec/IKE infrastructure, in which a socket monitor running in the application context reports the socket activities to the application policy engine. In turn, the engine translates the application policies into the underlying security policies, and then writes them into the IPsec security policy database (SPD) via the existing IPsec policy management interface. We implement a prototype in Linux (Kernel 2.6) and evaluate it in our testbed. The experimental results show that the overhead of policy translation is insignificant, and the overall system performance of the enhanced IPsec is comparable to that of security mechanisms at upper layers. Configured with the application-aware IPsec policies, both secured applications at upper layers and legacy applications can transparently obtain IP security enhancements.

19.
Policy management is an all-encompassing term that describes how the QoS policies applied to a network are managed. This paper illustrates the complexity of policy management, and goes on to explain how the end result of installing a new network policy only happens after a range of both business and network rules are followed. Business rules check that the requested policy is permitted under the customer's agreed service package and other non-network variables such as the time of day, while network rules include access control functions that check that the network has sufficient free capacity before admitting the new policy. Various examples illustrate the importance of co-ordinating policies across the network and of installing the most appropriate policy in the first place. Poor policy management may result in a next generation network appearing to offer a worse quality of service than the completely best-effort network it is replacing.

20.
Verma  D.C. Calo  S. Amiri  K. 《IEEE network》2002,16(2):34-39
We present a policy-based architecture for the control and management of content distribution networks that form an overlay of caching proxies over an underlying physical network. The architecture extends the policy framework used for controlling network quality of service (QoS) and security to content distribution networks. The fundamental advantage of a policy-based framework is that it allows a machine-independent scheme for managing multiple devices from a single point of control. In this article we describe this architecture and demonstrate how it enables dynamic updates to content distribution policies. Furthermore, we analyze the impact of such dynamic distribution on the cost of content serving.
