Towards semantic web-based management of security services

Policy-based management of distributed system has become a commonly accepted approach for such systems. However, there are a number of open technical issues that might put large-scale deployment of policy-based management techniques at risk. They include automated policy translation (i.e., refinement from abstract business goals to final configurations); development of integrated policy architectures for network, service and application management, and dynamic service creation; and methods for policy conflict detection and resolution. Regarding this last issue, there exist some relevant efforts in the security area, but they are still in the design phase and it is not clear how flexible and powerful they will become when they deal with different kinds of security-related policies and scenarios. This article provides the main ideas behind the semantically enriched specification of security policies and describes an automated process for doing conflict detection on these policies.     

Concepts, Activities and Issues of Policy-based Communications Management

Policy-based management is an approach that has been considered for some years within the distributed systems management research community. The concepts have recently been adopted by standards bodies including the International Telecommunications Union (ITU), Internet Engineering Task Force (IETF), Desktop Management Taskforce (DMTF) and Object Management Group (OMG) and are starting to appear in marketing literature for Internet protocol (IP) network management products. The meaning of the term is not well-defined nor consistently used, but common aspects of policy include that it changes a system' behaviour, that it is defined after system deployment, and that it does not require a full software development life cycle. Technical problems remain which need to be solved before the full ambitions of policy-based management can be achieved. Initial products are likely to address only a sub-set of the full potential and to exist in niche domains.     

Building an Application-Aware IPsec Policy System

As a security mechanism at the network-layer, the IP security protocol (IPsec) has been available for years, but its usage is limited to virtual private networks (VPNs). The end-to-end security services provided by IPsec have not been widely used. To bring the IPsec services into wide usage, a standard IPsec API is a potential solution. However, the realization of a user-friendly IPsec API involves many modifications on the current IPsec and Internet key exchange (IKE) implementations. An alternative approach is to configure application-specific IPsec policies, but the current IPsec policy system lacks the knowledge of the context of applications running at upper layers, making it infeasible to configure application-specific policies in practice. In this paper, we propose an application-aware IPsec policy system on the existing IPsec/IKE infrastructure, in which a socket monitor running in the application context reports the socket activities to the application policy engine. In turn, the engine translates the application policies into the underlying security policies, and then writes them into the IPsec security policy database (SPD) via the existing IPsec policy management interface. We implement a prototype in Linux (Kernel 2.6) and evaluate it in our testbed. The experimental results show that the overhead of policy translation is insignificant, and the overall system performance of the enhanced IPsec is comparable to those of security mechanisms at upper layers. Configured with the application-aware IPsec policies, both secured applications at upper layers and legacy applications can transparently obtain IP security enhancements.     

Simplifying network administration using policy-based management

The management of network infrastructure in an enterprise is a complex and. daunting affair. In an era of increasing technical cornplexity, it is becoming difficult to find trained personnel who can manage the new features introduced into the various servers, routers, and switches. Policy-based network management provides a means by which the administration process can be simplified and largely automated. In this article we look at a general policy-based architecture that can be used to simplify several new technologies emerging in the context of IP networks. We explain how network administration can be simplified by defining two levels of policies, a business level and a technology level. We discuss how business-level policies are validated and transformed into technology-level policies, and present some algorithms that can be used to check for policy conflicts and unreachable policies. We then show how to apply this architecture to two areas: managing performance service level agreements, and supporting enterprise extranets using IPSec communication     

Firewalls — Evolve or Die

Businesses have traditionally relied on perimeter firewalls to enforce their security policy. However, perimeter controls do not provide a comprehensive solution to secure a private network connected to the Internet. This paper describes how the dynamic business environment and techniques, such as protocol tunnelling, have leveraged the use of IP networks. The use of these protocols and techniques means that perimeter firewalls alone no longer provide sufficient security. IPsec network security is reviewed and it is shown how its security services can be used to provide greater protection for the network by securing connections end to end. The paper also describes tools for firewall and VPN policy management that address the problem of managing the overall security policy with network implementations comprising multiple vendors' products. Finally, the paper proposes a vision of how future secure virtual networks will be established over existing infrastructures.     

认知无线电政策推理引擎发展概述

基于政策的频谱管理模式能够对认知无线电进行灵活、细化的频谱管理。政策推理引擎是实现该频谱管理模式的关键。本文概括了频谱管理政策的描述方法,总结了近年来政策推理引擎领域的研究进展,并介绍了基于二叉决策图的政策推理引擎的设计原理。     

基于信任管理系统的可信路由器的设计与实现(英文)

This paper presents a scheme to perform QoS management and assure network security by using the trusted-router based on the Trust Management System.In this trusted-router,every IP packet is forwarded and queued by its trust value,which is the quantification of the network's expectation for this packet's and its owner's behavior in the network.We outline the algorithms to calculate the trust value of the trusted-router and the IP packet.We also introduce the trust-based QoS management algorithm and the deplo...     

On demand network-wide VPN deployment in GPRS

Mobile Internet requires enhanced security services available to all mobile subscribers in a dynamic fashion. A network-wide virtual private network deployment scenario over the General Packet Radio Service is proposed and analyzed from a security viewpoint. The proposed security scheme improves the level of protection that is currently supported in GPRS and facilitates the realization of mobile Internet. It secures data transmission over the entire network route from a mobile user to a remote server by utilizing the default GPRS ciphering over the radio interface, and by deploying an IP VPN over the GPRS core, as well as on the public Internet. Thus, on-demand VPN services are made available for all GPRS network subscribers and roaming users. The VPN functionality, which is based on the IPsec framework, is outsourced to the network infrastructure to eliminate the potential computational overhead on the mobile device. The VPN initialization and key agreement procedures are based on an Internet Key Exchange protocol proxy scheme, which enables the mobile station to initiate VPN establishment, while shifting the complex key negotiation to the network infrastructure. The deployed VPN operates transparently to the mobile subscribers' movement. The required enhancements for security service provision can be integrated in the existing network infrastructure; therefore, the propose security scheme can be employed as an add-on feature to the GPRS standard.     

Taxonomy of conflicts in network security policies

Network security polices are essential elements in Internet security devices that provide traffic filtering, integrity, confidentiality, and authentication. Network security perimeter devices such as firewalls, IPSec, and IDS/IPS devices operate based on locally configured policies. However, configuring network security policies remains a complex and error-prone task due to rule dependency semantics and the interaction between policies in the network. This complexity is likely to increase as the network size increases. A successful deployment of a network security system requires global analysis of policy configurations of all network security devices in order to avoid policy conflicts and inconsistency. Policy conflicts may cause serious security breaches and network vulnerability such as blocking legitimate traffic, permitting unwanted traffic, and insecure data transmission. This article presents a comprehensive classification of security policy conflicts that might potentially exist in a single security device (intrapolicy conflicts) or between different network devices (interpolicy conflicts) in enterprise networks. We also show the high probability of creating such conflicts even by expert system administrators and network practitioners.     

AAA architecture for mobile IPv6 based on WLAN

Mobility support for Internet devices is quite important for consumer electronics. The number of the hand‐held devices is growing quickly. However, there are not enough IP addresses for the number of the rapidly growing devices in the All‐IP generation. Internet Protocol version 6 (IPv6) was therefore adopted to solve these problems. Our purposed structure is based on IEEE 802.11. However, IEEE 802.11 has a serious security drawback. Further, from the Internet Service Providers' point of view, accounting is a potential problem. A mechanism combining Mobile IPv6 and AAA based on IEEE 802.11 to overcome these problems is essential. Both Internet Protocol version 4 (IPv4) and IPv6 support IP security (IPsec) when data packets are exchanged across the IP network. IPsec operates at the IP layer. It can support system authentication and authorization, However, it lacks a system accounting function. Therefore ISPs cannot establish correct billing for their services. This is the reason why we chose to combine the wireless network and AAA functions. In this paper, the AAA mechanism is used to protect security, with the architecture having authentication, authorization, and accounting functions. We will discuss the benefits of AAA and state the reason why we choose to combine AAA with the mobility architecture. Copyright © 2004 John Wiley & Sons, Ltd.     

Network mobility and protocol interoperability in ad hoc networks

The integration of various network-level functions, including routing, management, and security, is critical to the efficient operation of a mobile ad hoc network. In this article we focus on network mobility (rather than node mobility), implying the movement of entire subnetworks with respect to one another, while individual users initially associated with one such subnetwork may also move to other domains. One example is a battlefield network that includes ships, aircraft, and ground troops. In this "network of networks", subnets (e.g. shipboard networks) may be interconnected via a terrestrial mobile wireless network (e.g., between moving ships). We discuss the design and implementation of a new ad hoc routing protocol, a suite of solutions for policy-based network management, and approaches for key management and deployment of IPsec in a MANET. These solutions, in turn, are integrated with real-time middleware, a secure radio link, and a topology monitoring tool. We briefly describe each component of the solution, and focus on the challenges and approaches to integrating these components into a cohesive system to support network mobility. We evaluate the effectiveness of the system through experiments conducted in a wireless ad hoc testbed.     

一种基于策略的网络管理方法

基于策略的网络管理技术是近年迅猛发展的网管技术之一,它可减少管理的开销,使网络管理简化和自动化。文章简要介绍基于策略网络管理的一般概念和基本原理,主要讨论如何利用策略管理工具简化网络管理。     

A policy-based quality of service management system for IP DiffServnetworks

Policy-based management can guide the behavior of a network or distributed system through high-level declarative directives that are dynamically introduced, checked for consistency, refined, and evaluated, resulting typically in a series of low-level actions. We actually view policies as a means of extending the functionality of management systems dynamically, in conjunction with preexisting hard-wired management logic. We first discuss the policy management aspects of architecture for managing quality of service in IP DiffServ networks as presented by Trimintzios et al. (see IEEE Commun. Mag., Special Issue in IP Operations and Management, vol.39, no.5, p.80-88, 2001), and focus on the functionality of the dimensioning and resource management aspects. We then present an analysis of the policies that can influence the dimensioning behavior as well as the inconsistencies that may be caused by the introduction of such policies. Finally, we describe the design and implementation of the generic policy consumer component and present the current implementation status     

Network policy languages: a survey and a new approach

A survey of current network policy languages is presented. Next, a summary of the techniques for detecting policy conflicts is given. Finally, a new language, path-based policy language, which offers improvements to these is introduced. Previous network policy languages vary from the very specific, using packet filters at the bit level, to the more abstract where concepts are represented, with implementation details left up to individual network devices. As background information a policy framework model and policy-based routing protocols are discussed. The PPL's path-based approach for representing network policies is advantageous in that quality of service and security policies can be associated with an explicit path through the network. This assignment of policies to network flows aids in new initiatives such as integrated services. The more stringent requirement of supporting path-based policies can easily be relaxed with the use of wild card characters to also support differentiated services and best-effort service, which is provided by the Internet today     

Application level active network (alan) server management architecture

This paper presents the details of the policy-based security and resource management architecture for Application Level Active Network (alan) servers.alan is an active network architecture which enables deployment of user-customised processes (proxylets), which enhance the existing services or introduce new services to the end-user, on the select group of servers in anip network. The issues of security and resource management in this scenario are of crucial importance so as to efficiently facilitate and control the resource consumption of user-specified processes on the active servers, as well as to protect the server platforms from unauthorised proxylet deployment or malevolent behaviour. The architecture allowing efficient resource and security control is presented in this paper, including detaileduml diagrams capturing the management functionality, as well as a set of concrete management policies for thealan scenario. The examplexml policies are also given, and the deployment of this architecture in real-life trials is described. This development forms a part of a larger management architecture foralan-enabled networks developed in the context of theist projectandroid (Active Network DistRibuted Open Infrastructure Development).     

下一代通信网络中基于策略机制的无线资源管理

下一代无线通信系统是一种异构的网络体系,集成多种无线接入技术（Radio Access Technology,RAT）的同时提供多种窄带和宽带多媒体业务。这样的网络环境需要先进的RRM方法来处理复杂多变的无线信道、网络资源的动态配置及保障不同特征业务的服务质量（QoS）,给无线资源管理（Radio Resource Management,RRM）带来了巨大的技术挑战。本文通过引入对网络进行策略控制的思想,提出了一种基于策略机制的通用方法,致力于解决下一代异构（heterogeneous）网络中的无线资源管理。文中着重讨论了基于策略机制的网络接入控制、切换,以及基于策略机制的QoS管理,给出了各功能模块的工作原理和通信过程的分析与设计。     

Policy-based management of content distribution networks

We present a policy-based architecture for the control and management of content distribution networks that form an overlay of caching proxies over an underlying physical network. The architecture extends the policy framework used for controlling network quality of service (QoS) and security to content distribution networks. The fundamental advantage of a policy-based framework is that it allows a machine-independent scheme for managing multiple devices from a single point of control. In this article we describe this architecture and demonstrate how it enables dynamic updates to content distribution policies. Furthermore, we analyze the impact of such dynamic distribution on the cost of content serving     

IP VPN—基于IP网络的虚拟专用网

ＩＰ ＶＰＮ能为用户在ＩＰ网络之上构筑一个安全可靠、方便快捷的企业专用网络，并为企业节省资金。本文从ＩＰ ＶＰＮ的概念、分类、组建ＩＰ ＶＰＮ的隧道技术，以及在ＶＰＮ上传送的数据的安全性保证等几个方面介绍了ＩＰ ＶＰＮ技术。     

Dynamic Policy-Based Network Management for a Secure Coalition Environment

This article reports the latest results of an R&D effort to develop a prototype implementation of a dynamic policy-based network management (PBNM) system that can be used to configure and manage a secure network for a coalition environment across an unsecured wide area network. The prototype, based on a distributed architecture, includes capabilities for policy creation and management, dynamic policy negotiation, and dynamic policy provisioning. The policy negotiation facilitates the rapid deployment of a coalition network while the dynamic policy provisioning automates the configuration and management of network services including firewalls, virtual private network connections, routing, quality of service (QoS), and domain name services. Such a PBNM system enhances an organization's ability to react to network incidents identified by a network situational awareness assessment. Although the focus of the current research is a military coalition environment, the system can be used in any distributed enterprise or collaborative environment     

基于策略的光因特网管理技术研究

随着网络技术的快速发展,在未来网络中,基于IP应用的传输将占据优势地位。与此同时,波分复用设备已很成熟,能提供很大的网络容量(太比特网络传输),满足信息量不断增长的需要。文中描述了用于光因特网(IPoverWDM)的基于管理体系策略。目前,基于网络管理的策略问题已成为研究热点,国际工程任务组一直在这一领域进行深入研究,为网络的IP管理提供一种方法。基于策略管理的目标就是应用集成管理系统,便于系统管理、网络管理、管理应用之间的协作。