Today, users need to access their granted services from anywhere and at any time. Network security management must evolve to satisfy these requirements. The policy-based network management approach proposes to separate the rules that govern the system from the functionalities provided by it. Nevertheless, the policy rules should be consistent, correct against the objectives and enforceable onto the devices. This problem becomes complex considering the dependencies of the rules (each rule on a device can impact another rule on another device) and the fact that each device needs a specific configuration according to the technologies implemented. This article presents a formal framework for the refinement of network security management information. It includes three abstraction levels: the network security objectives, the network security tactics and the network security device configurations. The information models of each abstraction level are formally specified and analysed (consistency, correctness and feasibility). A WBEM implementation of the formal refinement framework proves its feasibility in management architectures. © 2006 - IOS Press and the authors. All rights reserved.
CITATION STYLE
Laborde, R., Barrère, F., & Benzekri, A. (2006). Network security policy refinement process: Expression and analysis. Journal of High Speed Networks, 15(3), 247–260.