(IJCSIS) International Journal of Computer Science and Information Security,
Vol. 11, No. 3, March 2013

Analysis of Network Security Policy – Based Management

Aliyu Mohammed, Sulaiman Mohd Nor, Muhammad Nadzir Marsono
Universiti Teknologi Malaysia, Faculty of Electrical Engineering

Abstract— Network security and management policy in information communication is the desire to maintain the integrity, validity and consistency of a system or network, its data and its immediate environmental infrastructure. A well established and secured infrastructure helps in no small measure in making the network safe from all kinds of intrusion. Protecting all these resources is another very important concept needed of any computer system. Harnessing, accessing and configuring relevant security policies are very important roles to be played in safeguarding the complex network infrastructure. The paper therefore analyses some of the desired policies and assessment guidelines that should be followed by network administrators for effective and strong network management, security facilities and data optimization.

Key words: Network Security; Management Policy; Intrusion; Domain Infrastructure.

   The research focus nowadays is on network security policy-based management, as against previous undertakings that concentrated more on the equipment. The focus also tries to look at the new trend of malware detection, control and containment through network access control and effective policy enforcement. The aim is to bring about policy improvement that will help refine the network requirements for proper control, so as to appropriately provide protection for information security and its application targets.
   The desire for security policy and enforcement is to maintain integrity, validity and consistency [1]. At present most of the studies in the field tend to focus on the realization of effective business information systems, which emphasizes the integrity description of the users, processes and their implementation [2]. A number of security and integrity principles, such as good factor transformation and authorized implementation, have been put forward as the right basis for the establishment of security policy [3]. The validity conception of security policy and enforcement is to meet the needs of system security as presented by [4, 5]; this is an information security assessment process which generally comes through the abstraction model of information security. It identifies the impact on the assets of the user, and analyses their vulnerability, threat and risk factors. The given consistency of security policy requirements in the policy rule definition and implementation is meant to avoid possible areas of conflict, as they reflect the executable and compatible features.
   This paper proposes an infrastructural enterprise information security policy enforcement assessment model. The security domain partition and security domain policy establishment try to analyze the characteristics of the network attributes and consider the network security policy enforcement capability, to enable effective handling of the growing number of threats and exploits.
   The remainder of the paper is organized as follows. Section 2 introduces the basic security model design pattern and security policy control management. Section 3 considers security policy implementation, enforcement and assessment. Section 4 concludes the paper.

II. NETWORK SECURITY POLICY MANAGEMENT
   The technical and managerial approaches in any system design are complementary measures that are quite necessary in considering any form of security management. The factor of insecurity is necessarily a reflection on the organizational management and staffing. This becomes a serious question that needs to be handled in computer network security characteristics. Thus managers need to pay special attention to all kinds of security issues. It is a novel idea for an organization to have a well planned and cohesive policy framework to enable a constructive structural enterprise based on a hierarchical security structure [8].
   With a well placed security structure, the effective running and operation of the agency can be achieved. The responsibility of the entire structure is to be able to articulate the following activities: monitoring the entire network operation and safety information; auditing at all levels of the network and conventional analysis of performance information; maintenance of safety equipment; security strategy planning, formulation and implementation; handling network security incidents, and so on. The security regulation of an enterprise information system falls into two categories: (i) information security management from the laws, regulation and enforcement viewpoint, where the rules are normally worked out by the Secrecy Bureau and the Ministry of Public Security; (ii) the enterprise's own system and computer network system. All tend to complement each other with the network security mechanisms.

A. Enterprise Security Mechanisms
   The enterprise security mechanism is strongly based on the concept of P2DR (Policy, Protection, Detection and Response), which is widely recognized by professionals and
entrepreneurs [17]. In the overall context the model is aimed at controlling the system infrastructure under the guidance of the comprehensive use of protective equipment. Using detection and access control tools enables understanding and assessing the state of the security system. This includes the state of condition at the end-point. From the management point of view there is a correlation with understanding the health condition of end-points when they are connected to the enterprise. In this regard their access and the possible threat that they could exhibit are looked into by the management [17, 19], as indicated in Table 1 below.

Table 1. Access control at End-point.

Access Management                          Threat Management
Authentication    Access Rights            End point Checks          Behavior Monitoring
Certificate /     Virtual LAN              Health Checks             Flow Analysis
IEEE 802.1x       Access control list      Antivirus Status          NBAD (Network-Based Anomaly Detection)
MAC-based         Firewall Policy          Anti spyware              IPS/IDS
Web-Auth.         Application Software     No Trojans                Log management / SEM (Security Enforcement)
                                           Software applications

   The more unique functions of P2DR are the addition of the time factor, such as the time of intrusion and the response time, to include prevention and enforcement, so that it becomes an ideal security framework [10].

B. Network Security Policy Information
   Network security policy information is a model with a set of commands and rules that are used for the control mechanisms relevant to the network security management policy implementation. The model has five (5) detailed policy rules which are explicit and effective. This is indicated in Table 2 below.

Table 2. Classification of Policies

Policy Name               Condition                                                  Action
Attack signature policy   Snort signature or other monitors                          Alert packet, drop
Packet filtering policy   Source IP, Destination IP, Source port, Destination port,  Permit, Deny
                          Protocol, TCP flags, ICMP type, ICMP code
Rate Limit Policy         Source IP, Destination IP, Source port, Destination port,  Transmit, Drop
                          Protocol
Routing Control Policy    Destination IP                                             Drop
Alert Control Policy      Source IP, Destination IP, Source port, Destination port,  Filtering, Sampling
                          Protocol, attack ID, Time Interval

   The detection of known attacks, as in the attack signature policy, refers to the Snort rules or any other monitor rules of the current version in use. The detection policy drops packets and/or sends an alert to the server, after the attack signature policy has compared the packets against a pattern in the policy rules [9]. The packet filtering policy decides whether to permit or deny packets incoming from a firewall or router according to the values of the packet header fields. The rate limit policy prescribes control against excessive traffic in a router or a traffic control device; this is held to increase network performance. The characteristic of the routing control policy is that it forwards a packet to a router's bit bucket in order to handle bad traffic; in other words, the routing control policy routes unwanted packets to null. It works only on destination addresses, since it is really part of the forwarding logic. Lastly, the alert control policy controls the transmission of alerts from security devices; it allows a policy enforcement point (PEP) to send a sample of the alerts and to filter alerts. This gives a brief rundown of the network security policy classification of the model.
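The five policy classes of Table 2 can be exercised together in a small policy enforcement point. The Python program below is an added example written for this page; it is not code from the paper, nor from Snort or any other product the paper cites. The Packet fields follow the condition columns of Table 2; the class names, the signature identifiers SIG-1001 and SIG-2002, the byte patterns, the null-routed prefix 192.0.2.0/24, the token-bucket parameters and the sample traffic are all constructed for illustration. The policies are evaluated in the order signature, packet filtering, routing control and rate limit, and the alert control policy samples the alerts the signature policy raises, so a repeated probe from one flow produces one alert per three hits inside the time interval rather than a flood.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str              # "tcp", "udp" or "icmp"
    tcp_flags: str = ""     # e.g. "S", "SA", "PA"
    icmp_type: int = -1
    icmp_code: int = -1
    payload: bytes = b""
    ts: float = 0.0         # seconds; drives the rate limit and the alert time interval

def matches(cond, pkt):
    """A condition names the header fields it constrains; unnamed fields are wildcards."""
    return all(getattr(pkt, name) == value for name, value in cond.items())

class PacketFilter:
    """Packet filtering policy: the first matching rule decides; unmatched packets are denied."""
    def __init__(self, rules):          # rules: [(condition, "permit" | "deny"), ...]
        self.rules = rules
    def decide(self, pkt):
        for cond, action in self.rules:
            if matches(cond, pkt):
                return action
        return "deny"

class RateLimiter:
    """Rate limit policy: a token bucket over the flows selected by `cond` (transmit or drop)."""
    def __init__(self, cond, rate, burst):
        self.cond, self.rate, self.burst, self.tokens, self.last = cond, rate, burst, float(burst), None
    def decide(self, pkt):
        if not matches(self.cond, pkt):
            return "transmit"
        if self.last is not None:        # refill in proportion to the time elapsed
            self.tokens = min(self.burst, self.tokens + (pkt.ts - self.last) * self.rate)
        self.last = pkt.ts
        if self.tokens >= 1:
            self.tokens -= 1
            return "transmit"
        return "drop"

class RoutingControl:
    """Routing control policy: a destination inside a null-routed prefix goes to the bit bucket."""
    def __init__(self, null_prefixes):
        self.nets = [ipaddress.ip_network(p) for p in null_prefixes]
    def decide(self, pkt):
        return "drop" if any(ipaddress.ip_address(pkt.dst_ip) in n for n in self.nets) else "forward"

class SignatureDetector:
    """Attack signature policy: payload byte patterns, each with an alert-or-drop action."""
    def __init__(self, sigs):           # sigs: [(attack_id, pattern_bytes, "alert" | "drop"), ...]
        self.sigs = sigs
    def decide(self, pkt):
        for attack_id, pattern, action in self.sigs:
            if pattern in pkt.payload:
                return attack_id, action
        return None, None

class AlertControl:
    """Alert control policy: per (flow, attack ID) key only every `sample`-th alert inside a window
    of `interval` seconds is sent; the rest are filtered."""
    def __init__(self, interval, sample):
        self.interval, self.sample, self.seen = interval, sample, {}   # seen: key -> (window start, count)
    def decide(self, pkt, attack_id):
        key = (pkt.src_ip, pkt.dst_ip, pkt.src_port, pkt.dst_port, pkt.proto, attack_id)
        start, count = self.seen.get(key, (pkt.ts, 0))
        if pkt.ts - start > self.interval:   # window expired: start a new one
            start, count = pkt.ts, 0
        self.seen[key] = (start, count + 1)
        return "send" if count % self.sample == 0 else "filter"

class PolicyEnforcementPoint:
    """Applies the five policies in order and returns the verdict together with its reason."""
    def __init__(self, sig, filt, route, rate, alerts):
        self.sig, self.filt, self.route, self.rate, self.alerts = sig, filt, route, rate, alerts
    def process(self, pkt):
        attack_id, sig_action = self.sig.decide(pkt)
        alert = self.alerts.decide(pkt, attack_id) if attack_id else None
        checks = (("signature", lambda: sig_action == "drop"),        # evaluated lazily, in order
                  ("filter", lambda: self.filt.decide(pkt) == "deny"),
                  ("null-route", lambda: self.route.decide(pkt) == "drop"),
                  ("rate-limit", lambda: self.rate.decide(pkt) == "drop"))
        reason = next((name for name, hit in checks if hit()), None)
        return {"verdict": "drop" if reason else "forward", "reason": reason,
                "attack": attack_id, "alert": alert}

def build_pep():
    """Constructed policy set: web permitted, SSH only from one host, echo requests rate limited."""
    return PolicyEnforcementPoint(
        SignatureDetector([("SIG-1001", b"/etc/passwd", "alert"), ("SIG-2002", b"\x90" * 8, "drop")]),
        PacketFilter([({"proto": "tcp", "dst_port": 80}, "permit"),
                      ({"proto": "tcp", "dst_port": 22, "src_ip": "10.0.0.5"}, "permit"),
                      ({"proto": "icmp", "icmp_type": 8, "icmp_code": 0}, "permit")]),
        RoutingControl(["192.0.2.0/24"]),                   # documentation prefix used as the bit bucket
        RateLimiter({"proto": "icmp"}, rate=1.0, burst=2),
        AlertControl(interval=60.0, sample=3))
```

The order of evaluation is the design choice worth noting: the signature check runs first so that an alert is raised even for a packet the filter would have silently denied, while the rate limiter runs last so that packets already dropped by an earlier policy do not consume tokens.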

   Network Security Policy Model Analysis and Implementation [12, 13] includes:
   1. Analysis: (i) Management requirements: business model, organization structure, IT management; (ii) Technical requirements: existing/planned environment, security issues.
   2. Implementation procedures: (i) Castle defense system: critical information, physical protection, operational system hardening, information access, external access; (ii) Defense planning: threat assessment, risk assessment, user
awareness, monitoring procedure, attack reaction, plans recovery programs, organization system watch.

   In the context of information security, the domain helps the research and application of system security. Simply speaking, a security domain is a collection of entities and resources forming a subset of the environment; they share a security policy set. The security domain is therefore a cross-system and cross-platform collection based on object-oriented information security, information sharing and security demand, and the security policy can serve many safety-related needs and norms [6].

C. Domain System Analysis
   The standard architecture based on policy management has been put forward by the IETF; it is to be used to control the access policy. The core of the structure is the policy enforcement point (PEP) and the policy decision point (PDP), which mainly take account of the circumstances of operating the network management to the router on the basis of the RSVP protocol. The architecture does not involve the adjustment function of quality of service technology within the system, nor does it necessarily reflect the problem of detecting and solving conflicts involving the policy. Meanwhile, most of the network management functions are tailored towards avoiding issues that tend to contribute to a waste of time and network resources when policies are frequently accessed [14, 6]. A model which addresses the traditional security systems that include access control and framework is conceived in Fig. 1. It is designed to achieve the defining factors of management policy, transmission, sharing capability and an optimized implementation procedure, with the Policy Repository (PR) and management tool (PMT) in place.
   The use of a GUI (graphical user interface) by the administration helps to define the policy rules clearly and to handle the role-function domain issues. The role-function domain manages the roles of the human and other resources. The advantage is that it makes the role expression position in the domain structure clear. This brings about improved expansibility in the system through the well spread sub-domains. When objects transfer from one domain to another, their policies are replaced automatically by the policies of the new domain environment. Thus there is no need to modify the policies or to manage the relationship between the policies and objects manually.
   Generally, the function of policy repository access control differs from that of the policy control system. This is because the latter belongs to the operational characteristics of COPS, SNMP and others, while the former is LDAP format based. The abstraction layer provides the required interface between the policy and the domain service application; thus any request made at the policy handling point is channeled to the corresponding policy according to the state of each of the preceding elements in the domain. The whole process is summarized as the embodiment of applying the policy to the specific (idiographic) equipment, transferring it into an SNMP message, COPS message or CLI command, and sending it to the object in the corresponding domain, such as a router, firewall or scanner.

Fig. 1. Policy – Based Network Model

III. RESOURCES MANAGEMENT
   In classification according to the domain, the target of the security policy is the role. The role is the property that is distributed to the target resources, and has the ability of abstract function expression. This means that the resources must support the function of the role from the semantic aspect. After the startup of the policy service, it can choose the role for the service, that is, choose the resources from the security equipment to provide the service based on the matching of domain, role and function.
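The domain model of Section II.C and the role-based resource selection just described can be sketched as a small policy decision point backed by a repository and fronted by an enforcement point. The Python program below is an added example for this page, not code from the paper and not an implementation of the IETF architecture: the repository is a dictionary keyed by LDAP-style names, the CLI, SNMP and COPS messages are illustrative strings (the object identifier in the SNMP message is a placeholder), and the domains, roles, functions and devices are constructed. It shows that moving a resource to another domain rebinds it to that domain's policies without editing any policy, that the PDP selects resources by matching domain, role and function, and, as a check for the conflict problem the text notes the IETF architecture leaves open, how two policies in one domain that target the same role and function with different parameters can be flagged before enforcement.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    name: str
    role: str          # role in the domain that the policy targets
    function: str      # function a resource must support, semantically, to take the policy
    params: dict

@dataclass
class Resource:
    name: str
    kind: str          # "router", "firewall" or "scanner"
    roles: frozenset
    functions: frozenset
    transport: str     # "cli", "snmp" or "cops": how the PEP reaches the device
    domain: str

class PolicyRepository:
    """LDAP-style store: each policy entry lives under its domain's organizational unit."""
    def __init__(self):
        self.entries = {}
    def add(self, domain, policy):
        self.entries[f"cn={policy.name},ou={domain},o=policies"] = (domain, policy)
    def in_domain(self, domain):
        return [p for d, p in self.entries.values() if d == domain]
    def conflicts(self, domain):
        """Pairs of policies in one domain targeting the same role and function with different parameters."""
        seen, found = {}, []
        for p in self.in_domain(domain):
            other = seen.setdefault((p.role, p.function), p)
            if other is not p and other.params != p.params:
                found.append((other.name, p.name))
        return found

class PolicyDecisionPoint:
    def __init__(self, repo, resources):
        self.repo, self.resources = repo, {r.name: r for r in resources}
    def select(self, domain, role, function):
        """Resources in `domain` that carry `role` and support `function`."""
        return sorted(r.name for r in self.resources.values()
                      if r.domain == domain and role in r.roles and function in r.functions)
    def decisions_for(self, name):
        """Policies bound to a resource: those of its current domain matching its roles and functions."""
        r = self.resources[name]
        return [p for p in self.repo.in_domain(r.domain) if p.role in r.roles and p.function in r.functions]
    def move(self, name, new_domain):
        """Moving an object to another domain rebinds it to that domain's policy set; nothing else changes."""
        self.resources[name].domain = new_domain

class PolicyEnforcementPoint:
    """Renders a decision into the message the target device understands (illustrative formats)."""
    @staticmethod
    def render(resource, policy):
        kv = " ".join(f"{k}={v}" for k, v in sorted(policy.params.items()))
        if resource.transport == "cli":
            return f"{resource.name}# policy {policy.name} {policy.function} {kv}"
        if resource.transport == "snmp":
            return f"SET {resource.name} OID-PLACEHOLDER.{policy.function} {kv}"   # OID is a placeholder
        if resource.transport == "cops":
            return f"DEC {resource.name} install {policy.name} {kv}"
        raise ValueError(f"unknown transport {resource.transport}")

def build_scenario():
    """Constructed DMZ and core domains with an edge router, a firewall and a scanner."""
    repo = PolicyRepository()
    repo.add("dmz", Policy("dmz-filter", "edge", "filter", {"default": "deny", "allow": "tcp/80"}))
    repo.add("dmz", Policy("dmz-scan", "sensor", "scan", {"interval": "daily"}))
    repo.add("core", Policy("core-filter", "edge", "filter", {"default": "permit"}))
    repo.add("core", Policy("core-rate", "edge", "ratelimit", {"icmp": "1/s"}))
    resources = [
        Resource("rtr1", "router", frozenset({"edge"}), frozenset({"filter", "ratelimit"}), "cli", "dmz"),
        Resource("fw1", "firewall", frozenset({"edge"}), frozenset({"filter"}), "cops", "dmz"),
        Resource("scan1", "scanner", frozenset({"sensor"}), frozenset({"scan"}), "snmp", "dmz"),
    ]
    return repo, PolicyDecisionPoint(repo, resources)

def apply_all(pdp, name):
    """Decision-to-message pipeline for one resource; returns the rendered device messages."""
    r = pdp.resources[name]
    return [PolicyEnforcementPoint.render(r, p) for p in pdp.decisions_for(name)]
```

A practitioner would run `conflicts()` on a domain before `apply_all()` pushes anything to a device: the repository itself accepts the conflicting entry, so the check has to happen at decision time, which is exactly the gap the text attributes to the standard architecture.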
A. Risk Assessment
   The critical component of the implementation of any information security framework is the performance of an appropriately scoped risk assessment. Ideally this should be an iterative process involving input from several functions within the organization; often such a risk assessment, if performed at all, falls to the IT function, but in order to address all issues surrounding the organization the working group should include representatives of several functions. These include: IT, who know what information is stored and in what format; business lines, as the data owners, who can define which data is required for daily transactions and can define the sensitivity and confidentiality of each dataset and application; and legal and compliance, who can provide technical input into the regulatory and compliance frameworks within which the organization operates and explain external requirements on restricting access to systems and data [15].
   The risk assessment should be regularly updated in order to address changes in the technical, regulatory and operating environments of the organization. A frequent failing in the compliance process is that reasonable conclusions have been drawn at a particular moment in time but that the area has not subsequently been readdressed, and changes in the internal
environment, such as the implementation of new systems as a result of changing business requirements, or in the external environment, such as a modification of the data protection legislation in the territory, have not been taken into account.

B. Management Constraints
   Traditional network management approaches lack the flexibility to configure or reconfigure the network elements according to network requirements unless it is done manually. PBNM is a promising network management paradigm for making administrative tasks easy and less complex. However, there are certain constraints implied by home network requirements: lack of standards, as there is no standardized approach for the management of heterogeneous home networks [16]; lack of simplified techniques, since techniques and tools play a great role in network management but unfortunately there are not many simple techniques and tools available for managing home networks; lack of expertise, since the usual lack of technical skills and the level of expertise of users in typical Home Area Networks (HAN) in the domain of network management make it more complex, because traditional approaches require high-level skills and domain knowledge; and static configurations, since static configurations of network resources make network management static as well, which presents a lack of adaptability in the network when network requirements change.

IV. CONCLUSION
   The implementation and optimization of reliable information security measures is a subject that can require a great deal of expertise, energy and resources to perform properly. No one-size-fits-all framework will be appropriate for all organizations, but by following a set of reasonable standard principles in a structured way, many organizations are able to define and meet their basic requirements in this respect.

V. REFERENCES
[1] Chenghua T., Shuping Y. and Zhongjie C., "A Network Security Policy Model and Realization Mechanism", LNCS 4318, Springer, Beijing, China, 2006.
[2] Kittichote R. and Hu Liang, "Network Security Infrastructure Management", IEEE, 2009.
[3] Sourour M., Adel B. and Tarek Abbes, "A Security Policy and Network Cartography based Intrusion Detection and Prevention Systems", Journal of Information Assurance and Security 4, 2009.
[4] Jiaxi Y., Anjia M. and Zhizhong G., "Vulnerability Assessment of Cyber Security in Power Industry", Power Systems Conference and Exposition, IEEE Press, Atlanta, 2006.
[5] W. Mees, "Risk management in coalition networks", Information Assurance and Security, IEEE Press, Manchester, UK, 2007.
[6] J. Ns et al., "Research for Information and Communication Information Security Control Framework", Information and Communication, vol. 29, no. 9, Sept. 2004.
[7] Seon-gyoung Sohn, Jinoh, Jung-Chan Na, "Design of Network Security Policy Information Model for Policy-based Network Management".
[8] Chenghua Tang et al., "Assessment of Network Policy Based on Security Capability", International Conference on Computer Science and Software Engineering, IEEE, 2008.
[9] Fuqian Shi, Hongbiao Xu and Haining Wang, "A Representative Management Model of Network Security in Enterprise Information", International Conference on Information, Innovation and Industrial Engineering, IEEE, 2008.
[10] T.S. Sobh, "Wired and Wireless Intrusion Detection System: Classification, good characteristics and state-of-the-art", Computer Standards and Interfaces, 28(6), March 2006.
[11] Igor Kotenko, Vitaly Bogdanov, "Proactive Monitoring of Security Policy Accomplishment in Computer Networks", IEEE International Workshop on Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications, Rome, Italy, 2009.
[12] S.J. Ngobeni and M.M. Grobler, "Information Security Policies for Government Organizations: The Minimum Criteria", Council for Scientific and Industrial Research (CSIR), Pretoria, South Africa, 2009.
[13] "Blueprint: Enterprise Security Policy Design", Resolutions Enterprises, 2003.
[14] Gu Yue-Sheng, Zhang Bao-jian, Yu Zhou, "Wireless Network Security Policy Based on Integrated Vulnerability Management", International Conference on Networking and Digital Society, IEEE, 2009.
[15] David Simms, "Information Security Optimization: From Theory to Practice", PricewaterhouseCoopers SA, Lausanne, Switzerland, 2009.
[16] Annie Ibrahim Rana and Micheal O Foghlu, "New Role of Policy-based Management in Home Area Networks: Concepts, Constraints and Challenges", TSSG, WIT, Ireland, 2009.
