Firewall Wizards mailing list archives
Re: Security Policy methodologies
From: sedayao () orpheus sc intel com (Jeff Sedayao)
Date: Mon, 29 Dec 1997 11:50:24 -0800 (PST)
I'm seeking information on any methodologies for developing Security Policies.
Basically, I'm developing a paper of utilising software engineering techniques to abstract the process and to analyse the result for completness. I need to know if this has been tried and what other methods do people use to create the policy document?
I'll sumarise the results and post them to the list as well as posting the url of the finished paper.
I have done something similar to this for the packet filtering parts of our firewall. I generate cisco packet filtering rules using macro substitution and a Makefile. This allows me to do convenient software engineering like things such reusing components like filter rules sets of related networks on extended access list rules on different routers. I also can have use higher level abstractions to simplify specifying policy. It also allows me to do build consistent filtering policies across many routers distributed through the company. On the analysis end, I had someone create a model for me in Netsys, the cisco configuration analysis tool. Along with that model is included a series of tests that can check for obvious security holes (kind of an access list lint). Generated access lists can be loaded into Netsys and then checked for holes. Of course, you can only verify what you check for, but that is much much better than having nothing. Also, this only checks the routers, not our actual proxies. One could debate that this process is not generating and analyzing a security policy but only the implementation of the security policy, but I'll leave that academic debate up to others. I don't have a paper on this out (got rejected by referees). Other pointers: 1. There was a paper in the USENIX Computing Journal building router configurations in a similar way. Abstract at http://www.usenix.org/publications/computing/9.3.html 2. I had talked to Professor Stephen Fickas at the University of Oregon (http://www.cs.uoregon.edu/people/faculty/fickas.html) about his work in requirements generation. He had some students working on using software engineering techniques to generate requirements for routing and security policies. They were initially working with firewall-1's LISPish specification language. I am not sure if he is still doing work in this area, but you could ask.
Yours,
Bret Watson Technical Incursion Countermeasures Providing the means for your company's self-defense consulting () bwa net http://www.ticm.com/ ph: (+61)(08) 9429 8898(UTC+8 hrs) fax: (+61)(08) 9429 8800
-- Jeff Sedayao Intel Corporation sedayao () orpheus sc intel com
Current thread:
- Software and platform for an Enterprise Firewall Paul_Schmiege (Dec 23)
- Re: Software and platform for an Enterprise Firewall Bennett Todd (Dec 24)
- Security Policy methodologies Bret Watson (Dec 29)
- Re: Security Policy methodologies Jeff Sedayao (Dec 29)
- Security Policy methodologies Bret Watson (Dec 29)
- Re: Software and platform for an Enterprise Firewall Rick Smith (Dec 24)
- Re: Software and platform for an Enterprise Firewall Bennett Todd (Dec 24)