Firewall Wizards mailing list archives
Survey so far - Security Policy methodologies
From: Bret Watson <lists () bwa net>
Date: Sun, 04 Jan 1998 11:45:43
OK, I've received several responses so far, most of them from the firewall-wizards list, some from the infsec list and others...

Most of the responses dealt with some form of 'attack response'; in other words, they dealt with things like setting up firewall rules (aka policies). A few responses dealt with threat trees - not really what I was looking for, but the two papers suggested (legion project - MOAT) were quite good in their own right. And a couple of responses regarding TCB Evaluation.

Useful information on using a formal methodology to create a written corporate security policy: the MOAT technique looks quite useful for threat analysis; I might try and use it for policy design. The paper is at http://www.cs.virginia.edu/~dmk8r/MOAT.ps.

Apart from that - very little - perhaps this was my fault for not fully specifying what I was looking for, so...

I am seeking information regarding creating written security policies (and SOPs) using formal methods (aka some form of software engineering methodology) for a paper. The paper seeks to develop a methodology that enables the policy writer to:

i) present cause-effect relationships in a simplified form for management approval - presently the mounds of text produced are not in a digestible form for senior management, the people who have to provide backing for these policies.

ii) enable a level of 'code' reuse without the problems of simply cutting and pasting from such tomes as 'policies made easy' - this is not to put down the role that these documents have - they are very good, but you should never just take the policy straight from there; local legalities and conditions need to be considered at least.

iii) enable some form of testing on paper that the policy is complete and consistent: that it does not permit contradictions and that it will allow correct responses to events.

It would also be nice to enable it to be used in code, as this would then allow policies to be implemented directly on the system - RAS from Technologic does this (http://www.technologic.com) - I wish to improve on it.

Yours,
Bret

Technical Incursion Countermeasures
Providing the means for your company's self-defense
consulting () bwa net
http://www.ticm.com/
ph: (+61)(08) 9429 8898 (UTC+8 hrs)
fax: (+61)(08) 9429 8800