166,474 research outputs found

    Establishing Regis Network Security Policy

    This project proposes to establish a security policy for the computer lab Local Area Network (LAN) at the Colorado Springs Campus (CSC) for the Network Lab Practicum (NLP) by completing a network analysis to determine requirements. Utilizing the current network configuration, a risk assessment will be performed to identify vulnerabilities and threats to the information system. Once the risk analysis is completed, a network security plan will be developed to protect system resources. The security policy will include, at a minimum, access policies, password management, firewall policy, policy on use of active code and the Internet, standards and interoperability policies, a VPN policy, and enforcement standards. The System Development Life Cycle (SDLC) approach will be used as the project methodology. Key deliverables will include a configuration management baseline, security policy and procedures, wiring diagram, firewall, anti virus protection and lessons learned. The project will culminate with a presentation to the academic board. Class utilization of the LAN will determine the success of the project. In the final phase of the project, the LAN will be turned over to the CSC NLP for administration, classroom support and future project opportunities. Keywords: security policy, risk assessment, lessons learned, local area network, system development life cycle, password, firewall, antivirus, configuration management

    Policy and Security Configuration Management Systems in Cross-Organisational Settings

    A context of use analysis is an important step in every software engineering project. Comprising the identification of the key system users as well as an analysis of the system environment and the activities supported, this engineering step is crucial for the successful development of information systems. Clarity with respect to the users’ demand for system support and their participation in the activities supported by the system is considered particularly important for systems which are critical for organizational continuity and which are used across organizational boundaries. Systems supporting policy and security configuration management in networks of IT service providers, their customers and auditors meet both of these criteria. Within the scope of this article, the context of use of such a system supporting policy and security configuration management is investigated by means of a user-oriented approach. The focus lies on a specific setting being investigated within the scope of an on-going research project. The investigation which was based on a series of qualitative interviews as well as desk research resulted in a comprehensive description of the participation of a set of key system users in activities related to policy and security configuration management as well as their demand for system support. Also the key users and the activities to be supported are discussed within the scope of this article

    User-oriented Network Security Policy Specification

    The configuration and management of security controls and applications is complex and not well understood by the majority of end-users (i.e. it typically requires specific skills). The security policy language simplifies this task and reduces the number of errors and anomalies. This paper proposes the specification of the two mechanisms for defining user’s security policies, namely High-level Security Policy Language (HSPL) and Medium-level Security Policy Language (MSPL). HSPL is suitable for expressing the protection requirements of typical non-technical users, while MSPL is a lower-level abstraction useful for expressing specific configurations of security controls in a generic format (as such it is more appealing for technical users)

    A model for the analysis of security policies in service function chains

    Two emerging architectural paradigms, i.e., Software Defined Networking (SDN) and Network Function Virtualization (NFV), enable the deployment and management of Service Function Chains (SFCs). A SFC is an ordered sequence of abstract Service Functions (SFs), e.g., firewalls, VPN-gateways, traffic monitors, that packets have to traverse in the route from source to destination. While this appealing solution offers significant advantages in terms of flexibility, it also introduces new challenges such as the correct configuration and ordering of SFs in the chain to satisfy overall security requirements. This paper presents a formal model conceived to enable the verification of correct policy enforcements in SFCs. Software tools based on the model can then be designed to cope with unwanted network behaviors (e.g., security flaws) deriving from incorrect interactions of SFs in the same SFC

    Adding Support for Automatic Enforcement of Security Policies in NFV Networks

    This paper introduces an approach towards automatic enforcement of security policies in NFV networks and dynamic adaptation to network changes. The approach relies on a refinement model that allows the dynamic transformation of high-level security requirements into configuration settings for the Network Security Functions (NSFs), and optimization models that allow the optimal selection of the NSFs to use. These models are built on a formalization of the NSF capabilities, which serves to unequivocally describe what NSFs are able to do for security policy enforcement purposes. The approach proposed is the first step towards a security policy aware NFV management, orchestration, and resource allocation system - a paradigm shift for the management of virtualized networks - and it requires minor changes to the current NFV architecture. We prove that our approach is feasible, as it has been implemented by extending the OpenMANO framework and validated on several network scenarios. Furthermore, we prove with performance tests that policy refinement scales well enough to support current and future virtualized networks

    A System For Visual Role-Based Policy Modelling

    The definition of security policies in information systems and programming applications is often accomplished through traditional low level languages that are difficult to use. This is a remarkable drawback if we consider that security policies are often specified and maintained by top level enterprise managers who would probably prefer to use simplified, metaphor oriented policy management tools. To support all the different kinds of users we propose a suite of visual languages to specify access and security policies according to the role based access control (RBAC) model. Moreover, a system implementing the proposed visual languages is proposed. The system provides a set of tools to enable a user to visually edit security policies and to successively translate them into (eXtensible Access Control Markup Language) code, which can be managed by a Policy Based Management System supporting such policy language. The system and the visual approach have been assessed by means of usability studies and of several case studies. The one presented in this paper regards the configuration of access policies for a multimedia content management platform providing video streaming services also accessible through mobile devices

    Configuration and management of security procedures with dedicated ‘spa-lang’ domain language in security engineering

    The security policy should contain all the information necessary to make proper security decisions. The rules and needs for specific security measures and methods should be explained in an understandable way. None of the existing security mechanisms can guarantee complete protection against threats. In extreme cases, improperly used security mechanisms can lower the level of protection, giving the impression of security that is actually lacking. To enable simple and automated definition of security procedures for IT system of a company or organization, available not only to qualified IT professionals, e.g. system administrators, but also to the company's management staff, it was decided to create an Intelligent System for Automation and Analysis of Security Procedures (iSPA). The paper presents the proposal to use the developed domain language, named 'spa-lang', for configuration and management of security procedures in security system engineering based on BPMN (Business Process Model and Notation) standard

    PLAN: Joint policy- and network-aware VM management for cloud data centers

    Policies play an important role in network configuration and therefore in offering secure and high performance services especially over multi-tenant Cloud Data Center (DC) environments. At the same time, elastic resource provisioning through virtualization often disregards policy requirements, assuming that the policy implementation is handled by the underlying network infrastructure. This can result in policy violations, performance degradation and security vulnerabilities. In this paper, we define PLAN, a PoLicy-Aware and Network-aware VM management scheme to jointly consider DC communication cost reduction through Virtual Machine (VM) migration while meeting network policy requirements. We show that the problem is NP-hard and derive an efficient approximate algorithm to reduce communication cost while adhering to policy constraints. Through extensive evaluation, we show that PLAN can reduce topology-wide communication cost by 38 percent over diverse aggregate traffic and configuration policies

    Multi-Agent Based Security Framework for E-Government in Recently technology Developed Countries

    E-Government is an environment where government produces services to citizens electronically, this is beside services to other e-Governments, and one crucial factor regarding the reliability of accepting services provided by e-Government is the security factor. This work is targeting Countries in their developing process that need to develop a configurable management model that is capable of adapting security technologies to other factors revealed from the society. The configuration of this management model will be autonomously built up through the association of three domains presented by this proposal: policies, measures and infrastructure. Along this work, ontology will be built up to accommodate these domains and eventually to grant Agent software the ability to perceive the environment and configure the management model for deploying security technologies. Keywords: Socio-Techno, Java Agent, Security policy, eGovernment, JADE, Ontology, knowledge development

    DR BACA: dynamic role based access control for Android

    Thesis (M.S.)--Boston University. Android, as an open platform, dominates the booming mobile market. However, its permission mechanism is inflexible and often results in over-privileged applications. This in turn creates severe security issues. Aiming to support the Principle of Least Privilege, we propose a Dynamic Role Based Access Control for Android (DR BACA) model and implement the DR BACA system to address these problems. Our system offers multi-user management on Android mobile devices, comparable to traditional workstations, and provides fine-grained Role Based Access Control (RBAC) to enhance Android security at both the application and permission level. Moreover, by leveraging context-aware capabilities of mobile devices and Near Field Communication (NFC) technology, our solution supports dynamic RBAC that provides more flexible access control while still being able to mitigate some of the most serious security risks on mobile devices. The DR BACA system is highly scalable, suitable for both end-users and large business environments. It simplifies configuration and management of Android devices and can help enterprises to deal with security issues by implementing a uniform security policy. We show that our DR BACA system can be deployed and used with ease. With a proper security policy, our evaluation shows that DR BACA can effectively mitigate the security risks posed by both malicious and vulnerable non-malicious applications while incurring only a small overall system overhead