On Scalability and Modularisation in the Modelling of Network Security Systems

  • João Porto de Albuquerque
  • Heiko Krumm
  • Paulo Lício de Geus
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3679)


As the use of computers and data communication technologies spreads, network security systems are becoming increasingly complex, because they must incorporate a variety of mechanisms to fulfil the protection requirements of emerging scenarios. The integrated design and management of different security technologies and mechanisms are therefore of great interest. Especially in large-scale environments, the deployment of security services and the design of their configurations should be supported by a structured technique that separates the consideration of the system as a whole from the detailed design of its subsystems. To accomplish this goal, this paper presents a scalable approach to the modelling of large security systems, relying on the concepts of policy-based management and model-based management.


Keywords: Intrusion Detection System, Abstraction Level, Structural Connection, Authorisation Policy, Service Permission



Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • João Porto de Albuquerque (1, 2)
  • Heiko Krumm (2)
  • Paulo Lício de Geus (1)
  1. Institute of Computing, State University of Campinas, Campinas/SP, Brazil
  2. FB Informatik, University of Dortmund, Dortmund, Germany
