Improving the Configuration Management of Large Network Security Systems

  • João Porto de Albuquerque
  • Holger Isenberg
  • Heiko Krumm
  • Paulo Lício de Geus
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3775)


The security mechanisms employed in today's networked environments are increasingly complex, and their configuration management plays an important role in the protection of these environments. Especially in large-scale networks, security administrators are faced with the challenge of designing, deploying, maintaining, and monitoring a huge number of mechanisms, most of which have complicated and heterogeneous configuration syntaxes. This work offers an approach for improving the configuration management of network security systems in large-scale environments. We present a configuration process supported by a modelling technique that uniformly handles different mechanisms and by a graphical editor for the system design. The editor incorporates focus and context concepts for improving model visualisation and navigation.


Keywords: Security Policy, Security Mechanism, Authorisation Policy, Security Administrator, Internal Mail
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



Copyright information

© IFIP International Federation for Information Processing 2005

Authors and Affiliations

  • João Porto de Albuquerque (1, 2)
  • Holger Isenberg (2)
  • Heiko Krumm (2)
  • Paulo Lício de Geus (1)

  1. Institute of Computing, State University of Campinas, Campinas, Brazil
  2. FB Informatik, University of Dortmund, Dortmund, Germany
