
Research On Policy Framework And Some Of Its Key Technologies For Network Security Management

Posted on: 2010-09-13
Degree: Doctor
Type: Dissertation
Country: China
Candidate: J H Wu
GTID: 1118360302471165
Subject: Computer system architecture
Abstract/Summary:
Policy-based network security management uses policy mechanisms to improve the scalability and flexibility of the managed system, and is widely regarded as the most promising approach to the security problems of large-scale distributed systems. The IETF (Internet Engineering Task Force) policy framework has been widely studied and applied, but it has some deficiencies when applied to network security management, so research on a policy framework and its key technologies for network security management has both theoretical and practical significance.

A Policy Framework for Network Security Management (NSMPF) is proposed on the basis of an analysis of the IETF policy framework and the requirements of network security. The framework improves on the IETF design by introducing a policy decision reference point, a policy analysis tool and a policy function validation module. The function of each module and the workflow of the framework are presented, and a network security architecture is built on NSMPF. To support both security policy and management policy, a policy description method based on the XML (eXtensible Markup Language) specification language is presented.

The policy decision reference point in NSMPF uses the GA-ARB (Genetic Algorithm for Anomaly Rule Base) algorithm to generate an anomaly rule base that serves as a reference for the policy decision point. GA-ARB is based on the standard genetic algorithm. It adopts an expert rule set as the initial population and codes the chromosome from the 22 properties of a network connection that best reflect the characteristics of an anomaly. The fitness function is built from the number of anomalous connections and the number of normal connections that an individual matches. During reproduction it applies an optimum-maintaining (elitist) strategy and an identified-individual protection strategy, which together ensure that the optimal solution is not lost.
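As an added illustration of the GA-ARB description above (example code written for this page, not the dissertation's implementation), the following Python evolves connection-matching rules from an expert seed set. It assumes six discrete connection features instead of the 22 properties of the thesis, a fitness equal to anomalous connections matched minus normal connections matched, elitism as the optimum-maintaining strategy, and a fitness threshold as the identified-individual protection; the connection records and the expert rule are constructed.

```python
import random

# Feature names of a connection record.  GA-ARB codes 22 properties of a
# connection; this added example uses 6 (an assumption) to stay readable.
FEATURES = ("protocol", "service", "flag", "src_bytes", "dst_bytes", "count")
WILDCARD = None  # "don't care" gene: the rule ignores that feature

# Constructed sample connections (not data from the dissertation): seven
# anomalous and seven normal, so the all-wildcard rule scores exactly 0.
ANOMALY = [
    ("tcp", "http", "S0", "zero", "zero", "high"),     # SYN-flood pattern
    ("tcp", "http", "S0", "zero", "zero", "high"),
    ("tcp", "ftp", "S0", "zero", "zero", "high"),
    ("tcp", "smtp", "REJ", "zero", "zero", "high"),
    ("icmp", "ecr_i", "SF", "large", "zero", "high"),  # smurf-style echo flood
    ("icmp", "ecr_i", "SF", "large", "zero", "high"),
    ("tcp", "telnet", "REJ", "zero", "zero", "low"),   # slow port probe
]
NORMAL = [
    ("tcp", "http", "SF", "small", "medium", "low"),
    ("tcp", "http", "SF", "small", "large", "high"),   # busy but legitimate client
    ("tcp", "smtp", "SF", "medium", "small", "low"),
    ("udp", "dns", "SF", "small", "small", "low"),
    ("udp", "ntp", "SF", "small", "small", "low"),
    ("icmp", "ecr_i", "SF", "small", "zero", "low"),
    ("tcp", "ftp", "SF", "medium", "large", "low"),
]
# Per-feature value domain, used when mutating a gene.
DOMAIN = [sorted({c[i] for c in ANOMALY + NORMAL}) for i in range(len(FEATURES))]

def matches(rule, conn):
    """A rule matches a connection if every non-wildcard gene equals the feature."""
    return all(g is WILDCARD or g == v for g, v in zip(rule, conn))

def fitness(rule):
    """Anomalies matched minus normals matched: the text's match-count fitness."""
    return sum(matches(rule, c) for c in ANOMALY) - sum(matches(rule, c) for c in NORMAL)

def crossover(a, b, rng):
    """Single-point crossover of two chromosomes."""
    point = rng.randrange(1, len(a))
    return a[:point] + b[point:], b[:point] + a[point:]

def mutate(rule, rng, rate=0.15):
    """Replace each gene with probability `rate` by a wildcard or a domain value."""
    genes = list(rule)
    for i in range(len(genes)):
        if rng.random() < rate:
            genes[i] = rng.choice([WILDCARD] + DOMAIN[i])
    return tuple(genes)

def ga_arb(expert_rules, generations=40, pop_size=30, identified_at=2, seed=1):
    """Evolve an anomaly rule base from an expert seed set.

    Returns (rule_base, best_fitness_per_generation).  `identified_at` is the
    fitness at which an individual counts as an identified rule (assumed value).
    """
    rng = random.Random(seed)
    pop = list(expert_rules)
    while len(pop) < pop_size:  # pad the initial population with random rules
        pop.append(tuple(rng.choice([WILDCARD] + DOMAIN[i]) for i in range(len(FEATURES))))
    history = []
    for _ in range(generations):
        scored = sorted(pop, key=fitness, reverse=True)
        best = scored[0]
        history.append(fitness(best))
        # Optimum-maintaining strategy: the best individual is copied unchanged.
        # Identified-individual protection: rules that already reach the threshold
        # are carried over untouched, so a rule once found is never mutated away.
        keep = [best] + [r for r in scored if fitness(r) >= identified_at]
        nxt = list(dict.fromkeys(keep))[: pop_size // 2]

        def select():  # binary tournament selection
            a, b = rng.sample(scored, 2)
            return a if fitness(a) >= fitness(b) else b

        while len(nxt) < pop_size:
            c1, c2 = crossover(select(), select(), rng)
            nxt.append(mutate(c1, rng))
            if len(nxt) < pop_size:
                nxt.append(mutate(c2, rng))
        pop = nxt
    rule_base = sorted({r for r in pop if fitness(r) >= identified_at}, key=fitness, reverse=True)
    return rule_base, history

# Expert seed rule (constructed): a TCP connection that never completed the handshake.
EXPERT_RULES = [("tcp", WILDCARD, "S0", WILDCARD, WILDCARD, WILDCARD)]

if __name__ == "__main__":
    rules, hist = ga_arb(EXPERT_RULES)
    print("best fitness per generation:", hist)
    for r in rules:
        print(fitness(r), dict(zip(FEATURES, r)))
```

Because the best individual is copied into every new generation, the best fitness recorded in `history` can never fall, which is the guarantee the text attributes to the optimum-maintaining strategy; the threshold rule base is what the decision point would consult. A practitioner would score the returned rules against a held-out set of connections before trusting them, since the fitness above is measured on the same records the population was evolved on.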
The convergence and performance of GA-ARB are analyzed.

The policy analysis tool in NSMPF uses a policy algebra to describe Ponder authorization, delegation, obligation and refrain policies. The possible relationships between corresponding components of two policies are discussed: completely disjoint, exactly matching, inclusively matching, partially matching and correlated. Based on this classification, the possible conflicts are identified and corresponding resolutions are provided. The main resolution method is to assign priorities. Besides several common priority-setting principles, new principles are introduced under which the newly created or modified policy, the newly loaded policy and the included (more specific) policy take priority. Algebraic methods are also used to resolve certain types of conflict.

The policy function validation mechanism in NSMPF is built on an analysis of the policy hierarchy and the policy refinement procedure. A newly added security policy is automatically refined into low-level policies that can be executed on network devices, and simulation test data is generated from these low-level policies. Address-space segmentation is used to plan the test data generation, which ensures that every decision path is exercised while avoiding the cost of exhaustive testing and the gaps of random testing.

The research on the policy framework and some of its key technologies for network security management yields results of both theoretical and practical value, which also help to ensure the service quality of the policy system and to enhance the security of the managed network.
Keywords/Search Tags:Network security management, Security policy, Policy framework, Policy description, Policy conflict, Policy refinement, Genetic algorithm