The Dynamic And Centralized Policy Management Of Large-scale Network Security Appliances

Posted on: 2006-12-21
Degree: Master
Type: Thesis
Country: China
Candidate: X H Wang
Full Text: PDF
GTID: 2178360185995498
Subject: Computer application technology
Abstract/Summary:
Centralized management is the current trend in security management, in contrast to dispersed management, which suffers from inconsistent policy, poor extensibility, difficult maintenance and low management efficiency. In the centralized pattern, policy data is distributed from the policy management center to the different devices, which enhances the ability to manage network security devices.

Because security devices are complex and varied, security management faces several challenges. For example, there is a lack of effective methods and mature technical standards for processing heterogeneous policies consistently and for policy collaboration mechanisms. At the same time, a single policy control pattern cannot respond to the policy requests issued frequently by a huge number of devices, which results in low efficiency of the PDP's policy distribution.

Based on a comprehensive analysis of the traditional network management pattern, this paper presents a dynamic, centralized policy management scheme, built on the PBNM framework, for managing a huge number of network devices. In this scheme, the techniques of Mixed Policy Loading and Adaptive Policy Increment Process are used for the first time, and they solve the following core issues:

Centralized management of a large number of security policies, which adopts SSO, a JMX-based policy server and a centralized security policy storage mechanism to realize consistent, integrated, end-to-end network security.

Automated policy distribution, which adopts a custom UDP-based policy encapsulation protocol and both "push" and "pull" service modes, ensuring that security policy is applied to the different devices in time without manual intervention.

Mixed policy management, which uses the same memory layout to manage the flow of different policies automatically and dynamically, and supports rapid policy development and deployment for new security devices through an easy-to-use device SDK.

Incremental policy distribution, in which the policy increment engine automatically chooses the best policy distribution strategy based on the difference in policy content between the device and the server.

This scheme enables the management of a huge number of heterogeneous policies, optimizes the running processes and significantly improves the efficiency of policy management.
Keywords/Search Tags: network management, policy, increment, PBNM, LDAP, COPS