Security Assurance Policy Helper (saph)

Security Assurance Policy Helper (SAPH)

  • 鄭伯炤



  • What is the Problem?

  • Security Management Life Cycle

  • SAPH (Security Assurance Policy Helper)

    • SLC (Security Language Composer)
    • VAST (Vulnerability Assessment & Security Testing)
  • SAPH and Security Assurance

  • Conclusion

  • Reference

The Reality

Attack Motivations, Phases and Goals

What is the Problem?

Security Management Cycle Problems


  • Design

    • Defining a good security policy and the network topology in accordance with the requirements of the enterprise and the goals of the business
  • Monitoring & Audit

    • Performing testing and scanning to appraise risk values on the target network
  • Implementation

    • Including installation, system-level testing, education and technical transfer, etc.
  • Assessment & Testing

    • Check whether the security policy is implemented correctly and investigate any intrusions

SAPH Architecture

SLC: Get The Highest Level of Security

SAPH Components – Security Language Composer

  • GUI: a graphical user interface for user interaction

  • Policy & Topology Model: allows the user to define security policies and network topology based on business and service requirements

  • Security Guardian: an engine that evaluates the risk of exposure and the cost of security breaches based on built-in and user-defined functions

  • Object Storage: stores network objects and security policy definitions

  • Enforcement: an intelligent agent that produces configuration profiles based on acceptable risks, security policy settings and network topology

  • Configuration Profile: a set of configuration parameters and running scripts for network elements and security devices

Policy & Topology Model

  • Display an idea

  • Communicate with the system and other engineers

  • OAB (Object Association Binding)

    • Object
      • Entity, Concept or Group
      • Data & Attribution
    • Association
      • Relation between two objects
      • Direction, Condition, Action & Transition
    • Binding

OAB (Object Association Binding)

Security Guardian : Check Policy & Topology and Evaluate the Risk

Risk Relationship

Evaluation Function (Built-In and User-Defined)


SLC: Get The Highest Level of Security

  • Make good security policies to protect your networks and services

    • Accomplishable
    • Enforceable
    • Definable
  • Identify real security needs for service and match business requirements

  • Assessment and risk evaluation

SAPH Architecture

VAST: Assure Information and Networking Security

  • Assessment

  • Penetration

    • System penetration test
    • Security policy certification
  • Auditing

    • Log analysis

SAPH Components - Vulnerabilities Assessment & Security Testing (VAST)

  • Import/Interpreter: a converter that imports audit logs/syslog from security audit tools and network elements into the Black Hat Database, or transforms attack severity/structure for the Evaluator for further analysis

  • Black Hat Database: real hacker signatures and methods

  • White Hat Database: network architecture and network element (e.g., router and firewall) configuration, security profiles and well-known security holes

  • Verifier: an engine that uses both the Black Hat and White Hat Databases to forecast/analyze possible vulnerabilities

  • Script Generator: generates script files to exploit vulnerabilities

  • Lighter: an engine that launches attacks based on hacker scripts


VAST: Assure Information and Networking Security

  • Assessment

    • Information reconnaissance and network scan
    • Vulnerability assessment and threat analysis
  • Penetration

    • System penetration test
    • Security policy certification
  • Auditing

    • Log analysis

SAPH and Security Assurance

  • Design assurance

    • Policy & Topology Model : OAB (Object Association Binding)
    • Security Guardian
  • Development assurance

    • VAST
  • Operation assurance

    • Enforcement
    • GUI


Reference (1/2)

  • BCS Review 2001, “Setting standards for information security policy”

  • B. Fraser, “RFC2196: Site Security Handbook”, IETF, September 1997.


  • E. Carter, Cisco Secure Intrusion Detection System, Cisco Press, 2001

  • G. Stoneburner, A. Goguen, and A. Feringa "Risk Management Guide for Information Technology Systems", Special Publication 800-30, NIST.

  • J. Wack and M. Tracey, “Guideline on Network Security Testing”, Draft Special Publication 800-42, NIST, February 4, 2002

Reference (2/2)

  • Microsoft Security Bulletin MS03-028

  • R. M. Barnhart, “High Assurance Security Medical Information Systems”, Science Application International Corporation, 2000

  • SANS Institute - Security Policy Project.

  • S. Northcutt, L. Zeltser, S. Winters, K. Kent Frederick, R. W. Ritchey, Inside Network Perimeter Security, New Riders, 2003

  • T. Layton, “Penetration Studies – A Technical Overview” SANS, May 30, 2002

  • Question?

  • Thank You!
