Generating Policies for Defense in Depth

	This Article
	Subscribers, please Login Purchase article: $19 PDF IEEE Xplore Subscribers RSS feed
	Share
	Email this Article to a friend
	Bibliographic References
	ASCII Text BibTex RefWorks Procite/RefMan/Endnote
	Add to:
	Digg Furl Spurl Blink Simpy Google Del.icio.us Y!MyWeb
	Search
	Similar Articles Articles by Paul Rubel Articles by Michael Ihde Articles by Steven Harp Articles by Charles Payne

21st Annual Computer Security Applications Conference (ACSAC'05)

Tucson, Arizona

December 05-December 09

ISBN: 0-7695-2461-3

	ASCII Text	x
	Paul Rubel, Michael Ihde, Steven Harp, Charles Payne, "Generating Policies for Defense in Depth," Computer Security Applications Conference, Annual, pp. 505-514, 21st Annual Computer Security Applications Conference (ACSAC'05), 2005.

	BibTex	x
	@article{ 10.1109/CSAC.2005.26, author = {Paul Rubel and Michael Ihde and Steven Harp and Charles Payne}, title = {Generating Policies for Defense in Depth}, journal ={Computer Security Applications Conference, Annual}, volume = {0}, year = {2005}, issn = {1063-9527}, pages = {505-514}, doi = {http://doi.ieeecomputersociety.org/10.1109/CSAC.2005.26}, publisher = {IEEE Computer Society}, address = {Los Alamitos, CA, USA}, }

	RefWorks Procite/RefMan/Endnote	x
	TY - CONF JO - Computer Security Applications Conference, Annual TI - Generating Policies for Defense in Depth SN - 1063-9527 SP505 EP514 A1 - Paul Rubel, A1 - Michael Ihde, A1 - Steven Harp, A1 - Charles Payne, PY - 2005 KW - null VL - 0 JA - Computer Security Applications Conference, Annual ER -

Paul Rubel, BBN Technologies, Cambridge, MA

Michael Ihde, University of Illinois at Urbana-Champaign

Steven Harp, Adventium Labs, Minneapolis, MN

Charles Payne, Adventium Labs, Minneapolis, MN

DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/CSAC.2005.26

Coordinating multiple overlapping defense mechanisms, at differing levels of abstraction, is fraught with the potential for misconfiguration, so there is strong motivation to generate policies for those mechanisms from a single specification in order to avoid that risk. This paper presents our experience and the lessons learned as we developed, validated and coordinated network communication security policies for a defensein- depth enabled system that withstood sustained red team attack. Network communication was mediated by host-based firewalls, process domain mechanisms and application-level security policies enforced by the Java Virtual Machine. We coordinated the policies across the layers using a variety of tools, but we discovered that, at least for defense-in-depth enabled systems, constructing a single specification from which to derive all policies is probably neither practical nor even desirable.

Citation:

Paul Rubel, Michael Ihde, Steven Harp, Charles Payne, "Generating Policies for Defense in Depth," acsac, pp.505-514, 21st Annual Computer Security Applications Conference (ACSAC'05), 2005

Peer Review Notice | Give Us Feedback

Usage of this product signifies your acceptance of the Terms of Use.