Framework for the Policy-Based Security Management of a Computer Network

摘要

We introduce a framework for managing security of a large dynamic network. The framework is based on a manager agent concept. The central manager stores security policies and monitors network topology and states in real time. An agent installed in a managed node reports the security related state to the manager and executes management commands received from the manager. When the manager finds a change in network topology or state, it checks if the network state after the change conforms to security policies. If any deviation is found, the manager plans/executes management commands to return the network into the state conforming to policies. In this paper we describe the framework for the network security management and the security policy specification language.