Deriving Authority from Security Policy
Status

This project is part of the Authentication, Authorisation and Accounting (AAA) Programme and is funded by the JISC.

Policy Based Management

In recent years, there has been a great deal of interest in the research community in the development of various forms of policy-based management. The common theme in this work is the expression of the required behaviour as a set of rules or policies in as abstract a form as possible, and in such a way that dynamic changes to the policies can be made without disrupting the running of the infrastructure. Suitable tools are used to translate from the policies to the low-level constraints and decisions that are needed within the infrastructure to put them into effect.

Application to Security

In providing security, there is a need to consider both network and middleware control mechanisms together in order to take account of the interaction of role- or identity-based measures with countermeasures to denial of service attacks. Denial of service needs to be countered as early in the communication process as possible, and with the minimum cost in resource terms. Authentication, on the other hand, needs to be substantially end-to-end in scope. Currently, the two are generally seen as supported by independent mechanisms, and the firewall configuration is generally quite static because of the costs of configuration design and deployment. A policy-based approach allows configuration management to be more automated, and thus would allow shorter-term knowledge of service use derived from authentication to be exploited in a more agile, and so more effective, firewall configuration process.

Deliverables

The final report is available here. Please send any questions or comments to P.F.Linington@kent.ac.uk.