Policy Units and Categories: Networking Models for Simplifying Security Policy Management

Madeline Van Ness, Xin Sun
2020 IEEE 39th International Performance Computing and Communications Conference (IPCCC), published 2020-11-06
DOI: 10.1109/IPCCC50635.2020.9391572 (https://doi.org/10.1109/IPCCC50635.2020.9391572)
Citations: 0

Abstract

This paper proposes new models for simplifying policy management in enterprise networks. The application of these models to five operational networks has demonstrated their capacity for abstractly modeling network policy structures and their potential for simplifying network management tasks, which would result in reduced opportunity for human error in network management. This is useful because human error is currently a significant cause of data breaches in enterprise networks, so a reduction in human errors would be greatly beneficial to network security. Specifically, we have created two new models for abstracting policies. The policy unit model divides a network into sections, called policy units, by grouping hosts together according to similarities in the existing policy rules that are applied to them. This model allows policies to be viewed and analyzed at a higher level of abstraction, which would increase the efficiency of policy management (e.g., rule changes can be applied to an entire policy unit at once). The category model groups policy units together, giving the potential for even greater efficiency. Analysis of the application of these models to five enterprise networks exposed new insight into policy management in production networks, and showed that policy management in large networks could be greatly simplified through the use of these models. This indicates the potential benefit of integrating our models in future network management systems.