Bands: an inter-domain Internet security policy management system for IPSec/VPN

IFIP/IEEE Eighth International Symposium on Integrated Network Management, 2003. Pub Date : 2003-03-24 DOI:10.1109/INM.2003.1194183

Yanyan Yang, Z. Fu, S. F. Wu

{"title":"Bands: an inter-domain Internet security policy management system for IPSec/VPN","authors":"Yanyan Yang, Z. Fu, S. F. Wu","doi":"10.1109/INM.2003.1194183","DOIUrl":null,"url":null,"abstract":"IPSec/VPN is widely deployed for users to remotely access their corporate data. IPSec policies must be correctly set up for VPN to provide anticipated protection. Manual policy setup is unscalable, inefficient and error-prone. Automated policy generation to comply with and enforce high-level security policies is desired but difficult, especially in an inter-domain environment when a VPN traverses multiple domains. This paper presents a distributed framework and protocol, BANDS, for inter-domain policy negotiation and generation. The BANDS architecture consists of two phases: AS (autonomous system) route path discovery and an inter-domain collaborative protocol for policy negotiation among the autonomous systems discovered in the first phase. Each AS conceptually has one security requirement server responsible for the task of inter-domain policy negotiation. Following this two-step process in BANDS, a set of distributed security policies (for the implementation of policy enforcement) is automatically negotiated/generated based on decentralized and predefined security requirements.","PeriodicalId":273743,"journal":{"name":"IFIP/IEEE Eighth International Symposium on Integrated Network Management, 2003.","volume":"21 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2003-03-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"20","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"IFIP/IEEE Eighth International Symposium on Integrated Network Management, 2003.","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/INM.2003.1194183","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 20

Abstract

IPSec/VPN is widely deployed for users to remotely access their corporate data. IPSec policies must be correctly set up for VPN to provide anticipated protection. Manual policy setup is unscalable, inefficient and error-prone. Automated policy generation to comply with and enforce high-level security policies is desired but difficult, especially in an inter-domain environment when a VPN traverses multiple domains. This paper presents a distributed framework and protocol, BANDS, for inter-domain policy negotiation and generation. The BANDS architecture consists of two phases: AS (autonomous system) route path discovery and an inter-domain collaborative protocol for policy negotiation among the autonomous systems discovered in the first phase. Each AS conceptually has one security requirement server responsible for the task of inter-domain policy negotiation. Following this two-step process in BANDS, a set of distributed security policies (for the implementation of policy enforcement) is automatically negotiated/generated based on decentralized and predefined security requirements.

查看原文本刊更多论文

频带:针对IPSec/VPN的跨域互联网安全策略管理系统

IPSec/VPN被广泛应用于用户远程访问企业数据。VPN需要正确设置IPSec策略，才能提供预期的保护。手动策略设置不可伸缩、效率低下且容易出错。自动生成策略以遵守和执行高级安全策略是需要的，但这很困难，特别是在VPN遍历多个域的域间环境中。本文提出了一种用于域间策略协商和生成的分布式框架和协议BANDS。band架构包括两个阶段:AS(自治系统)路由路径发现和用于在第一阶段发现的自治系统之间进行策略协商的域间协作协议。每个自治系统在概念上都有一个负责域间策略协商任务的安全需求服务器。遵循band中的这两步流程，将根据分散的和预定义的安全需求自动协商/生成一组分布式安全策略(用于实现策略强制)。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

IFIP/IEEE Eighth International Symposium on Integrated Network Management, 2003.

自引率

0.00%

发文量