Title
Network security policy modeling /
Author
Bahgat, Waleed Mohamed.
Contributors
Researcher / Waleed Mohamed Bahgat
Supervisor / Abd El-Fattah Ibrahim Abd El-Fattah
Supervisor / Ahmad Abd Allah Hassan
Subject
Network Security. Security Policy. Policy Modeling.
Publication date
2010.
Number of pages
153 p. :
Language
English
Degree
Doctorate
Specialization
Engineering
Date of approval
1/1/2010
Place of approval
Mansoura University - Faculty of Engineering - Electrical Communication
Table of contents
Only 14 pages are available for public view

Abstract

Today's corporate networks are complex interconnections of resources that are often difficult to manage effectively. One of the major modules of network management is network security. Typically, a corporate network consists of many individual network security components such as firewalls, Active Directory, intrusion detection systems, etc. Each network security component has its own high-level security policy, which has to be enforced through low-level mechanisms. Enforcing a high-level security policy is a very difficult task for several reasons. First, the high-level security policy is typically translated manually into low-level security mechanisms by the security administrator, which makes the translation error-prone. Second, the translated low-level mechanisms may have to be enforced across many security components. Moreover, the high-level security policy is in practice modeled for each network security component individually, which leads to incoherent security policy modeling across the various network security components. To overcome these difficulties, this thesis proposes a solution that automates the translation of a high-level security policy into low-level security mechanisms for several vendors of various network security components. The framework of our solution is described in terms of three phases. In the first phase, all network assets are categorized according to their roles in network security, and the relations between them are identified to constitute the network security model; for this purpose we introduce the Extended Organization Based Access Control model (EOrBAC), which is based on the Organization Based Access Control model (OrBAC). In the second phase, the high-level security policy is mapped onto the network security model; this phase can be considered a translation of the high-level security policy into an intermediate model level.
Finally, the intermediate model level is translated automatically into low-level security mechanisms. We propose a detailed hierarchical design of our framework consisting of five main stages. The first stage is the network repository of assets corresponding to the various network security components. In the second stage, the high-level security policy is introduced and modeled via the EOrBAC model. In the third stage, the modeled security policy is passed to a policy engine for validation and verification. In the fourth stage, the validated modeled security policy is compiled and translated into a generic form. Finally, the generic form is parsed by a vendor-specific compiler to generate the configuration scripts that are enforced on the vendor-specific network security component. To illustrate the applicability of our framework, we applied its concepts to two different network security components in two case studies. Finally, we developed an EOrBAC-based network security management toolkit to realize our solution.
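As an added illustration of the three phases described in the abstract (this is not code from the thesis, and it uses the standard OrBAC predicates rather than EOrBAC's extensions, which the abstract does not detail): a small OrBAC-style policy, with constructed asset assignments and a hypothetical iptables back end standing in for the vendor-specific compiler, is expanded into concrete rules and then compiled into a configuration script.

```python
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class AbstractRule:
    """OrBAC abstract rule: Permission/Prohibition(org, role, activity, view, context)."""
    kind: str          # "permission" or "prohibition"
    org: str
    role: str
    activity: str
    view: str
    context: str

# Phase 1 (constructed asset repository): concrete subjects, actions and objects are
# assigned to roles, activities and views, as OrBAC's Empower/Consider/Use relations do.
EMPOWER = {("corp", "10.0.1.0/24"): "workstations", ("corp", "203.0.113.0/24"): "internet"}
CONSIDER = {("corp", "tcp/25"): "send_mail", ("corp", "tcp/22"): "remote_admin"}
USE = {("corp", "10.0.2.10"): "mail_servers"}

def derive_concrete(policy, active_contexts):
    """Phase 2: expand abstract rules into the intermediate, vendor-neutral form.
    A rule applies to every subject/action/object whose role, activity and view match,
    but only while its context is active. Assumed conflict rule: prohibitions win."""
    concrete = {}
    for rule in sorted(policy, key=lambda r: r.kind == "prohibition"):  # permissions first
        if rule.context not in active_contexts:
            continue
        for ((o1, subj), role), ((o2, act), activity), ((o3, obj), view) in product(
                EMPOWER.items(), CONSIDER.items(), USE.items()):
            if (o1, o2, o3) != (rule.org,) * 3:
                continue
            if (role, activity, view) != (rule.role, rule.activity, rule.view):
                continue
            concrete[(subj, obj, act)] = "permit" if rule.kind == "permission" else "deny"
    return [{"src": s, "dst": d, "service": a, "action": x} for (s, d, a), x in concrete.items()]

def to_iptables(rules, chain="FORWARD"):
    """Phase 3 (hypothetical vendor back end): emit iptables commands plus a default deny."""
    lines = []
    for r in rules:
        proto, port = r["service"].split("/")
        target = "ACCEPT" if r["action"] == "permit" else "DROP"
        lines.append(f"iptables -A {chain} -s {r['src']} -d {r['dst']} "
                     f"-p {proto} --dport {port} -j {target}")
    lines.append(f"iptables -P {chain} DROP")  # anything the policy did not permit is dropped
    return lines

POLICY = [  # constructed high-level policy for the hypothetical organization "corp"
    AbstractRule("permission", "corp", "workstations", "send_mail", "mail_servers", "default"),
    AbstractRule("permission", "corp", "internet", "send_mail", "mail_servers", "default"),
    AbstractRule("prohibition", "corp", "internet", "remote_admin", "mail_servers", "default"),
    AbstractRule("permission", "corp", "workstations", "remote_admin", "mail_servers", "maintenance"),
]

if __name__ == "__main__":
    print("\n".join(to_iptables(derive_concrete(POLICY, {"default"}))))
```

Activating the "maintenance" context adds the remote-admin permission for workstations without touching the other rules, which is the context mechanism the intermediate model level relies on.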