On synthesizing distributed firewall configurations considering risk, usability and cost constraints
Proceedings of the 7th International Conference on Network and Services Management
The objective of this work is to create a usable security architecture that minimizes network risk while respecting usability and budget constraints. We propose and formulate a novel framework for the automatic creation of a network security architecture, including both configuration rules and device placements, that minimizes risk while satisfying business requirements, service usability and budget constraints. The framework also automates the creation of external and internal demilitarized zones (DMZs) to improve security through increased isolation. We formalize this as an optimization problem and show that it is NP-hard, and we then provide heuristic approximation algorithms. The implemented system, called SecBuilder, was evaluated under different network sizes, topologies and security requirements. Our evaluation shows that the results obtained by SecBuilder are close to the theoretical lower bound and that performance scales with network size.
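The abstract describes the problem class (minimize exposed risk by placing enforcement points, subject to a budget and to business flows that must keep working) without giving the formulation. The following is an added illustration, not the paper's SecBuilder algorithm or data: a toy instance on a small constructed graph, a greedy "risk reduction per unit cost" heuristic, and an exhaustive search that serves as the exact optimum to measure the heuristic against. All node names, risk values, link costs, required flows and the budget are made up for the example; placing a firewall is simplified to denying all traffic on one link.

```python
"""Toy budgeted firewall-placement model (illustrative, not the paper's method).

Assumptions, all constructed for this example:
  - the network is an undirected graph; the attacker starts at "internet";
  - each node carries a risk value (expected loss if the attacker reaches it);
  - a candidate placement denies all traffic on one link at a fixed cost;
  - certain node pairs (business flows) must stay connected after placement;
  - the total placement cost must not exceed the budget.
"""
from collections import deque
from itertools import combinations

ATTACKER = "internet"

# Constructed sample instance (not taken from the paper).
RISK = {"internet": 0, "web": 2, "a": 10, "b": 12, "c": 12, "d": 5}
LINKS = {  # frozenset(link) -> cost of placing an enforcement point on it
    frozenset({"internet", "web"}): 5,
    frozenset({"internet", "a"}): 3,
    frozenset({"internet", "b"}): 4,
    frozenset({"internet", "c"}): 4,
    frozenset({"b", "d"}): 2,
}
REQUIRED_FLOWS = [("internet", "web"), ("b", "d")]  # usability constraints
BUDGET = 8


def reachable(start, blocked):
    """Set of nodes reachable from start over links not in blocked (BFS)."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for link in LINKS:
            if node in link and link not in blocked:
                (other,) = link - {node}
                if other not in seen:
                    seen.add(other)
                    queue.append(other)
    return seen


def exposed_risk(blocked):
    """Total risk of every node the attacker can still reach."""
    return sum(RISK[n] for n in reachable(ATTACKER, blocked))


def feasible(blocked, budget=BUDGET):
    """Placement set is within budget and keeps every required flow connected."""
    if sum(LINKS[link] for link in blocked) > budget:
        return False
    return all(dst in reachable(src, blocked) for src, dst in REQUIRED_FLOWS)


def greedy_harden(budget=BUDGET):
    """Heuristic: repeatedly add the feasible placement with the largest
    risk reduction per unit cost; stop when no placement improves things."""
    blocked = frozenset()
    while True:
        current = exposed_risk(blocked)
        best, best_ratio = None, 0.0
        for link, cost in LINKS.items():
            if link in blocked:
                continue
            candidate = blocked | {link}
            if not feasible(candidate, budget):
                continue
            ratio = (current - exposed_risk(candidate)) / cost
            if ratio > best_ratio:
                best, best_ratio = candidate, ratio
        if best is None:
            return blocked
        blocked = best


def optimal_harden(budget=BUDGET):
    """Exhaustive search over all placement sets. Exponential in the number
    of links, so only usable on tiny instances, but it yields the true
    optimum against which the heuristic's gap can be measured."""
    best, best_risk = frozenset(), exposed_risk(frozenset())
    links = list(LINKS)
    for k in range(1, len(links) + 1):
        for subset in combinations(links, k):
            blocked = frozenset(subset)
            if feasible(blocked, budget):
                risk = exposed_risk(blocked)
                if risk < best_risk:
                    best, best_risk = blocked, risk
    return best


if __name__ == "__main__":
    g, o = greedy_harden(), optimal_harden()
    print("baseline exposed risk:", exposed_risk(frozenset()))
    print("greedy placement:", sorted(sorted(l) for l in g), "risk", exposed_risk(g))
    print("optimal placement:", sorted(sorted(l) for l in o), "risk", exposed_risk(o))
```

On this instance the greedy heuristic blocks the internet-b and internet-a links (residual risk 14) while the exhaustive search finds internet-b plus internet-c (residual risk 12): the ratio-greedy choice spends budget on the cheaper link and can no longer afford the better second one. That gap between a heuristic and the exact optimum (or a lower bound on it) is the quantity the abstract's evaluation reports; note that the required flows rule out blocking internet-web and b-d regardless of budget.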