1. Field of the Invention
The present invention relates to a behavior model generator system, a behavior model generating method, and a behavior model generating program for generating a behavior model which represents the operation of a network access controller from a security policy.
2. Description of the Related Art
A variety of techniques have been proposed for generating information for setting a network access controller from a security policy, for example, in JP-2003-140890-A, JP-2000-253066-A, and JP-2000-244495-A. Here, the network access controller refers to, for example, a device for performing network access control, such as packet filtering, and examples of the network access controller include, for example, a firewall, a router, a server device, and the like. The configuration in turn refers to information for defining the operation of a network access controller. The network access controller executes network access control such as packet filtering in accordance with setting contents described as the configuration. The configuration is described in a format appropriate to a particular network access controller.
An electronic device configuration generating method described in JP-2003-140890-A converts a high-level security policy (product level policy at a first level) described in a natural language to a general-purpose intermediate language (interface language). Then, the intermediate language is converted to a low-level security policy (product level policy at a second level) which is configuration described in a device-specific language by a script generating means provided for each particular device. The electronic device configuration generating method described in JP-2003-140890-A is implemented on the assumption that the conversion from the high-level security policy to the intermediate language, and the conversion from the intermediate language to the low-level security policy are made by converting the respective vocabularies to other vocabularies in one-to-one correspondence.
A method and apparatus for managing a firewall described in JP-2000-253066-A generate an entity relation model which represents a security policy for a communication network in a model definition language. Then, the entity relation model is translated into a firewall configuration file, which includes device-specific configuration, by a model compiler.
A network management system described in JP-2000-244495-A lists the applications utilized by each user group (referred to as “Zone” in JP-2000-244495-A) which utilizes a network, to automatically generate information for setting a firewall and a router.
There is also an ISMS (Information Security Management System) compatibility evaluation regime. This regime sets out a systematized management scheme related to security. The first step of the management scheme is to determine a basic policy for information security. The basic policy is the security policy, which is a declarative policy related to security described in a natural language. Since there is an increasingly strong tendency to practice security management in accordance with the policy of the ISMS compatibility evaluation regime, security policies often exist in those enterprises which engage in security management.
The method described in JP-2003-140890-A converts a high-level security policy described in a natural language to a general-purpose intermediate language in a one-to-one correspondence, and further converts the intermediate language to a low-level security policy in a one-to-one correspondence. In this event, if the high-level security policy described in a natural language is not described according to the essential intention of the security policy creator, any errors included in the security policy will be reflected as they are in the low-level security policy (configuration). In addition, since the configuration is described in a format specific to each device, it is quite difficult for an operator (for example, a system manager) to read the described configuration. It is therefore difficult to find descriptions in the configuration which deviate from the intention of the security policy creator, and also difficult to confirm whether or not the configuration is in line with the intention of the security policy creator. Stated another way, the method described in JP-2003-140890-A has a problem of “difficulties in confirming the intention of the security policy creator.”
Also, if a plurality of creators have participated in the creation of a high-level security policy, the creators may differ from one another in their design guidelines for the security policy. As a result, the method described in JP-2003-140890-A can cause semantic discrepancies, inconsistent description formats and the like in a low-level security policy (configuration) generated from a high-level security policy (security policy described in a natural language), leading to difficulties in subsequent maintenance operations. In other words, the method described in JP-2003-140890-A has another problem of “difficulties in maintaining the consistency.”
A high-level security policy in a natural language is described in a format readily understandable by humans or in an order readily understandable by humans. When this high-level security policy is converted as it is to a low-level security policy (configuration), the configuration can lower the operating efficiency of the associated device. Thus, the method described in JP-2003-140890-A further has a problem of “difficulties in improving the efficiency of an associated device.”
The method and apparatus for managing a firewall described in JP-2000-253066-A generate configuration (firewall configuration file) from an entity relation model generated in a model definition language. Such an entity relation model and firewall configuration file also experience “difficulties in confirming the intention of a security policy creator.”
The configuration may include a setting which dictates prohibition of a certain operation if conditions are not satisfied for a variety of rules that have been previously determined for defining the conditions under which the operation is permitted. On the other hand, some users may wish to describe configuration which includes a setting that dictates permission of a certain operation if conditions are not satisfied for a variety of rules that have been previously determined for defining the conditions under which the operation is prohibited. However, since JP-2000-253066-A fixes an algorithm for generating a configuration file, configuration must be described in one of the two description formats. In other words, JP-2000-253066-A lacks flexibility in the format for describing the configuration.
Likewise, the network management system described in JP-2000-244495-A also fixes an algorithm for generating configuration, so that the resulting format for describing the configuration is uniform and therefore lacks flexibility, as is the case with JP-2000-253066-A.
Also, since there is an increasingly strong tendency to practice security management in accordance with the policy of the ISMS compatibility evaluation regime, enterprises tend to first lay down a security policy. It is therefore preferable to generate configuration for each device based on the security policy. However, the network management system described in JP-2000-244495-A does not generate configuration from a security policy but generates configuration from listed applications.
It is an object of the present invention to provide a behavior model generator system and method which are capable of solving the problems of “difficulties in confirming the intention of a security policy creator” and “difficulties in maintaining the consistency” when configuration is generated for a network access controller from a security policy.
It is another object of the present invention to provide a behavior model generator system and method which are capable of solving the problem of “difficulties in improving the efficiency” and capable of describing configuration in a flexible format.
A behavior model generator system according to the present invention is characterized by including policy storing means for storing a security policy including at least a transmission permission condition or a transmission prohibition condition for communicated data, topology storing means for storing topology information which describes information on a device connected to a communication network to which a network access controller is connected for performing at least an operation for permitting the communicated data to transmit or an operation for prohibiting the communicated data from transmitting, and behavior model generating means for generating a behavior model based on the security policy stored in the policy storing means, where the behavior model includes data representative of the operation of the network access controller for each device described in the topology information.
According to the foregoing configuration, the generated behavior model facilitates the confirmation of the intention of a security policy creator. In other words, the behavior model generator system can solve the problem of “difficulties in confirming the intention of a security policy creator.” Further, even if the design guidelines for a security policy differ from one creator to another, the present invention can prevent maintenance operations from being difficult because the intention of each security policy creator is readily confirmed. In other words, the present invention can also solve the problem of “difficulties in maintaining the consistency.”
The behavior model generator system may further include policy input means for entering a security policy, wherein the policy storing means may store a security policy entered through the policy input means.
The behavior model generator system may further include policy normalizing means, operable when the security policy does not include a description related to a predefined item, for executing normalization which adds a description related to the item to the security policy, wherein the behavior model generating means may be configured to generate a behavior model based on the normalized security policy. According to the foregoing configuration, since the policy normalizing means executes the normalization, a behavior model can be generated even from an entered security policy which includes missing items and/or omitted items.
The behavior model generator system may further include conversion rule storing means for storing a conversion rule for use in converting the behavior model to configuration for defining the operation of the network access controller, described in a format dependent on the type of the network access controller, and configuration generating means for converting the behavior model to the configuration in accordance with the conversion rule. According to the foregoing configuration, the configuration can be generated.
The behavior model generator system may further include modification principle input means for entering a modification principle for a behavior model generated by the behavior model generating means, and modifying means for modifying the behavior model in accordance with the modification principle. According to the foregoing configuration, the behavior model can be modified in accordance with a policy desired by the user.
The behavior model generator system may further include information output means for displaying an image, wherein the modifying means displays a user interface on the information output means for displaying a plurality of candidate modification principles to prompt a user to select a modification principle.
The modifying means may be responsive to a modification principle entered through the modification principle input means to modify a behavior model to delete duplicate information from the information included in the behavior model when the modification principle defines that verbosity is not permitted for the behavior model. According to the foregoing configuration, from a behavior model which has been modified in accordance with a policy which defines that redundancy is not permitted for a behavior model, the behavior model generator system can generate configuration in accordance with the same policy.
The behavior model generator system may further include information output means for displaying an image, wherein the modifying means may be configured to display a user interface on the information output means for showing a modification principle which defines that verbosity is not permitted for a behavior model and a modification principle which defines that verbosity is permitted for a behavior model to prompt the user to select one of the modification principles.
The topology storing means may store topology information including information on a software application installed in each device, and the modifying means may be responsive to a modification principle entered through the modification principle input means for modifying a behavior model to delete, from the information included in the behavior model, information other than information related to the software application installed in the device corresponding to the behavior model, based on the topology information, when the modification principle defines that strictness is required for the behavior model. According to the foregoing configuration, from a behavior model modified in accordance with a policy which defines that strictness is required for a behavior model, the behavior model generator system can generate configuration in accordance with the same policy.
The behavior model generator system may further include information output means for displaying an image, wherein the modifying means may be configured to display a user interface on the information output means for showing a modification principle which defines that strictness is required for a behavior model, and a modification principle which defines that strictness is not required for a behavior model to prompt the user to select one of the modification principles.
The behavior model generating means may generate, in accordance with the security policy stored in the policy storing means, a behavior model in a first description format which describes that data is permitted to transmit when a transmission permission condition is satisfied and describes that data is prohibited from transmitting when the transmission permission condition is not satisfied, and a behavior model in a second description format which describes that data is prohibited from transmitting when a transmission prohibition condition is satisfied and describes that data is permitted to transmit when the transmission prohibition condition is not satisfied, and the modifying means may be responsive to a modification principle entered through the modification principle input means for modifying the behavior model in the first description format to convert the same to a behavior model in the second description format when the modification principle defines a modification to a behavior model in the second description format, and may be responsive to a modification principle entered through the modification principle input means for modifying the behavior model in the second description format to a behavior model in the first description format when the modification principle defines a modification to a behavior model in the first description format. According to the foregoing configuration, the description format of the behavior model can be changed to a description format desired by the user.
The behavior model generator system may further include information output means for displaying an image, wherein the modifying means may be configured to display a user interface on the information output means for showing a modification principle which defines a modification to a behavior model in the second description format, a modification principle which defines a modification to a behavior model in the first description format, and a modification principle which defines that no modification is made to a behavior model to prompt the user to select one of the modification principles.
The modifying means may be responsive to a modification principle entered through the modification principle input means for modifying a behavior model to a form which enables faster operation of the network access controller when the modification principle defines that the efficiency is required for the operation of a device. According to the foregoing configuration, the configuration can be generated from a behavior model which has been modified in accordance with a policy which defines that the efficiency is required, and the network access controller can be operated at higher speeds with the aid of the configuration. In other words, the behavior model generator system can solve the problem of “difficulties in improving the efficiency.”
The behavior model generator system may further include information output means for displaying an image, wherein the modifying means may be configured to display a user interface on the information output means for displaying a modification principle which defines that the efficiency is required for the operation of a device, and a modification principle which defines that the efficiency is not required for the operation of a device to prompt the user to select one of the modification principles.
The modifying means may be configured to display on the information output means a user interface which displays a behavior model generated by the behavior model generating means as a single diagram. According to the foregoing configuration, the generated behavior model can be presented in a readily understandable way.
The modifying means may be configured to modify a behavior model displayed as a diagram on the user interface in accordance with a modification principle entered through the modification principle input means.
The modifying means may be responsive to a modification principle entered through the modification principle input means and applied to each behavior model which has not been modified, for modifying each behavior model which has not been modified in accordance with the modification principle.
The behavior model generator system may further include information output means for displaying an image, wherein the modifying means may be configured to display a modified behavior model on the information output means as a diagram. According to the foregoing configuration, the generated behavior model can be presented in a readily understandable way.
The behavior model generator system may further include information output means for displaying an image, wherein the behavior model generating means may be configured to display a generated behavior model on the information output means as a diagram.
A behavior model generating method according to the present invention is characterized by including the steps of policy storing means storing a security policy including at least a transmission permission condition or a transmission prohibition condition for communicated data, topology storing means storing topology information which describes information on a device connected to a communication network to which a network access controller is connected for performing at least an operation for permitting the communicated data to transmit or an operation for prohibiting the communicated data from transmitting, and behavior model generating means generating a behavior model based on the security policy stored in the policy storing means, where the behavior model includes data representative of the operation of the network access controller for each device described in the topology information.
A security policy may be entered through policy input means, and the security policy may be stored in policy storing means.
Topology information may be entered through topology information input means, and the topology information may be stored in topology storing means.
The policy normalizing means may execute normalization, when the security policy does not include a description related to a predefined item, for adding a description related to the item to the security policy, and the behavior model generating means may generate a behavior model based on the normalized security policy.
A behavior model generating program according to the present invention, when run on a computer comprising policy storing means for storing a security policy including at least a transmission permission condition or a transmission prohibition condition for communicated data, and topology storing means for storing topology information which describes information on a device connected to a communication network to which a network access controller is connected for performing at least an operation for permitting the communicated data to transmit or an operation for prohibiting the communicated data from transmitting, is characterized by causing the computer to execute processing for generating a behavior model based on the security policy stored in the policy storing means, where the behavior model includes data representative of the operation of the network access controller for each device described in the topology information.
According to the present invention, the behavior model generator system includes the behavior model generating means for generating a behavior model based on a security policy entered through the policy input means, where the behavior model includes data representative of the operation of the network access controller for each device described in the topology information. The behavior model thus generated facilitates the confirmation of the intention of a security policy creator. In other words, the present invention can solve the problem of “difficulties in confirming the intention of a security policy creator.” Further, even if the design guidelines for a security policy differ from one creator to another, the present invention can prevent maintenance operations from being difficult because the intention of each security policy creator is readily confirmed. In other words, the present invention can also solve the problem of “difficulties in maintaining the consistency.”
The above and other objects, features and advantages of the present invention will become apparent from the following description with reference to the accompanying drawings which illustrate examples of the present invention.
Now, the best mode for practicing the present invention will be described in detail with reference to the accompanying drawings. In the following description, a “policy element” refers to a minimum unit of instructions related to network access control. The instructions related to the network access control include an instruction which permits communicated data (packets) to transmit when conditions are satisfied for permitting the transmission of the data, and an instruction which prohibits communicated data from transmitting when conditions are satisfied for prohibiting the transmission of the data. A “security policy” refers to a set of instructions for the network access control which include zero or more policy elements. A security policy having zero policy element is intended to define nothing for the security policy.
The “security policy” and “policy element” are described, for example, in a natural language or in a format close to a natural language. However, the “security policy” and “policy element” are not necessarily described in a natural language or in a format close to a natural language, but may be described, for example, in XML (Extensible Markup Language). The following description will be made giving an example in which the “security policy” and “policy element” are described in a natural language.
Behavior model generator 100 may be a computer which runs in accordance with a program.
Policy input means 200 receives a security policy described in a natural language, applied by an operator (system manager or the like). Topology information input means 210 receives topology information applied by the operator. The topology information refers to information indicative of the configuration of a communication network including a network access controller (not shown in
The network access controller operates to permit communicated data to transmit or prohibit the communicated data from transmitting.
Policy input means 200, topology information input means 210, and modification principle input means 220 may be any device with which information can be entered. Information is entered in a manner not particularly limited. For example, policy input means 200, topology information input means 210, and modification principle input means 220 may comprise a network interface which receives information through a communication network. Alternatively, policy input means 200, topology information input means 210, and modification principle input means 220 may comprise a driver device (CD-ROM driver or the like) which reads information from a storage medium (for example, CD-ROM or the like) and writes information into a storage medium. Further alternatively, policy input means 200, topology information input means 210, and modification principle input means 220 may comprise a microphone which receives audio information. Also, while
Information output means 300 delivers configuration for the network access controller (not shown in
Behavior model generator 100 comprises policy storing means 101, topology storing means 102, behavior model storing means 103, modified behavior model storing means 104, conversion rule storing means 150, policy normalizing means 110, behavior model generating means 120, modifying means 130, and configuration generating means 140. Policy storing means 101 is a storage device for storing a security policy entered through policy input means 200. Topology storing means 102 is a storage device for storing topology information entered through topology information input means 210. Behavior model storing means 103 is a storage device for storing a generated behavior model, and modified behavior model storing means 104 is a storage device for storing a behavior model after a modification has been made to a behavior model stored in behavior model storing means 103. The format of the configuration for a network access controller differs from one type of network access controller to another. Specifically, the configuration defines the operation of a particular network access controller, and is described in a format depending on the type of the network access controller. Conversion rule storing means 150 is a storage device for storing a conversion rule for converting a modified behavior model to configuration described in a format depending on the type of a particular network access controller. While
Policy normalizing means 110 determines whether or not predetermined items are all included in the policy elements of a security policy stored in policy storing means 101, and gives a predefined value for any item which is not included in a policy element. As a result, the predetermined items are all included in each of the policy elements in the security policy. The addition of a predefined value for a predetermined item not included in a policy element, so that all the predetermined items are included in the policy elements, is hereinafter called “normalization.” The normalization of each policy element included in a security policy is expressed by the sentence “a security policy is normalized.” Behavior model generating means 120 generates a behavior model based on a normalized security policy, and stores the generated behavior model in behavior model storing means 103. Modifying means 130 modifies the behavior model in accordance with a modification principle entered through modification principle input means 220, and stores the modified behavior model in modified behavior model storing means 104. Configuration generating means 140 converts the modified behavior model to configuration specific to the network access controller in accordance with the conversion rule stored in conversion rule storing means 150.
Policy normalizing means 110, behavior model generating means 120, modifying means 130, and configuration generating means 140 may be implemented, for example, by a CPU which performs appropriate processing in accordance with a program. Policy normalizing means 110, behavior model generating means 120, modifying means 130, and configuration generating means 140 may be implemented by a single CPU. Also, the program is previously stored in a storage device (which may be the same as any of the storing means illustrated in
Next, description will be made on the operation of the behavior model generator system according to this embodiment.
First, behavior model generator 100 receives a security policy described in a natural language or in a format close to a natural language through policy input means 200 (step S1). In this event, policy storing means 101 stores the received security policy. The storage of the received security policy in policy storing means 101 may be performed, for example, by the CPU (not shown) of behavior model generator 100.
Behavior model generator 100 also receives topology information through topology information input means 210 (step S2). In this event, topology storing means 102 stores the received topology information. The storage of the received topology information in topology storing means 102 may be performed, for example, by the CPU (not shown) of behavior model generator 100. These steps S1, S2 may be executed in a reverse order.
Next, policy normalizing means 110 normalizes the security policy stored in policy storing means 101 (step S3). Specifically, policy normalizing means 110 gives a predefined value for any predetermined item not included in the security policy, so that the security policy includes all predetermined items.
Next, behavior model generating means 120 generates a behavior model using the policy normalized by policy normalizing means 110 and the topology information stored in topology storing means 102 (step S4). Specifically, behavior model generating means 120 generates data representative of the operation of a network access controller in accordance with the entered security policy. Behavior model generating means 120 stores the generated behavior model in behavior model storing means 103. This behavior model is represented by a data structure which is independent of a description dependent on the type of a particular network access controller. Stated another way, the “data structure independent of a description dependent on the type of a particular network access controller” is a data structure which does not depend on the type of any network access controller.
Also, behavior model generating means 120 preferably displays the generated behavior model on information output means 300. In this event, behavior model generating means 120 may display the behavior model in the form of a diagram which schematically represents the operation of the network access controller.
Next, modifying means 130 references the behavior model stored in behavior model storing means 103 to modify the behavior model (step S5). The modified behavior model is represented in the same data structure as the behavior model before the modification. Therefore, the modified behavior model does not depend on the type of any network access controller either. Configuration is generated for the network access controller based on the modified behavior model (step S6, later described).
Also, at step S5, modifying means 130 receives a modification principle for the behavior model through modification principle input means 220, and modifies the behavior model in accordance with this modification principle. For example, modifying means 130 may receive, as the modification principle for the behavior model, definitions of the following four types of principles. First, modifying means 130 receives a definition as to whether or not verbosity of the behavior model is permitted. Second, modifying means 130 receives a definition as to whether or not strictness is required for the behavior model. Third, modifying means 130 receives a definition related to a default operation in the behavior model. The definition related to a default operation includes “default is permitted,” “default is prohibited,” and “default follows the security policy.” Fourth, modifying means 130 receives a definition as to whether emphasis is placed on the operation efficiency (efficiency) of the network access controller which is provided with the configuration generated from the behavior model.
Upon receipt of a principle which defines that “verbosity is not permitted,” modifying means 130 deletes data such that data contained in the behavior model does not include duplicate data representative of the same operation. Upon receipt of a principle which defines that “verbosity is permitted,” modifying means 130 does not delete duplicate data, if any, representative of the same operation.
Upon receipt of a principle which defines that “strictness is required,” modifying means 130 deletes unnecessary data from the behavior model. Specifically, modifying means 130 determines software applications installed in the network access controller with reference to the topology information. Then, modifying means 130 deletes data representative of operations not related to the software applications from the behavior model. Upon receipt of a principle which defines that “strictness is not required,” modifying means 130 does not delete unnecessary data, if any.
Next described is a modification principle related to default. There are the following two description formats for the behavior model. A first description format describes one or a plurality of data showing that a packet is permitted to transmit when conditions are established for permitting the packet to transmit, and describes that the packet is prohibited from transmitting when the conditions are not established. A second description format describes one or a plurality of data showing that a packet is prohibited from transmitting when conditions are established for prohibiting the packet from transmitting, and describes that the packet is permitted to transmit when the conditions are not established. The default refers to data included in the behavior model which indicates whether an operation is permitted or prohibited when no condition is established. Upon receipt of a principle which defines that “default is prohibited,” modifying means 130 modifies the behavior model such that the behavior model is described in the first description format. Upon receipt of a principle which defines that “default is permitted,” modifying means 130 modifies the behavior model such that the behavior model is described in the second description format. Also, upon receipt of a principle which defines that “default follows the security policy,” modifying means 130 does not modify the description format of the behavior model.
Upon receipt of a principle which defines that “emphasis is placed on efficiency,” modifying means 130 modifies the behavior model so as to increase the operation efficiency of the network access controller which is provided with configuration generated from the behavior model. For example, assume that a certain network access controller determines whether or not a packet is permitted to transmit at higher speed (i.e., operates more efficiently) as the configuration is represented by fewer descriptions. In this event, modifying means 130 modifies the behavior model to reduce the amount of data included in the behavior model in accordance with the modification principle which defines that “emphasis is placed on efficiency.” Upon receipt of a principle which defines that “emphasis is not placed on efficiency,” modifying means 130 does not make such a modification.
Once modifying means 130 has modified the behavior model in accordance with each of the received modification principles, the modified behavior model is stored in modified behavior model storing means 104. In some cases, a received modification principle may indicate that no modification is made to the behavior model. In this event, modifying means 130 stores the same behavior model as that stored in behavior model storing means 103 in modified behavior model storing means 104.
Also, behavior model generating means 120 preferably displays the modified behavior model on information output means 300. In this event, behavior model generating means 120 may display the behavior model in the form of a diagram which schematically represents the operation of the network access controller. The following description will be made on the assumption that the behavior model before a modification is displayed at step S4, and the modified behavior model is displayed at step S5.
Next, configuration generating means 140 generates configuration by converting the modified behavior model stored in modified behavior model storing means 104 (step S6). In this event, configuration generating means 140 converts the behavior model in accordance with the conversion rule stored in conversion rule storing means 150. The configuration generated at step S6 is described in a format which depends on the type of a particular network access controller. Also, configuration generating means 140 displays the generated configuration on information output means 300.
The operator such as a system manager or the like may set the operation of the network access controller using the configuration generated at step S6. As a result, the network access controller operates in accordance with the security policy entered through policy input means 200.
Next, the operation of the behavior model generator will be described in greater detail with reference to specific examples of a variety of information applied thereto.
The policy element on the 02 line exemplified in
Likewise, the policy elements on the 03 to 05 lines exemplified in
While the security policy exemplified in
At step S1, behavior model generator 100 receives a security policy as exemplified in
In the communication network illustrated in
Assume that SVR01 is assigned a network address “192.168.1.2”; SVR02 is assigned a network address “192.168.1.3”; and SVR03 is assigned a network address “192.168.1.4.” Also, in the example illustrated in
The topology information exemplified in
While the topology information exemplified in
At step S2, behavior model generator 100 receives topology information as exemplified in
Next described is the normalization at step S3. For defining the operation of a network access controller, each policy element needs at least the following seven items of information: whether the policy element specifies a “default” operation; the “source address”; the “source port” number; the “destination address”; the “destination port” number; the “protocol” employed; and the “action” (whether or not a packet is permitted to transmit). However, when a security policy is described in a natural language, it is often the case that portions which can be omitted are not described. For example, in the example shown in
Policy normalizing means 110 determines whether or not the word “default” exists in the decomposed morphemes (step S14). If the word “default” is found in the morphemes (Y at step S14), policy normalizing means 110 compares the policy element morphemically analyzed at step S13 with a default template (step S15). A “template” refers to a sentence representative of a policy element which includes indefinite items. The “default template” refers to a sentence which represents a policy element that specifies a default, and has an indefinite item corresponding to the action. In this example, assume that the default template is a sentence which states that “$action is made by default.” Behavior model generator 100 has stored a variety of templates in a storage device. While this embodiment is described using a single default template, behavior model generator 100 may have previously stored a plurality of types of default templates, and compare a policy element with the plurality of default templates at step S15.
This embodiment is described in connection with an example in which a symbol “$” is used to indicate an indefinite variable portion in a template, but the symbol indicative of an indefinite variable portion need not be “$.”
In the exemplified default template, the “$action” is a variable, indicating that the action is indefinite. At step S13, assume that policy normalizing means 110 morphemically analyzes a policy element on the 01 line shown in
At step S14, if the word “default” is not found in the morphemes (N at step S14), the policy element morphemically analyzed at step S13 is compared with a template (step S16). At step S16, instead of the default template, a template applied to policy elements other than one which specifies a default is used. In this example, assume that the template used herein states that “$protocol performs $action from $source port at $source address to $destination port at $destination address.” Assume also that, at step S13, policy normalizing means 110 has morphemically analyzed the policy element on the 02 line in
When the result of the morphemic analysis on the policy element on the 02 line shown in
Subsequent to step S16, policy normalizing means 110 gives the predefined values to the items for which corresponding values are not found in the morphemes to normalize the policy element (step S17). In the exemplary policy element on the 02 line in
After normalizing the policy element at step S17, policy normalizing means 110 deletes the policy element selected at step S12 from the security policy (step S18). Then, policy normalizing means 110 repeats the processing at step S11 onward. Also, when policy normalizing means 110 determines that there is no remaining policy element (N at step S11) and terminates the normalization, policy normalizing means 110 sends the normalized security policy to behavior model generating means 120.
The policy element on the 02 line shown in
Another example will be shown for the normalization of a security policy. A security policy shown in
While the foregoing embodiment has been described in connection with the normalization of policy elements using the result of morphemic analysis and a template, the normalization of policy elements is not limited to this method. Policy normalizing means 110 may be configured to normalize policy elements by a plurality of types of normalization methods. In this event, even if a security policy is described in a variety of Japanese notations, the security policy can be normalized. Stated another way, policy normalizing means 110 can support security policies in a variety of different notations.
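The normalization of steps S11 to S18 above, as an added example that is not part of the patent text: a template with `${name}` slots is matched against each policy element, the word “default” routes the element to the default template, and items the element omits are given predefined values. The slot syntax, the optional bracketed clauses, the predefined values and the sample policy lines are assumptions made for this example.

```python
"""Template-based normalization of policy elements (steps S11-S18).
Added example, not the patent's own code. The ${name} slot syntax, the optional
[...] clauses and the predefined values are assumptions made for this example."""
import re

# The seven items every normalized policy element carries (step S3).
ITEMS = ("default", "source_address", "source_port", "destination_address",
         "destination_port", "protocol", "action")
# Assumed predefined values given to items the natural-language element omits (S17).
PREDEFINED = {"source_address": "any", "source_port": "any", "protocol": "any",
              "destination_address": "any", "destination_port": "any"}
# Default template and regular template, in the slot syntax assumed here.
DEFAULT_TEMPLATE = "${action} is made by default"
POLICY_TEMPLATE = ("${protocol} performs ${action} "
                   "[from ${source_port} at ${source_address}] "
                   "[to ${destination_port} at ${destination_address}]")


def compile_template(template):
    """Turn a template into a regex: ${name} captures one word, [...] is optional."""
    regex = ""
    for i, tok in enumerate(template.split()):
        sep = r"\s+" if i else ""
        if tok.startswith("["):
            regex += "(?:"
            tok = tok[1:]
        optional_close = tok.endswith("]")
        tok = tok.rstrip("]")
        slot = re.fullmatch(r"\$\{(\w+)\}", tok)
        regex += sep + (rf"(?P<{slot.group(1)}>\S+)" if slot else re.escape(tok))
        if optional_close:
            regex += ")?"
    return re.compile(regex, re.IGNORECASE)


DEFAULT_RE = compile_template(DEFAULT_TEMPLATE)
POLICY_RE = compile_template(POLICY_TEMPLATE)


def normalize_element(sentence):
    """Steps S13-S17 for one policy element: split into words, route on the word
    'default', match the template, then fill missing items with predefined values."""
    text = sentence.strip().rstrip(".")
    words = text.lower().split()                    # stand-in for the morphemic analysis (S13)
    is_default = "default" in words                 # S14
    match = (DEFAULT_RE if is_default else POLICY_RE).fullmatch(text)   # S15 / S16
    if match is None:
        raise ValueError(f"policy element matches no template: {sentence!r}")
    found = {k: v for k, v in match.groupdict().items() if v is not None}
    element = {"default": is_default}
    for item in ITEMS[1:]:
        element[item] = found.get(item, PREDEFINED.get(item))          # S17
    return element


def normalize_policy(policy_text):
    """Steps S11-S18: normalize every line (one policy element per line) in order."""
    return [normalize_element(line) for line in policy_text.splitlines() if line.strip()]


# Constructed sample security policy, one policy element per line.
SAMPLE_POLICY = """\
Drop is made by default.
tcp performs Accept to 80 at 192.168.1.2.
tcp performs Accept from any at 192.168.1.10 to 22 at 192.168.1.3.
"""

if __name__ == "__main__":
    for element in normalize_policy(SAMPLE_POLICY):
        print(element)
```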
Next described is the generation of a behavior model at step S4. As previously described, the behavior model comprises a set of data representing the operation of a network access controller, or a schematic diagram representing the operation of the network access controller based on that data. One behavior model is associated with each network device. For example, behavior models of firewall 500 shown in
When a destination port number in a transmitted packet does not match “port number” shown in
Behavior model generating means 120 determines whether or not any hardware component irrelevant to a behavior model remains in the topology information stored in topology storing means 102 (step S31). Specifically, within the hardware components shown in the topology information, behavior model generating means 120 determines whether or not the topology information still includes any hardware component for which no behavior model has been generated after a selection of hardware components which are involved in the operation of the network access controller. If there is no such hardware component left in the topology information, behavior model generating means 120 terminates the behavior model generation.
Conversely, if the topology information still includes hardware components which have not been selected (Y at step S31), behavior model generating means 120 selects one from the remaining hardware components (step S32). For example, assume that behavior model generating means 120 generates a behavior model using the topology information shown in
Next, behavior model generating means 120 enumerates policy elements associated with the device selected at step S32 (step S33). The policy elements associated with the selected device are those which include the network address of the selected device in the destination address. Assume that the device selected at step S32 has a network address “193.168.1.2.” Also, “any” is set in the destination address of each of the policy elements in the entered security policy (in this example, the security policy shown in
The enumeration of policy elements, used herein, involves, for example, extracting the policy elements from the security policy in order, arranging the policy elements in the order in which they have been extracted, and temporarily storing a sequence of the ordered policy elements in a storage area.
Suppose that the security policy shown in
At step S33, behavior model generating means 120 determines, from the 01 line in order, whether or not each policy element is associated with the selected hardware component, and enumerates the policy element if it is associated with the selected hardware component (extracts the policy element for temporary storage in a storage area). When behavior model generating means 120 extracts another policy element associated with the selected hardware component, this policy element is temporarily stored in the storage area next to the previously enumerated policy element. In this way, behavior model generating means 120 orders the respective policy elements associated with the selected hardware component. However, there is only one policy element which specifies a default operation (the 01 line in the example shown in
Next to step S33, behavior model generating means 120 generates a new behavior model, and initializes the behavior model using the policy element which specifies a default operation within the policy elements enumerated at step S33 (step S34). Behavior model generating means 120 generates data shown in
The new behavior model shown in
The behavior model shown in
After the initialization of a behavior model, behavior model generating means 120 deletes the policy element used for the initialization (the policy element which specifies a default operation) from the enumerated policy elements. Alternatively, the policy element which specifies a default operation may not be included in the policy elements enumerated at step S33, but may be temporarily stored separately from the enumerated policy elements. In any case, after step S34 has been executed, the policy element which specifies a default operation is not included in the enumerated policy elements.
Next to step S34, behavior model generating means 120 determines whether or not any of the enumerated policy elements still remain (step S35). When the enumerated policy elements have all been deleted and therefore none remain (N at step S35), behavior model generating means 120 repeats the processing at step S31 onward.
When any of the enumerated policy elements still remains (Y at step S35), behavior model generating means 120 adds the contents represented by the last policy element of the enumerated policy elements to the behavior model (step S36). In this example, behavior model generating means 120 enumerates the policy elements in the security policy shown in
After step S36, behavior model generating means 120 deletes the policy element, the contents of which have been added to the behavior model at step S36 (step S37). Specifically, behavior model generating means 120 deletes the last policy element of the enumerated policy elements. Subsequently, behavior model generating means 120 repeats the processing at step S35 onward. As the processing at steps S35 to S37 is repeated, the policy elements on the 04 line, 03 line, 02 line are placed one by one at the last policy element, and their contents are added to the behavior model.
As the procedure returns to step S31 after executing the processing at steps S32 to S37 for each of the hardware components described in the topology information, behavior model generating means 120 determines that there is no hardware component which has not been selected as involved in the operation of the network access controller, and terminates the behavior model generation. As a result, the behavior model as shown in
The foregoing embodiment has been described in connection with a security policy in which the individual policy elements specify TCP for the protocol by way of example. Even when the policy element specifies UDP, the behavior model is consistent in the data structure itself, and can be represented in a schematic diagram form similar to that illustrated in
Next described are modification principles entered through modification principle input means 220.
Words displayed on the input screen for prompting the operator to enter modification principles are not limited to the words shown in
Modifying means 130 receives modification principles through modification principle input means 220.
Modification principle input means 220 may be an input device such as a keyboard, a mouse or the like, through which the operator may enter the modification principles shown in
Subsequently, modifying means 130 determines, with reference to the modification principles entered through modification principle input means 220, whether or not a modification principle related to verbosity permits verbosity (step S53). When the modification principle “does not permit verbosity” (N at step S53), modifying means 130 modifies the selected behavior model in accordance with this principle (step S54). Modifying means 130 goes to step S55 after the modification of the behavior model based on the principle which defines that “verbosity is not permitted.” On the other hand, when the modification principle “permits verbosity,” modifying means 130 goes to step S55 next to step S53.
At step S55, modifying means 130 determines, with reference to the modification principles entered through modification principle input means 220, whether or not a modification principle related to strictness requires strictness. When the modification principle defines that “strictness is required” (N at step S55), modifying means 130 modifies the selected behavior model in accordance with that principle (step S56). Modifying means 130 goes to step S57 after the modification of the behavior model based on the modification principle which defines that “strictness is required.” On the other hand, in response to the modification principle which defines that “strictness is not required,” modifying means 130 goes to step S57 next to step S55.
At step S57, modifying means 130 determines with reference to the modification principles entered through modification principle input means 220 whether or not a modification principle related to the default permits (Accept) the default, prohibits (Drop) the default, or follows the specification for the default in the security policy. When the modification principle defines that “the default is permitted” or “the default is prohibited” (N at step S57), modifying means 130 modifies the selected behavior model in accordance with the principle (step S58). After the modification at step S58, modifying means 130 goes to step S59. On the other hand, when the modification principle “follows the specification for the default in the security policy,” modifying means 130 goes to step S59 next to step S57.
At step S59, modifying means 130 determines with reference to the modification principles entered through modification principle input means 220, whether or not a modification principle related to efficiency places emphasis on the efficiency. When the modification principle defines that “emphasis is placed on the efficiency” (N at step S59), modifying means 130 modifies the selected behavior model in accordance with the principle (step S60). Modifying means 130 goes to step S61 after the modification of the behavior model based on the modification principle which defines that “emphasis is placed on the efficiency.” Conversely, when the modification principle defines that “emphasis is not placed on the efficiency,” modifying means 130 goes to step S61 next to step S59.
Modifying means 130 does not modify the data structure itself of the behavior model in the modifications at steps S54, S56, S58, S60.
At step S61, modifying means 130 stores the modified behavior model in modified behavior model storing means 104 (step S61). However, when modifying means 130 executes steps S53, S55, S57, S59, S61 in order without going to steps S54, S56, S58, S60, modifying means 130 does not modify the behavior model selected at step S52 at all. In this event, modifying means 130 stores the unmodified behavior model in modified behavior model storing means 104 as it is. For example, when the modification principles as shown in
Next to step S61, modifying means 130 deletes the behavior model selected at step S52 from behavior model storing means 103 (step S62). After step S62, modifying means 130 repeats the processing at step S51 onward. Upon termination of the behavior model modification, modifying means 130 displays the respective modified behavior models on information output means 300. In this event, the behavior models are displayed in a schematic diagram form as illustrated in
In the behavior model generation (step S4), a behavior model is generated for each hardware component (network device). In the flow chart illustrated in
In this embodiment, the modified behavior models are stored in modified behavior model storing means 104. Rather than such a storing operation, a modified behavior model may be written over the behavior model selected at step S52, and the modified behavior model may be stored in behavior model storing means 103. In the latter scenario, the behavior model may be overwritten at step S61 without the need for the processing at step S62. Also, at step S51, modifying means 130 may determine whether or not behavior model storing means 103 stores a behavior model which has not been overwritten by a modified behavior model.
When determining that a connotative area exists in a behavior model (Y at step S71), modifying means 130 deletes the connotative area (step S72). In the example shown in
After step S72, modifying means 130 repeats the processing at step S71 onward. Then, when all connotative areas have been deleted from the behavior model, modifying means 130 determines at step S71 that no connotative area exists (N at step S71), followed by termination of the procedure.
In the modification related to strictness, modifying means 130 retrieves topology information from topology storing means 102 (step S81). At step S81, modifying means 130 may retrieve from the topology information the information on software applications installed in the network device identified from the behavior model selected at step S52. For example, assume that the behavior model selected at step S52 is the behavior model shown in
Next, modifying means 130 identifies a service port number associated with each software application based on the information on the software applications retrieved at step S81, and converts the information on each software application to a service port number (step S82). The service port number refers to a port number used by a software application which provides a network service to accept a service request. For example, since Apache is a software application used by a WWW server, Apache is assigned service port number 80. Ftp is assigned service port numbers 20 and 21. Ssh is assigned service port number 22. Behavior model generator 100 has previously stored a correspondence relationship between software applications and service port numbers, such that modifying means 130 may reference the correspondence relationship to identify a service port number corresponding to information on a software application retrieved at step S81. In the foregoing example, modifying means 130 may identify service port numbers 80, 20, 21, 22 corresponding to “Apache,” “ftp,” and “ssh,” and convert the information on the respective software applications to these service port numbers 80, 20, 21, 22.
Subsequently, modifying means 130 determines whether or not there are one or more service port numbers converted at step S82 (step S83). Modifying means 130 goes to step S84 when there are one or more service port numbers, and goes to step S87 when there is no service port number. When service port numbers 20, 21, 22, 80 are derived at step S82 in the foregoing example, there are four service port numbers, causing modifying means 130 to go to step S84.
At step S84, modifying means 130 selects one service port number from the one or more service port numbers. For example, when there are service port numbers 20, 21, 22, 80 available, modifying means 130 selects an arbitrary one from these numbers. This example will be described below on the assumption that service port number 20 is selected.
Next, modifying means 130 determines whether or not “Accept” is specified for the service port number selected at step S84 in the behavior model selected at step S52. When “Accept” is specified, this service port number is stored as a port number not subjected to a change (step S85). As will be later described, in the modification related to strictness, part of port numbers for which “Accept” is specified is changed from “Accept” to “Drop.” The port number not subjected to a change refers to a port number, the action of which is not changed to “Drop.” Also, when “Accept” is not specified for a selected service port number, modifying means 130 goes to step S86 without storing this service port number as a port number not subjected to a change.
In this example, the behavior model shown in
As will be later described, modifying means 130 may display the behavior model stored together with the port number not subjected to a change on information output means 300. In this event, “51” is marked at the location corresponding to the port number not subjected to a change in the display as shown in
After step S85, modifying means 130 deletes the service port number selected at step S84 (step S86). In this example, since service port number 20 has been selected from four service port numbers 20, 21, 22, 80, modifying means 130 deletes service port number 20. As a result, service port numbers 21, 22, 80 remain.
After step S86, modifying means 130 returns to step S83 to repeat the processing at steps S83-S86. As a result, the remaining service port numbers 21, 22, 80 are selected one by one, and deleted after they have been stored as port numbers not subjected to a change. When modifying means 130 returns to step S83 after all the port numbers have been deleted, there is not any service port number, causing modifying means 130 to go to step S87.
At step S87, modifying means 130 changes the area of port numbers for which “Accept” is specified, other than the port numbers not subjected to a change, to “Drop.” Then, modifying means 130 deletes the stored port numbers not subjected to a change. When modifying means 130 executes the processing at step S87 for the behavior model shown in
The modification related to default at step S58 is executed in response to the entry of a modification principle which defines that “default is permitted” or “default is prohibited.” Modifying means 130 determines whether the default action specified in the modification principle is the same as the default action in the behavior model (step S101). When they are the same (Y at step S101), modifying means 130 terminates the modification related to the default. When they are not the same (N at step S101), modifying means 130 goes to step S102. The default action in the behavior model shown in
At step S102, modifying means 130 changes the default action in the behavior model to the reverse action (step S102). Specifically, when the default action in the behavior model is “Drop,” this action is changed to “Accept,” and vice versa. In the behavior model shown in
Next, modifying means 130 specifies an action reverse to the default action for an area of port numbers not described in the behavior model (step S103). For example, in the behavior model shown in
Next, modifying means 130 deletes areas of port numbers, for which the same action as the default action of the behavior model is specified, and their action from the behavior model (step S104). For example, in the behavior model shown in
In the foregoing embodiment, the behavior model shown in
In the modification related to efficiency, modifying means 130 determines whether or not the behavior model contains areas (ranges of port numbers) which are assigned the same action and given sequential port numbers (step S111). In the example shown in
Also, even with partially overlapping port numbers, if the smallest port number of a certain area to the largest port number of a different area is continuous, the plurality of areas in between fall under the areas across which port numbers are continuous. For example, assume that one area is given port numbers 20-25, while another area is given port numbers 24-30. In this scenario, port numbers 24, 25 overlap in the two areas. In this event, the port numbers are continuous from the smallest port number 20 in one area to the largest port number 30 in the other area. Accordingly, such two areas also fall under the areas which are given sequential port numbers.
Modifying means 130 terminates the procedure if the behavior model does not contain areas across which port numbers are continuous (N at step S111). On the other hand, when the behavior model contains areas in which the action is the same and port numbers are continuous, modifying means 130 goes to step S112. At step S112, modifying means 130 combines the plurality of areas for which the same action is specified and which are given continuous port numbers into one area (step S112). In the example shown in
Modifying means 130 repeats the processing at step S111 onward after step S112. At step S111, if the behavior model no longer contains areas in which the same action is specified and port numbers are continuous, modifying means 130 terminates the procedure.
While the foregoing example has shown a combination of two areas (the area of “port numbers 20-23” and the area of “port numbers 24-30”) into a single area, three or more continuous areas may be combined into a single area at one time. Assume, for example, that there are an area of port numbers 1-3, an area of port numbers 4-6, and an area of port numbers 7-9. Assume also that the same action is specified for the three areas. In this event, modifying means 130 may combine the three areas into an area having “port numbers 1-9” at one time.
Configuration is generated from the modified behavior model. The network access controller exhibits a different efficiency for a packet filtering operation when configuration generated based on the behavior model shown in
However, the efficiency of the operation of the network access controller can be improved by a modification other than the procedure illustrated in
Here, a determination may be made in the following manner as to whether or not modifying means 130 can reduce the number of areas included in a behavior model. Specifically, modifying means 130 may determine that it can reduce the number of areas included in a behavior model when both the action of the area which includes the smallest port number “1” and the action of the area which includes the largest port number “65535” are different from the default action. Describing in connection with the behavior model shown in
When the condition that both the action of the area including the smallest port number “1” and the action of the area including the largest port number “65535” are different from the default action is not satisfied, the execution of processing similar to that at steps S102-S104 would result in no change or an increase in the number of areas. Also, depending on the algorithm of a packet filtering software application installed in a network access controller, the operation efficiency can be improved in some cases when the network access controller is provided with configuration which is generated from a behavior model in which each port number has a separate area. In such a situation, modifying means 130 may divide an area including a plurality of port numbers into areas each for one of the port numbers at step S60. For example, modifying means 130 may divide an area composed of port numbers 20-23 shown in
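The strictness (steps S81-S87), default (steps S101-S104) and efficiency (steps S111-S112) modifications described above, together with the area-count check of the preceding two paragraphs, as an added example that is not part of the patent text: the behavior model is represented as a default action plus non-overlapping port-number areas, and the application-to-service-port table and the sample model are assumptions made here.

```python
"""Behavior-model modifications: strictness (S81-S87), default (S101-S104) and
efficiency (S111-S112). Added example, not the patent's own code; the model
representation and the application-to-port table are assumptions."""
from dataclasses import dataclass, field

ACCEPT, DROP = "Accept", "Drop"
MIN_PORT, MAX_PORT = 1, 65535
# Assumed table of service ports (the text gives Apache=80, ftp=20/21, ssh=22).
SERVICE_PORTS = {"Apache": [80], "ftp": [20, 21], "ssh": [22]}


@dataclass(frozen=True)
class Area:
    """A range of destination port numbers and the action specified for it."""
    lo: int
    hi: int
    action: str


@dataclass
class BehaviorModel:
    default: str                                   # action when no area matches
    areas: list = field(default_factory=list)      # assumed not to overlap each other


def action_for(model, port):
    """Action for one port: the area containing it, else the default."""
    return next((a.action for a in model.areas if a.lo <= port <= a.hi), model.default)


def equivalent(m1, m2):
    """True when the two models decide every port identically."""
    return all(action_for(m1, p) == action_for(m2, p) for p in range(MIN_PORT, MAX_PORT + 1))


def _split_accept_area(area, keep):
    """S87 on one Accept area: kept ports stay Accept, the remainder becomes Drop."""
    pieces, start, cur = [], area.lo, area.lo in keep
    for p in range(area.lo + 1, area.hi + 2):
        flag = (p in keep) if p <= area.hi else None  # None closes the last run
        if flag != cur:
            pieces.append(Area(start, p - 1, ACCEPT if cur else DROP))
            start, cur = p, flag
    return pieces


def strictness(model, installed_apps):
    """S81-S87: only service ports of installed software keep Accept."""
    keep = set()                                   # ports not subjected to a change (S85)
    for app in installed_apps:                     # S82: applications -> service ports
        for port in SERVICE_PORTS.get(app, []):
            if action_for(model, port) == ACCEPT:
                keep.add(port)
    model.areas = [piece for a in model.areas
                   for piece in (_split_accept_area(a, keep) if a.action == ACCEPT else [a])]
    return model


def _gaps(areas):
    """Port ranges that no area describes."""
    gaps, cur = [], MIN_PORT
    for a in sorted(areas, key=lambda a: a.lo):
        if a.lo > cur:
            gaps.append((cur, a.lo - 1))
        cur = max(cur, a.hi + 1)
    if cur <= MAX_PORT:
        gaps.append((cur, MAX_PORT))
    return gaps


def set_default(model, wanted):
    """S101-S104: change the default action without changing any port's decision."""
    if model.default == wanted:                    # S101
        return model
    model.default = wanted                         # S102: reverse the default
    reverse = ACCEPT if wanted == DROP else DROP
    extra = [Area(lo, hi, reverse) for lo, hi in _gaps(model.areas)]       # S103
    model.areas = [a for a in model.areas + extra if a.action != wanted]   # S104
    return model


def efficiency(model):
    """S111-S112: merge same-action areas whose port numbers are continuous or overlap."""
    merged = []
    for a in sorted(model.areas, key=lambda a: (a.action, a.lo)):
        if merged and merged[-1].action == a.action and a.lo <= merged[-1].hi + 1:
            merged[-1] = Area(merged[-1].lo, max(merged[-1].hi, a.hi), a.action)
        else:
            merged.append(a)
    model.areas = sorted(merged, key=lambda a: a.lo)
    return model


def can_reduce_areas(model):
    """The text's check: reversing the default reduces the area count only when the
    areas holding port 1 and port 65535 both carry an action other than the default."""
    return (action_for(model, MIN_PORT) != model.default
            and action_for(model, MAX_PORT) != model.default)


if __name__ == "__main__":
    # Constructed sample: default Drop, Accept for ports 20-23, 24-30, 80 and 443.
    model = BehaviorModel(DROP, [Area(20, 23, ACCEPT), Area(24, 30, ACCEPT),
                                 Area(80, 80, ACCEPT), Area(443, 443, ACCEPT)])
    model = efficiency(strictness(model, ["Apache", "ftp", "ssh"]))
    print(model.default, model.areas)  # 20-22 and 80 keep Accept; 23-30 and 443 become Drop
```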
In the description of the flow charts illustrating the procedures for the respective modifications (steps S54, S56, S58, S60), the behavior model given as an example has “Drop” specified as its default action. For modifying a behavior model in which “Accept” is specified as the default action, modifying means 130 may execute processing similar to the aforementioned steps S54, S56, S58, S60.
Also, details on the procedure for the modification related to verbosity (step S54), the procedure for the modification related to strictness (step S56), the procedure for the modification related to default (step S58), and the procedure for the modification related to efficiency (step S60) are not limited to those illustrated in
In the flow chart illustrated in
In the foregoing embodiment, modifying means 130 is supplied with modification principles from the input screen (GUI) illustrated in
In the latter scenario, modifying means 130 prompts the operator to enter a modification principle related to strictness, a modification principle related to verbosity, and a modification principle related to efficiency, separately for each behavior model selected at step S52. The following description will be centered on this operation. In this modification procedure, the processing at steps S51, S52 is similar to that previously described.
Upon selection of one behavior model at step S52, modifying means 130 executes the processing at steps S81-S86 (see
Also, the GUI illustrated in
In the example illustrated in
After modifying the behavior model selected at step S52 in accordance with the principle entered from the GUI illustrated in
The GUI illustrated in
In the example illustrated in
After modifying the behavior model selected at step S52 in accordance with the principles entered from the GUI illustrated in
The GUI illustrated in
In the example illustrated in
In the foregoing description, the GUIs illustrated in
The modification principle related to the default action is preferably determined such that it is collectively applied to all behavior models, rather than specified separately for each behavior model. Specifically, the modification principle related to the default action is preferably specified in the manner described in connection with
Next described is the generation of configuration (step S6) by configuration generating means 140. Configuration generating means 140 retrieves behavior models modified by modifying means 130 from modified behavior model storing means 104. Modified behavior model storing means 104 stores zero or more behavior models. Configuration generating means 140 selects one of the retrieved behavior models.
Network access controllers tend to have software applications installed therein for controlling network accesses. Such software applications include, for example, “Firewall-1,” “Netscreen” and the like. Network access controllers may also have packet filtering software applications installed therein, including “ipchains,” “iptables” and the like. Network access controllers may further have network service super-server software applications installed therein, including “inetd,” “xinetd” and the like. “Firewall-1,” “Netscreen,” “ipchains,” “iptables,” “inetd,” and “xinetd” individually listed above are the names of software applications. Configuration generating means 140 generates configuration specific to a variety of network access controllers (or software applications installed in the controllers) from modified behavior models. As previously described, the configuration defines the operation of a particular network access controller.
To generate the configuration, configuration generating means 140 retrieves from conversion rule storing means 150 a conversion rule for generating configuration described in a format specific to a particular network access controller. The conversion rule defines how a modified behavior model is converted to configuration specific to that network access controller.
As shown in
In this way, configuration generating means 140 generates configuration by replacing indefinite items in the conversion rule with appropriate data included in the behavior model.
In the foregoing description, the configuration is generated by replacing indefinite items in the conversion rule with associated data included in the behavior model, but configuration generating means 140 may generate the configuration through other processing.
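The replacement of indefinite items in a conversion rule with data from the behavior model, as an added example that is not the patent's own code. The `ConversionRule` template and its `$`-placeholders are my assumptions; iptables is one of the software applications the page names, and the emitted lines use its standard `-A`/`-P` forms.

```python
# Added example (not the patent's own code): generating configuration by replacing the
# indefinite items of a conversion rule with data from a modified behavior model.
# The conversion rule below is an assumed template; iptables is one of the page's targets.
from dataclasses import dataclass
from string import Template
from typing import Dict, List, Tuple

Area = Tuple[int, int, str]  # (first port, last port, action) as in the behavior model

@dataclass(frozen=True)
class ConversionRule:
    """Fixed text is copied as is; $-placeholders are the indefinite items."""
    area: str                # emitted once per area whose action is not the default
    single: str              # same, for an area holding a single port number
    default: str             # emitted once for the default action
    actions: Dict[str, str]  # behavior-model action -> vocabulary of the target software

# Assumed conversion rule for an iptables-based network access controller.
IPTABLES_RULE = ConversionRule(
    area="iptables -A INPUT -p tcp --dport $lo:$hi -j $action",
    single="iptables -A INPUT -p tcp --dport $lo -j $action",
    default="iptables -P INPUT $action",
    actions={"Accept": "ACCEPT", "Drop": "DROP"},
)

def generate_configuration(areas: List[Area], default: str, rule: ConversionRule) -> List[str]:
    """Fill the indefinite items from each area, in port order. Areas that already carry
    the default action are covered by the default line (the iptables policy applies when
    no -A rule matched, so that line closes the configuration)."""
    lines: List[str] = []
    for lo, hi, action in sorted(areas):
        if action == default:
            continue
        if action not in rule.actions:
            raise ValueError(f"action {action!r} has no equivalent in the conversion rule")
        template = Template(rule.single if lo == hi else rule.area)
        lines.append(template.substitute(lo=lo, hi=hi, action=rule.actions[action]))
    lines.append(Template(rule.default).substitute(action=rule.actions[default]))
    return lines
```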
Configuration generating means 140 generates the configuration using a modified behavior model. Therefore, the modification principle applied to the behavior model is also reflected in the configuration. For example, principles such as “verbosity is permitted,” “strictness is required,” “default is prohibited,” “emphasis is placed on the efficiency” and the like are reflected in the configuration as well.
Configuration generating means 140 displays the generated configuration on information output means 300. While information output means 300 is a display device in the example described herein, information output means 300 may comprise a printer for printing out the configuration. Alternatively, information output means 300 may comprise a storage medium drive device for writing information into a storage medium, in which case the configuration may be written into a storage medium. Further alternatively, information output means 300 may comprise a network interface through which the configuration may be transmitted to another computer. Also, information output means 300 may comprise an audio output device such as a speaker, in which case the configuration may be audibly output.
Next described are effects produced by the foregoing embodiment. In the present invention, a behavior model is generated from a security policy described in a natural language or the like, such that the behavior model is represented by a data structure independent of descriptions which depend on the type of network access controller. Since the behavior model is not described in a format specific to each network access controller, the present invention can solve the problem of “difficulties in confirming the intention of a security policy creator.” Particularly, the intention of the security policy creator can be presented more clearly by displaying the behavior model in a schematic diagram form. Further, even if the design guidelines for a security policy differ from one creator to another, the present invention keeps maintenance operations from becoming difficult, because it solves the problem of “difficulties in confirming the intention of a security policy creator.” In other words, the present invention can also solve the problem of “difficulties in maintaining the consistency.”
Also, even if a security policy described in a natural language or the like includes missing items or omitted items, policy normalizing means 110 compensates the security policy for such missing items and omitted items. Therefore, even if an entered security policy includes missing items or omitted items, a behavior model can be generated from this security policy.
Since modifying means 130 modifies a behavior model in accordance with a modification principle desired by an operator, the present invention can derive configuration desired by the operator. For example, a behavior model can be modified in accordance with a modification principle which defines that “emphasis is placed on efficiency.” As a result, when a network access controller is operated in accordance with configuration generated from the modified behavior model, it can be determined at higher speed whether a packet is permitted or prohibited from being transmitted. Also, for example, the default action of a behavior model can be changed to an action desired by the operator, and as a result, the default action in the configuration can also be changed to the action desired by the operator. In other words, the configuration can be generated in a description format which can be defined in a flexible manner.
Also, by modifying a behavior model in accordance with a principle which defines that “verbosity is permitted” or “verbosity is not permitted,” it is possible to generate configuration in accordance with that principle. Similarly, by modifying a behavior model in accordance with a principle which defines that “strictness is required” or “strictness is not required,” it is possible to generate configuration in accordance with that principle.
In the foregoing embodiment, the generated configuration may be reconfigured to make the configuration more compact. Making the configuration more compact means, for example, a reduction in the number of lines in the configuration.
The descriptions on the third and fourth lines in
In the example described in connection with
The examples shown in
In addition, the operator may be prompted to determine whether configuration should be reconfigured or not, such that the configuration is reconfigured in response to an entered instruction which requires the reconfiguration (alternatively, behavior models may be modified to reduce the number of lines in configuration, and the configuration may be created from the modified behavior models).
The present invention can be applied, for example, to the generation of a behavior model which represents the operation of a firewall, a router, or a network access controller which has a packet filtering software application installed therein. The present invention can also be applied to a device which generates, based on a behavior model, configuration for defining the operation of a network access controller.
While preferred embodiments of the present invention have been described using specific terms, such description is for illustrative purposes only, and it is to be understood that changes and variations may be made without departing from the spirit or scope of the following claims.
Number | Date | Country | Kind |
---|---|---|---|
2004-180904 | Jun 2004 | JP | national |