The Research and Implementation of Object-based Comprehensive Security Policy Configuration Technology
|School||National University of Defense Science and Technology|
|Keywords||Object; Access control policy; Intrusion detection policy; Policy configuration; Formal description|
As networks keep growing in scale and network technology advances rapidly, the network security situation is becoming increasingly grim. New virus and hacking techniques emerge in an endless stream, and network security technologies and products are receiving ever more attention. A single protection or detection product can no longer meet the security needs of a complex network environment, so the market calls for multifunctional security equipment that combines protection, detection and response in one device. Such a device integrates a variety of security technologies and must therefore support several kinds of security policy: placed between the internal and external networks, it can enforce access control, intrusion detection, security audit, traffic monitoring and other functions, which together form a comprehensive and effective protective measure.

An analysis of the policy configuration techniques of typical security equipment shows that the concept of an object plays a key role in policy configuration. To improve the efficiency of configuration management, this paper presents an object-based comprehensive security policy configuration technology that carries the object-oriented approach further. Starting from the characteristics of the various security policies, the paper identifies the basic objects that comprehensive security policy configuration requires and defines high-level objects in terms of those basic objects. To describe comprehensive security policies more rigorously and with less ambiguity, and to make policies easier for administrators to understand and to manage, a policy description language named SPSDL is adopted and extended to give the policies a formal description. On this theoretical basis, a comprehensive security policy configuration module is designed and implemented in the management configuration software of a comprehensive security protection device.
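The abstract does not reproduce the SPSDL syntax or the thesis's object catalogue, so the following is an added illustration of the object-based idea rather than the thesis's own code or language: basic objects (addresses, services, time windows) are named once, high-level objects (groups) are defined in terms of basic objects or other groups, and policies refer to objects only by name. Compiling a policy resolves every name down to basic objects, which is also where the usual configuration errors (an undefined name, a group used as the wrong kind of object, a cyclic group definition) are caught, and where permit/deny rules whose scopes overlap can be reported before they reach the device. All object and field names here are assumptions chosen for the example.

```python
"""Object-based security policy model (added illustration; names are hypothetical,
not the SPSDL object set or the Visual C++ module described in the thesis)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# ---- basic objects: each named once, referenced everywhere else by name ----
@dataclass(frozen=True)
class Address:
    name: str
    cidr: str            # host or subnet, e.g. "10.0.1.5/32"

@dataclass(frozen=True)
class Service:
    name: str
    proto: str           # "tcp" or "udp"
    port: int

@dataclass(frozen=True)
class TimeWindow:
    name: str
    start_hour: int      # inclusive, 0-23
    end_hour: int        # exclusive, 1-24

# ---- high-level object: a group defined in terms of basic objects or other groups ----
@dataclass(frozen=True)
class Group:
    name: str
    members: Tuple[str, ...]

# ---- an access-control policy refers to objects only by name ----
@dataclass(frozen=True)
class AccessRule:
    src: str
    dst: str
    service: str
    when: str
    action: str          # "permit" or "deny"

class PolicyStore:
    """Object catalogue plus the policies that reference it."""
    def __init__(self) -> None:
        self.objects: Dict[str, object] = {}
        self.access: List[AccessRule] = []

    def add(self, *objs) -> None:
        for o in objs:
            if o.name in self.objects:
                raise ValueError(f"duplicate object name {o.name!r}")
            self.objects[o.name] = o

    def resolve(self, name: str, kind, _seen: Tuple[str, ...] = ()) -> list:
        """Expand a name into the basic objects of `kind` it denotes.
        Undefined names, kind mismatches and cyclic groups are configuration errors."""
        if name in _seen:
            raise ValueError(f"cyclic group reference through {name!r}")
        obj = self.objects.get(name)
        if obj is None:
            raise ValueError(f"undefined object {name!r}")
        if isinstance(obj, Group):
            out = []
            for member in obj.members:
                out.extend(self.resolve(member, kind, _seen + (name,)))
            return out
        if not isinstance(obj, kind):
            raise ValueError(f"{name!r} is a {type(obj).__name__}, expected {kind.__name__}")
        return [obj]

    def compile_access(self) -> list:
        """Flatten object-level rules into concrete (src, dst, proto, port, start, end, action) tuples."""
        concrete = []
        for r in self.access:
            for s in self.resolve(r.src, Address):
                for d in self.resolve(r.dst, Address):
                    for svc in self.resolve(r.service, Service):
                        for tw in self.resolve(r.when, TimeWindow):
                            concrete.append((s.cidr, d.cidr, svc.proto, svc.port,
                                             tw.start_hour, tw.end_hour, r.action))
        return concrete

def decide(concrete: list, src_ip: str, dst_ip: str, proto: str, port: int, hour: int) -> str:
    """First-match evaluation of compiled rules; anything unmatched is denied."""
    for s, d, p, pt, start, end, action in concrete:
        if (ip_address(src_ip) in ip_network(s) and ip_address(dst_ip) in ip_network(d)
                and proto == p and port == pt and start <= hour < end):
            return action
    return "deny"

def find_conflicts(concrete: list) -> list:
    """Permit/deny pairs whose address, service and time scopes all overlap;
    under first-match the earlier rule silently shadows the later one."""
    conflicts = []
    for i, a in enumerate(concrete):
        for b in concrete[i + 1:]:
            if (a[6] != b[6] and a[2:4] == b[2:4]
                    and ip_network(a[0]).overlaps(ip_network(b[0]))
                    and ip_network(a[1]).overlaps(ip_network(b[1]))
                    and a[4] < b[5] and b[4] < a[5]):
                conflicts.append((a, b))
    return conflicts

def build_example() -> PolicyStore:
    """Constructed sample catalogue and policy (not taken from the thesis)."""
    store = PolicyStore()
    store.add(Address("admin_pc", "10.0.1.5/32"), Address("office_lan", "10.0.1.0/24"),
              Address("db_server", "10.0.2.10/32"), Address("web_server", "10.0.2.20/32"),
              Service("ssh", "tcp", 22), Service("https", "tcp", 443), Service("mysql", "tcp", 3306),
              TimeWindow("always", 0, 24), TimeWindow("work_hours", 8, 18),
              Group("servers", ("db_server", "web_server")),
              Group("mgmt_services", ("ssh", "mysql")))
    store.access = [
        AccessRule("admin_pc", "servers", "mgmt_services", "work_hours", "permit"),
        AccessRule("office_lan", "web_server", "https", "always", "permit"),
        AccessRule("office_lan", "servers", "mgmt_services", "always", "deny"),
    ]
    return store

if __name__ == "__main__":
    rules = build_example().compile_access()
    print(len(rules), "concrete rules;", len(find_conflicts(rules)), "overlapping permit/deny pairs")
```

Three object-level rules expand to nine concrete rules; the admin permit and the office-wide deny overlap on every management service, which `find_conflicts` reports so that the administrator can confirm the intended ordering rather than discover the shadowing in production.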
The module is written in Visual C++ and applies several key techniques: adaptive window layout using CETSLayout, policy configuration and policy delivery, ADO database access, structured lists, and socket communication. Together these resolve a series of problems in configuring comprehensive security policies and delivering them to the device. An experimental environment was set up and the system was tested; the results show that the software's security policy configuration module is fully functional, convenient to use and runs stably, confirming the effectiveness and practicality of object-based comprehensive security policy configuration.