Generating Policies for Defense in Depth

Citation: Paul Rubel, Michael Ihde, Steven Harp, Charles Payne. Generating Policies for Defense in Depth.
Proceedings of the 21st Annual Computer Security Applications Conference, Tucson, Arizona, December 5-9, 2005, pp. 505-514.

Formats: PDF

Abstract: Coordinating multiple overlapping defense mechanisms, at differing levels of abstraction, is fraught with the potential for misconfiguration. This paper presents the process we used to minimize these risks and the lessons learned as we developed and validated security policies for a system that withstood sustained red team attack. Our process began with application-level policy templates, which were instantiated with system-specific values. These application policy templates were used to directly generate host-level firewall rules and policy visualizations. They also provided useful guidance during the manual construction of process-level security policies for SELinux and CSA. Following policy generation, the policies were enforced on the system and subsequently validated with both application- and network-level testing tools.