Security Risk Management and Network Access Controls

NAC security mechanisms, for instance firewalls, are routinely prescribed as requirements for compliance to security standards such as PCI-DSS and ISO 27000. However, the effectiveness of a NAC configuration may be hampered by poor understanding and/or management of the overall security configuration, which may in turn, unnecessarily expose the enterprise to known security threats. New threats and/or service requirements often result in firefighting by ad-hoc modification to an already large and complex configuration. This complexity is further compounded by the diverse range of NAC mechanisms used to secure an enterprise; ranging from firewalls and proxies to NAC-style controls within applications themselves. As a consequence, it can be difficult to ensure that the current NAC configuration is effective, that is, it sufficiently mitigates threats while providing necessary access to services. Ensuring ongoing best-practice NAC administration can be costly as it requires up to date expert knowledge in a rapidly changing field.

A knowledge base is being developed that contains detailed prescriptions for threat management. These catalogues of best practice describe how known threats are mitigated control configurations and are continually updated to reflect newly discovered vulnerabilities and revisions to best practice.

Publications

Neville, U. M., & Foley, S. N. (2018). Reasoning About Firewall Policies Through Refinement and Composition. Journal of Computer Security, 26(2), 207–254. Retrieved from https://simonnfoley.github.io/pubs/jcs2018.pdf [link]

Neville, U., & Foley, S. N. (2016). Reasoning About Firewall Policies Through Refinement and Composition. In IFIP WG 11.3 Working Conference on Data and Applications Security and Privacy (DBSec2016). Retrieved from https://simonnfoley.github.io/pubs/dbsec2016-FW.pdf [link]

Foley, S. N., & Neville, U. (2015). A firewall algebra for OpenStack. In Workshop on security and privacy in the cloud (IEEE CNS). Retrieved from https://simonnfoley.github.io/pubs/spc-2015.pdf [link]

Fitzgerald, W. M., Neville, U., & Foley, S. N. (2013). MASON: Mobile autonomic security for network access controls. J. Inf. Sec. Appl., 18(1), 14–29. https://doi.org/10.1016/j.jisa.2013.08.001 [link]

Fitzgerald, W. M., & Foley, S. N. (2013). Avoiding Inconsistencies in the Security Content Automation Protocol. In 6th IEEE Symposium on Security Analytics and Automation. Retrieved from https://simonnfoley.github.io/pubs/safeconfig2013.pdf [link]

Foley, S. N., & Fitzgerald, W. M. (2012). Decentralized Semantic Threat Graphs. In Data and Applications Security and Privacy XXVI - 26th Annual IFIP WG 11.3 Conference, DBSec 2012, Paris, France, July 11-13,2012. Proceedings (pp. 177–192). https://doi.org/10.1007/978-3-642-31540-4_14 [link]

Foley, S. N., & Fitzgerald, W. M. (2011). Management of security policy configuration using a Semantic Threat Graph approach. Journal of Computer Security, 19(3), 567–605. https://doi.org/10.3233/JCS-2011-0421 [link]

Fitzgerald, W. M., & Foley, S. N. (2011). Reasoning about the Security Configuration of SAN Switch Fabrics. In 4th Symposium on Configuration Analytics and Automation, (SafeConfig), Arlington, VA, USA. Retrieved from https://simonnfoley.github.io/pubs/safeconf2011.pdf [link]

Fitzgerald, W. M., & Foley, S. N. (2011). Reasoning about the Security Configuration of SAN Switch Fabrics. In 4th Symposium on Configuration Analytics and Automation, SafeConfig 2011, Arlington, VA, USA, October 31 - November 1, 2011. https://doi.org/10.1109/SafeConfig.2011.6111673 [link]

Foley, S. N., Fitzgerald, W. M., & Adams, W. M. (2011). Federated Autonomic Network Access Control. In 4th Symposium on Configuration Analytics and Automation, SafeConfig 2011, Arlington, VA, USA, October 31 - November 1, 2011. https://doi.org/10.1109/SafeConfig.2011.6111668 [link]

Foley, S. N., & Moss, H. (2010). A risk-metric framework for enterprise risk management. IBM Journal of Research and Development, 54(3), 3. https://doi.org/10.1147/JRD.2010.2043403 [link]

Fitzgerald, W. M., & Foley, S. N. (2010). Management of heterogeneous security access control configuration using an ontology engineering approach. In 3rd ACM Workshop on Assurable and Usable Security Configuration, SafeConfig 2010, Chicago, IL, USA, October 4, 2010 (pp. 27–36). https://doi.org/10.1145/1866898.1866903 [link]

Foley, S. N. (2009). Security Risk Management using Internal Controls. In ACM Workshop on Information Security Governance. Retrieved from https://simonnfoley.github.io/pubs/wisg2009.pdf [link]

Foley, S. N., & Fitzgerald, W. M. (2009). An Approach to Security Policy Configuration Using Semantic Threat Graphs. In Data and Applications Security XXIII, 23rd Annual IFIP WG 11.3 Working Conference, Montreal, Canada, July 12-15, 2009. Proceedings (pp. 33–48). https://doi.org/10.1007/978-3-642-03007-9_3 [link]