Published by Muriel Freeman. Modified over 9 years ago.
1
Security and Protection of Information Pavel Štros, stros@datasys.cz
2
Security of management – the status: security management (security products) X security of management (management products); lack of documentation; inadequately discussed
3
Why focus on security of EMS? Ambition of system and network management = completely mastered IT environment
4
MultiLevel Security Policy: information (object) sensitivity level; user clearance level. A subject is a user or a process running on behalf of a user. Bell & LaPadula mandatory security policy model: No Read Up, No Write Down.
5
Security policy design tasks: to define information granularity; to provide semantics for the association between a sensitivity level and a construct; to analyze effects of a classification of a construct on classifications of other constructs
6
Event management - aids: reduction in alarm events reported to a management station; quick isolation and possible correction of fault; detection of various composite events or event patterns that are a set of interrelated events
7
Simplified architecture of EMS (diagram labels): authentication, authorization, auditing...; raw event info is sent to EMS; event message formatting; rule base processing; RDBMS; format definitions; definitions of rules; authentication, authorization, auditing...; operators; admins
8
EMS terminology. Event message: central unit of information; form of attributes, which are "name=value" pairs. Rules: used to correlate and analyze events; rule definition, rule base; rule engine performs all the processing of events; processed event data are stored in a database
9
Assumptions. Event class: determines the attributes that may constitute the event message; event class hierarchy. Rule processing: an event is formatted according to the most specific matching class; rules are evaluated based on their order within the rule base; a rule is only triggered when its sensitivity level dominates the sensitivity level of the event and the event under analysis has satisfied all of the conditions; only event attributes "visible" at the rule's sensitivity level may be evaluated in conditions
10
Information granularity - results. Multi-level Event approach: every attribute is assigned a sensitivity level. Protected constructs: Event class; Event class attribute; Inheritance link; Event instance; Event instance attribute; Event instance attribute value; Rule definition. The construct "Event instance link" does not need to be protected.
11
Security semantics and cross-effect analysis. Results: 12 basic rules; no need to introduce polyinstantiation; higher sensitivity level rules must be evaluated first; constraints applicable to deletion and modification of parent event classes should be subject to further research
12
Valid class hierarchy example
root event (U): date_occured (U), message (U)
firewall event (U): date_occured (U), hostname (U), message (U)
connection request (C): date_occured (C), hostname (C), message (C)
connection request accepted (C): date_occured (C), hostname (C), firewall_rule (S), message (C)
connection request dropped (U): date_occured (U), hostname (U), firewall_rule (S), message (U)
(C) (U)
firewall config (S): date_occured (S), hostname (S), message (S)
(S)
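
The rule-processing assumptions (slide 9) and the evaluation order from slide 11, applied to two classes from the hierarchy above. This is an added example, not code from the presentation or from any EMS product. Assumptions: the labels form the order U < C < S, and the attribute values, rule names and rule base are constructed for illustration.

```python
# Added example: sensitivity labels U < C < S are an assumed total order.
LEVELS = {"U": 0, "C": 1, "S": 2}

def dominates(a, b):
    """True when level a is at least as high as level b."""
    return LEVELS[a] >= LEVELS[b]

# Constructed instances of two classes from the hierarchy slide;
# each attribute is (value, sensitivity level). Values are made up.
DROPPED = {"class": "connection request dropped", "level": "U", "attrs": {
    "date_occured": ("2000-01-01T10:00:00", "U"),
    "hostname": ("fw1", "U"),
    "firewall_rule": ("deny-42", "S"),
    "message": ("connection dropped", "U")}}
CONFIG = {"class": "firewall config", "level": "S", "attrs": {
    "date_occured": ("2000-01-01T11:00:00", "S"),
    "hostname": ("fw1", "S"),
    "message": ("policy reloaded", "S")}}

# Hypothetical rule base, listed in rule-base order.
RULES = [
    {"name": "u_host_seen", "level": "U", "conditions": {"hostname": "fw1"}},
    {"name": "u_peek_rule", "level": "U", "conditions": {"firewall_rule": "deny-42"}},
    {"name": "s_rule_hit", "level": "S", "conditions": {"firewall_rule": "deny-42"}},
]

def visible_attrs(event, level):
    """Attribute values a rule at `level` is allowed to evaluate."""
    return {n: v for n, (v, lvl) in event["attrs"].items() if dominates(level, lvl)}

def rule_fires(rule, event):
    # The rule's level must dominate the event's level ...
    if not dominates(rule["level"], event["level"]):
        return False
    # ... and conditions may only use attributes visible at the rule's level.
    view = visible_attrs(event, rule["level"])
    return all(view.get(k) == want for k, want in rule["conditions"].items())

def process(rules, event):
    """Evaluate higher-level rules first, rule-base order within a level."""
    ordered = sorted(rules, key=lambda r: -LEVELS[r["level"]])  # stable sort
    return [r["name"] for r in ordered if rule_fires(r, event)]

if __name__ == "__main__":
    print(process(RULES, DROPPED))
    print(process(RULES, CONFIG))
```

The U-level rule that tests firewall_rule never fires on the dropped-connection event, because that attribute is labelled S and is not visible at U; no U-level rule fires on the S-level firewall config event at all.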