The Internet is an integral part of business communications, however it was based on open standards without due regard to security issues consequently security threats are not only persistent but also increasing. The Computer Security Institute (CSI) 2007 reported a doubling of average annual loss by US companies. There are three primary network security threats: policy, technology, and configuration. This chapter is primarily concerned with the configuration and management of network devices. There are a number of different network management tools currently available, however typically it is problematic to concurrently display configuration data from devices and protocols whilst maintaining a navigational context. This chapter demonstrates how the State Model Diagram method is not only a universal model-driven network tool but also useful for the configuration and management of complex security protocols and devices.
TopNetwork Device Configuration And Management
Configuring devices, even for routine end users applications such as Internet Explorer, may be problematic (Furnell, 2007) (Furnell, 2005). This problem is exacerbated for dedicated devices such as firewalls which are not only complex devices within themselves but also difficult to configure. Configuring a firewall is considered to be of paramount importance (Rubin, 1997). A firewall employs directional; rule based stateful packet analysis for inbound and outbound packets. According to Bartal,
This is a crucial task … The bottom line, however, is that the security of the whole intranet depends upon the exact content of the rule-base, with no level of abstraction available. Since the syntax and semantics of the rules and their ordering depend upon the firewall product/vendor, this is akin to the dark ages of software, where programs were written in assembly language so that the programmer had to know all the idiosyncrasies of the target processor. (Bartal, Mayer, Nissim, & Wool, 2004)
Firewall configuration is via either a text based Command Line Interface (CLI) or a Graphical User Interface (GUI). The syntactic and semantic complexities of the Cisco PIX firewall CLI have, to some extent, been progressively addressed. Check Point can be configured using either the GUI or the INSPECT language. The INSPECT language is a powerful but complex low level-language. The Check Point GUI is designed to address the problems associated with configuring directional, rule-based filtering. However, according to Wool direction-based filtering remains problematic,
Most firewall vendors (exemplified by Cisco and Lucent) seem to be unaware of the usability issues related to direction-based filtering. These vendors simply expose the raw and confusing direction based filtering functionality to the firewall administrator. A notable exception is Check Point. In order to avoid the usability problem, Check Point chooses to keep its management interface simple, and hide the direction-based filtering functionality in such a way that most users are essentially unable to use it. (Wool, 2004)
In effect the human factor is a significant aspect of security. According to Shultz security is primarily a people issue and hence a usability problem, ‘People, for example, are almost invariably involved in installing, configuring and maintaining technology, something that leaves ample opportunity for human error that can result in exposures that can allow those who are intent on evildoing to bypass or defeat this technology.’ (Shultz, 2005)
Based on a heuristic evaluation method Nielson developed criteria for a successful human interface (Nielsen & Molich, 1990), (Nielsen). These criteria may be used to evaluate security related interfaces (Furnell, 2007). To address issues specific to interfaces for security purposes Johnston proposed criteria for a security Human Computer Interface (HCI-S) (Johnston, Eloff, & Labuschagne, 2003). HCI-S criteria are defined as: convey features; visibility of system status; learnability; aesthetic and minimalist design; errors; satisfaction and trust. Despite advances in GUI development, administrators continue to use the CLI (Takayama, 2006).