A formal approach to practical network security management

When a system administrator configures a network so it is secure, he understands very well the users, data, and most importantly the intent---what he is trying to do. However, he has a limited understanding of the mechanisms by which components interact and the details of each component. He could easily misconfigure the network so a hacker could steal confidential data. In addition to this complexity, about one hundred new security vulnerabilities are found each week, which makes it even more difficult to manage the security of a network installation---because of the large number of program vulnerabilities and challenging time constraints. Even professional administrators find this a difficult (impossible) task. How does one enable the system administrator to securely configure the network with a limited understanding of its components, program bugs and their interactions? The solution is a security analysis framework that modularises information flow between the system administrator, security expert and the bug expert. The administrator specifies what he is trying to do, the security expert specifies component behaviour, the bug expert specifies known bugs. We developed a rule based framework---Multihost, Multistage, Vulnerability Analysis (MulVAL)---to perform end-to-end, automatic analysis of multi-host, multi-stage attacks on a large network where hosts run different operating systems. The MulVAL framework has been demonstrated to be modular, flexible, scalable and efficient. We used the framework to find serious configuration vulnerabilities in software from several major vendors for the Windows XP platform.