Positif project
Policy-based Security Tools and Framework
Information Society Technologies

A more detailed view of the POSITIF Framework

The following figure provides a more detailed view of the designed POSITIF framework, whose general features can be found at this link. In it, the most relevant functional blocks are coloured grey. The blue arrows refer to communications using SOAP (Simple Object Access Protocol), while the red arrows refer to communications using BEEP (Blocks Extensible Exchange Protocol). Finally, the elements to be provided externally are not coloured.

 

Figure 1 View of the Framework


Management Area 

This area is in charge of assisting network and security administrators in defining and managing the desired security behaviour (defined with the security policy documents) and the target system (defined with the system description documents). It is also intended to let network and security administrators provide configuration information to the framework components and retrieve certain state and monitoring information.


Framework Repository 

This component is in charge of storing the system description, security policies (at different levels of abstraction, from high-level policy specifications to low-level configurations), monitoring information and framework management parameters, and of providing them to the proper areas of the framework. This component is central to the design, as most of the other functional components of the framework store information in it and retrieve information from it. Its implementation is therefore based on a distributed and/or replicated set of repositories, which prevents this component from acting as a central point of failure.


Checking and Transforming Area 

The first task of this area is to evaluate whether the desired behaviour (i.e., the security policy) is semantically coherent and can be correctly implemented on the target system (defined with the system description). If it cannot be implemented (for example, because there is a conflict in the rules or the policy asks for a security service not supported in the target system), this is reported to the network and security administrators.
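The two failure cases named above, a rule conflict and a security service the target system does not support, as an added Python example; it is not POSITIF code and does not use the project's SPL or SDL formats. The dictionaries `SYSTEM` and `POLICY`, their field names and the function names are hypothetical, and the sample data is constructed.

```python
from ipaddress import ip_network
from itertools import combinations

# Constructed system description: security blocks and the services each supports.
SYSTEM = {
    "fw-edge": {"services": {"packet-filter"}},
    "gw-vpn": {"services": {"packet-filter", "ipsec"}},
}

# Constructed policy: each rule is enforced on one block and needs one service.
POLICY = [
    {"id": "r1", "block": "fw-edge", "service": "packet-filter",
     "src": "10.0.0.0/8", "dst": "192.0.2.0/24", "port": 443, "action": "permit"},
    {"id": "r2", "block": "fw-edge", "service": "packet-filter",
     "src": "10.1.0.0/16", "dst": "192.0.2.0/24", "port": 443, "action": "deny"},
    {"id": "r3", "block": "fw-edge", "service": "ipsec",
     "src": "10.2.0.0/16", "dst": "198.51.100.0/24", "port": 500, "action": "permit"},
    {"id": "r4", "block": "gw-vpn", "service": "ipsec",
     "src": "10.2.0.0/16", "dst": "198.51.100.0/24", "port": 500, "action": "permit"},
]

def overlaps(a, b):
    """True when two rules on the same block can match the same traffic."""
    return (a["block"] == b["block"] and a["port"] == b["port"]
            and ip_network(a["src"]).overlaps(ip_network(b["src"]))
            and ip_network(a["dst"]).overlaps(ip_network(b["dst"])))

def check_policy(policy, system):
    """Return findings to report to the administrators; empty means deployable."""
    findings = []
    for rule in policy:
        block = system.get(rule["block"])
        if block is None:
            findings.append(("unknown-block", rule["id"]))
        elif rule["service"] not in block["services"]:
            findings.append(("unsupported-service", rule["id"]))
    # Two rules that can match the same traffic but disagree on the action.
    for a, b in combinations(policy, 2):
        if overlaps(a, b) and a["action"] != b["action"]:
            findings.append(("conflict", a["id"], b["id"]))
    return findings

if __name__ == "__main__":
    for finding in check_policy(POLICY, SYSTEM):
        print(finding)
```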


Mapping Area 

This area is mainly intended to produce the particular configurations that will later be deployed in the security blocks by the enforcing area. To do this, a certain number of block security map documents should be provided to the policy framework, so that the generic security parameters defined in the security policy and system description specifications (and later kept as part of the generic security ruleset documents) can be mapped to each particular implementation. One example is defining how a particular set of cryptographic algorithms is expressed in a particular implementation, which may differ from the way the same set is expressed in a different implementation, even one from the same producer.

Enforcing Area 

This area is mainly intended to enforce particular configurations on the target security blocks. To enforce the configurations, some plug-ins may be required; they are defined following a particular interface and implement a device configuration protocol, such as HTTPS, SNMP, SSH, COPS or COPS-PR. Some of them will be provided by the POSITIF project, although it is intended that framework adopters can develop their own plug-ins in the future, based on the example and interfaces provided by the project.

Security Module Area 

This area is directly related to a set of security modules that can be deployed as part of the POSITIF policy-based architecture. These lightweight, small-footprint modules, which can be installed on user devices, will add network protection features and monitoring capabilities to the policy-based framework.


Proactive Monitoring Area 

This area acts as a policy-based monitor for proactive intrusion detection in addition to standard reactive intrusion detection (checking against attack patterns). This proactive approach is based on the security policy formally defined by the network and security administrators and defines an intrusion as "anything that does not comply with that security policy". This area communicates with the framework repository to retrieve the current policies defined in the system or the current configuration applied in one security block, or to store any alert or request for policy change. It also communicates with the threats and vulnerabilities database to get information (e.g., patterns) on attacks and vulnerabilities.
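The difference between the proactive and the reactive check, as an added Python example that is not POSITIF code: an event is flagged when it falls outside the flows the policy allows, when its payload matches a known pattern, or both. The names `ALLOWED`, `ATTACK_PATTERNS` and `EVENTS`, the record fields and the functions are hypothetical, and all sample data is constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed policy: the only flows the administrators have declared acceptable.
ALLOWED = [
    {"src": "10.0.1.0/24", "dst": "10.0.9.10/32", "port": 443},
    {"src": "10.0.2.0/24", "dst": "10.0.9.20/32", "port": 5432},
]
# Constructed stand-in for patterns from the threats and vulnerabilities database.
ATTACK_PATTERNS = ["../../", "' OR 1=1"]

# Constructed observations, as a monitor might collect from a security block.
EVENTS = [
    {"src": "10.0.1.7", "dst": "10.0.9.10", "port": 443, "payload": "GET /index.html"},
    {"src": "10.0.1.7", "dst": "10.0.9.10", "port": 443, "payload": "GET /../../etc/passwd"},
    {"src": "10.0.1.7", "dst": "10.0.9.20", "port": 5432, "payload": "SELECT 1"},
]

def complies(event, allowed=ALLOWED):
    """Proactive check: the flow must match a flow the policy explicitly allows."""
    return any(
        ip_address(event["src"]) in ip_network(rule["src"])
        and ip_address(event["dst"]) in ip_network(rule["dst"])
        and event["port"] == rule["port"]
        for rule in allowed
    )

def matches_pattern(event, patterns=ATTACK_PATTERNS):
    """Reactive check: the payload contains a known attack pattern."""
    return any(p in event["payload"] for p in patterns)

def monitor(events):
    """Return (event index, reasons) for every event that raises an alert."""
    alerts = []
    for i, event in enumerate(events):
        reasons = []
        if not complies(event):
            reasons.append("policy-violation")
        if matches_pattern(event):
            reasons.append("attack-pattern")
        if reasons:
            alerts.append((i, reasons))
    return alerts

if __name__ == "__main__":
    for alert in monitor(EVENTS):
        print(alert)
```

The third event carries no known pattern, so only the policy comparison flags it; that is the case the reactive check alone would miss.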


 

 
© POSITIF Project 2004 - 2007