Position Statement submitted by Gregorio Martinez

1. Institution: University of Murcia (UMU), Spain

2. Department: Information and Communications Engineering

3. Research Group: Intelligent Systems

4. Contact people: Antonio F. Gomez Skarmeta, Felix J. Garcia Clemente, Gregorio Martinez Perez

5. Background: The UMU Intelligent Systems research group (ANTS, http://ants.dif.um.es/) has been working on network and service management since early 2000. It initially worked on policy-based management applied to different networking scenarios; in this sense, the Euro6IX (European IPv6 Internet Exchanges backbone, http://www.euro6ix.org/) IST FP5 project served as a very first contact point, where the PBNM paradigm played a key role in the management of security and routing networking services in IPv4/IPv6 networks. Later, the SEINIT IST FP6 project evolved this paradigm towards the provision of scalable management of security services in inter-domain scenarios. Two EU IST FP6 projects now serve as background for the research on management of security services done by our group: the first one is POSITIF (Policy based Security Tools and Framework, http://www.positif.org/), which proposes the design and implementation (as a contribution to the open-source community) of a framework for managing security policies; the second one is DESEREC (Dependable Security by Enhanced Reconfigurability, http://www.deserec.org/), whose main focus is the management of critical information systems with the intention of increasing their level of dependability.

6. Current and future research lines: current work is focused on several lines; some of them are outlined here.

[Semantic-aware Security Policy Language] The work in this line aims to provide one step towards the objective of detecting conflicts in the specification of the security policies to be applied to a target system or network.
The context for such research is the deployment of a semantically rich checking component able to detect any inconsistency that may exist in a set of policy rules when applying them to a target system. The current approach is based on using OWL to express the elements and relationships of a distributed system. This offers two possibilities: validating the coherence and integrity of the model, and querying the model for instances that satisfy some properties of interest. On the other hand, SWRL allows policies to be specified in the form of conventional if-then rules. This is an important shift in the paradigm, as it opens the door to the automatic detection and fixing of conflicting rules.

[Conflict analysis] Current work in this line goes in the direction of defining a formal framework for automatic conflict resolution. We use the metaphor of intelligent agents to model the problem. As we understand it, a distributed system is managed through a distributed set of policies. We model the problem as a multi-agent system in which each agent has its own, non-shared knowledge base. In this situation, conflicts may arise when, for example, one agent decides to grant some privilege to a user and a group of other agents deny the same privilege. In this case, conflicts should be solved through negotiation by means of argumentation. In this context, argumentation means trying to persuade the rest of the agents that your reasoning process is more plausible than theirs and, in consequence, reaching an agreement about, in our example, the privileges granted to the user.

[Design of a Web Service-oriented management framework] This work is focused on the definition of WS-based mechanisms enabling the dynamic management of security blocks; the framework addresses the functionalities required to check, transform, distribute, enforce and monitor the security configurations that should be applied to the target systems. Asynchronous notification of relevant events (e.g., security breaches, attacks, etc.) in this kind of architecture is also being researched.

[Management of IDS/IPS systems] The current state of the art in IDS/IPS does not provide a common understanding of the knowledge used in the detection and prevention processes; this research line is focused on defining the building blocks of IDS/IPS systems as independent services sharing a common information base. This work is also currently addressing how an attack can be modelled and managed as part of distributed hybrid IDS/IPS systems.

[Self-management of security services] This research line attempts to analyse the need for self-management in the context of security services and to propose design paradigms based on the different theories already existing or on new ones to come. There is also an intention to relate these designs to currently existing protocols and communication architectures.

[Management of Critical Information Systems] This research line is focused on defining mechanisms to respond efficiently to the different kinds of incidents that can occur in a critical system (attacks from the outside, intrinsic failures and malicious internal use); this response will be based on a three-tiered response to exceptions and incidents.

7. Scenarios: this research work is being applied in several scenarios; some examples are:

[Grid computing] Globus Toolkit 4 (GT4) provides effective resource management for the grid-computing environment; it includes security services, but lacks security policy management services. In this sense, our research intends to serve as a complement to the GT4 system, providing a wide range of security management capabilities that usually rely on platform-specific enforcement mechanisms.
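As an added illustration of the conflict detection described under [Semantic-aware Security Policy Language] and [Conflict analysis] in section 6 (example code written for this page, not the ANTS group's or the POSITIF/DESEREC tooling): policies are written as if-then rules over facts about a target system, derived decisions are collected per (subject, privilege, resource), and any triple that receives both permit and deny is reported as a conflict together with the rules responsible. The facts, the rules and the `?u` variable syntax are constructed for the example and stand in for the OWL/SWRL model.

```python
# Added example: a minimal if-then policy rule checker that flags permit/deny
# conflicts on the same (subject, privilege, resource). Not the ANTS group's code;
# the OWL/SWRL model is replaced by plain tuples, and all data is constructed.

# Facts about the target system as (predicate, subject, object) triples (constructed).
FACTS = {
    ("memberOf", "alice", "admins"),
    ("memberOf", "alice", "contractors"),
    ("memberOf", "bob", "contractors"),
}

# Rules as (name, conditions, effect); terms starting with '?' are variables.
RULES = [
    ("r1", [("memberOf", "?u", "admins")], ("permit", "?u", "write", "fw-config")),
    ("r2", [("memberOf", "?u", "contractors")], ("deny", "?u", "write", "fw-config")),
    ("r3", [("memberOf", "?u", "contractors")], ("permit", "?u", "read", "docs")),
]

def _match(pattern, fact, binding):
    """Unify one condition against one fact; return the extended binding or None."""
    b = dict(binding)
    for p, f in zip(pattern, fact):
        if p.startswith("?"):
            if b.setdefault(p, f) != f:  # same variable bound to two values
                return None
        elif p != f:
            return None
    return b

def _bindings(conditions, facts):
    """All variable bindings under which every condition of a rule holds."""
    bindings = [{}]
    for cond in conditions:
        bindings = [nb for b in bindings for fact in facts
                    for nb in [_match(cond, fact, b)] if nb is not None]
    return bindings

def evaluate(rules, facts):
    """Map each (subject, privilege, resource) to {effect: {rule names}}."""
    decisions = {}
    for name, conds, (effect, *target) in rules:
        for b in _bindings(conds, facts):
            key = tuple(b.get(t, t) for t in target)  # substitute bound variables
            decisions.setdefault(key, {}).setdefault(effect, set()).add(name)
    return decisions

def find_conflicts(rules, facts):
    """Triples that receive more than one effect, with the rules responsible."""
    return {k: e for k, e in evaluate(rules, facts).items() if len(e) > 1}
```

With the constructed data, alice is both an admin (r1 permits writing fw-config) and a contractor (r2 denies it), so `find_conflicts(RULES, FACTS)` reports that single triple with both rule names; this is the input an automatic resolution or argumentation step would start from.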
[Distributed Firewalls] Our research in this area is mainly intended to make use of the concept of distributed firewalls, where firewall policies are centrally defined by an administrator (or a set of them) and enforced at each individual network endpoint, not only at a central location. This research is part of a bigger effort on distributed security management for IP networks, where the authors are analysing the current network-centric security model used on the Internet, identifying its limitations and proposing a new host-centric model (based on the concept of the distributed firewall) to solve some of the current issues.

8. Selected papers: a few selected recent publications are:

* Gregorio Martínez Pérez, Gabriel López Millán, Félix J. García Clemente, Antonio F. Gómez Skarmeta, "Dynamic and Secure Management of VPNs in IPv6 Multi-Domain Scenarios", Elsevier Journal of Computer Communications, to appear in October 2006.

* Gregorio Martínez Pérez, Antonio F. Gómez Skarmeta, Steve Zeber (1), Joe Spagnolo (2), Tim Symchych (3), "Dynamic Policy-Based Network Management for a Secure Coalition Environment", IEEE Communications Magazine, to appear in November 2006. This work is published in collaboration with (1) Defence R&D Canada, (2) NRNS Incorporated Canada and (3) Communications Research Centre (CRC) Canada.