Abstract
PURPOSE: A security policy system for a distributed computing environment, and a method for operating it, are provided. The design takes flexibility and extensibility into account so that it can be applied to various security techniques, and it minimizes the loss of efficiency in the security management system by minimizing delay at the policy enforcement step.

CONSTITUTION: The security policy system is composed of kernel-level modules and application-level modules. The kernel-level modules consist of an SPDB (Security Policy DataBase) (101), an SPDB-API (102), a policy listener (106), and a policy adapter (103). The application-level modules comprise a policy request (107), a selDB (105), a selDB-API (104), and a PEP (Policy Enforcement Point) (108). The SPDB (101) stores the security policy information relevant to packet control for a firewall or packet-filtering module, including the policy resources for the associated key-management systems. The SPDB-API (102) loads the SPDB from the file system into the in-memory SPDB and handles input/output for it. The policy listener (106) requests a new policy negotiation or an SA (Security Association) negotiation, or returns an EAM (Existence Assurance Message) to the kernel. When a new policy or a new SA has been negotiated, the policy adapter (103) extracts the relevant policy field values from the selDB (105) and maps the policy index, action, mode and transfer-protocol values of the new SA into the selDB (105). The selDB (105) stores only the fields used in the kernel, excluding the fields used in the application, so that unnecessary delay is reduced and the efficiency of the security system is increased.
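As an added illustration (not code from the patent or its implementation), the following toy Python model shows the SPDB/selDB split described above: the policy adapter copies only the kernel-relevant fields of a negotiated policy into selDB, replacing an earlier entry for the same policy index when an SA is re-negotiated, and the PEP decides per packet from selDB alone. All field names, sample values and the default-deny fallback are assumptions.

```python
from dataclasses import dataclass, field

# Application-level SPDB record (assumed field names): the full policy, including
# data that only the negotiation/application side ever needs.
@dataclass
class SPDBEntry:
    policy_index: int
    src: str
    dst: str
    protocol: str                     # transfer protocol, e.g. "tcp"
    action: str                       # "permit", "deny" or "ipsec"
    mode: str                         # "transport" or "tunnel"
    key_system: str = ""              # application-level: which key-management daemon
    negotiation_params: dict = field(default_factory=dict)  # application-level only

# Fields the kernel needs for a per-packet decision; everything else stays in SPDB.
KERNEL_FIELDS = ("policy_index", "src", "dst", "protocol", "action", "mode")


class SelDB:
    """Kernel-side selector database holding only KERNEL_FIELDS per policy."""

    def __init__(self):
        self.entries = {}             # policy_index -> mapped kernel fields

    def adapt(self, entry: SPDBEntry) -> dict:
        """Policy adapter role: map a newly negotiated policy/SA into selDB.
        A re-negotiated SA for an existing policy index overwrites the old entry."""
        mapped = {f: getattr(entry, f) for f in KERNEL_FIELDS}
        self.entries[entry.policy_index] = mapped
        return mapped

    def enforce(self, src: str, dst: str, protocol: str) -> tuple:
        """PEP role: decide for one packet using selDB only (no application data).
        Constructed default: deny when no selector matches."""
        for e in self.entries.values():
            if (e["src"], e["dst"], e["protocol"]) == (src, dst, protocol):
                return (e["action"], e["mode"])
        return ("deny", None)


def demo() -> tuple:
    """Constructed scenario: negotiate a tunnel-mode SA, then re-negotiate it as transport."""
    sel = SelDB()
    first = SPDBEntry(1, "10.0.0.1", "10.0.0.2", "tcp", "ipsec", "tunnel", "ike", {"dh": 14})
    sel.adapt(first)
    before = sel.enforce("10.0.0.1", "10.0.0.2", "tcp")
    sel.adapt(SPDBEntry(1, "10.0.0.1", "10.0.0.2", "tcp", "ipsec", "transport", "ike", {"dh": 14}))
    after = sel.enforce("10.0.0.1", "10.0.0.2", "tcp")
    return before, after, len(sel.entries)
```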