As an increasing number of formerly isolated networks connect to the world-wide Internet, an increasing number of system and network administrators must be conscious of site security considerations. In the face of new and varied Internet-based attacks on inter-connected systems, the security systems which protect against these attacks are ever evolving and becoming more complex. Given all of the duties and responsibilities assigned to the typical administrator, most administrators are not able to keep up with this ever-increasing complexity. Administrators know what they want to achieve in terms of security, but they often have trouble achieving it. An administrator must have an effective and flexible means of describing a high-level security policy which meets his or her security objectives.

The work proposed under this Phase 1 SBIR is directed towards developing a design for a mechanism which translates an administrator's view of how IPSEC mechanisms ought to be employed into a low-level security policy which is used by the security policy engine. The security policy engine evaluates the security policy for the benefit of IPSEC and related network security components (including the ISAKMP engine), providing an appropriate security determination according to the parameters supplied by IPSEC components.

Commercial applications: Secure Computing Corporation's firewall products provide a myriad of configuration parameters which may be specified. Any simplification of the administrator's interface, especially that resulting from the work described in this proposal, will make the firewall easier to use and less prone to misconfiguration. Assuming a successful completion of this SBIR, Secure Computing Corporation intends to incorporate the developed technology into its line of firewall and other Internet security products.