Security policy definitions for devices are typically locally specified and updated by administrators. Such a manual approach for defining security policies is not only tedious but also error prone.