Firewall Wizards mailing list archives
Re: Security policy language
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Wed, 24 Jan 2007 10:30:35 -0500
Marco Cremonini wrote:
> The problem is: We would like to implement/adopt a high-level specification language for the definition of a security policy, something that should let us specify the policy at the organizational level. Such a policy should then be translated into specific fw rules.
Here's one question -- can you actually completely describe a sensible policy in terms of just firewall rules?? My guess is that to establish a fully worked policy you'll need to include user-level specifications, authentication states, log actions to take, encryption levels, and potentially even application-level controls. A typical statement that a fully worked policy might need to implement could look like: "Allow any users in group FOO to access data from table BAR on host BLECH once they have authenticated over an encrypted link."
> I'm puzzled because it's not a new problem, but I can't find good references. Several standards, especially in the XML-Web Services area, have been proposed by W3C, OASIS etc., to define security policies, but to me they seem quite useless in our case since I can't see how and why Web Services should be integrated in this context.
I think that may be your problem. What happens is that trying to fully specify a policy description language becomes a huge plate of spaghetti. Eventually your policy description language becomes, urrrr, C. So many people who approach the problem try to approach it for a simple application: firewall rules or XML or whatever. Even that is hard.

mjr.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
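As an added illustration of the point above (not code from the thread or from either author), the sketch below takes the example statement "Allow any users in group FOO to access data from table BAR on host BLECH once they have authenticated over an encrypted link" and maps each clause to the layer that can actually enforce it; the host address, database port and grant syntax are constructed assumptions.

```python
"""Decompose a high-level policy statement into per-layer enforcement
actions, showing how little of it a packet filter can express on its own."""
from dataclasses import dataclass

# Constructed address book: the packet filter only understands addresses/ports.
HOSTS = {"BLECH": "192.0.2.10"}
DB_PORT = 5432  # assumed database listener port


@dataclass(frozen=True)
class Policy:
    group: str          # "FOO": an identity attribute, invisible to a packet filter
    table: str          # "BAR": an application-level object
    host: str           # "BLECH": the one thing the firewall can see
    authenticated: bool # "once they have authenticated"
    encrypted: bool     # "over an encrypted link"


def compile_policy(p: Policy) -> dict:
    """Map each clause of the statement to the layer that can enforce it."""
    plan = {"firewall": [], "identity": [], "transport": [], "application": [], "gaps": []}
    ip = HOSTS[p.host]
    # Clause "on host BLECH": the only part expressible as a packet-filter rule.
    plan["firewall"].append(f"permit tcp any -> {ip}/32 port {DB_PORT}")
    # Clause "users in group FOO ... once they have authenticated": the filter
    # has no notion of users or sessions, so this goes to the identity layer.
    if p.authenticated:
        plan["identity"].append(f"require authenticated session; member-of {p.group}")
    else:
        # Group membership cannot be checked without an authenticated identity.
        plan["gaps"].append(f"group '{p.group}' restriction unenforceable without authentication")
    # Clause "over an encrypted link": a TLS requirement on the listener, not a port rule.
    if p.encrypted:
        plan["transport"].append(f"require TLS on {ip}:{DB_PORT}; reject plaintext")
    # Clause "data from table BAR": a database grant, invisible below layer 7.
    plan["application"].append(f"GRANT SELECT ON {p.table} TO ROLE {p.group}")
    return plan


def firewall_coverage(plan: dict) -> float:
    """Fraction of enforceable actions that the packet filter alone handles."""
    total = sum(len(v) for k, v in plan.items() if k != "gaps")
    return len(plan["firewall"]) / total
```

Running it on the example statement shows one firewall rule out of four enforcement actions, with the rest delegated to identity, transport and application controls.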