Re: [fw-wiz] Security policy language



Marco Cremonini wrote:
> The problem is: We would like to implement/adopt a high-level
> specification language for the definition of a security policy,
> something that should let one specify the policy at organizational
> level. Such a policy should then be translated into specific fw rules.

Here's one question -- can you actually completely describe a
sensible policy in terms of just firewall rules?? My guess is
that to establish a fully worked policy you'll need to include
user-level specifications, authentication states, log actions to
take, encryption levels, and potentially even application-level
controls.

A typical statement that a fully worked policy might need to
implement could look like:
"Allow any users in group FOO to access data from
table BAR on host BLECH once they have authenticated
over an encrypted link."

> I'm puzzled because it's not a new problem, but I can't find good
> references. Several standards, especially in the XML-Web Services
> area, have been proposed by W3C, OASIS etc., to define security
> policies, but to me they seem quite useless in our case since I can't
> see how and why Web Services should be integrated in this context.

I think that may be your problem. What happens is that trying
to fully specify a policy description language becomes a huge
plate of spaghetti. Eventually your policy description language
becomes, urrrr, C. So many people who approach the problem
try to approach it for a simple application: firewall rules or
XML or whatever. Even that is hard.

mjr.

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
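
As an added illustration of mjr's point (example code, not part of the thread): a toy policy compiler that takes his sample statement and shows which clauses can be turned into packet-filter rules and which have no firewall equivalent. The host address and service ports are hypothetical values constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed lookup tables (hypothetical address and ports, not from the thread).
HOSTS = {"BLECH": "10.0.0.5"}
SERVICES = {"table": ("tcp", 5432), "ssh": ("tcp", 22)}

@dataclass
class Policy:
    group: str                        # user group ("FOO"), or "any"
    resource: str                     # "table BAR" (object inside a service) or "ssh"
    host: str                         # "BLECH"
    require_auth: bool = False        # "once they have authenticated"
    require_encryption: bool = False  # "over an encrypted link"

@dataclass
class Compiled:
    fw_rules: list = field(default_factory=list)       # enforceable by a packet filter
    unexpressible: list = field(default_factory=list)  # must be enforced elsewhere

def compile_policy(p: Policy) -> Compiled:
    out = Compiled()
    service, *obj = p.resource.split()
    proto, port = SERVICES[service]
    # A packet filter only sees addresses, protocol and port, so the most
    # precise rule it can carry is "anyone may reach this service".
    out.fw_rules.append(f"allow {proto} any -> {HOSTS[p.host]}:{port}")
    # Every other clause of the statement has no packet-level equivalent;
    # record it so the gap is visible instead of silently dropped.
    if p.group != "any":
        out.unexpressible.append(f"group {p.group}: identity is not visible to the packet filter")
    if p.require_auth:
        out.unexpressible.append("authenticated: session state lives at the application or VPN layer")
    if p.require_encryption:
        out.unexpressible.append("encrypted link: needs TLS/IPsec policy, a port filter cannot verify it")
    if obj:
        out.unexpressible.append(f"{' '.join(obj)}: object-level access is a database ACL decision")
    return out

def fully_enforced(c: Compiled) -> bool:
    """True only when the firewall rules alone implement the whole policy."""
    return not c.unexpressible

if __name__ == "__main__":
    mjr = Policy("FOO", "table BAR", "BLECH", require_auth=True, require_encryption=True)
    c = compile_policy(mjr)
    print(c.fw_rules, fully_enforced(c))
    for gap in c.unexpressible:
        print("  not a firewall rule:", gap)
```

Run on mjr's statement, the compiler emits one overly broad port rule and four clauses that the firewall cannot enforce; only a bare "any user may reach ssh on BLECH" style policy compiles without a gap.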