Re: [fw-wiz] Security policy language



How about English, or the language(s) native to your organization?

I think there are real dangers in assuming that you can articulate a policy in a metalanguage, force it through a policy UI or script, and produce a policy configuration. Especially as I find myself dragged into more situations where the asset values and risks are high and the sophistication level of the users is low, it's much more important to write security policies and AUPs that the folks who are the root cause of most security problems will read and actually understand.

I've found that "simple pictures are best". Short, active tense sentences that read like commandments are easily translated into a policy configuration, especially if you include conditionals:

"If you are a member of the accounting department, the only server you may access is accounting.example.com. The only services you may access on accounting.example.com are X, Y, and Z. You may not access these services on weekends. You must use your SecureID token and PIN to access these services..."

If you can write it concisely, you can probably configure it precisely.

Marco Cremonini wrote:
Hi all,
I would like to ask you for a suggestion on a project we are developing.
The project aims to automate some monitoring functionality with firewall policy management (just iptables, at present).
The problem is: we would like to implement/adopt a high-level specification language for the definition of a security policy, something that should allow specifying the policy at the organizational level. Such a policy should then be translated into specific fw rules.

I'm puzzled because it's not a new problem, but I can't find good references. Several standards, especially in the XML-Web Services area, have been proposed by W3C, OASIS etc., to define security policies, but to me they seem quite useless in our case since I can't see how and why Web Services should be integrated in this context.

I've found out that Mitre has a language, Oval (http://oval.mitre.org/index.html), which could be considered, although more focused on vulnerability and assessment.

Otherwise, many have designed ad-hoc languages (I guess, just using GNU Flex&Bison or the like for their definition).

Before going for yet another ad-hoc language I just want to ask if anybody knows a good standard or reference specification language.

Thank you.
Marco

===================================
Marco Cremonini
cremonini@xxxxxxxxxxxx
Dept. of Information Technology
University of Milan
Via Bramante 65 - 26013 Crema (CR), Italy
===================================



_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
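The reply above argues that a policy written as short, conditional "commandments" translates almost mechanically into firewall configuration. The following is an added example, not code from either poster, that takes the accounting-department sentence quoted in the reply, represents it as a small data structure, and emits iptables rules from it. It assumes, for illustration only, that the accounting department is identified by the source subnet 10.10.20.0/24, that accounting.example.com resolves to 192.0.2.10, and that services X, Y and Z are TCP ports 22, 443 and 5432; all of these values are constructed. The SecureID requirement is an authentication control rather than a packet-filter decision, so it is carried through as a comment instead of a rule.

```python
"""Translate a commandment-style policy sentence into iptables rules.

Added example; the subnet, host address and port numbers below are
constructed placeholders, not values from the original thread.
"""
from dataclasses import dataclass, field
from typing import List

WEEKDAYS = ("Mon", "Tue", "Wed", "Thu", "Fri")


@dataclass
class PolicyRule:
    """One 'If you are X, the only server you may access is Y ...' sentence."""
    subject: str                 # who the sentence applies to (for comments)
    src: str                     # how that group is identified on the wire
    dst_host: str                # the only server they may access
    dst_ip: str                  # its address (assumed resolved out of band)
    services: List[int]          # the only TCP ports they may use on it
    weekdays_only: bool = False  # "You may not access these services on weekends"
    notes: List[str] = field(default_factory=list)  # controls the filter cannot enforce


# The sentence from the reply, with constructed addresses and ports.
ACCOUNTING = PolicyRule(
    subject="accounting department",
    src="10.10.20.0/24",
    dst_host="accounting.example.com",
    dst_ip="192.0.2.10",
    services=[22, 443, 5432],
    weekdays_only=True,
    notes=["SecureID token and PIN required; enforced by the application, not the firewall"],
)


def to_iptables(rule: PolicyRule, chain: str = "FORWARD") -> List[str]:
    """Emit one ACCEPT per permitted service, then a DROP for everything else
    from that subject. Order matters: the DROP must come last."""
    lines = [f"# {rule.subject}: only {rule.dst_host} ({rule.dst_ip})"]
    lines.extend(f"# note: {n}" for n in rule.notes)
    # iptables 'time' match: restrict the ACCEPTs to weekdays when required
    time_match = f" -m time --weekdays {','.join(WEEKDAYS)}" if rule.weekdays_only else ""
    for port in rule.services:
        lines.append(
            f"iptables -A {chain} -s {rule.src} -d {rule.dst_ip} "
            f"-p tcp --dport {port}{time_match} -j ACCEPT"
        )
    # "the only server you may access": anything else from this subject is dropped
    lines.append(f"iptables -A {chain} -s {rule.src} -j DROP")
    return lines


def is_allowed(rule: PolicyRule, dst_ip: str, port: int, weekday: str) -> bool:
    """Evaluate the policy sentence directly, independent of the rule text,
    so the generated configuration can be checked against the intent."""
    if dst_ip != rule.dst_ip or port not in rule.services:
        return False
    if rule.weekdays_only and weekday not in WEEKDAYS:
        return False
    return True


if __name__ == "__main__":
    print("\n".join(to_iptables(ACCOUNTING)))
```

`is_allowed` is the policy as the reader understands it; `to_iptables` is the policy as the firewall will apply it, and keeping both lets you check one against the other before loading anything. A real deployment would also need a stateful rule for return traffic (for example `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`) ahead of these lines, and the address-to-name resolution should be fixed at generation time rather than left to the firewall.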



