Re: Security policy language

["Marcus J. Ranum" <mjr () ranum com>]

Marco Cremonini wrote:
> The problem is: We would like to implement/adopt a high-level  
> specification language for the definition of a security policy,  
> something that should let to specify the policy at organizational  
> level. Such a policy should then  be translated into specific fw rules.

Here's one question -- can you actually completely describe a
sensible policy in terms of just firewall rules?? My guess is
that to establish a fully worked policy you'll need to include
user-level specifications, authentication states, log actions to
take, encryption levels, and potentially even application-level
controls.

A typical statement that a fully worked policy might need to
implement could look like:
"Allow any users in group FOO to access data from
table BAR on host BLECH once they have authenticated
over an encrypted link."

> I'm puzzled because it's not a new problem, but I can't find good  
> references. Several standards, especially in the XML-Web Services  
> area, have been proposed by W3C, OASIS etc., to define security  
> policies, but to me they seem quite useless in our case since I can't  
> see how and why Web Services should be integrated in this context.

I think that may be your problem. What happens is that trying
to fully specify a policy description language becomes a huge
plate of spaghetti. Eventually your policy description language
becomes, urrrr, C. So many people who approach the problem
try to approach it for a simple application: firewall rules or
XML or whatever. Even that is hard.

mjr. 

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards