Firewall Wizards mailing list archives
Re: Security policy language
From: Dave Piscitello <dave () corecom com>
Date: Wed, 24 Jan 2007 11:58:54 -0500
How about English, or the language(s) native to your organization? I think there are real dangers in assuming that you can articulate a policy in a metalanguage, force it through a policy UI or script, and produce a policy configuration. Especially as I find myself dragged into more situations where the asset values and risks are high and the sophistication level of the users is low, it's much more important to write security policies and AUPs that the folks who are the root cause of most security problems will read and actually understand.
I've found that "simple pictures are best". Short, active tense sentences that read like commandments are easily translated into a policy configuration, especially if you include conditionals:
"If you are a member of the accounting department, the only server you may access is accounting.example.com. The only services you may access on accounting.example.com are X, Y, and Z. You may not access these services on weekends. You must use your SecureID token and PIN to access these services..."
If you can write it concisely, you can probably configure it precisely.

Marco Cremonini wrote:
Hi all,

I would like to ask you for a suggestion for a project we are developing. The project aims to automate some monitoring functionality with firewall policy management (just iptables, at present). The problem is: we would like to implement/adopt a high-level specification language for the definition of a security policy, something that should allow specifying the policy at the organizational level. Such a policy should then be translated into specific fw rules.

I'm puzzled because it's not a new problem, but I can't find good references. Several standards, especially in the XML-Web Services area, have been proposed by W3C, OASIS etc., to define security policies, but to me they seem quite useless in our case since I can't see how and why Web Services should be integrated in this context.

I've found out that Mitre has a language, Oval (http://oval.mitre.org/index.html), which could be considered, although it is more focused on vulnerability and assessment. Otherwise, many have designed ad-hoc languages (I guess, just using GNU Flex&Bison or the like for their definition).

Before going for yet-another-adhoc-language I just want to ask if anybody knows a good standard or reference specification language.

Thank you.
Marco

===================================
Marco Cremonini cremonini () dti unimi it
Dept. of Information Technology
University of Milan
Via Bramante 65 - 26013 Crema (CR), Italy
===================================

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
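As an added illustration of the point made in this reply (the "commandment" sentence with its conditionals maps almost one-to-one onto filter rules), here is a small translator from a structured form of that sentence into iptables rules. This is example code written for this archive page, not code from either poster or from Marco's project; the group, subnet, server address and service ports are constructed, and the SecurID/PIN clause is deliberately left out of the emitted rules because a packet filter cannot enforce it (that clause belongs to the authentication system).

```python
"""Translate a plain-English-style policy statement into iptables rules.

Added example for this thread; not the list posters' code. Every host,
address and port below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import List

# "You may not access these services on weekends" -> a weekday-only time window
WEEKDAYS = "Mon,Tue,Wed,Thu,Fri"


@dataclass
class PolicyStatement:
    group: str            # "If you are a member of the <group> department"
    source_cidr: str      # assumed: the subnet that group's workstations sit on
    server_name: str      # "the only server you may access is <server_name>"
    server_ip: str        # assumed: what server_name resolves to on the inside
    services: List[int]   # "the only services you may access ... are X, Y and Z" (TCP ports)
    weekdays_only: bool = False   # "You may not access these services on weekends"
    requires_token: bool = False  # "You must use your SecurID token and PIN" (not a filter rule)


def translate(stmt: PolicyStatement) -> List[str]:
    """Emit FORWARD-chain rules mirroring the sentence's structure.

    Conditional (group + server) -> allow-list of services -> optional time
    window -> final DROP so that "the only server / the only services" is
    actually enforced rather than merely documented.
    """
    dports = ",".join(str(p) for p in stmt.services)
    time_clause = f" -m time --weekdays {WEEKDAYS}" if stmt.weekdays_only else ""
    rules = [
        # New connections from the group to the named server, listed services only
        f"-A FORWARD -s {stmt.source_cidr} -d {stmt.server_ip} -p tcp "
        f"-m multiport --dports {dports}{time_clause} "
        f"-m conntrack --ctstate NEW -j ACCEPT",
        # Replies for connections that were accepted above
        f"-A FORWARD -s {stmt.server_ip} -d {stmt.source_cidr} "
        f"-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        # "the only server you may access": everything else from this group is dropped
        f"-A FORWARD -s {stmt.source_cidr} -j DROP",
    ]
    return rules


def unenforceable(stmt: PolicyStatement) -> List[str]:
    """Clauses of the sentence the firewall cannot honour; hand these to the
    auth system / AUP so they are not silently lost in translation."""
    notes = []
    if stmt.requires_token:
        notes.append(f"{stmt.group}: two-factor (token+PIN) required for {stmt.server_name}")
    return notes


def to_iptables_restore(statements: List[PolicyStatement]) -> str:
    """Render all statements as an iptables-restore fragment for the filter table."""
    lines = ["*filter"]
    for stmt in statements:
        lines.extend(translate(stmt))
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # The accounting sentence from the reply, in structured form (constructed values)
    accounting = PolicyStatement(
        group="accounting", source_cidr="10.1.20.0/24",
        server_name="accounting.example.com", server_ip="10.1.50.10",
        services=[22, 443, 1521], weekdays_only=True, requires_token=True,
    )
    print(to_iptables_restore([accounting]))
    for note in unenforceable(accounting):
        print("# not enforced by the packet filter:", note)
```

The three emitted rules are ordered the way the sentence is: the specific permission first, the conversation's return path second, and the blanket prohibition last. If a clause cannot be expressed in the filter's vocabulary, `unenforceable` reports it instead of dropping it, which is the failure mode to watch for in any policy-to-configuration pipeline.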
Current thread:
- Security policy language Marco Cremonini (Jan 24)
- Re: Security policy language Marcus J. Ranum (Jan 24)
- Re: Security policy language Tina Bird (Jan 24)
- Re: Security policy language Avishai Wool (Jan 25)
- Re: Security policy language Tina Bird (Jan 24)
- Re: Security policy language Dave Piscitello (Jan 24)
- Re: Security policy language R. DuFresne (Jan 25)
- Re: Security policy language Stephen P. Berry (Jan 24)
- Re: Security policy language Matthew Hannigan (Jan 24)
- <Possible follow-ups>
- Re: Security policy language Jean-Denis Gorin (Jan 25)
- Re: Security policy language Marcus J. Ranum (Jan 24)