Re: Security policy language

[Dave Piscitello <dave () corecom com>]

How about English, or the language(s) native to your organization?

I think there are real dangers in assuming that you can articulate a 
policy in a metalanguage, force it through a policy UI or script, and 
produce a policy configuration. Especially as I find myself dragged into 
more situations where the asset values and risks are high and the 
sophistication level of the users is low, it's much more important to 
write security policies and AUPs that the folks who are the root cause 
of most security problems will read and actually understand.

I've found that "simple pictures are best". Short, active tense 
sentences that read like commandments are easily translated into a 
policy configuration, especially if you include conditionals:

"If you are a member of the accounting department, the only server you 
may access is accounting.example.com. The only services you may access 
on accounting.example.com are X, Y, and Z. You may not access these 
services on weekends. You must use your SecureID token and PIN to access 
these services..."

If you can write it concisely, you can probably configure it precisely.

Marco Cremonini wrote:
> Hi all,
>      I would like to ask you a suggestion for a project we are  
> developing.
> The project aims to automate some monitoring functionality with  
> firewall policy management (just iptables, at present).
> The problem is: We would like to implement/adopt a high-level  
> specification language for the definition of a security policy,  
> something that should let to specify the policy at organizational  
> level. Such a policy should then  be translated into specific fw rules.
>
> I'm puzzled because it's not a new problem, but I can't find good  
> references. Several standards, especially in the XML-Web Services  
> area, have been proposed by W3C, OASIS etc., to define security  
> policies, but to me they seem quite useless in our case since I can't  
> see how and why Web Services should be integrated in this context.
>
> I've found out that Mitre has a language, Oval (http://oval.mitre.org/ 
> index.html), which could be considered, although more focused on  
> vulnerability and assessment.
>
> Otherwise, many have designed ad-hoc languages (I guess, just using  
> GNU Flex&Bison or the like for their definition).
>
> Before going for yet-another-adhoc-language I just want to ask if  
> anybody knows a good standard or reference specification language.
>
> Thank you.
> Marco
>
> ===================================
> Marco Cremonini
> cremonini () dti unimi it
> Dept. of Information Technology
> University of Milan
> Via Bramante 65 - 26013 Crema (CR), Italy
> ===================================
>
>
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () listserv icsalabs com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

Attachment: dave.vcf
Description:

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards