Policy-Based Management: Bridging the Gap - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Policy-Based Management: Bridging the Gap
Mi-Joung Choi, DPNM Lab., POSTECH, Pohang, Korea
Tel: 82-562-279-5653, Email: mjchoi_at_postech.ac.kr
2
Basic Concepts
  • Distributed System Management
      • monitoring the activity of a system
      • making management decisions
      • performing control actions to modify the behavior of the system
  • Policy
      • a relationship between a domain of subjects (managers) and a domain of target managed objects
      • one aspect of information which influences the behavior of objects within the system
  • Policy-based Management
      • performing management based on policy

3
PBM Architecture
Policy: expression, interpretation, control
4
Contents
  • Introduction
  • Policy Expression
  • Policy Compilation
  • Cisco Secure Policy Manager infrastructure
  • Policy Standards and Related Work
  • Conclusions and Future Work
  • References

5
Introduction (1)
  • Policy goals are described w.r.t. network entities instead of enforcement points
  • Advantages of a global view: usability, scalability, security
  • This paper describes
      • techniques for accurately translating global policy rules into actual per-device configuration,
      • how these techniques were used in the implementation of Cisco Secure Policy Manager.

6
Introduction (2)
  • Policy: a global goal statement or constraint
      • (ex) Engineering should have access to the department web server
  • A policy statement does not identify the implementation details
  • For a set of policy statements to be useful, it must be enforced by a set of appropriately configured devices (firewalls, traffic shapers)
  • There is a conceptual gap between the policy statement and the enforcing configuration → this gap must be bridged to make policy useful in the real world

7
Introduction (3)
  • There are many enforcing devices that must be coordinated to implement the policy
      → the policy translation problem occurs
  • This problem is analogous to the problem of compiling a program for a distributed machine
  • The policy is the program; the enforcing devices are the nodes in the distributed machine
  • Use the same techniques from distributed compilation to perform the translation from policy to a set of consistent device configurations

8
Policy Expression
  • A policy statement is a guarded action: when the condition is matched, the action constraint is enforced.
  • A policy condition can test against
      • many properties of the packet headers (source or destination IP address)
      • global conditions (time of day, detected attack, network load)
      • extended state associated with the network flow
  • To evaluate an external condition, the policy-based system must have access to agents that monitor the state of the world
  • Policy actions are constraints or requirements associated with the network flows that match the guarding condition

9
Policy Action
  • Examples
      • Filtering action (permit/deny)
      • Cryptographic requirements (use an encrypting IPSEC tunnel)
      • Quality of service requirements (give best-effort service)
  • Example policy that specifies constraints on HTTP traffic:

    If Service is HTTP
        If Destination is S
            If Source is H
                Service level is premium
                Permit
            Else If Source is N1 or N4
                If Source is N4
                    Use encrypting tunnel
                Permit

10
Policy Expression
  • Conditional nesting may aid administrators by allowing them to group features that should be considered together
  • An arbitrarily nested policy can be flattened into a canonical list form → deciding whether to nest or to simply require a list of guarded actions is a usability issue, not a performance issue
  • But the order of the policy rules or policy trees is important to resolve potential conflicts
  • Policy is merely a data flow specification (no looping mechanisms or state assignments) → without looping, we are guaranteed that evaluating the policy will complete in a fixed amount of time. This guarantee of fixed-time policy evaluation is a must for real-time packet filtering

11
Policy Targets
  • While policy can describe constraints on many service domains, the operational constraints on these domains differ, and these differences can influence the tradeoffs made in implementing a policy-based management system
  • Policy Domain
      • Security domain (filtering and cryptography)
      • Routing domain → has the biggest scaling problem
      • QoS domain → somewhere between the security domain and the routing domain

12
Policy Compilation
  • describe the kind of topology information needed to translate a policy specification into enforcements
  • describe the compilation algorithm and the various conflict detections and resolutions performed during translation

13
Topology Information
  • The policy compiler must have accurate information about network topology to perform an accurate mapping from global policy to local configuration
  • It must know the location of all enforcement points under its control
  • Ideally, this topology information can be imported from an already existing database or discovered automatically (when implementing a security policy, we only care about the details of the topology near the enforcing devices: firewalls and routers)
  • When mapping a policy to a real network, the system must first identify the enforcing devices and determine the sets of networks enclosed by the enforcing devices
  • Each completely enclosed set of networks is a domain of constant policy (identify enforcing devices and determine the sets of networks)

14
Pruning
  • Pruning is one of the first steps of compiling a logically shared-memory program to a distributed-memory machine.
  • Pruning is the first step in compiling a policy down to the enforcing configurations.
  • The policy compiler steps through the global policy rules for each enforcing device and removes all rules that are not relevant to that enforcing device

15
Consistency Checking
  • The policy compiler performs a large number of consistency checks and conflict detection steps
      • Is the enforcement point capable of the request?
      • Does this enforcement point have sufficient resources to carry out the request?
      • Are there conflicts between rules of the same action type? (ordering or priority is needed)
      • Are there conflicts between rules of different action types? (e.g. filtering and tunneling)
  • → Ideally, the policy compiler should be able to detect all conflicts during the initial compilation phase
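As an added example (not from the slides or from Cisco Secure Policy Manager), the Python below flattens the nested HTTP policy of slide 9 into the canonical list form of slide 10, prunes it per enforcing device as in slide 14, and runs the capability check and the same-action-type conflict check of slide 15. The device names, their capability sets, the enclosed networks and the trailing deny rule are constructed for illustration.

```python
from itertools import combinations

# Constructed HTTP policy from the slides as (conditions, actions, children);
# "Else If Source is N1 or N4" is written out as explicit alternatives.
POLICY = ({"service": {"HTTP"}}, [], [
    ({"dst": {"S"}}, [], [
        ({"src": {"H"}}, ["premium", "permit"], []),
        ({"src": {"N4"}}, ["tunnel", "permit"], []),
        ({"src": {"N1"}}, ["permit"], []),
    ]),
])
FILTER = {"permit", "deny"}
def flatten(node, inherited=None):
    """Canonical list form: one rule per action node; condition = all tests on its path; order = priority."""
    cond, actions, children = node
    merged = dict(inherited or {})
    for field, values in cond.items():  # a nested test can only narrow a field
        merged[field] = values & merged[field] if field in merged else set(values)
    rules = [(merged, list(actions))] if actions else []
    for child in children:
        rules.extend(flatten(child, merged))
    return rules
def overlap(c1, c2):
    """Conditions overlap when every field constrained by both shares a value."""
    return all(c1[f] & c2[f] for f in c1.keys() & c2.keys())
def prune(rules, device):
    """Pruning: keep only rules that touch a network this device encloses."""
    return [(c, a) for c, a in rules
            if (c.get("src", set()) | c.get("dst", set())) & device["encloses"]]
def check(rules, device):
    """Capability check, plus overlapping rules that disagree on permit/deny (ordering must resolve)."""
    problems = []
    for cond, actions in rules:
        for a in sorted(set(actions) - device["capabilities"]):
            problems.append(f"{device['name']} cannot enforce {a!r} for {cond}")
    for (c1, a1), (c2, a2) in combinations(rules, 2):
        f1, f2 = set(a1) & FILTER, set(a2) & FILTER
        if f1 and f2 and f1 != f2 and overlap(c1, c2):
            problems.append(f"ordering needed between {c1} and {c2}")
    return problems

# Constructed topology: a PIX enclosing S and H, and a branch router enclosing
# N1 and N4 with no tunnel support. A trailing deny exercises the ordering check.
DEVICES = [{"name": "pix-hq", "encloses": {"S", "H"}, "capabilities": FILTER | {"premium", "tunnel"}},
           {"name": "rtr-branch", "encloses": {"N1", "N4"}, "capabilities": FILTER}]
def compile_policy(policy=POLICY, devices=DEVICES):
    """Per device: (pruned canonical rule list, problems found by the checks)."""
    rules = flatten(policy) + [({"service": {"HTTP"}, "dst": {"S"}}, ["deny"])]
    return {d["name"]: (prune(rules, d), check(prune(rules, d), d)) for d in devices}
```

The branch router keeps only the N1 and N4 rules and is flagged because it cannot provide the tunnel; the PIX keeps all four rules and is told that the deny overlaps each permit, so rule order must decide.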

16
Cisco Secure Policy Manager Infrastructure
  • Since 1997, Cisco has worked on a system for mapping user-specified policy to per-device configuration
  • History
      • Centri Firewall 4.0 controls a single enforcing device and combines the policy expression and topology into a single tree
      • Centri Firewall 5.0 separates the policy and topology trees to enable policy expression as it applies to multiple enforcing devices
      • Cisco Secure Policy Manager 1.0 compiles policy down to enforcing devices that are PIX firewalls

17
Architecture of Cisco Secure Policy Manager
18
GUI of Cisco Security Manager
19
Administrative Interface
  • An administrator enters policy through a GUI
  • It presents several trees, of which two are most important
      • Topology tree: information about the physical relationships
      • Policy enforcement tree: information about the logical relationships
  • Source-based enforcement tree
      • Source network objects can be placed in a hierarchy of folders in the enforcement tree → policies can be attached to the folders or to the network objects
      • Policy evaluation follows a best-match algorithm
      • Policy inheritance makes it easy to make exceptions to a basic policy
  • After policy changes, the UI programs store the proposed policy as a set of global policy objects

20
Policy Compilation
  • Policy Generation block
      • The policy compiler is notified when new policy objects are present in the database
      • The policy compiler takes the topology information and the global policy objects → generates a per-device policy list in a canonical form
      • This compiled policy rule list is linked with the enforcing device and stored in the policy database
  • The policy compilation phase maps the policy enforcement tree to device-specific configurations
  • The policy compiler flattens out the inheritance hierarchy and then re-optimizes the common policy rules
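An added example (not the slides' or the product's code) of the source-based enforcement tree of slide 19 and its flattening in slide 20: policies are attached to folders or network objects, resolved by best match (the nearest attachment wins, so an exception overrides the inherited basic policy), then flattened into one explicit list per object. Grouping objects whose flattened lists are identical is one reading of "re-optimize the common policy rules". The folder tree, the service names and the attached rules are constructed.

```python
# Constructed source-based enforcement tree: folder -> children (leaves are
# network objects), and constructed policies attached to folders or objects.
TREE = {"All": ["Engineering", "Guests"],
        "Engineering": ["eng-lan", "eng-dev", "eng-lab"],
        "Guests": ["guest-wifi"]}
ATTACHED = {                       # node -> list of (service, action)
    "All":         [("HTTP", "permit"), ("SMTP", "deny")],   # basic policy
    "Engineering": [("SSH", "permit")],
    "eng-lab":     [("HTTP", "deny")],                       # exception
    "Guests":      [("SSH", "deny")],
}

def parent_of(node):
    return next((p for p, kids in TREE.items() if node in kids), None)

def leaves():
    """Network objects: tree entries that are not themselves folders."""
    return [n for kids in TREE.values() for n in kids if n not in TREE]

def effective_policy(obj):
    """Best match: walk from the object up to the root; the nearest attachment
    for each service wins, so an exception overrides the inherited rule."""
    rules, node = {}, obj
    while node is not None:
        for service, action in ATTACHED.get(node, []):
            rules.setdefault(service, action)   # keep the first (nearest) hit
        node = parent_of(node)
    return rules

def flatten_inheritance(objects):
    """Replace the hierarchy by one explicit, sorted rule list per object."""
    return {o: sorted(effective_policy(o).items()) for o in objects}

def merge_common(flat):
    """Objects whose flattened lists are identical can share one device rule set."""
    groups = {}
    for obj, rules in flat.items():
        groups.setdefault(tuple(rules), []).append(obj)
    return list(groups.values())
```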

21
Policy Distribution
  • A device-specific control agent program is associated with each controlled enforcement point as the Policy Distribution block
  • The control agents perform two main functions
      • Configuration creation: the control agent reads the new policy rule list out of the object store and translates the generic policy rules into the syntax of the enforcement device
          • The configuration is stored in a buffer of commands → when the commands are approved, the control agent telnets in and downloads the commands
      • Configuration deployment: update order is important
          • The complete solution is a two-phase commit → separate memory blocks (one for the new configuration, the other for the previous configuration)

22
Policy Standards and Related Work
  • Much standardization has been motivated by QoS requirements rather than security
  • The policy working group is trying to standardize on policy schemas that can be implemented in LDAP directories
  • COPS
      • Defined in the RSVP Admission Policy working group as a standard protocol for moving policy to the devices
      • Provides a more compact, standard protocol for automating policy changes
      • RSVP can use COPS to query policy information from a policy server
  • Related Work
      • Guttman describes a language for global filtering policies and algorithms; differs in the input policy language
      • Bartal, Mayer, et al.: firewall filtering, a similar attempt to derive per-device configuration from a global policy; differs in the description/inheritance scheme

23
Conclusions and Future Work
  • Policy-based management has many benefits: delivering consistent, correct, and understandable network systems
  • The benefits of policy-based management will grow as network systems become more complex and offer more services (security services and QoS)
  • If the PBMS has sufficient information about the network topology, the compiler takes care of the details of generating consistent device configurations
  • Today's first-generation policy-based management systems are useful, but many improvements are needed in the next generation
      • Improved download method
      • Better device support
      • Improved mapping transformations

24
References
  • S. Hinrichs, "Policy-based management: bridging the gap," Proceedings of the 15th Annual Computer Security Applications Conference (ACSAC '99), 1999, pp. 209-218
  • J. Strassner, E. Ellesson, and B. Moore, "Policy Framework Core Information Model," Internet Draft, May 17, 1999
  • Cisco Systems, San Jose, CA, "Cisco Secure Policy Manager Tutorial," 1999
  • J. Boyle et al., "The COPS (Common Open Policy Service) Protocol," Internet Draft, February 1999