How about English, or the language(s) native to your organization?
I think there are real dangers in assuming that you can articulate a
policy in a metalanguage, force it through a policy UI or script, and
produce a policy configuration. Especially as I find myself dragged into
more situations where the asset values and risks are high and the
sophistication level of the users is low, it's much more important to
write security policies and AUPs that the folks who are the root cause
of most security problems will read and actually understand.
I've found that "simple pictures are best". Short, active tense
sentences that read like commandments are easily translated into a
policy configuration, especially if you include conditionals:
"If you are a member of the accounting department, the only server you
may access is accounting.example.com. The only services you may access
on accounting.example.com are X, Y, and Z. You may not access these
services on weekends. You must use your SecureID token and PIN to access
these services..."
If you can write it concisely, you can probably configure it precisely.
Marco Cremonini wrote:
Hi all,
I would like to ask you for a suggestion on a project we are
developing.
The project aims to automate some monitoring functionality with
firewall policy management (just iptables, at present).
The problem is: we would like to implement/adopt a high-level
specification language for the definition of a security policy,
something that should allow the policy to be specified at the
organizational level. Such a policy should then be translated into
specific fw rules.
I'm puzzled because it's not a new problem, but I can't find good
references. Several standards, especially in the XML-Web Services
area, have been proposed by W3C, OASIS etc., to define security
policies, but to me they seem quite useless in our case since I can't
see how and why Web Services should be integrated in this context.
I've found out that Mitre has a language, Oval
(http://oval.mitre.org/index.html), which could be considered,
although it is more focused on vulnerability assessment.
Otherwise, many have designed ad-hoc languages (I guess, just using
GNU Flex&Bison or the like for their definition).
Before going for yet-another-adhoc-language I just want to ask if
anybody knows a good standard or reference specification language.
Thank you.
Marco
===================================
Marco Cremonini
cremonini@dti.unimi.it
Dept. of Information Technology
University of Milan
Via Bramante 65 - 26013 Crema (CR), Italy
===================================
_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
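The thread above argues that a policy written as short conditional commandments can be compiled into a firewall configuration, and Marco's question is exactly that compiler for iptables. The following is an added example, not code from either poster or from any project mentioned in the thread: a small Python compiler that takes statements of the form used in the reply ("if you are a member of <group>, the only server you may access is <host>, the only services are <services>, not on <days>") and emits iptables commands. The group-to-subnet map, the pinned address for accounting.example.com, and the service catalogue standing in for X, Y and Z are all constructed assumptions; the token-and-PIN clause is carried through as a flag because a packet filter cannot enforce it.

```python
"""Compile commandment-style policy statements into iptables rules.

Added example, not code from the thread.  A statement mirrors the English
used above: "If you are a member of <group>, the only server you may access
is <host>.  The only services you may access on <host> are <services>.
You may not access these services on <days>."
Everything in GROUPS, HOSTS and SERVICES is a constructed assumption.
"""
from dataclasses import dataclass, field
import ipaddress

# Assumed: the source network each organisational group sits on.
GROUPS = {"accounting": "10.1.2.0/24"}
# Assumed: pinned addresses for hosts named in policy.  Resolving names at
# rule-load time would let whoever controls DNS rewrite the policy.
HOSTS = {"accounting.example.com": "10.9.0.10"}
# Assumed service catalogue standing in for the thread's X, Y and Z.
SERVICES = {"ssh": ("tcp", 22), "https": ("tcp", 443), "ldaps": ("tcp", 636)}
ALL_DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


@dataclass
class Statement:
    group: str
    host: str
    services: list
    denied_days: list = field(default_factory=list)
    # "You must use your token and PIN" is not a packet-filter property; the
    # flag lets the compiler report it instead of silently dropping it.
    requires_token: bool = False


def validate(stmt: Statement) -> None:
    """Refuse anything the catalogues cannot express.  An unknown name that
    compiled to 'no rule' is an outage on a default-deny chain and a hole on
    a default-allow one; either way it should fail loudly here."""
    if stmt.group not in GROUPS:
        raise ValueError(f"unknown group: {stmt.group}")
    if stmt.host not in HOSTS:
        raise ValueError(f"unknown host: {stmt.host}")
    for svc in stmt.services:
        if svc not in SERVICES:
            raise ValueError(f"unknown service: {svc}")
    for day in stmt.denied_days:
        if day not in ALL_DAYS:
            raise ValueError(f"unknown day: {day}")
    # Catch typos such as 10.1.2.0/42 before they reach the kernel.
    ipaddress.ip_network(GROUPS[stmt.group])
    ipaddress.ip_address(HOSTS[stmt.host])


def compile_statement(stmt: Statement, chain: str = "FORWARD") -> list:
    """ACCEPT rules for one statement.  The DROP that makes them exclusive is
    emitted once per group by compile_policy, so two statements about the
    same group cannot shadow each other."""
    validate(stmt)
    src, dst = GROUPS[stmt.group], HOSTS[stmt.host]
    time_match = ""
    if stmt.denied_days:
        allowed = ",".join(d for d in ALL_DAYS if d not in stmt.denied_days)
        # xt_time evaluates --weekdays in UTC unless --kerneltz is given, so a
        # Friday 23:30 local session may already be "Saturday" to the kernel.
        time_match = f" -m time --weekdays {allowed}"
    rules = []
    for svc in stmt.services:
        proto, port = SERVICES[svc]
        rules.append(
            f"iptables -A {chain} -s {src} -d {dst} -p {proto} --dport {port}"
            f" -m conntrack --ctstate NEW{time_match} -j ACCEPT"
        )
    return rules


def compile_policy(statements: list, chain: str = "FORWARD") -> tuple:
    """Compile all statements into one ordered rule set plus a list of
    clauses the firewall cannot enforce and must be pushed to the service."""
    rules = [f"iptables -A {chain} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    unenforced, groups = [], []
    for stmt in statements:
        rules.extend(compile_statement(stmt, chain))
        if stmt.group not in groups:
            groups.append(stmt.group)
        if stmt.requires_token:
            unenforced.append(f"{stmt.group} -> {stmt.host}: token+PIN must be enforced by the service")
    # "The only server you may access": every other new flow from the group
    # is dropped, so the ACCEPTs above are the whole of what the group gets.
    for g in groups:
        rules.append(f"iptables -A {chain} -s {GROUPS[g]} -m conntrack --ctstate NEW -j DROP")
    return rules, unenforced


if __name__ == "__main__":
    policy = [Statement("accounting", "accounting.example.com",
                        ["ssh", "https"], ["Sat", "Sun"], requires_token=True)]
    rules, todo = compile_policy(policy)
    print("\n".join(rules))
    for item in todo:
        print("# not enforceable here:", item)
```

The point the compiler makes explicit is the one the reply hints at: a concise statement compiles precisely only when every noun in it maps to something the enforcement point can test. Group membership becomes a source network, the service list becomes ports, the weekend clause becomes an xt_time match, and the token clause has nowhere to go in iptables, so the compiler hands it back rather than pretending the firewall enforces it.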