Policy-Based Management: Bridging the Gap - PowerPoint PPT Presentation

policy based management bridging the gap n.
Skip this Video
Loading SlideShow in 5 Seconds..
Policy-Based Management: Bridging the Gap PowerPoint Presentation
Download Presentation
Policy-Based Management: Bridging the Gap

play fullscreen
1 / 24
Download Presentation
Policy-Based Management: Bridging the Gap
Download Presentation

Policy-Based Management: Bridging the Gap

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. Policy-Based Management: Bridging the Gap Mi-Joung Choi DP&NM Lab. POSTECH, Pohang Korea Tel: +82-562-279-5653 Email: mjchoi@postech.ac.kr

  2. Basic Concepts Distributed System Management monitoring the activity of a system making management decision performing control actions to modify the behavior of the system Policy a relationship between a domain of subjects (managers) and a domain of target managed objects one aspect of information which influences the behavior of objects within the system Policy-based Management perform management based on policy

  3. PBM Architecture Management Policies Interpret Normal Functionality Interfaces Management Interface Managed Object Interpreter Managers Monitor Control Policy : 표현(expression), 해석(interpret), 적용(control)

  4. Contents • Introduction • Policy Expression • Policy Compilation • Cisco Secure Policy Manager infrastructure • Policy Standards and Related Work • Conclusions & Future work • References

  5. Introduction (1) • Policy goals are described w.r.t. network entities instead of enforcement points • Advantages of global view: Usability, Scalability, Security • This paper describes • techniques for accurately translating from global policy rules to actual per-device configuration, • how these techniques were used in the implementation of Cisco Secure Policy Manager.

  6. Introduction (2) • Policy: A global goal statement or constraint (ex) Engineering should have access to the department web server • Policy statement does not identify the implementation detail • For a set of policy statements to be useful, it must be enforced by a set of appropriately configured devices: firewalls, traffic shaper • There is a conceptual gap between the policy statement and the enforcing configuration  This gap must be bridged to make policy useful in the real world

  7. Introduction (3) • There are so many enforcing devices that must be coordinated to implement the policy  Policy translation problem occurs • This problem is analogous to the problem of compiling a program for a distributed machine • The policy is program, the enforcing devices are the nodes in the distributed machine • Use the same techniques from distributed compilation to perform the translation from policy to a set of consistent device configurations

  8. Policy Expression • A policy statement is a guarded action; when the condition is matched the action constraint is enforced. • Policy condition can test against • many properties of the packet headers (source. or dest. IP address) • global conditions (time of day, detected attack, network load) • extended state associated with the network flow • To gain an external condition, the policy-based system must have access to agents that monitor the state of the world • Policy actions are constraints or requirements associated with the network flows that match the guarding condition

  9. Policy Action • Example : • Filtering action (permit/deny) • Cryptographic requirements (use a encrypting IPSEC tunnel) • Quality of service requirements (give best effort service) • Example Policy that Specifies constraints on HTTP traffic If Service is HTTP If Destination is S If Source is H Service level is premium Permit Else If Source is N1 or N4 If Source is N4 Use encrypting tunnel Permit

  10. Policy expression • Conditional nesting may aid administrators by allowing them to group features that should be considered together • An arbitrarily nested policy can be flattened into a canonical list form  Deciding whether to nest or to simply require a list of guarded actions is a usability issue not a performance issue • But order of the policy rules or policy trees is important to resolve potential conflicts • Policy is merely a data flow specification (no looping mechanisms or state assignments)  Without looping, we are guaranteed that evaluating the policy will complete in a fixed amount of time. This guarantee of fixed-time policy evaluation is must for real-time packet filtering

  11. Policy Targets • While policy can describe constraints on many service domains, the operational constraints on these domains differ and these differences can influence the tradeoffs made in implementing a policy-based management system • Policy Domain • Security domain (filtering and cryptography) • Routing domain  has the biggest scaling problem • QoS domain  somewhat between the security domain and the routing domain

  12. Policy Compilation • describe the kind of topology information needed to make translation from policy specification to enforcements • describe compilation algorithm and various conflict detections and resolutions performed during translation

  13. Topology Information • The policy complier must have accurate information about network topology to perform an accurate mapping from global policy to local configuration • It must know the location of all enforcement points under its control • Ideally, this topology information can be imported from an already existing database or discovered automatically (When implementing s security policy, we only care about the details of the topology near the enforcing devices: firewall and routers) • When mapping a policy to a real network, the system must first identify enforcing devices and determine the sets of networks enclosed by the enforcing devices • Each completely enclosed set of networks is a domain of constant policy (identify enforcing devices and determine the sets of networks)

  14. Pruning • Pruning is one of the first steps of compiling a logically shared-memory program to a distributed-memory machine. • Pruning is the first step in compiling a policy down to the enforcing configurations. • The policy compiler steps through the global policy rules for each enforcing device and removes all rules that are not relevant to that enforcing device

  15. Consistency Checking • The policy compiler performs a large number of consistency checks and conflict detection steps • Is the enforcement point capable of the request? • Does this enforcement point have sufficient resources to carry out the request? • Are there conflicts between rules of the same action type? (ordering or priority is needed) • Are there conflicts between rules of different action types? ((ex) filtering and tunneling)  Ideally, the policy compiler should be able to detect all conflicts during the initial compilation phase

  16. Cisco Secure Policy Manager Infrastructure • 1997- : Cisco worked on a system for mapping user-specified policy to per-device configuration • History • Centri Firewall 4.0: controls a single enforcing device and combines the policy expression and topology into a single tree • Centri Firewall 5.0: separates the policy and topology trees to enable policy expression as it applied to multiple enforcing devices • Cisco Secure Policy Manager 1.0: compiles policy down to dnforcing devices that are PIX firewalls

  17. Architecture of Cisco Secure Policy Manager

  18. GUI of Cisco Security Manager

  19. Administrative Interface • A administrator enters policy through a GUI • It presents several trees of which two are most important • Topology tree : information about the physical relationship • Policy enforcement tree : information about logical relationship • Source-based enforcement tree • Source network objects can be placed in a hierarchy of folders in the enforcement tree  Policies can be attached to the folders or the network objects • Policy evaluation follows a best match algorithm • Policy inheritance makes it easy to make exceptions to a basic policy • After policy changes, UI programs store the proposed policy as a set of global policy objects

  20. Policy compilation • Policy Generation block • Policy compiler is notified when new policy objects are presented in the database • Policy compiler takes the topology information and the global policy objects  generates a per-device policy list in a canonical form • This compiled policy rule list is linked with the enforcing device and stored in the policy database • Policy compilation phase maps the policy enforcement tree to device-specific configurations • Policy compiler flattens out the inheritance hierarchy and then re-optimize the common policy rules

  21. Policy distribution • Device-specific control agent program is associated with each controlled enforcement point as “Policy Distribution” block • The control agents perform two main functions • Configuration creation : control agent reads the new policy rule list out of the object store and translates the generic policy rule into the syntax of the enforcement device • Store configuration into a buffer of commands  when commands approved, control agent telnets in and download the commands • Configuration deployment : update order is important • Complete solution is a two-phase commit  separate memory block(one for new configuration, the other for previous configuration)

  22. Policy standards and Related work • Much standardization has been motivated by QoS requirements rather than security • The policy working group is trying to standardize on policy schemas that can be implemented in LDAP directories • COPS • Defined in the RSVP Admission Policy working group as a standard protocol for moving policy to the devices • Provides a more compact, standard protocol for automating policy changes • RSVP can use COPS to query policy information from a policy server • Related Work • Guttman: describes a language for global filtering policies and algorithms, differ in the input policy language • Bartal, Mayer, et. al.: Firewall filtering, similar attempt to derive per-device configuration from a global policy, differ in description & inheritance scheme

  23. Conclusions & Future work • Policy-based management has many benefits of delivering consistent, correct, and understandable network systems • The benefits of policy-based management will grow as network systems become more complex and offer more services (security service and QoS) • If PBMS has sufficient information about the network topology, the compiler takes care of the details of generating consistent device configurations • Now, first generation policy-based management systems are useful, but many improvements are needed in the next generation • Improved download method • Better device support • Improved mapping transformations

  24. References • Hinrichs, S. , “Policy-based management: bridging the gap”, Computer Security Applications Conference, 1999. (ACSAC '99). Proceedings. 15th Annual , 1999, Page(s): 209 –218 • J. Strassner, E. Ellesson, and B. Moore, “Policy Framework Core Information Model”, Internet Draft, May 17, 1999 • Cisco Systems, San Jose, CA. Cisco Secure Policy Manager Tutorial, 1999 • Jim Boyle, et al, “The COPS ( Common Open Policy Service) Protocol”, Internet Draft, February 1999