Policy-Based Management: Bridging the Gap
Mi-Joung Choi
DP&NM Lab. POSTECH, Pohang Korea
Tel: +82-562-279-5653
Email: mjchoi@postech.ac.kr
Basic Concepts
• Distributed System Management
  • monitoring the activity of a system
  • making management decisions
  • performing control actions to modify the behavior of the system
• Policy
  • a relationship between a domain of subjects (managers) and a domain of target managed objects
  • one aspect of information which influences the behavior of objects within the system
• Policy-based Management
  • perform management based on policy
PBM Architecture
(Figure: managers hold management policies and use an interpreter to monitor and control the managed object through its management interface; the managed object also exposes its normal-functionality interfaces.)
• Policy: expression, interpretation, application (control)
Contents
• Introduction
• Policy Expression
• Policy Compilation
• Cisco Secure Policy Manager infrastructure
• Policy Standards and Related Work
• Conclusions & Future work
• References
Introduction (1)
• Policy goals are described w.r.t. network entities instead of enforcement points
• Advantages of a global view: usability, scalability, security
• This paper describes
  • techniques for accurately translating from global policy rules to actual per-device configuration,
  • how these techniques were used in the implementation of Cisco Secure Policy Manager.
Introduction (2)
• Policy: a global goal statement or constraint
  (ex) Engineering should have access to the department web server
• A policy statement does not identify the implementation details
• For a set of policy statements to be useful, it must be enforced by a set of appropriately configured devices: firewalls, traffic shapers
• There is a conceptual gap between the policy statement and the enforcing configuration; this gap must be bridged to make policy useful in the real world
Introduction (3)
• There are so many enforcing devices that must be coordinated to implement the policy that a policy translation problem occurs
• This problem is analogous to the problem of compiling a program for a distributed machine
  • The policy is the program; the enforcing devices are the nodes in the distributed machine
• Use the same techniques from distributed compilation to perform the translation from policy to a set of consistent device configurations
Policy Expression
• A policy statement is a guarded action; when the condition is matched, the action constraint is enforced.
• A policy condition can test against
  • many properties of the packet headers (source or dest. IP address)
  • global conditions (time of day, detected attack, network load)
  • extended state associated with the network flow
• To evaluate an external condition, the policy-based system must have access to agents that monitor the state of the world
• Policy actions are constraints or requirements associated with the network flows that match the guarding condition
Policy Action
• Examples:
  • Filtering action (permit/deny)
  • Cryptographic requirements (use an encrypting IPSEC tunnel)
  • Quality of service requirements (give best-effort service)
• Example policy that specifies constraints on HTTP traffic (nesting reconstructed from the slide):
    If Service is HTTP
      If Destination is S
        If Source is H
          Service level is premium
          Permit
        Else
          If Source is N1 or N4
            If Source is N4
              Use encrypting tunnel
            Permit
Policy expression
• Conditional nesting may aid administrators by allowing them to group features that should be considered together
• An arbitrarily nested policy can be flattened into a canonical list form
  • Deciding whether to nest or to simply require a list of guarded actions is a usability issue, not a performance issue
• But the order of the policy rules or policy trees is important to resolve potential conflicts
• Policy is merely a data flow specification (no looping mechanisms or state assignments)
  • Without looping, we are guaranteed that evaluating the policy will complete in a fixed amount of time. This guarantee of fixed-time policy evaluation is a must for real-time packet filtering
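The flattening described above, as an added example that is not part of the paper or of Cisco's product: the nested HTTP policy from the Policy Action slide is encoded as a tree and flattened into an ordered canonical list, then evaluated with first-match semantics. The field names, action strings and tree encoding are assumptions made for this demo.

```python
# Added example (not from the paper or the Cisco product): flatten a nested
# guarded-action policy into the ordered canonical list form and evaluate a
# flow with first-match semantics. Tree encoding and names are constructed.

def flatten(node, conds=(), actions=()):
    """Return an ordered list of (conditions, actions) for a policy tree.

    conds is a tuple of (field, allowed_values, negated). A node's own actions
    accumulate onto those inherited from matching ancestors; deeper (more
    specific) rules are emitted before their parent, and an else-branch carries
    the negated guard so the flat list keeps the tree's meaning under
    first-match evaluation.
    """
    guard = conds + ((node["field"], frozenset(node["values"]), False),)
    acts = actions + tuple(node.get("actions", ()))
    flat = []
    for child in node.get("then", ()):
        flat.extend(flatten(child, guard, acts))
    if node.get("actions"):
        flat.append((guard, acts))
    negated = conds + ((node["field"], frozenset(node["values"]), True),)
    for child in node.get("else", ()):
        flat.extend(flatten(child, negated, actions))
    return flat

def evaluate(flat, flow):
    """First-match evaluation: no loops or state, so it finishes after at
    most len(flat) condition checks, the fixed-time guarantee of the slide."""
    for rule_conds, acts in flat:
        if all((flow.get(f) in vals) != neg for f, vals, neg in rule_conds):
            return acts
    return ()  # no rule matched: implicit default (deny, for a firewall)

# Constructed encoding of the HTTP policy from the Policy Action slide.
POLICY = {"field": "service", "values": ["HTTP"], "then": [
    {"field": "dst", "values": ["S"], "then": [
        {"field": "src", "values": ["H"],
         "actions": ["service-level premium", "permit"],
         "else": [
            {"field": "src", "values": ["N1", "N4"], "actions": ["permit"],
             "then": [{"field": "src", "values": ["N4"],
                       "actions": ["use-encrypting-tunnel"]}]}]}]}]}

FLAT = flatten(POLICY)  # three canonical rules, most specific first
```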
Policy Targets
• While policy can describe constraints on many service domains, the operational constraints on these domains differ, and these differences can influence the tradeoffs made in implementing a policy-based management system
• Policy domains
  • Security domain (filtering and cryptography)
  • Routing domain: has the biggest scaling problem
  • QoS domain: somewhere between the security domain and the routing domain
Policy Compilation
• describes the kind of topology information needed to translate from a policy specification to enforcements
• describes the compilation algorithm and the various conflict detections and resolutions performed during translation
Topology Information
• The policy compiler must have accurate information about the network topology to perform an accurate mapping from global policy to local configuration
• It must know the location of all enforcement points under its control
• Ideally, this topology information can be imported from an already existing database or discovered automatically (when implementing a security policy, we only care about the details of the topology near the enforcing devices: firewalls and routers)
• When mapping a policy to a real network, the system must first identify the enforcing devices and determine the sets of networks enclosed by the enforcing devices
• Each completely enclosed set of networks is a domain of constant policy
Pruning
• Pruning is one of the first steps of compiling a logically shared-memory program to a distributed-memory machine.
• Pruning is the first step in compiling a policy down to the enforcing configurations.
• The policy compiler steps through the global policy rules for each enforcing device and removes all rules that are not relevant to that enforcing device
Consistency Checking
• The policy compiler performs a large number of consistency checks and conflict detection steps
  • Is the enforcement point capable of the request?
  • Does this enforcement point have sufficient resources to carry out the request?
  • Are there conflicts between rules of the same action type? (ordering or priority is needed)
  • Are there conflicts between rules of different action types? ((ex) filtering and tunneling)
• Ideally, the policy compiler should be able to detect all conflicts during the initial compilation phase
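Pruning and two of the consistency checks above, as an added example that is not the paper's or Cisco's code: a canonical rule list is pruned per enforcing device using the set of networks each device encloses, then checked for actions the device cannot enforce and for rules shadowed by an earlier rule. The topology, capability table, rule list and rule encoding (conditions as field to allowed-value sets) are constructed for this demo.

```python
# Added example (not the paper's or Cisco's code): per-device pruning of a
# canonical rule list plus capability and shadowing checks. All data here is
# constructed for the demo.

# Constructed topology: the set of networks each enforcing device encloses.
TOPOLOGY = {"fw-east": {"H", "S"}, "fw-west": {"N1", "N4"}}
# Constructed capability table: action types each device can enforce.
CAPABILITIES = {"fw-east": {"filter", "tunnel"}, "fw-west": {"filter"}}

# A rule is (conditions, actions); conditions map field -> allowed values,
# actions are (type, value) pairs. The list is in evaluation order.
RULES = [
    ({"service": {"HTTP"}, "src": {"H"}, "dst": {"S"}}, [("filter", "permit")]),
    ({"service": {"HTTP"}, "src": {"N4"}, "dst": {"S"}},
     [("tunnel", "encrypt"), ("filter", "permit")]),
    ({"service": {"HTTP"}, "src": {"N1", "N4"}, "dst": {"S"}}, [("filter", "permit")]),
    ({"service": {"HTTP"}, "src": {"N1"}, "dst": {"S"}}, [("filter", "deny")]),
]

def prune(device, rules):
    """Keep only rules whose matching flows could cross this device's boundary
    (one endpoint inside the enclosed networks, the other outside)."""
    enclosed = TOPOLOGY[device]
    kept = []
    for conds, actions in rules:
        src, dst = conds["src"], conds["dst"]
        src_in, dst_in = bool(src & enclosed), bool(dst & enclosed)
        src_out, dst_out = bool(src - enclosed), bool(dst - enclosed)
        if (src_in and dst_out) or (src_out and dst_in):
            kept.append((conds, actions))
    return kept

def subsumes(outer, inner):
    """True if every flow matching `inner` also matches `outer`."""
    return all(f in inner and inner[f] <= vals for f, vals in outer.items())

def check(device, rules):
    """Consistency checks for one device: capability, then shadowing (a later
    rule fully covered by an earlier one can never be reached)."""
    problems, caps = [], CAPABILITIES[device]
    for i, (conds, actions) in enumerate(rules):
        for kind, _ in actions:
            if kind not in caps:
                problems.append(f"rule {i}: {device} cannot enforce {kind}")
        for j in range(i):
            if subsumes(rules[j][0], conds):
                problems.append(f"rule {i}: shadowed by rule {j}, never reached")
    return problems

def compile_for(device, rules=RULES):
    """Return the pruned rule list for a device and the problems found in it."""
    kept = prune(device, rules)
    return kept, check(device, kept)
```

The H-to-S rule is pruned from both devices because both endpoints sit in one domain of constant policy, while the deny rule for N1 is reported as shadowed by the preceding N1-or-N4 permit.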
Cisco Secure Policy Manager Infrastructure
• 1997- : Cisco worked on a system for mapping user-specified policy to per-device configuration
• History
  • Centri Firewall 4.0: controls a single enforcing device and combines the policy expression and topology into a single tree
  • Centri Firewall 5.0: separates the policy and topology trees to enable policy expression as it applies to multiple enforcing devices
  • Cisco Secure Policy Manager 1.0: compiles policy down to enforcing devices that are PIX firewalls
Administrative Interface
• An administrator enters policy through a GUI
• It presents several trees, of which two are most important
  • Topology tree: information about the physical relationships
  • Policy enforcement tree: information about the logical relationships
• Source-based enforcement tree
  • Source network objects can be placed in a hierarchy of folders in the enforcement tree; policies can be attached to the folders or to the network objects
  • Policy evaluation follows a best-match algorithm
  • Policy inheritance makes it easy to make exceptions to a basic policy
• After policy changes, the UI programs store the proposed policy as a set of global policy objects
Policy compilation
• Policy Generation block
  • The policy compiler is notified when new policy objects are presented in the database
  • The policy compiler takes the topology information and the global policy objects and generates a per-device policy list in a canonical form
  • This compiled policy rule list is linked with the enforcing device and stored in the policy database
• The policy compilation phase maps the policy enforcement tree to device-specific configurations
• The policy compiler flattens out the inheritance hierarchy and then re-optimizes the common policy rules
Policy distribution
• A device-specific control agent program is associated with each controlled enforcement point as the "Policy Distribution" block
• The control agents perform two main functions
  • Configuration creation: the control agent reads the new policy rule list out of the object store and translates the generic policy rules into the syntax of the enforcement device
    • The configuration is stored into a buffer of commands; when the commands are approved, the control agent telnets in and downloads the commands
  • Configuration deployment: update order is important
    • A complete solution is a two-phase commit using separate memory blocks (one for the new configuration, the other for the previous configuration)
Policy standards and Related work
• Much standardization has been motivated by QoS requirements rather than security
• The Policy working group is trying to standardize policy schemas that can be implemented in LDAP directories
• COPS
  • Defined in the RSVP Admission Policy working group as a standard protocol for moving policy to the devices
  • Provides a more compact, standard protocol for automating policy changes
  • RSVP can use COPS to query policy information from a policy server
• Related Work
  • Guttman: describes a language for global filtering policies and algorithms; differs in the input policy language
  • Bartal, Mayer, et al.: firewall filtering, a similar attempt to derive per-device configuration from a global policy; differs in the description and inheritance scheme
Conclusions & Future work
• Policy-based management has many benefits in delivering consistent, correct, and understandable network systems
• The benefits of policy-based management will grow as network systems become more complex and offer more services (security services and QoS)
• If the PBMS has sufficient information about the network topology, the compiler takes care of the details of generating consistent device configurations
• First-generation policy-based management systems are useful now, but many improvements are needed in the next generation
  • Improved download method
  • Better device support
  • Improved mapping transformations
References
• Hinrichs, S., "Policy-based management: bridging the gap", Computer Security Applications Conference, 1999 (ACSAC '99), Proceedings, 15th Annual, 1999, pp. 209-218
• J. Strassner, E. Ellesson, and B. Moore, "Policy Framework Core Information Model", Internet Draft, May 17, 1999
• Cisco Systems, San Jose, CA, Cisco Secure Policy Manager Tutorial, 1999
• Jim Boyle, et al., "The COPS (Common Open Policy Service) Protocol", Internet Draft, February 1999