Policy-Based Management: Bridging the Gap

1
Policy-Based Management Bridging the Gap
Mi-Joung Choi DPNM Lab. POSTECH, Pohang
Korea Tel 82-562-279-5653 Email
mjchoi_at_postech.ac.kr
2
Basic Concepts

• Distributed System Management
• monitoring the activity of a system
• making management decision
• performing control actions to modify the behavior
  of the system
• Policy
• a relationship between a domain of subjects
  (managers) and a domain of target managed objects
  
• one aspect of information which influences the
  behavior of objects within the system
• Policy-based Management
• perform management based on policy

3
PBM Architecture
Policy ??(expression), ??(interpret),
??(control)
4
Contents

• Introduction
• Policy Expression
• Policy Compilation
• Cisco Secure Policy Manager infrastructure
• Policy Standards and Related Work
• Conclusions Future work
• References

5
Introduction (1)

• Policy goals are described w.r.t. network
  entities instead of enforcement points
• Advantages of global view Usability,
  Scalability, Security
• This paper describes
• techniques for accurately translating from global
  policy rules to actual per-device configuration,
• how these techniques were used in the
  implementation of Cisco Secure Policy Manager.

6
Introduction (2)

• Policy A global goal statement or constraint
• (ex) Engineering should have access to the
  department web server
• Policy statement does not identify the
  implementation detail
• For a set of policy statements to be useful, it
  must be enforced by a set of appropriately
  configured devices firewalls, traffic shaper
• There is a conceptual gap between the policy
  statement and the enforcing configuration ? This
  gap must be bridged to make policy useful in the
  real world

7
Introduction (3)

• There are so many enforcing devices that must be
  coordinated to implement the policy
• ? Policy translation problem occurs
• This problem is analogous to the problem of
  compiling a program for a distributed machine
• The policy is program, the enforcing devices are
  the nodes in the distributed machine
• Use the same techniques from distributed
  compilation to perform the translation from
  policy to a set of consistent device
  configurations

8
Policy Expression

• A policy statement is a guarded action when the
  condition is matched the action constraint is
  enforced.
• Policy condition can test against
• many properties of the packet headers (source. or
  dest. IP address)
• global conditions (time of day, detected attack,
  network load)
• extended state associated with the network flow
• To gain an external condition, the policy-based
  system must have access to agents that monitor
  the state of the world
• Policy actions are constraints or requirements
  associated with the network flows that match the
  guarding condition

9
Policy Action

• Example
• Filtering action (permit/deny)
• Cryptographic requirements (use a encrypting
  IPSEC tunnel)
• Quality of service requirements (give best effort
  service)
• Example Policy that Specifies constraints on HTTP
  traffic
• If Service is HTTP
• If Destination is S
• If Source is H
• Service level is premium
• Permit
• Else If Source is N1 or N4
• If Source is N4
• Use encrypting tunnel
• Permit

10
Policy expression

• Conditional nesting may aid administrators by
  allowing them to group features that should be
  considered together
• An arbitrarily nested policy can be flattened
  into a canonical list form ? Deciding whether to
  nest or to simply require a list of guarded
  actions is a usability issue not a performance
  issue
• But order of the policy rules or policy trees is
  important to resolve potential conflicts
• Policy is merely a data flow specification (no
  looping mechanisms or state assignments) ?
  Without looping, we are guaranteed that
  evaluating the policy will complete in a fixed
  amount of time. This guarantee of fixed-time
  policy evaluation is must for real-time packet
  filtering

11
Policy Targets

• While policy can describe constraints on many
  service domains, the operational constraints on
  these domains differ and these differences can
  influence the tradeoffs made in implementing a
  policy-based management system
• Policy Domain
• Security domain (filtering and cryptography)
• Routing domain ? has the biggest scaling problem
• QoS domain ? somewhat between the security domain
  and the routing domain

12
Policy Compilation

• describe the kind of topology information needed
  to make translation from policy specification to
  enforcements
• describe compilation algorithm and various
  conflict detections and resolutions performed
  during translation

13
Topology Information

• The policy complier must have accurate
  information about network topology to perform an
  accurate mapping from global policy to local
  configuration
• It must know the location of all enforcement
  points under its control
• Ideally, this topology information can be
  imported from an already existing database or
  discovered automatically (When implementing s
  security policy, we only care about the details
  of the topology near the enforcing devices
  firewall and routers)
• When mapping a policy to a real network, the
  system must first identify enforcing devices and
  determine the sets of networks enclosed by the
  enforcing devices
• Each completely enclosed set of networks is a
  domain of constant policy (identify enforcing
  devices and determine the sets of networks)

14
Pruning

• Pruning is one of the first steps of compiling a
  logically shared-memory program to a
  distributed-memory machine.
• Pruning is the first step in compiling a policy
  down to the enforcing configurations.
• The policy compiler steps through the global
  policy rules for each enforcing device and
  removes all rules that are not relevant to that
  enforcing device

15
Consistency Checking

• The policy compiler performs a large number of
  consistency checks and conflict detection steps
• Is the enforcement point capable of the request?
• Does this enforcement point have sufficient
  resources to carry out the request?
• Are there conflicts between rules of the same
  action type?
• (ordering or priority is needed)
• Are there conflicts between rules of different
  action types?
• ((ex) filtering and tunneling)
• ? Ideally, the policy compiler should be able to
  detect all conflicts during the initial
  compilation phase

16
Cisco Secure Policy Manager Infrastructure

• 1997- Cisco worked on a system for mapping
  user-specified policy to per-device configuration
• History
• Centri Firewall 4.0 controls a single enforcing
  device and combines the policy expression and
  topology into a single tree
• Centri Firewall 5.0 separates the policy and
  topology trees to enable policy expression as it
  applied to multiple enforcing devices
• Cisco Secure Policy Manager 1.0 compiles policy
  down to dnforcing devices that are PIX firewalls

17
Architecture of Cisco Secure Policy Manager
18
GUI of Cisco Security Manager
19
Administrative Interface

• A administrator enters policy through a GUI
• It presents several trees of which two are most
  important
• Topology tree information about the physical
  relationship
• Policy enforcement tree information about
  logical relationship
• Source-based enforcement tree
• Source network objects can be placed in a
  hierarchy of folders in the enforcement tree ?
  Policies can be attached to the folders or the
  network objects
• Policy evaluation follows a best match algorithm
• Policy inheritance makes it easy to make
  exceptions to a basic policy
• After policy changes, UI programs store the
  proposed policy as a set of global policy objects

20
Policy compilation

• Policy Generation block
• Policy compiler is notified when new policy
  objects are presented in the database
• Policy compiler takes the topology information
  and the global policy objects ? generates a
  per-device policy list in a canonical form
• This compiled policy rule list is linked with the
  enforcing device and stored in the policy
  database
• Policy compilation phase maps the policy
  enforcement tree to device-specific
  configurations
• Policy compiler flattens out the inheritance
  hierarchy and then re-optimize the common policy
  rules

21
Policy distribution

• Device-specific control agent program is
  associated with each controlled enforcement point
  as Policy Distribution block
• The control agents perform two main functions
• Configuration creation control agent reads the
  new policy rule list out of the object store and
  translates the generic policy rule into the
  syntax of the enforcement device
• Store configuration into a buffer of commands ?
  when commands approved, control agent telnets in
  and download the commands
• Configuration deployment update order is
  important
• Complete solution is a two-phase commit ?
  separate memory block(one for new configuration,
  the other for previous configuration)

22
Policy standards and Related work

• Much standardization has been motivated by QoS
  requirements rather than security
• The policy working group is trying to standardize
  on policy schemas that can be implemented in LDAP
  directories
• COPS
• Defined in the RSVP Admission Policy working
  group as a standard protocol for moving policy to
  the devices
• Provides a more compact, standard protocol for
  automating policy changes
• RSVP can use COPS to query policy information
  from a policy server
• Related Work
• Guttman describes a language for global
  filtering policies and algorithms, differ in the
  input policy language
• Bartal, Mayer, et. al. Firewall filtering,
  similar attempt to derive per-device
  configuration from a global policy, differ in
  description inheritance scheme

23
Conclusions Future work

• Policy-based management has many benefits of
  delivering consistent, correct, and
  understandable network systems
• The benefits of policy-based management will grow
  as network systems become more complex and offer
  more services (security service and QoS)
• If PBMS has sufficient information about the
  network topology, the compiler takes care of the
  details of generating consistent device
  configurations
• Now, first generation policy-based management
  systems are useful, but many improvements are
  needed in the next generation
• Improved download method
• Better device support
• Improved mapping transformations

24
References

• Hinrichs, S. , Policy-based management bridging
  the gap, Computer Security Applications
  Conference, 1999. (ACSAC '99). Proceedings. 15th
  Annual , 1999, Page(s) 209 218
• J. Strassner, E. Ellesson, and B. Moore, Policy
  Framework Core Information Model, Internet
  Draft, May 17, 1999
• Cisco Systems, San Jose, CA. Cisco Secure Policy
  Manager Tutorial, 1999
• Jim Boyle, et al, The COPS ( Common Open Policy
  Service) Protocol, Internet Draft, February 1999