Policy-Based Management: Bridging the Gap
Mi-Joung Choi
DP&NM Lab. POSTECH, Pohang Korea
Tel: +82-562-279-5653 Email: [email protected]
POSTECH DP&NM Lab.
(2) Integration of Mobile agents with SNMP
Basic Concepts
• Distributed System Management
  – monitoring the activity of a system
  – making management decisions
  – performing control actions to modify the behavior of the system
• Policy
  – a relationship between a domain of subjects (managers) and a domain of target managed objects
  – one aspect of information which influences the behavior of objects within the system
• Policy-based Management
  – perform management based on policy
PBM Architecture
[Figure: PBM architecture. Managers interpret management policies through an Interpreter, and monitor and control the Managed Object via its Management Interface; the managed object also exposes its normal functionality interfaces.]
Policy: expression, interpretation, application (control)
Contents
• Introduction
• Policy Expression
• Policy Compilation
• Cisco Secure Policy Manager infrastructure
• Policy Standards and Related Work
• Conclusions & Future work
• References
Introduction (1)
• Policy goals are described w.r.t. network entities instead of enforcement points
• Advantages of a global view: usability, scalability, security
• This paper describes
  – techniques for accurately translating from global policy rules to actual per-device configuration,
  – how these techniques were used in the implementation of Cisco Secure Policy Manager.
Introduction (2)
• Policy: a global goal statement or constraint (e.g. "Engineering should have access to the department web server")
  – A policy statement does not identify the implementation details
  – For a set of policy statements to be useful, it must be enforced by a set of appropriately configured devices: firewalls, traffic shapers
  – There is a conceptual gap between the policy statement and the enforcing configuration; this gap must be bridged to make policy useful in the real world
Introduction (3)
  – There are many enforcing devices that must be coordinated to implement the policy, so a policy translation problem arises
  – This problem is analogous to compiling a program for a distributed machine: the policy is the program, and the enforcing devices are the nodes in the distributed machine
  – The same techniques used in distributed compilation can be used to perform the translation from policy to a set of consistent device configurations
Policy Expression
• A policy statement is a guarded action: when the condition is matched, the action constraint is enforced.
• A policy condition can test against
  – many properties of the packet headers (e.g. source or destination IP address)
  – global conditions (time of day, detected attack, network load)
  – extended state associated with the network flow
• To evaluate an external condition, the policy-based system must have access to agents that monitor the state of the world
• Policy actions are constraints or requirements associated with the network flows that match the guarding condition
Policy Action
• Examples:
  – Filtering action (permit/deny)
  – Cryptographic requirements (use an encrypting IPSEC tunnel)
  – Quality of service requirements (give best effort service)
• Example policy that specifies constraints on HTTP traffic:
  If Service is HTTP
    If Destination is S
      If Source is H
        Service level is premium
        Permit
      Else If Source is N1 or N4
        If Source is N4
          Use encrypting tunnel
        Permit
Policy expression
• Conditional nesting may aid administrators by allowing them to group features that should be considered together
• An arbitrarily nested policy can be flattened into a canonical list form; deciding whether to nest or to simply require a list of guarded actions is a usability issue, not a performance issue
• But the order of the policy rules or policy trees is important to resolve potential conflicts
• Policy is merely a data flow specification (no looping mechanisms or state assignments). Without looping, we are guaranteed that evaluating the policy will complete in a fixed amount of time. This guarantee of fixed-time policy evaluation is a must for real-time packet filtering
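The flattening and fixed-time evaluation described above, as an added example (this is not code from the paper or from Cisco Secure Policy Manager). The nested tree is a constructed rendering of the HTTP example from the Policy Action slide; the field names `service`, `dst`, `src`, the labels `S`, `H`, `N1`, `N4` and the action strings are assumptions used only for illustration.

```python
"""Flatten a nested policy tree into an ordered list of guarded actions and
evaluate it with a bounded number of steps.

Added example, not the paper's or Cisco Secure Policy Manager's code. The
tree, field names and labels below are constructed assumptions.
"""

# A tree node is either a guard {"if": (field, values), "then": [...], "else": [...]}
# or a leaf {"action": "..."}.  Conditions are conjunctive along a path.
NESTED_POLICY = [
    {"if": ("service", {"HTTP"}), "then": [
        {"if": ("dst", {"S"}), "then": [
            {"if": ("src", {"H"}), "then": [
                {"action": "service-level premium"},
                {"action": "permit"},
            ], "else": [
                {"if": ("src", {"N1", "N4"}), "then": [
                    {"if": ("src", {"N4"}), "then": [
                        {"action": "use-encrypting-tunnel"},
                    ]},
                    {"action": "permit"},
                ]},
            ]},
        ]},
    ]},
]


def flatten(nodes, guards=()):
    """Return the canonical list form: [(conditions, action), ...].

    Each entry carries the full conjunction of conditions on the path from
    the root, so nesting is no longer needed.  Order is preserved, because
    a later rule may only apply when earlier guards did not match.
    """
    rules = []
    for node in nodes:
        if "action" in node:
            rules.append((tuple(guards), node["action"]))
            continue
        field, values = node["if"]
        rules.extend(flatten(node.get("then", []), guards + ((field, values),)))
        if node.get("else"):
            # The else-branch applies only when the test fails: negated guard.
            rules.extend(flatten(node["else"], guards + ((field, values, "not"),)))
    return rules


def matches(conditions, packet):
    """True when every (possibly negated) condition holds for the packet."""
    for cond in conditions:
        field, values = cond[0], cond[1]
        hit = packet.get(field) in values
        if len(cond) == 3:          # negated guard from an else-branch
            hit = not hit
        if not hit:
            return False
    return True


def evaluate(rules, packet):
    """Collect, in rule order, every action whose guard matches the packet.

    There are no loops or state assignments in the policy itself, so the
    work is bounded by len(rules): the fixed-time guarantee the slide names.
    """
    return [action for conditions, action in rules if matches(conditions, packet)]


if __name__ == "__main__":
    canonical = flatten(NESTED_POLICY)
    for conds, action in canonical:
        print(conds, "->", action)
    print(evaluate(canonical, {"service": "HTTP", "dst": "S", "src": "N4"}))
```

The canonical list has one entry per leaf action, each with the whole guard path attached, which is why the flattened form is equivalent to the tree and why reordering it would change which constraints a flow receives.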
Policy Targets
• While policy can describe constraints on many service domains, the operational constraints on these domains differ, and these differences can influence the tradeoffs made in implementing a policy-based management system
• Policy domains
  – Security domain (filtering and cryptography)
  – Routing domain: has the biggest scaling problem
  – QoS domain: lies somewhere between the security domain and the routing domain
Policy Compilation
• Describes the kind of topology information needed to translate from a policy specification to enforcement configurations
• Describes the compilation algorithm and the various conflict detections and resolutions performed during translation
Topology Information
• The policy compiler must have accurate information about the network topology to perform an accurate mapping from global policy to local configuration
• It must know the location of all enforcement points under its control
• Ideally, this topology information can be imported from an already existing database or discovered automatically (when implementing a security policy, we only care about the details of the topology near the enforcing devices: firewalls and routers)
• When mapping a policy to a real network, the system must first identify the enforcing devices and determine the sets of networks enclosed by them
• Each completely enclosed set of networks is a domain of constant policy
Pruning
• Pruning is one of the first steps of compiling a logically shared-memory program to a distributed-memory machine.
• Pruning is likewise the first step in compiling a policy down to the enforcing configurations.
• The policy compiler steps through the global policy rules for each enforcing device and removes all rules that are not relevant to that enforcing device.
Consistency Checking
• The policy compiler performs a large number of consistency checks and conflict detection steps
  – Is the enforcement point capable of the request?
  – Does this enforcement point have sufficient resources to carry out the request?
  – Are there conflicts between rules of the same action type? (ordering or priority is needed)
  – Are there conflicts between rules of different action types? (e.g. filtering and tunneling)
• Ideally, the policy compiler should be able to detect all conflicts during the initial compilation phase
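Per-device pruning (previous slide) and the consistency checks listed above, carried out on a canonical rule list, as an added example that is not code from the paper or from Cisco Secure Policy Manager. The topology (which networks each firewall encloses), the device capability sets, the rule list, the `any` wildcard and the finding names are all constructed assumptions; the resource-sufficiency check is omitted because the slides give no resource model.

```python
"""Prune a canonical global policy per enforcing device, then run the
capability, same-type and cross-type conflict checks from the slide.

Added example; topology, capabilities, rules and finding labels are
constructed assumptions, not Cisco Secure Policy Manager's data model.
"""

# Each enforcing device encloses a set of networks: a domain of constant policy.
TOPOLOGY = {
    "fw-eng": {"capabilities": {"filter", "tunnel"}, "encloses": {"eng-net"}},
    "fw-dmz": {"capabilities": {"filter"}, "encloses": {"dmz-net"}},
}

SELECTORS = ("src", "dst", "service")

# Canonical (already flattened, ordered) global rules.  "any" is a wildcard.
GLOBAL_RULES = [
    {"src": "eng-net", "dst": "dmz-net", "service": "HTTP", "type": "filter", "action": "permit"},
    {"src": "eng-net", "dst": "dmz-net", "service": "HTTP", "type": "tunnel", "action": "encrypt"},
    {"src": "any",     "dst": "dmz-net", "service": "HTTP", "type": "filter", "action": "deny"},
    {"src": "dmz-net", "dst": "eng-net", "service": "SSH",  "type": "filter", "action": "deny"},
    {"src": "dmz-net", "dst": "eng-net", "service": "SSH",  "type": "tunnel", "action": "encrypt"},
    {"src": "ext-net", "dst": "eng-net", "service": "SSH",  "type": "filter", "action": "deny"},
    {"src": "ext-net", "dst": "ext-net", "service": "any",  "type": "filter", "action": "deny"},
]


def crosses(rule, device):
    """True when the rule's flow can pass through this device's boundary,
    i.e. one endpoint may be inside the enclosed domain and the other outside."""
    enclosed = TOPOLOGY[device]["encloses"]
    src_in = rule["src"] == "any" or rule["src"] in enclosed
    dst_in = rule["dst"] == "any" or rule["dst"] in enclosed
    src_out = rule["src"] == "any" or rule["src"] not in enclosed
    dst_out = rule["dst"] == "any" or rule["dst"] not in enclosed
    return (src_in and dst_out) or (src_out and dst_in)


def prune(rules, device):
    """Pruning step: keep only rules relevant to this enforcement point."""
    return [r for r in rules if crosses(r, device)]


def overlaps(a, b):
    """Two rules overlap when every selector is equal or a wildcard on either side."""
    return all(a[f] == b[f] or "any" in (a[f], b[f]) for f in SELECTORS)


def covers(a, b):
    """True when every packet matched by b is also matched by a."""
    return all(a[f] == "any" or a[f] == b[f] for f in SELECTORS)


def check(rules, device):
    """Return (finding, where) pairs for one device's pruned rule list."""
    findings = []
    caps = TOPOLOGY[device]["capabilities"]
    # Is the enforcement point capable of the request?
    for i, r in enumerate(rules):
        if r["type"] not in caps:
            findings.append(("not-capable", i))
    # Same action type: overlapping filter rules with different actions are
    # resolved by order (earlier wins); a fully covered later rule is dead.
    for i, a in enumerate(rules):
        for j in range(i + 1, len(rules)):
            b = rules[j]
            if a["type"] == b["type"] == "filter" and overlaps(a, b) and a["action"] != b["action"]:
                findings.append(("shadowed" if covers(a, b) else "order-dependent", (i, j)))
    # Different action types: a tunnel is useless for a flow that the first
    # overlapping filter rule denies.
    for j, t in enumerate(rules):
        if t["type"] != "tunnel":
            continue
        for i, f in enumerate(rules):
            if f["type"] == "filter" and overlaps(f, t):
                if f["action"] == "deny":
                    findings.append(("deny-vs-tunnel", (i, j)))
                break
    return findings


def compile_policy(rules=GLOBAL_RULES):
    """Map device name -> (pruned rule list, findings)."""
    result = {}
    for device in TOPOLOGY:
        pruned = prune(rules, device)
        result[device] = (pruned, check(pruned, device))
    return result


if __name__ == "__main__":
    for device, (pruned, findings) in compile_policy().items():
        print(device, len(pruned), "rules", findings)
```

Running it shows the two sides of the slide: the ext-net rules never reach fw-dmz (pruned), fw-dmz cannot honour the tunnel rules at all (capability), the permit/deny pair on HTTP to dmz-net is only correct because of its order, and the SSH tunnel from dmz-net is contradicted by the deny that precedes it.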
Cisco Secure Policy Manager Infrastructure
• 1997- : Cisco worked on a system for mapping user-specified policy to per-device configuration
• History
  – Centri Firewall 4.0: controls a single enforcing device and combines the policy expression and topology into a single tree
  – Centri Firewall 5.0: separates the policy and topology trees to enable policy expression as it applies to multiple enforcing devices
  – Cisco Secure Policy Manager 1.0: compiles policy down to enforcing devices that are PIX firewalls
Architecture of Cisco Secure Policy Manager
GUI of Cisco Security Manager
Administrative Interface
• An administrator enters policy through a GUI
• It presents several trees, of which two are most important
  – Topology tree: information about the physical relationships
  – Policy enforcement tree: information about the logical relationships
• Source-based enforcement tree
  – Source network objects can be placed in a hierarchy of folders in the enforcement tree; policies can be attached to the folders or to the network objects
  – Policy evaluation follows a best-match algorithm
  – Policy inheritance makes it easy to make exceptions to a basic policy
• After policy changes, the UI programs store the proposed policy as a set of global policy objects
Policy compilation
• "Policy Generation" block
• The policy compiler is notified when new policy objects are presented in the database
• The policy compiler takes the topology information and the global policy objects and generates a per-device policy list in a canonical form
• This compiled policy rule list is linked with the enforcing device and stored in the policy database
• The policy compilation phase maps the policy enforcement tree to device-specific configurations
• The policy compiler flattens out the inheritance hierarchy and then re-optimizes the common policy rules
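The source-based enforcement tree from the Administrative Interface slide (folders, attached policies, best-match evaluation, inheritance with exceptions) together with the flattening and re-optimization step named above, as an added example that is not code from the paper or from Cisco Secure Policy Manager. The folder layout, the network object names, the `(service, action)` rule shape and the fail-closed default are constructed assumptions.

```python
"""Best-match evaluation over a source-based enforcement tree, and flattening
of the inheritance hierarchy into one ordered, re-optimized rule list per
source object.

Added example; the tree, names and rule shape are constructed assumptions,
not the Cisco Secure Policy Manager data model.
"""

# Folders contain folders or network objects; a policy (ordered list of
# (service, action) guarded actions) can be attached at any node.
ENFORCEMENT_TREE = {
    "name": "All Sources",
    "policy": [("any", "deny")],                       # basic policy for everyone
    "children": [
        {"name": "Engineering",
         "policy": [("HTTP", "permit"), ("SSH", "permit")],
         "children": [
             # Exception: one host in Engineering must not use SSH.
             {"name": "eng-build-host", "policy": [("SSH", "deny")], "children": []},
             {"name": "eng-net", "policy": [], "children": []},
         ]},
        {"name": "Guests", "policy": [("HTTP", "permit")], "children": []},
    ],
}


def path_to(node, name, path=()):
    """Chain of nodes from the root down to the object called `name`, or None."""
    path = path + (node,)
    if node["name"] == name:
        return path
    for child in node["children"]:
        found = path_to(child, name, path)
        if found:
            return found
    return None


def best_match(tree, source, service):
    """Best-match: walk from the most specific node upward and take the first
    rule that mentions the service (or 'any'); a leaf overrides its folders."""
    path = path_to(tree, source)
    if path is None:
        raise KeyError(source)
    for node in reversed(path):
        for svc, action in node["policy"]:
            if svc in (service, "any"):
                return action
    return "deny"     # nothing attached anywhere: fail closed (assumption)


def flatten_inheritance(tree):
    """Per leaf object, the ordered rule list with the most specific rules
    first, so that a single first-match pass reproduces best_match()."""
    out = {}

    def walk(node, inherited):
        rules = list(node["policy"]) + inherited      # own rules before inherited
        if not node["children"]:
            out[node["name"]] = rules
        for child in node["children"]:
            walk(child, rules)

    walk(tree, [])
    return out


def optimize(rules):
    """Re-optimization: drop rules shadowed by an earlier rule on the same
    service, and everything after a catch-all."""
    seen, out = set(), []
    for svc, act in rules:
        if svc in seen:
            continue
        out.append((svc, act))
        seen.add(svc)
        if svc == "any":
            break
    return out


def first_match(rules, service):
    """Evaluate a flattened list the way an enforcing device would."""
    for svc, act in rules:
        if svc in (service, "any"):
            return act
    return "deny"


if __name__ == "__main__":
    for leaf, rules in flatten_inheritance(ENFORCEMENT_TREE).items():
        print(leaf, optimize(rules))
```

For eng-build-host the flattened list starts with its own SSH deny, followed by the inherited Engineering permits and the root catch-all; re-optimization removes the inherited SSH permit that the exception shadows, and first-match over the result gives the same answers as best-match over the tree.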
Policy distribution
• A device-specific control agent program is associated with each controlled enforcement point as the "Policy Distribution" block
• The control agents perform two main functions
  – Configuration creation: the control agent reads the new policy rule list out of the object store and translates the generic policy rules into the syntax of the enforcement device
    • The configuration is stored into a buffer of commands; when the commands are approved, the control agent telnets in and downloads the commands
  – Configuration deployment: the update order is important
    • The complete solution is a two-phase commit with separate memory blocks (one for the new configuration, the other for the previous configuration)
Policy standards and Related work
• Much standardization has been motivated by QoS requirements rather than security
• The Policy working group is trying to standardize policy schemas that can be implemented in LDAP directories
• COPS
  – Defined in the RSVP Admission Policy working group as a standard protocol for moving policy to the devices
  – Provides a more compact, standard protocol for automating policy changes
  – RSVP can use COPS to query policy information from a policy server
• Related Work
  – Guttman: describes a language for global filtering policies and algorithms; differs in the input policy language
  – Bartal, Mayer, et al.: firewall filtering, a similar attempt to derive per-device configuration from a global policy; differs in the description & inheritance scheme
Conclusions & Future work
• Policy-based management has many benefits in delivering consistent, correct, and understandable network systems
• The benefits of policy-based management will grow as network systems become more complex and offer more services (security services and QoS)
• If the PBMS has sufficient information about the network topology, the compiler takes care of the details of generating consistent device configurations
• Today's first-generation policy-based management systems are useful, but many improvements are needed in the next generation
  – Improved download method
  – Better device support
  – Improved mapping transformations
References
• S. Hinrichs, "Policy-based management: bridging the gap", Proceedings of the 15th Annual Computer Security Applications Conference (ACSAC '99), 1999, pp. 209–218
• J. Strassner, E. Ellesson, and B. Moore, "Policy Framework Core Information Model", Internet Draft, May 17, 1999
• Cisco Systems, San Jose, CA, Cisco Secure Policy Manager Tutorial, 1999
• J. Boyle et al., "The COPS (Common Open Policy Service) Protocol", Internet Draft, February 1999