Policy-Based Management: Bridging the Gap

Mi-Joung Choi

DP&NM Lab. POSTECH, Pohang Korea

Tel: +82-562-279-5653, Email: mjchoi@postech.ac.kr

POSTECH DP&NM Lab.

(2) Integration of Mobile agents with SNMP

Basic Concepts

• Distributed System Management
  – monitoring the activity of a system
  – making management decisions
  – performing control actions to modify the behavior of the system
• Policy
  – a relationship between a domain of subjects (managers) and a domain of target managed objects
  – one aspect of the information which influences the behavior of objects within the system
• Policy-based Management
  – performing management based on policy


PBM Architecture

[Figure: managers interpret management policies (through an interpreter) and monitor and control a managed object through its management interface; the managed object also exposes its normal functionality interfaces.]

Policy: expression, interpretation, application (control)


Contents

• Introduction
• Policy Expression
• Policy Compilation
• Cisco Secure Policy Manager infrastructure
• Policy Standards and Related Work
• Conclusions & Future work
• References


Introduction (1)

• Policy goals are described with respect to network entities instead of enforcement points
• Advantages of a global view: usability, scalability, security
• This paper describes
  – techniques for accurately translating global policy rules into actual per-device configuration
  – how these techniques were used in the implementation of Cisco Secure Policy Manager


Introduction (2)

• Policy: a global goal statement or constraint, e.g. "Engineering should have access to the department web server"
  – A policy statement does not identify the implementation details
  – For a set of policy statements to be useful, it must be enforced by a set of appropriately configured devices (firewalls, traffic shapers)
  – There is a conceptual gap between the policy statement and the enforcing configuration; this gap must be bridged to make policy useful in the real world


Introduction (3)

  – Many enforcing devices must be coordinated to implement the policy, which gives rise to the policy translation problem
  – This problem is analogous to compiling a program for a distributed machine: the policy is the program, and the enforcing devices are the nodes of the distributed machine
  – The same techniques used in distributed compilation can therefore be used to translate a policy into a set of consistent device configurations


Policy Expression

• A policy statement is a guarded action: when the condition is matched, the action constraint is enforced
• A policy condition can test against
  – many properties of the packet headers (source or destination IP address, ...)
  – global conditions (time of day, detected attack, network load)
  – extended state associated with the network flow
• To evaluate an external condition, the policy-based system must have access to agents that monitor the state of the world
• Policy actions are constraints or requirements associated with the network flows that match the guarding condition


Policy Action

• Examples:
  – Filtering action (permit/deny)
  – Cryptographic requirement (use an encrypting IPsec tunnel)
  – Quality of service requirement (give best-effort service)
• Example policy that specifies constraints on HTTP traffic (S, H, N1 and N4 are network objects):

    If Service is HTTP
      If Destination is S
        If Source is H
          Service level is premium
          Permit
        Else If Source is N1 or N4
          If Source is N4
            Use encrypting tunnel
          Permit


Policy expression

• Conditional nesting may aid administrators by allowing them to group features that should be considered together
• An arbitrarily nested policy can be flattened into a canonical list form; deciding whether to nest or simply to require a list of guarded actions is a usability issue, not a performance issue
• The order of the policy rules or policy trees is important, however, because it resolves potential conflicts
• A policy is merely a data-flow specification (no looping mechanisms or state assignments). Without looping, evaluating the policy is guaranteed to complete in a fixed amount of time, and this guarantee of fixed-time evaluation is a must for real-time packet filtering
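The nested HTTP example from the previous slide, flattened into the canonical list form and evaluated first-match, as an added example (illustrative code written for this page, not code from the slides or from Cisco Secure Policy Manager). The symbolic network objects S, H, N1 and N4, the "Else" branch being carried as the negated guard of its "If" sibling, and the choice of returning no actions when nothing matches are assumptions.

```python
# Added example (not from the slides or from Cisco Secure Policy Manager):
# a nested guarded-action policy is flattened into canonical list form and
# evaluated first-match over a packet with a bounded number of guard checks.
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Cond:
    """Guard on one packet field: holds when packet[field] is in `values`
    (or is NOT in `values` when `negated`, which encodes an Else branch)."""
    field_: str
    values: frozenset
    negated: bool = False

    def holds(self, packet: dict) -> bool:
        return (packet.get(self.field_) in self.values) != self.negated


@dataclass
class Node:
    """One 'If' block: its guard, its own actions, nested 'If' blocks and an
    optional 'Else If' sibling."""
    cond: Cond
    actions: list = field(default_factory=list)
    children: list = field(default_factory=list)
    else_: Optional["Node"] = None


def cond(field_, *values):
    return Cond(field_, frozenset(values))


# The slide's HTTP example; S, H, N1, N4 are symbolic network objects (assumed).
POLICY = Node(cond("Service", "HTTP"), children=[
    Node(cond("Destination", "S"), children=[
        Node(cond("Source", "H"),
             actions=["service level premium", "permit"],
             else_=Node(cond("Source", "N1", "N4"), actions=["permit"], children=[
                 Node(cond("Source", "N4"), actions=["use encrypting tunnel"]),
             ])),
    ]),
])


def flatten(node, path=(), inherited=()):
    """Canonical list form: ordered (conds, actions) pairs, most specific first.
    Actions accumulate down the path; an Else branch carries the negated guard
    of its If sibling, so the list stays correct regardless of rule order."""
    rules = []
    conds = path + (node.cond,)
    actions = inherited + tuple(node.actions)
    for child in node.children:
        rules.extend(flatten(child, conds, actions))
    if node.actions:
        rules.append((conds, list(actions)))
    if node.else_ is not None:
        negated = Cond(node.cond.field_, node.cond.values, not node.cond.negated)
        rules.extend(flatten(node.else_, path + (negated,), inherited))
    return rules


def evaluate(rules, packet):
    """First-match evaluation. No loops over state and no assignment: at most
    len(rules) guard checks, so evaluation time is fixed for a given list."""
    for conds, actions in rules:
        if all(c.holds(packet) for c in conds):
            return actions
    return []  # no rule matched; assumed default here is "nothing permitted"


RULES = flatten(POLICY)

if __name__ == "__main__":
    for conds, actions in RULES:
        guard = " and ".join(
            f"{c.field_}{' not' if c.negated else ''} in {sorted(c.values)}" for c in conds)
        print(f"if {guard}: {actions}")
    print(evaluate(RULES, {"Service": "HTTP", "Destination": "S", "Source": "N4"}))
```

The three canonical rules come out in specificity order (H, then N4, then the rest of N1/N4), which is exactly the ordering the next slides say matters for conflict resolution; a packet from N4 picks up both the tunnel requirement and the permit, a packet from N1 only the permit.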


Policy Targets

• While policy can describe constraints on many service domains, the operational constraints on these domains differ, and these differences can influence the trade-offs made in implementing a policy-based management system
• Policy domains
  – Security domain (filtering and cryptography)
  – Routing domain: has the biggest scaling problem
  – QoS domain: somewhere between the security domain and the routing domain


Policy Compilation

• Describe the kind of topology information needed to translate from a policy specification to enforcement
• Describe the compilation algorithm and the various conflict detections and resolutions performed during translation


Topology Information

• The policy compiler must have accurate information about the network topology to perform an accurate mapping from global policy to local configuration
• It must know the location of all enforcement points under its control
• Ideally, this topology information can be imported from an existing database or discovered automatically (when implementing a security policy, only the details of the topology near the enforcing devices, i.e. firewalls and routers, matter)
• When mapping a policy to a real network, the system must first identify the enforcing devices and determine the sets of networks enclosed by them
• Each completely enclosed set of networks is a domain of constant policy


Pruning

• Pruning is one of the first steps in compiling a logically shared-memory program for a distributed-memory machine
• Likewise, pruning is the first step in compiling a policy down to the enforcing configurations
• The policy compiler steps through the global policy rules for each enforcing device and removes all rules that are not relevant to that enforcing device


Consistency Checking

• The policy compiler performs a large number of consistency checks and conflict detection steps
  – Is the enforcement point capable of the request?
  – Does this enforcement point have sufficient resources to carry out the request?
  – Are there conflicts between rules of the same action type? (ordering or priority is needed)
  – Are there conflicts between rules of different action types? (e.g. filtering and tunneling)
• Ideally, the policy compiler should be able to detect all conflicts during the initial compilation phase
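The three compilation steps on the preceding slides (topology, pruning, consistency checking) run over a constructed topology of two firewalls, as an added example written for this page (not code from the slides or from Cisco Secure Policy Manager). The network names, the device capability sets and rule limits, the "one end inside the enclosed domain, one end outside" crossing test used for pruning, and the particular form of the four checks are assumptions.

```python
# Added example (not from the slides or from Cisco Secure Policy Manager):
# prune a global canonical rule list per enforcement point from topology
# information, then run the four consistency checks the slides list.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str         # network object name, or "*" for any
    dst: str
    service: str
    action: str      # "permit" | "deny" | "tunnel"


@dataclass(frozen=True)
class Device:
    name: str
    inside: frozenset        # networks completely enclosed by this device
    capabilities: frozenset  # action kinds it can enforce (assumed)
    max_rules: int           # assumed resource limit


KIND = {"permit": "filter", "deny": "filter", "tunnel": "tunnel"}
FIELDS = ("src", "dst", "service")


def _key(r):
    return tuple(getattr(r, f) for f in FIELDS)


def crosses(rule, dev):
    """A flow concerns a device only if it passes through it: one end inside
    the enclosed domain and the other outside. Wildcards are kept."""
    if "*" in (rule.src, rule.dst):
        return True
    return (rule.src in dev.inside) != (rule.dst in dev.inside)


def prune(rules, dev):
    return [r for r in rules if crosses(r, dev)]


def covers(a, b):
    """True when every flow matched by rule b is also matched by rule a."""
    return all(x == y or x == "*" for x, y in zip(_key(a), _key(b)))


def check(rules, dev):
    problems = []
    # 1. capability: can this enforcement point do what the rule asks?
    for r in rules:
        if KIND[r.action] not in dev.capabilities:
            problems.append(f"{dev.name}: cannot enforce {r.action} for {_key(r)}")
    # 2. resources
    if len(rules) > dev.max_rules:
        problems.append(f"{dev.name}: {len(rules)} rules exceed limit {dev.max_rules}")
    # 3. same action type: a later filter rule fully shadowed by an earlier one
    #    with the opposite decision never fires -> ordering/priority needed
    filters = [r for r in rules if KIND[r.action] == "filter"]
    for i, later in enumerate(filters):
        for earlier in filters[:i]:
            if earlier.action != later.action and covers(earlier, later):
                problems.append(f"{dev.name}: {later.action} {_key(later)} is shadowed by "
                                f"{earlier.action} {_key(earlier)}")
                break
    # 4. different action types: a tunnel requirement on a flow that the
    #    filter rules (first match) would deny
    for t in rules:
        if t.action != "tunnel":
            continue
        first = next((f for f in filters if covers(f, t)), None)
        if first is not None and first.action == "deny":
            problems.append(f"{dev.name}: tunnel for {_key(t)} conflicts with deny {_key(first)}")
    return problems


def compile_policy(rules, devices):
    """Per device: the pruned rule list and the problems found while compiling."""
    result = {}
    for d in devices:
        pruned = prune(rules, d)
        result[d.name] = (pruned, check(pruned, d))
    return result


# Constructed topology: an edge firewall enclosing three networks and an inner
# lab firewall enclosing only Lab; "Internet" is outside everything.
DEVICES = [
    Device("fw_edge", frozenset({"Eng", "Srv", "Lab"}), frozenset({"filter", "tunnel"}), 100),
    Device("fw_lab", frozenset({"Lab"}), frozenset({"filter"}), 4),
]

# Constructed global policy, already in canonical (ordered, first-match) form.
GLOBAL = [
    Rule("Eng", "Srv", "HTTP", "permit"),
    Rule("Lab", "Srv", "HTTP", "tunnel"),
    Rule("Lab", "Srv", "HTTP", "permit"),
    Rule("*", "Srv", "HTTP", "deny"),
    Rule("*", "Internet", "HTTP", "deny"),
    Rule("Lab", "Internet", "HTTP", "permit"),   # shadowed by the deny above it
    Rule("Lab", "Internet", "HTTP", "tunnel"),   # that flow is denied: cross-type conflict
]

if __name__ == "__main__":
    for name, (rules, problems) in compile_policy(GLOBAL, DEVICES).items():
        print(name, f"{len(rules)} rules after pruning")
        for p in problems:
            print("  !", p)
```

Pruning removes the Eng-to-Srv and Lab-to-Srv rules from the edge firewall (both ends are inside its domain, so it never sees that traffic) and the Eng-to-Srv rule from the lab firewall; the report then shows one shadowed rule and one tunnel-versus-deny conflict on the edge firewall, and on the lab firewall additionally two tunnel rules it cannot enforce and a rule count above its limit.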


Cisco Secure Policy Manager Infrastructure

• 1997-: Cisco worked on a system for mapping user-specified policy to per-device configuration
• History
  – Centri Firewall 4.0: controls a single enforcing device and combines the policy expression and topology into a single tree
  – Centri Firewall 5.0: separates the policy and topology trees to enable policy expression as it applies to multiple enforcing devices
  – Cisco Secure Policy Manager 1.0: compiles policy down to enforcing devices that are PIX firewalls


Architecture of Cisco Secure Policy Manager


GUI of Cisco Secure Policy Manager


Administrative Interface

• An administrator enters policy through a GUI
• It presents several trees, of which two are most important
  – Topology tree: information about the physical relationships
  – Policy enforcement tree: information about the logical relationships
• Source-based enforcement tree
  – Source network objects can be placed in a hierarchy of folders in the enforcement tree; policies can be attached to the folders or to the network objects
  – Policy evaluation follows a best-match algorithm
  – Policy inheritance makes it easy to make exceptions to a basic policy
• After policy changes, the UI programs store the proposed policy as a set of global policy objects


Policy compilation

• The "Policy Generation" block of the architecture
• The policy compiler is notified when new policy objects are presented in the database
• The policy compiler takes the topology information and the global policy objects and generates a per-device policy list in a canonical form
• This compiled policy rule list is linked with the enforcing device and stored in the policy database
• The policy compilation phase maps the policy enforcement tree to device-specific configurations
• The policy compiler flattens out the inheritance hierarchy and then re-optimizes the common policy rules


Policy distribution

• A device-specific control agent program is associated with each controlled enforcement point (the "Policy Distribution" block)
• The control agents perform two main functions
  – Configuration creation: the control agent reads the new policy rule list out of the object store and translates the generic policy rules into the syntax of the enforcement device
    • The configuration is stored in a buffer of commands; once the commands are approved, the control agent telnets in and downloads them
  – Configuration deployment: the update order is important
    • The complete solution is a two-phase commit with separate memory blocks (one for the new configuration, the other for the previous configuration)
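The control agent's two functions, configuration creation and two-phase deployment, as an added example written for this page (not code from the slides or from Cisco Secure Policy Manager). The ACL-style command syntax, the simulated devices with a "new" and a "previous" configuration block, the use of the plan's order as the update order, and the fault that makes fw_lab reject tunnel commands are all assumptions. Phase one downloads each device's rendered command buffer into its new block; the switch-over in phase two happens only after every device has accepted its buffer, so a rejection anywhere leaves the previous configuration active everywhere.

```python
# Added example (not from the slides or from Cisco Secure Policy Manager):
# a control agent renders canonical rules into a command buffer and deploys
# it with a two-phase commit over simulated enforcement points.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    service: str
    action: str  # "permit" | "deny" | "tunnel"


def render(rules, acl="policy_in"):
    """Translate generic rules into an ACL-style command buffer.
    The syntax is illustrative (assumed), not any particular vendor's."""
    cmds = [f"no access-list {acl}"]  # start from a clean list on the device
    for r in rules:
        if r.action in ("permit", "deny"):
            cmds.append(f"access-list {acl} {r.action} {r.service} {r.src} {r.dst}")
        elif r.action == "tunnel":
            cmds.append(f"crypto-policy {acl} tunnel {r.service} {r.src} {r.dst}")
        else:
            raise ValueError(f"unknown action {r.action!r}")
    return cmds


class Device:
    """Simulated enforcement point with two configuration memory blocks."""

    def __init__(self, name, rejects=None):
        self.name = name
        self.active = []          # previous (running) configuration
        self.staged = None        # new configuration, not yet in effect
        self._rejects = rejects   # constructed fault: command text it cannot load

    def stage(self, cmds):        # phase 1: download into the new block
        if self._rejects and any(self._rejects in c for c in cmds):
            raise RuntimeError(f"{self.name} rejected {self._rejects!r}")
        self.staged = list(cmds)

    def commit(self):             # phase 2: the new block becomes active
        self.active, self.staged = self.staged, None

    def abort(self):              # discard the new block; previous config stays
        self.staged = None


def deploy(plan):
    """plan: ordered list of (device, rules); the order is the update order
    chosen by the compiler (assumed). Returns (ok, log)."""
    log, staged = [], []
    for dev, rules in plan:
        try:
            dev.stage(render(rules))
        except RuntimeError as err:
            log.append(f"abort: {err}")
            for d in staged:      # roll back everything staged so far
                d.abort()
            return False, log
        staged.append(dev)
        log.append(f"staged {dev.name}")
    for dev in staged:            # nothing switches until everything is staged
        dev.commit()
        log.append(f"committed {dev.name}")
    return True, log


# Constructed rule lists for two devices.
EDGE_RULES = [Rule("*", "Srv", "HTTP", "deny"), Rule("Lab", "Internet", "HTTP", "permit")]
LAB_RULES = [Rule("Lab", "Srv", "HTTP", "permit")]


def demo():
    """First attempt includes a tunnel rule that fw_lab cannot load and is
    rolled back on both devices; the second attempt commits on both."""
    edge, lab = Device("fw_edge"), Device("fw_lab", rejects="crypto-policy")
    bad_ok, _ = deploy([(edge, EDGE_RULES),
                        (lab, LAB_RULES + [Rule("Lab", "Srv", "HTTP", "tunnel")])])
    untouched = edge.active == [] and lab.active == [] and edge.staged is None
    good_ok, _ = deploy([(edge, EDGE_RULES), (lab, LAB_RULES)])
    return bad_ok, untouched, good_ok, edge.active, lab.active


if __name__ == "__main__":
    print(demo())
```

The roll-back in `deploy` is what the separate memory blocks buy: a device that has already accepted its new buffer is told to discard it, so the network never ends up with the edge firewall running the new policy while the lab firewall still runs the old one.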


Policy standards and Related work

• Much standardization has been motivated by QoS requirements rather than security
• The IETF Policy Framework working group is trying to standardize policy schemas that can be implemented in LDAP directories
• COPS
  – Defined in the RSVP Admission Policy (RAP) working group as a standard protocol for moving policy to the devices
  – Provides a more compact, standard protocol for automating policy changes
  – RSVP can use COPS to query policy information from a policy server
• Related Work
  – Guttman: describes a language for global filtering policies and algorithms; differs in the input policy language
  – Bartal, Mayer, et al.: firewall filtering, a similar attempt to derive per-device configuration from a global policy; differs in the description and inheritance scheme


Conclusions & Future work

• Policy-based management has many benefits: it delivers consistent, correct, and understandable network systems
• These benefits will grow as network systems become more complex and offer more services (security services and QoS)
• If the policy-based management system has sufficient information about the network topology, the compiler takes care of the details of generating consistent device configurations
• First-generation policy-based management systems are useful now, but many improvements are needed in the next generation
  – Improved download method
  – Better device support
  – Improved mapping transformations


References

• S. Hinrichs, "Policy-based management: bridging the gap", Proceedings of the 15th Annual Computer Security Applications Conference (ACSAC '99), 1999, pp. 209-218
• J. Strassner, E. Ellesson, and B. Moore, "Policy Framework Core Information Model", Internet Draft, May 17, 1999
• Cisco Systems, San Jose, CA, Cisco Secure Policy Manager Tutorial, 1999
• J. Boyle et al., "The COPS (Common Open Policy Service) Protocol", Internet Draft, February 1999