Policy-based management: bridging the gap


Policy-Based Management:
Bridging the Gap
Mi-Joung Choi
DP&NM Lab.
POSTECH, Pohang Korea
Tel: +82-562-279-5653
Email: [email protected]
Basic Concepts
• Distributed System Management
– monitoring the activity of a system
– making management decisions
– performing control actions to modify the behavior of the
system
• Policy
– a relationship between a domain of subjects (managers) and
a domain of target managed objects
– one aspect of information which influences the behavior of
objects within the system
• Policy-based Management
– perform management based on policy
Integration of Mobile agents with SNMP
(2)
POSTECH
DP&NM Lab.
PBM Architecture
Policy: expression, interpretation, application (control)
[Figure: PBM architecture. Managers express management policies; a policy interpreter interprets them, monitors the managed objects through their management interface and issues control actions to them, while the managed objects' normal functionality is reached through their ordinary interfaces.]
Contents
• Introduction
• Policy Expression
• Policy Compilation
• Cisco Secure Policy Manager infrastructure
• Policy Standards and Related Work
• Conclusions & Future work
• References
Introduction (1)
• Policy goals are described w.r.t. network entities instead of
enforcement points
• Advantages of global view: Usability, Scalability, Security
• This paper describes
– techniques for accurately translating from global policy rules to
actual per-device configuration,
– how these techniques were used in the implementation of Cisco
Secure Policy Manager.
Introduction (2)
• Policy: a global goal statement or constraint
(ex) Engineering should have access to the department web server
– The policy statement does not identify implementation details
– For a set of policy statements to be useful, it must be enforced
by a set of appropriately configured devices: firewalls, traffic
shapers
– There is a conceptual gap between the policy statement and the
enforcing configuration → this gap must be bridged to make
policy useful in the real world
Introduction (3)
– There are many enforcing devices that must be coordinated to
implement the policy
→ the policy translation problem
– This problem is analogous to compiling a program for a
distributed machine
→ the policy is the program, the enforcing devices are the nodes of the
distributed machine
– The same techniques used in distributed compilation can perform
the translation from policy to a set of consistent device
configurations
Policy Expression
• A policy statement is a guarded action; when the condition
is matched the action constraint is enforced.
• A policy condition can test against
– many properties of the packet headers (e.g. source or destination IP address)
– global conditions (time of day, a detected attack, network load)
– extended state associated with the network flow
• To test an external condition, the policy-based system
must have access to agents that monitor the state of the
world
• Policy actions are constraints or requirements associated
with the network flows that match the guarding condition
Policy Action
• Example :
– Filtering action (permit/deny)
– Cryptographic requirements (use an encrypting IPsec tunnel)
– Quality of service requirements (give best-effort service)
• Example policy that specifies constraints on HTTP traffic
If Service is HTTP
  If Destination is S
    If Source is H
      Service level is premium
      Permit
    Else If Source is N1 or N4
      If Source is N4
        Use encrypting tunnel
      Permit
Policy expression
• Conditional nesting may aid administrators by allowing them to
group features that should be considered together
• An arbitrarily nested policy can be flattened into a canonical list
form → deciding whether to nest or simply to require a list of
guarded actions is a usability issue, not a performance issue
• But the order of the policy rules or policy trees is important to resolve
potential conflicts
• Policy is merely a data flow specification (no looping mechanisms
or state assignments) → without looping, we are guaranteed that
evaluating the policy will complete in a fixed amount of time. This
guarantee of fixed-time policy evaluation is a must for real-time
packet filtering
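The nested HTTP policy from the Policy Action slide, carried through as an added example (this is not code from the paper or from Cisco Secure Policy Manager): the tree is evaluated directly, flattened into the canonical ordered list form, and the two are checked against each other. The Atom/Node/Rule types, the flow dictionaries and the host names H, S, N1 and N4 are assumptions made for the example.

```python
"""Guarded-action policy: evaluate the nested tree directly, flatten it to a
canonical ordered rule list, and confirm the two agree in bounded time.

Added example for this page, not code from the paper or from Cisco Secure
Policy Manager. The Atom/Node/Rule types, the flow dictionaries and the host
names H, S, N1, N4 are assumptions; the policy is the HTTP example above."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Atom:
    """One test on a flow property: true when flow[name] is in values."""
    name: str
    values: frozenset

    def matches(self, flow: dict) -> bool:
        return flow.get(self.name) in self.values


def atom(name, *values):
    return Atom(name, frozenset(values))


@dataclass
class Node:
    """A guarded block. `actions` apply to every flow matching `guard`;
    `children` form the if / else-if chain tried in order below it."""
    guard: Atom
    actions: frozenset = frozenset()
    children: list = field(default_factory=list)


@dataclass(frozen=True)
class Rule:
    """Canonical form: a conjunction of atoms and the actions that apply."""
    conds: tuple
    actions: frozenset


# The example policy from the Policy Action slide (constructed data).
POLICY = [Node(atom("service", "HTTP"), children=[
    Node(atom("dst", "S"), children=[
        Node(atom("src", "H"), frozenset({"service level premium", "permit"})),
        Node(atom("src", "N1", "N4"), frozenset({"permit"}), children=[
            Node(atom("src", "N4"), frozenset({"use encrypting tunnel"})),
        ]),
    ]),
])]


def eval_tree(nodes, flow, inherited=frozenset()) -> Optional[frozenset]:
    """Read the policy as written: descend into the first matching branch.
    Returns the actions, or None when no top-level guard matches."""
    for node in nodes:
        if node.guard.matches(flow):
            acts = inherited | node.actions
            below = eval_tree(node.children, flow, acts)
            return acts if below is None else below
    return None


def flatten(nodes, conds=(), acts=frozenset()):
    """Flatten to an ordered first-match list. Each branch's rules come
    before the residual rule for the branch itself, so first match
    reproduces the tree exactly; the order is therefore significant."""
    rules = []
    for node in nodes:
        c, a = conds + (node.guard,), acts | node.actions
        rules += flatten(node.children, c, a)
        rules.append(Rule(c, a))   # matched this block, no child matched
    return rules


FLAT = flatten(POLICY)


def eval_rules(rules, flow):
    """First match wins. Returns (actions or None, rules examined); with no
    loops or state the count never exceeds len(rules): fixed-time evaluation."""
    for n, rule in enumerate(rules, 1):
        if all(c.matches(flow) for c in rule.conds):
            return rule.actions, n
    return None, len(rules)


def describe(rule: Rule) -> str:
    conds = " and ".join(f"{c.name} in {sorted(c.values)}" for c in rule.conds)
    return f"if {conds}: {sorted(rule.actions) or 'no constraint'}"


if __name__ == "__main__":
    for r in FLAT:
        print(describe(r))
    flow = {"service": "HTTP", "src": "N4", "dst": "S"}
    print(eval_tree(POLICY, flow), eval_rules(FLAT, flow))
    print(eval_rules(list(reversed(FLAT)), flow))  # wrong order, wrong answer
```

Reversing the flattened list makes the N4 flow hit the bare `service is HTTP` residual rule first and lose both its permit and its tunnel requirement, which is the ordering point made above; `eval_rules` also reports how many rules it examined, which is never more than `len(FLAT)`.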
Policy Targets
• While policy can describe constraints on many service
domains, the operational constraints on these domains
differ and these differences can influence the tradeoffs
made in implementing a policy-based management
system
• Policy Domain
– Security domain (filtering and cryptography)
– Routing domain → has the biggest scaling problem
– QoS domain → somewhere between the security domain and the
routing domain
Policy Compilation
• describe the kind of topology information needed to make
translation from policy specification to enforcements
• describe compilation algorithm and various conflict
detections and resolutions performed during translation
Topology Information
• The policy compiler must have accurate information about the
network topology to perform an accurate mapping from global
policy to local configuration
• It must know the location of all enforcement points under its
control
• Ideally, this topology information can be imported from an
already existing database or discovered automatically (when
implementing a security policy, we only care about the details
of the topology near the enforcing devices: firewalls and routers)
• When mapping a policy to a real network, the system must first
identify the enforcing devices and determine the sets of networks
enclosed by them
• Each completely enclosed set of networks is a domain of
constant policy: all traffic entering or leaving it crosses the same
enforcing devices, so the same rules apply throughout it
Pruning
• Pruning is one of the first steps of compiling a
logically shared-memory program to a distributed-memory machine.
• Pruning is the first step in compiling a policy down to
the enforcing configurations.
• The policy compiler steps through the global policy
rules for each enforcing device and removes all rules
that are not relevant to that enforcing device
Consistency Checking
• The policy compiler performs a large number of
consistency checks and conflict detection steps
– Is the enforcement point capable of the request?
– Does this enforcement point have sufficient resources to carry
out the request?
– Are there conflicts between rules of the same action type?
(ordering or priority is needed)
– Are there conflicts between rules of different action types?
((ex) filtering and tunneling)
→ Ideally, the policy compiler should be able to detect all
conflicts during the initial compilation phase
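Pruning and the consistency checks listed above, as an added example that is not the paper's or Cisco Secure Policy Manager's code. It assumes a constructed topology of three domains of constant policy (eng, dmz, internet) joined by two firewalls, constructed device capabilities and rule limits, and five constructed global rules; requiring every device on a path to be capable of every action type of a rule is a simplification made for the example.

```python
"""Policy compiler front half: prune the global rule list down to what each
enforcement point can see, then run the consistency checks listed above.

Added example for this page, not code from the paper or from Cisco Secure
Policy Manager. The topology, device capabilities and limits, and the rules
are constructed sample data; treating every device on a path as needing
every action type of a rule is a simplification."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src: frozenset      # domains the flow may originate in
    dst: frozenset      # domains it may be destined for
    svc: frozenset      # services
    action: str         # permit | deny (filtering) | tunnel | premium (requirements)


@dataclass(frozen=True)
class Device:
    name: str
    links: frozenset    # domains of constant policy this device sits between
    capable: frozenset  # action types it can enforce
    max_rules: int      # resource limit


FILTER = {"permit", "deny"}


def devices_on_path(topo, src, dst):
    """Breadth-first search over domains; devices are the links between them.
    Returns the set of devices crossed, or None if dst is unreachable."""
    prev, queue = {src: None}, deque([src])
    while queue:
        here = queue.popleft()
        if here == dst:
            break
        for dev in topo:
            if here in dev.links:
                for nxt in dev.links - {here}:
                    if nxt not in prev:
                        prev[nxt] = (here, dev)
                        queue.append(nxt)
    if dst not in prev:
        return None
    crossed, cur = set(), dst
    while prev[cur] is not None:
        cur, dev = prev[cur]
        crossed.add(dev)
    return crossed


def prune(topo, rules):
    """Per device, keep only the rules whose traffic can cross that device."""
    per_dev = {dev.name: [] for dev in topo}
    for r in rules:
        crossed = set()
        for s in r.src:
            for d in r.dst:
                if s != d:                   # intra-domain traffic meets no device
                    crossed |= devices_on_path(topo, s, d) or set()
        for dev in crossed:
            per_dev[dev.name].append(r)
    return per_dev


def overlaps(a, b):
    return bool(a.src & b.src and a.dst & b.dst and a.svc & b.svc)


def covers(a, b):
    """Every flow b matches, a matches as well."""
    return b.src <= a.src and b.dst <= a.dst and b.svc <= a.svc


def check(topo, per_dev):
    """Returns (device, kind, detail) findings: capability, resource,
    same-type (ordering) and cross-type (filter vs. requirement) conflicts."""
    findings = []
    for dev in topo:
        rules = per_dev[dev.name]
        for r in rules:
            if r.action not in dev.capable:
                findings.append((dev.name, "capability", f"{r.name} needs {r.action}"))
        if len(rules) > dev.max_rules:
            findings.append((dev.name, "resource", f"{len(rules)} > {dev.max_rules}"))
        filters = [r for r in rules if r.action in FILTER]
        for i, later in enumerate(filters):
            for earlier in filters[:i]:
                if covers(earlier, later):   # the later rule can never match
                    kind = "redundant" if earlier.action == later.action else "shadowed"
                    findings.append((dev.name, kind, f"{later.name} by {earlier.name}"))
                    break
        for req in rules:
            if req.action in FILTER:
                continue
            # the first overlapping filter rule decides the overlapping flows
            first = next((f for f in filters if overlaps(f, req)), None)
            if first is not None and first.action == "deny":
                findings.append((dev.name, "cross-type",
                                 f"{first.name} denies traffic {req.name} wants {req.action}"))
    return findings


TOPO = [  # constructed topology: eng --fw_inner-- dmz --fw_edge-- internet
    Device("fw_inner", frozenset({"eng", "dmz"}), frozenset({"permit", "deny", "tunnel"}), 100),
    Device("fw_edge", frozenset({"dmz", "internet"}), frozenset({"permit", "deny"}), 2),
]
RULES = [  # constructed global policy, in canonical order
    Rule("eng_web", frozenset({"eng"}), frozenset({"dmz"}), frozenset({"http"}), "permit"),
    Rule("eng_tunnel", frozenset({"eng"}), frozenset({"internet"}), frozenset({"http"}), "tunnel"),
    Rule("deny_inet", frozenset({"eng"}), frozenset({"internet"}), frozenset({"http", "ssh"}), "deny"),
    Rule("eng_ssh", frozenset({"eng"}), frozenset({"internet"}), frozenset({"ssh"}), "permit"),
    Rule("dmz_local", frozenset({"dmz"}), frozenset({"dmz"}), frozenset({"http"}), "permit"),
]


def compile_policy(topo=TOPO, rules=RULES):
    per_dev = prune(topo, rules)
    return per_dev, check(topo, per_dev)
```

With the constructed data, `dmz_local` is pruned from both devices because its traffic never crosses one; `fw_edge` cannot enforce the tunnel rule and exceeds its rule limit; `eng_ssh` is shadowed by the earlier, broader `deny_inet` on both devices; and `deny_inet` conflicts across action types with `eng_tunnel`, since the flows the tunnel rule wants encrypted are dropped by the filter first.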
Cisco Secure Policy Manager Infrastructure
• Since 1997 Cisco has worked on a system for mapping user-specified policy to per-device configuration
• History
– Centri Firewall 4.0: controls a single enforcing device and
combines the policy expression and topology into a single tree
– Centri Firewall 5.0: separates the policy and topology trees to
enable policy expression as it applies to multiple enforcing
devices
– Cisco Secure Policy Manager 1.0: compiles policy down to
enforcing devices that are PIX firewalls
Architecture of Cisco Secure Policy Manager
GUI of Cisco Secure Policy Manager
Administrative Interface
• An administrator enters policy through a GUI
• It presents several trees, of which two are most important
– Topology tree: information about physical relationships
– Policy enforcement tree: information about logical relationships
• Source-based enforcement tree
– Source network objects can be placed in a hierarchy of folders
in the enforcement tree → policies can be attached to the
folders or to the network objects
– Policy evaluation follows a best-match algorithm
– Policy inheritance makes it easy to make exceptions to a basic
policy
• After policy changes, the UI programs store the proposed
policy as a set of global policy objects
Policy compilation
• Corresponds to the "Policy Generation" block of the architecture
• The policy compiler is notified when new policy objects are present in
the database
• The policy compiler takes the topology information and the global policy
objects → generates a per-device policy list in a canonical form
• This compiled policy rule list is linked with the enforcing device and
stored in the policy database
• The policy compilation phase maps the policy enforcement tree to
device-specific configurations
• The policy compiler flattens out the inheritance hierarchy and then re-optimizes the common policy rules
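The source-based enforcement tree, best-match evaluation and the flattening of the inheritance hierarchy described on the two slides above, as an added example (not Cisco Secure Policy Manager code). The folder names, network objects and rules are constructed; a rule is a (destination, service, action) triple with "*" as a wildcard, which is an assumption made for the example.

```python
"""Source-based enforcement tree: network objects in folders, policies
attached at any level, evaluation by best match, flattening to one effective
rule list per object, then re-sharing identical lists.

Added example for this page, not Cisco Secure Policy Manager code. Folder
names, objects and rules are constructed; a rule is (destination, service,
action) with "*" as wildcard."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple, Union

Rule = Tuple[str, str, str]     # (destination, service, action)


@dataclass
class NetObject:
    name: str
    rules: List[Rule] = field(default_factory=list)


@dataclass
class Folder:
    name: str
    rules: List[Rule] = field(default_factory=list)
    children: List[Union["Folder", NetObject]] = field(default_factory=list)


def flatten(folder: Folder, inherited: Tuple[Rule, ...] = ()) -> Dict[str, Tuple[Rule, ...]]:
    """Effective rule list per object. Rules attached nearer the object come
    first, so they act as exceptions to inherited rules (best match)."""
    chain = tuple(folder.rules) + inherited
    effective = {}
    for child in folder.children:
        if isinstance(child, Folder):
            effective.update(flatten(child, chain))
        else:
            effective[child.name] = tuple(child.rules) + chain
    return effective


def evaluate(rules: Tuple[Rule, ...], dst: str, svc: str) -> str:
    """Best match: the first (most specific) applicable rule decides;
    nothing applicable means deny."""
    for rdst, rsvc, action in rules:
        if rdst in ("*", dst) and rsvc in ("*", svc):
            return action
    return "deny"


def share(effective: Dict[str, Tuple[Rule, ...]]) -> Dict[Tuple[Rule, ...], List[str]]:
    """Re-optimise: objects with identical effective lists share one compiled list."""
    groups: Dict[Tuple[Rule, ...], List[str]] = {}
    for name, rules in effective.items():
        groups.setdefault(rules, []).append(name)
    return groups


# Constructed enforcement tree: a corporate default deny, an engineering
# exception for web access, and one host with a further ssh exception.
TREE = Folder("Corp", [("*", "*", "deny")], [
    Folder("Engineering", [("internet", "http", "permit")], [
        NetObject("eng1"),
        NetObject("eng2", [("internet", "ssh", "permit")]),
        NetObject("eng3"),
    ]),
    Folder("Sales", [], [NetObject("sales1")]),
])
EFFECTIVE = flatten(TREE)
```

`share(EFFECTIVE)` groups eng1 and eng3, whose flattened lists are identical, under one compiled list, which is the re-optimisation of common rules after the hierarchy has been flattened away.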
Policy distribution
• A device-specific control agent program is associated with
each controlled enforcement point; these agents form the "Policy Distribution"
block
• The control agents perform two main functions
– Configuration creation: the control agent reads the new policy rule
list out of the object store and translates the generic policy rules
into the syntax of the enforcement device
• The configuration is stored in a buffer of commands → when the commands
are approved, the control agent telnets in and downloads the commands
(Telnet carries the commands and the login credentials in cleartext, so the
management path itself needs protecting)
– Configuration deployment: update order is important
• The complete solution is a two-phase commit → separate memory blocks (one
for the new configuration, the other for the previous configuration)
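Configuration creation and two-phase-commit deployment, as an added example (not Cisco Secure Policy Manager code). The command syntax emitted by `render()` is a made-up generic syntax, not PIX syntax; the devices, the command verbs each accepts, and the rules are constructed for the example.

```python
"""Control agent duties as a two-phase commit: translate canonical rules into
device syntax, stage them in each device's spare configuration block, and
switch every device over only once all of them have accepted.

Added example for this page, not Cisco Secure Policy Manager code. The
command syntax produced by render() is a made-up generic syntax, not PIX
syntax; the devices, their accepted verbs and the rules are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    svc: str
    action: str     # permit | deny | tunnel


def render(rules) -> List[str]:
    """Configuration creation: generic rule -> (hypothetical) device command."""
    out = []
    for r in rules:
        if r.action in ("permit", "deny"):
            out.append(f"access {r.action} {r.svc} from {r.src} to {r.dst}")
        elif r.action == "tunnel":
            out.append(f"ipsec require {r.svc} from {r.src} to {r.dst}")
        else:
            raise ValueError(f"no translation for action {r.action!r}")
    return out


@dataclass
class Device:
    """Two memory blocks: `running` is the previous configuration, `staged`
    holds the new one until commit, so a failed deployment can fall back."""
    name: str
    verbs: frozenset                 # command verbs this model understands
    running: Tuple[str, ...] = ()
    staged: Optional[Tuple[str, ...]] = None
    log: List[str] = field(default_factory=list)

    def prepare(self, commands) -> None:
        """Phase 1: parse into the spare block; on error, running is untouched."""
        for cmd in commands:
            if cmd.split()[0] not in self.verbs:
                self.staged = None
                raise ValueError(f"{self.name}: unknown command {cmd!r}")
        self.staged = tuple(commands)
        self.log.append("prepared")

    def commit(self) -> None:
        """Phase 2: swap the blocks; the old configuration stays for rollback."""
        self.running, self.staged = self.staged, self.running
        self.log.append("committed")

    def abort(self) -> None:
        self.staged = None
        self.log.append("aborted")


def deploy(devices: List[Device], configs: Dict[str, List[str]], order=None) -> bool:
    """Two-phase commit over all enforcement points, in the given update order.
    Every device must accept its candidate before any device switches; if one
    rejects, all are aborted and keep their previous configuration."""
    order = order or [d.name for d in devices]
    by_name = {d.name: d for d in devices}
    try:
        for name in order:
            by_name[name].prepare(configs[name])
    except ValueError:
        for d in devices:
            d.abort()
        return False
    for name in order:
        by_name[name].commit()
    return True


def run_demo():
    """Constructed scenario: fw_b does not understand `ipsec`, so the first
    deployment rolls back everywhere; the corrected one goes through."""
    fw_a = Device("fw_a", frozenset({"access", "ipsec"}))
    fw_b = Device("fw_b", frozenset({"access"}))
    tunnel = Rule("eng", "internet", "http", "tunnel")
    permit = Rule("eng", "internet", "http", "permit")
    order = ["fw_b", "fw_a"]     # explicit update order
    first = deploy([fw_a, fw_b], {"fw_a": render([tunnel]), "fw_b": render([tunnel])}, order)
    second = deploy([fw_a, fw_b], {"fw_a": render([tunnel]), "fw_b": render([permit])}, order)
    return first, second, fw_a, fw_b
```

After the failed first deployment both devices still run their previous (empty) configuration; after the successful second one each device's `staged` block holds the configuration it ran before, which is what the two-block scheme keeps available for fallback.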
Policy standards and Related work
• Much standardization has been motivated by QoS requirements
rather than security
• The IETF Policy Framework working group is trying to standardize policy schemas
that can be implemented in LDAP directories
• COPS
– Defined in the RSVP Admission Policy (RAP) working group as a standard protocol
for moving policy to the devices
– Provides a more compact, standard protocol for automating policy changes
– RSVP can use COPS to query policy information from a policy server
• Related Work
– Guttman: describes a language for global filtering policies and algorithms;
differs in the input policy language
– Bartal, Mayer, et al.: firewall filtering, a similar attempt to derive per-device
configuration from a global policy; differs in the description and inheritance scheme
Conclusions & Future work
• Policy-based management has many benefits of delivering consistent,
correct, and understandable network systems
• The benefits of policy-based management will grow as network
systems become more complex and offer more services (security
service and QoS)
• If PBMS has sufficient information about the network topology, the
compiler takes care of the details of generating consistent device
configurations
• First-generation policy-based management systems are already useful,
but many improvements are needed in the next generation
– Improved download method
– Better device support
– Improved mapping transformations
References
• S. Hinrichs, "Policy-based management: bridging the gap", Proceedings of the
15th Annual Computer Security Applications Conference (ACSAC '99), 1999, pp. 209-218
• J. Strassner, E. Ellesson, and B. Moore, "Policy Framework Core
Information Model", Internet Draft, May 17, 1999
• Cisco Systems, San Jose, CA, Cisco Secure Policy Manager
Tutorial, 1999
• J. Boyle et al., "The COPS (Common Open Policy Service)
Protocol", Internet Draft, February 1999