Marco Cremonini wrote:
>The problem is: We would like to implement/adopt a high-level
>specification language for the definition of a security policy,
>something that should let to specify the policy at organizational
>level. Such a policy should then be translated into specific fw rules.

Here's one question -- can you actually completely describe a
sensible policy in terms of just firewall rules?? My guess is
that to establish a fully worked policy you'll need to include
user-level specifications, authentication states, log actions to
take, encryption levels, and potentially even application-level

A typical statement that a fully worked policy might need to
implement could look like:
"Allow any users in group FOO to access data from
table BAR on host BLECH once they have authenticated
over an encrypted link."

>I'm puzzled because it's not a new problem, but I can't find good
>references. Several standards, especially in the XML-Web Services
>area, have been proposed by W3C, OASIS etc., to define security
>policies, but to me they seem quite useless in our case since I can't
>see how and why Web Services should be integrated in this context.

I think that may be your problem. What happens is that trying
to fully specify a policy description language becomes a huge
plate of spaghetti. Eventually your policy description language
becomes, urrrr, C. So many people who approach the problem
try to approach it for a simple application: firewall rules or
XML or whatever. Even that is hard.


firewall-wizards mailing list