This is a cryptographically signed message in MIME format.

--===============1866283112==
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature";
micalg=sha1; boundary="------------ms070305010408000307080103"

--------------ms070305010408000307080103
Content-Type: multipart/mixed; boundary="------------030307060307070502000104"

This is a multi-part message in MIME format.
--------------030307060307070502000104
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

How about English, or the language(s) native to your organization?

I think there are real dangers in assuming that you can articulate a
policy in a metalanguage, force it through a policy UI or script, and
produce a policy configuration. Especially as I find myself dragged into
more situations where the asset values and risks are high and the
sophistication level of the users is low, it's much more important to
write security policies and AUPs that the folks who are the root cause
of most security problems will read and actually understand.

I've found that "simple pictures are best". Short, active tense
sentences that read like commandments are easily translated into a
policy configuration, especially if you include conditionals:

"If you are a member of the accounting department, the only server you
may access is accounting.example.com. The only services you may access
on accounting.example.com are X, Y, and Z. You may not access these
services on weekends. You must use your SecureID token and PIN to access
these services..."

If you can write it concisely, you can probably configure it precisely.

Marco Cremonini wrote:
> Hi all,
> I would like to ask you a suggestion for a project we are
> developing.
> The project aims to automate some monitoring functionality with
> firewall policy management (just iptables, at present).
> The problem is: We would like to implement/adopt a high-level
> specification language for the definition of a security policy,
> something that should let us specify the policy at organizational
> level. Such a policy should then be translated into specific fw rules.
>
> I'm puzzled because it's not a new problem, but I can't find good
> references. Several standards, especially in the XML-Web Services
> area, have been proposed by W3C, OASIS etc., to define security
> policies, but to me they seem quite useless in our case since I can't
> see how and why Web Services should be integrated in this context.
>
> I've found out that Mitre has a language, Oval
> (http://oval.mitre.org/index.html), which could be considered,
> although more focused on vulnerability and assessment.
>
> Otherwise, many have designed ad-hoc languages (I guess, just using
> GNU Flex&Bison or the like for their definition).
>
> Before going for yet-another-adhoc-language I just want to ask if
> anybody knows a good standard or reference specification language.
>
> Thank you.
> Marco
>
> ===================================
> Marco Cremonini
> cremonini@dti.unimi.it
> Dept. of Information Technology
> University of Milan
> Via Bramante 65 - 26013 Crema (CR), Italy
> ===================================
>
>
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailma...rewall-wizards
>


--------------030307060307070502000104
Content-Type: text/x-vcard; charset=utf-8;
name="dave.vcf"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
filename="dave.vcf"

begin:vcard
fn:David Piscitello
n:Piscitello;David
adr;dom:;;3 Myrtle Bank Lane;Hilton Head;SC;29926
email;internet:dave@corecom.com
x-mozilla-html:FALSE
url:http://hhi.corecom.com/weblogindex.htm
version:2.1
end:vcard


--------------030307060307070502000104--

--------------ms070305010408000307080103
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature

--------------ms070305010408000307080103--

--===============1866283112==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline


--===============1866283112==--
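
Added example, not part of the original thread and not code from either poster: the quoted accounting-department policy written as one structured clause and compiled to iptables rules, with the one condition a packet filter cannot check reported separately. The source subnet and the ports standing in for services X, Y and Z are assumptions, as are the names Clause and compile_clause.

```python
# Constructed policy data: subnet and ports are assumptions, not from the thread.
from dataclasses import dataclass, field

@dataclass
class Clause:
    group_net: str               # source network of the department (assumed)
    server: str                  # the only server the group may access
    services: dict               # name -> (proto, port); ports are assumed
    weekdays_only: bool = False  # "You may not access these services on weekends"
    requires: list = field(default_factory=list)  # non-network conditions

ACCOUNTING = Clause(
    group_net="10.10.20.0/24",
    server="accounting.example.com",
    services={"X": ("tcp", 443), "Y": ("tcp", 1521), "Z": ("tcp", 22)},
    weekdays_only=True,
    requires=["SecureID token and PIN"],
)

def compile_clause(c, chain="FORWARD"):
    """Return (rules, unenforced): ordered iptables commands, plus the
    conditions iptables cannot check and another control must enforce."""
    # xt_time evaluates in UTC unless --kerneltz is given.
    when = " -m time --weekdays Mon,Tue,Wed,Thu,Fri" if c.weekdays_only else ""
    rules = []
    for name, (proto, port) in sorted(c.services.items()):
        # A hostname after -d is resolved once, when the rule is loaded.
        rules.append(
            f"iptables -A {chain} -s {c.group_net} -d {c.server} "
            f"-p {proto} --dport {port}{when} "
            f'-m comment --comment "service {name}" -j ACCEPT'
        )
    # "the only server you may access": drop everything else from the group.
    # Return traffic is assumed to be handled by a separate conntrack rule.
    rules.append(f"iptables -A {chain} -s {c.group_net} -j DROP")
    return rules, list(c.requires)

if __name__ == "__main__":
    rules, unenforced = compile_clause(ACCOUNTING)
    print("\n".join(rules))
    for cond in unenforced:
        print(f"# not enforceable in iptables: {cond}")
```

The token-and-PIN sentence comes back in the unenforced list: it is part of the written policy but has to be configured in the authentication layer, not the packet filter.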