Page 1 /HP-Labs Bristol Mar. 2003 © E. Lupu, M. Sloman, 2003 Policy Based Network Management...

Page 1:

Policy Based Network Management

[Figure labels: Control actions, Decisions, Managed Objects, Monitor, Events, Manager Agent, Policies, New functionality, Programmable Networks]

Page 2:

Security Specification

E-commerce, healthcare – multiple organisations

Complex security policies with many constraints and exceptions

Common security policy specification which can map onto heterogeneous implementation mechanisms for OS, firewalls, databases ...

Need to specify security policy for groups and roles (organisational positions)

Need to manage security – what actions to perform when a violation detected?

Need for analysis tools

Page 3:

Policy Agents for Management

[Figure labels: Control, Monitoring, Obligation Policy, Authorisation Policy, Manager (Subject), Managed Object (Target)]

Page 4:

Example Policies

Who is permitted to access a service, what operations they can perform, and when. E.g. Research staff can set up video conferences between UK and USA only between 16:00 and 19:00, Monday to Wednesday.

What resources a mobile user can access when visiting a remote location

What information transformations and UI adaptations should take place when a user is mobile.

What actions should be performed when a login violation is detected.

What diagnostic tests should be performed when an error count is exceeded in a network component.

Allocate 10% of available bandwidth to voice over IP

Page 5:

Policy Definition

Rule governing choices in behaviour of the system

Derived from enterprise goals and service level agreements

Need to specify and modify policies without coding into automated agents

Policies are persistent

But can be dynamically modified

Change system behaviour without modifying implementation – not new functionality

Page 6:

Ponder Policy Framework

Domains

Primitive policies: Authorisation, Obligation, Filters, Delegation

Composite Policies

Object orientation

Page 7:

Ponder Policy Based Solutions

[Figure labels: Obligation Policies; Triggering, migration, delegation etc.; Large scale; Multiple Organisations; Domains/directories; Authorisation Policies; Security]

Page 8:

Domains – Grouping

A domain is a collection of objects which have been explicitly grouped together for management purposes e.g. to apply a common policy

(LDAP) directory

[Figure labels: People, Software Components, Hardware Components, Hub]

Page 9:

Domains – Hierarchy

Sub-domains & overlapping domains

[Figure: domain hierarchy diagram with domains A, B, C, D and E]

Page 10:

Domains and Policies

Impractical to specify policy for individual objects in large systems with many objects

Specify policy for domains

Can change domain membership without changing policy

[Figure labels: Policy, Managers, Manager Agents, Managed Objects]

Page 11:

Policy Propagation

[Figure labels: Subjects, Targets]

Page 12:

Primitive Policies

Ponder declarative notation for specifying policy

Primitive policies: Authorisation, Obligation, Filters, Delegation

Page 13:

Policy

Rule governing choices in behaviour of the system

Need to specify and modify policies without coding into automated agents

Policies are persistent

But can be dynamically modified

Many different types of policy – extensible notation

Page 14:

Policy Notation

Precise specification of subjects, targets, actions and constraints for authorisations and obligations

Needed for both:

Human managers

Clear specification of responsibility, rights and duties – “job description”

Automated agents

Page 15:

Authorisation Policy

Defines what a subject is permitted or not permitted (prohibited) to do to a target

Permitted operations

Protect target objects from unauthorised management actions

Target based interpretation and enforcement

Page 16:

Authorisation Policies

All policies can be specified as a parameterised type from which instances can be created

    type auth+ video (subject s, string start, string end) {
        target videoChannel;
        action setup;
        when time.between (start, end); }

    inst kidsVideo = video (/family/kids, "1400", "1900");
         adultVideo = video (/family/adults, "2000", "2400");

Page 17:

Filters

Transformations on parameters of positive authorisation policies, where it is not practical to provide different operations to reflect permitted parameters

    inst auth+ employeeAccess {
        subject employees + managers ;
        target <DB> employeeDB ;
        action getEmp (empID) ;
        if (subject = employees)
            result = reject (result, salary, homeAddr);
    }

Page 18:

Negative Authorisation

Used for revocation of access rights

    inst auth- revoke {
        subject /users/JoeBloggs;
        target /resources/database ;
        action - ;    // any action
        when time.date > 30:9:2002 }

Reflect organisational policies and laws

    inst auth- nostrangle {
        subject projectmanagers;
        action strangle;
        target trainees; }

Page 19:

Default Authorisation

Default Negative: Everything forbidden unless explicitly authorised

Default Positive: Anything permitted unless explicitly forbidden

    inst auth- gateway {
        subject s=sysAdmin;
        target gateways;
        action load, enable, disable ;
        when (s.location != ComputerRoom) ; }

    auth+ gateway {
        subject s=sysAdmin;
        target gateways ;
        action load, enable, disable ;
        when (s.location = ComputerRoom) ; }
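The authorisation, filter, negative-authorisation and default-authorisation slides above, combined into one target-side decision function. This is an added sketch, not code from the slides or the Ponder toolkit. Assumptions: domains are modelled as path prefixes, the paths `/videoChannel`, `/employeeDB`, `/employees` and `/managers` and the sample record are constructed, and a matching auth- always overrides an auth+.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Optional

def in_domain(member: str, domain: str) -> bool:
    """True if path `member` is `domain` itself or nested below it."""
    return member == domain or member.startswith(domain.rstrip("/") + "/")

@dataclass
class Auth:
    name: str
    positive: bool                       # True = auth+, False = auth-
    subjects: tuple                      # union of subject domains (a + b)
    target: str
    actions: Optional[frozenset]         # None models "action - ;" (any action)
    when: Callable[[datetime], bool] = lambda now: True
    filt: Optional[Callable[[str, dict], dict]] = None   # filter on the result

    def applies(self, subj, tgt, action, now):
        return (any(in_domain(subj, d) for d in self.subjects)
                and in_domain(tgt, self.target)
                and (self.actions is None or action in self.actions)
                and self.when(now))

def between(start, end):
    """time.between(start, end) on 'HHMM' strings (inclusive, an assumption)."""
    return lambda now: start <= now.strftime("%H%M") <= end

def video(name, subject, start, end):
    """Instance of the parameterised type `auth+ video (subject s, start, end)`."""
    return Auth(name, True, (subject,), "/videoChannel", frozenset({"setup"}),
                between(start, end))

def employee_filter(subj, result):
    """if (subject = employees) result = reject (result, salary, homeAddr)"""
    if in_domain(subj, "/employees"):
        return {k: v for k, v in result.items() if k not in ("salary", "homeAddr")}
    return result

POLICIES = [
    video("kidsVideo", "/family/kids", "1400", "1900"),
    video("adultVideo", "/family/adults", "2000", "2400"),
    Auth("revoke", False, ("/users/JoeBloggs",), "/resources/database", None,
         when=lambda now: now.date() > datetime(2002, 9, 30).date()),
    Auth("employeeAccess", True, ("/employees", "/managers"), "/employeeDB",
         frozenset({"getEmp"}), filt=employee_filter),
]

def decide(subj, tgt, action, now, default_permit=False, policies=POLICIES):
    """Target-side decision: returns (permitted, filters to apply to the result)."""
    hits = [p for p in policies if p.applies(subj, tgt, action, now)]
    if any(not p.positive for p in hits):
        return False, []                 # assumption: negative policies override
    if hits:
        return True, [p.filt for p in hits if p.filt]
    return default_permit, []            # no policy applies: use the default

# Constructed record standing in for the employee database.
EMPLOYEE_DB = {7: {"name": "A. Example", "dept": "ops", "salary": 1, "homeAddr": "x"}}

def get_emp(subj, emp_id, now):
    """Enforcement point for getEmp: check authorisation, then run the filters."""
    ok, filters = decide(subj, "/employeeDB", "getEmp", now)
    if not ok:
        raise PermissionError(f"{subj} may not getEmp")
    result = dict(EMPLOYEE_DB[emp_id])
    for f in filters:
        result = f(subj, result)
    return result
```

Calling `decide` with `default_permit=True` gives the default-positive behaviour, under which only the auth- `revoke` policy can deny a request.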

Page 20:

Obligation Policy

Defines what actions a subject must do

Subject based: subject interprets policy and performs actions on targets

Event triggered obligation

Actions can be remote invocations or local scripts

Can specify sequencing or concurrency of actions

Page 21:

Obligation Example

On a TX circuit failure, replace the circuit with a backup, and, in parallel, reconfigure the transceiver with logging the failure

    type oblig fail_reconfigure (subject s, set b) {
        on failure (cir, trans, switch) ;
        target <switchT> f = b ^ {switch} ;
        do f.disable(trans, cir) -> {f.enable(trans, "backup")
            || s.log (cir, trans, switch); }
    }

    inst p = fail_reconfigure (.../roles/netops/, .../network/switches) ;

Page 22:

Refrain Policy

    inst refrain politeBehaviour {
        subject Agroup ;
        target AGroupNY + DGroupBoston ;
        action videoconf ;
        when (time.day=Friday); }

Similar to negative authorisation but subject based interpretation

Page 23:

Delegation Policy

Specify which actions a subject can delegate to a grantee

Must be a subset of subjects, actions and targets in an authorisation policy

[Figure labels: enable deleg; reset, enable, disable; auth+; enable auth+]

Page 24:

Delegation Example

    inst auth+ serviceMan {
        subject brManager;
        target brServices ;
        action resetSchedule, enable, disable; }

    inst deleg+ sDeleg (serviceMan) {
        subject brManager;
        grantee brEngineer ;
        action resetSchedule ; }

Note: deleg- forbids delegation
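The subset rule from the Delegation Policy slide, checked against the `serviceMan` and `sDeleg` policies above. This is an added example, not code from the slides or the Ponder toolkit. The `tooWide` and `noTemp` policies, the `allServices` and `brEngineer/temp` domains, and the rule that a matching deleg- always wins are constructed for illustration.

```python
from dataclasses import dataclass

def within(inner, outer):
    """True if domain `inner` is `outer` or a sub-domain of it."""
    return inner == outer or inner.startswith(outer.rstrip("/") + "/")

@dataclass(frozen=True)
class Auth:
    name: str
    subject: str
    target: str
    actions: frozenset

@dataclass(frozen=True)
class Deleg:
    name: str
    positive: bool           # True = deleg+, False = deleg-
    auth: Auth               # authorisation policy the delegation refers to
    subject: str             # grantor
    grantee: str
    actions: frozenset
    target: str = ""         # empty: same targets as the auth policy

def violations(d):
    """Ways in which a delegation policy exceeds its authorisation policy."""
    out = []
    if not within(d.subject, d.auth.subject):
        out.append(f"subject {d.subject} is outside {d.auth.subject}")
    extra = d.actions - d.auth.actions
    if extra:
        out.append("actions not authorised: " + ", ".join(sorted(extra)))
    if d.target and not within(d.target, d.auth.target):
        out.append(f"target {d.target} is outside {d.auth.target}")
    return out

def covers(d, grantor, grantee, action):
    return (within(grantor, d.subject) and within(grantee, d.grantee)
            and action in d.actions)

def delegate(delegs, grantor, grantee, action):
    """Return the auth+ created for the grantee, or raise PermissionError."""
    live = [d for d in delegs if covers(d, grantor, grantee, action)]
    if any(not d.positive for d in live):
        raise PermissionError("forbidden by a deleg- policy")
    for d in live:
        if not violations(d):            # only well-formed deleg+ policies count
            return Auth(f"{d.name}:{grantee}", grantee,
                        d.target or d.auth.target, frozenset({action}))
    raise PermissionError("no valid deleg+ policy covers this delegation")

# The two policies from the slide.
serviceMan = Auth("serviceMan", "brManager", "brServices",
                  frozenset({"resetSchedule", "enable", "disable"}))
sDeleg = Deleg("sDeleg", True, serviceMan, "brManager", "brEngineer",
               frozenset({"resetSchedule"}))
# Constructed: a delegation that asks for more than serviceMan grants.
tooWide = Deleg("tooWide", True, serviceMan, "brManager", "brEngineer",
                frozenset({"enable", "shutdown"}), "allServices")
# Constructed: a deleg- that forbids delegating to temporary engineers.
noTemp = Deleg("noTemp", False, serviceMan, "brManager", "brEngineer/temp",
               frozenset({"resetSchedule"}))
DELEGS = [sDeleg, tooWide, noTemp]
```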

Page 25:

Composite Policies

Group Policies

Manager position roles and component roles

Role relationships

Management structures

Object orientation

Page 26:

Group Policies

Defines a syntactic scope for specifying a set of related policies to be instantiated at the same time + constraints on the policies

    type group serviceFail (set <manager> m, set <service> s) {
        constraint c = time.between("0800","1800");
        inst auth+ scheduleReset {
                 subject m ; target s;
                 action resetSchedule; when c;}
             oblig failReset {
                 subject m; target s;
                 on failure do resetSchedule;
                 when c;}
    }

Page 27:

User Representation Domain

Persistent representation of a registered user

URD is subject of policies applying to a specific person

At login adapter object created to represent and act on behalf of person in system – command interpreter

[Figure labels: auth+, Personal Resources, Adapter, URD]

Page 28:

Roles

Role groups the rights and duties related to a position in an organisation

E.g., network operator, network manager, finance director, ward-nurse

Specify policy in terms of roles rather than persons

Do not have to re-specify policies when person assigned to new role

Page 29:

Manager Roles

[Figure labels: Position Domain, Role Policies, Target Managed Objects, Role, Agent, auth+ connect, User Representation Domain, Adapter]

Page 30:

Role Example

    type role op (set t) {
        // restarts failed equipment in target domain t
        inst oblig restart {
            target f = t ^ {id};
            on failure (id);
            do f.restart () -> f.run_self_test() ;}
        // other authorisation and obligation policies
        …
    }

Page 31:

Role Instances

Multiple operator role instances

Different persons assigned to roles

Different target components

Similar policies

Role Type

Reuse of role specification

[Figure labels: London Site, Paris Site, Site policies]

Page 32:

Role Specialisation

Derive new composite policy specifications from existing ones

Specialise roles by adding policies

Inheritance

[Figure labels: Operator, Router Operator, Network Administrator, Policy]

    type role routerOp (…) extends op(…), { … }

    type role netAdminT(…) extends op(…), { … }

Page 33:

Example Specialised Role

    type role routerOp (set <routers_type> r) extends op (r) {
        // On link failure the link must be reset.
        inst oblig reset {
            target t = r ^ {router} ;
            on link_failure (x, router)
            do t.reset (x) ; }
        // other policies
    }

    inst LondonOp = routerOp (londonNetwork);
         ParisOp = routerOp (parisNetwork);

Page 34:

Component Roles

Group policies related to a particular type of network component e.g. edge or core router

Use same hardware for both types of routers

Role defines policies applying to (i.e. loaded onto) router hardware which is assigned to a role

Page 35:

Role Relationships

Relationships:

Rights and duties of roles towards each other

Usage of shared resources

Interaction protocols

    type rel qSupervision (routerOp netOp, qEdgeRtr qAgent) {
        inst oblig report {
                 subject qAgent ;
                 on timer.at (1800);
                 do report(q_info);
                 target netOp; }
             auth+ config {
                 subject netOp ;
                 action setStrategy;
                 target qAgent; }
    }

[Figure labels: queue config. role (qEdgeRtr), router operator, queue supervision, site network, core network, edge router]

Page 36:

Management Structures 1

Configurations of roles and relationships in organisational units

[Figure labels: qos, traffic, queue config. role (qEdgeRtr), router operator, queue supervision, site network, edge router, admission control, traffic shaping, config]

Page 37:

Management Structures 2

    type mstruct trafficT (domain site) {
        import /type/qEdgRtr, /type/routerOp, /type/qSupervision;
        domain rtr = site/routers;
        inst role netOp = routerOp (rtr);
                  qAgent = qEdgRtr (rtr);
             rel qs = qSupervision (netOp, qAgent);
             mstruct qos {
                 inst role admControl {…};
                           trShaping {…};
                      rel selectTraffic {…}; } ;
             rel configAdmission {
                 inst auth+ { subject netOp; target qos.admControl; action update ( ) }
             }
    }

Page 38:

Organisational Patterns

    inst mstruct london/tr1 = trafficT(london)
                 paris/tr2 = trafficT(paris)

[Figure labels: London network, Paris network, core network, edge router, tr1, tr2]

Page 39:

Ponder Summary

[Figure: Object Meta Model Class Hierarchy. Labels: Object; MetaPol, CompositePolicy, BasicPolicy; auth, oblig, refrain, deleg, role, mstruct; auth+, auth-, deleg+, deleg-; group, rel]

Page 40:

Conflicts

Modality conflict detection and resolution

Policy priority

Semantic conflicts and meta-policies

Policy analysis tools

Page 41:

Multiple Policies May Apply

An object can be a member of multiple domains (overlap)

Multiple policies can apply to single domain

Need conflict detection and resolution

[Figure labels: Performance Policy; testB, query; Security Policy; testA, testB, query, stop, start]

Page 42:

Modality Conflicts

Potential conflict from overlap of subjects, targets and actions

3 types: auth+/auth-, oblig/auth-, oblig/refrain

Note: auth+/refrain is not a conflict

Detected by syntactic analysis

[Figure labels: Actions, +ve, -ve]

Page 43:

Example Conflicts

    inst auth- bootWS {
        subject students;
        target workstations;
        action reboot ; }

Exception:

    inst auth+ projectWS {
        subject smith;
        target workstations/project;
        action reboot ; }

[Figure labels: reboot, auth+, auth-, Students, Workstations, Project, Smith]

Page 44:

Precedence

Can resolve some conflicts automatically by specifying precedence. e.g.:

Negative policies override: Does not permit positive exceptions to negative policies.

Specified Priorities: Hard to define priority. Several managers may specify inconsistent priority

Evaluating a ‘distance’ between a policy and the object to which it refers

Refinement level – more concrete overrides?

Time of last update – more recent overrides?

Page 45:

Domain Nesting Precedence

A particular type of distance based on domain nesting
Priority given to the policy which is more specific for either subjects or targets
Intuitive, flexible, allows incremental specifications and exceptions
Not always valid

[Figure labels: reboot; auth+; auth-; Students; Workstations; Project; Smith]


Determined & Undetermined Cases

P2 overrides P1 for the areas in which they overlap

No precedence between P1 and P2 can be determined

[Figure: six diagrams of overlapping policies P1 and P2]

and symmetric ...
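Added example (not from the slides or the Ponder toolkit): the syntactic auth+/auth- conflict check and domain-nesting precedence applied to the bootWS/projectWS policies above. Assumptions: domains are modelled as path prefixes, smith is placed at students/smith, the smithAll and projLock policies are constructed, and a pair in which each policy is more specific on a different axis is treated as undetermined.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    mode: str            # "auth+" or "auth-"
    subject: str         # domain path (assumed model), e.g. "students/smith"
    target: str          # domain path, e.g. "workstations/project"
    actions: frozenset


def nesting(a, b):
    """'equal', 'inside' (a nested in b), 'contains' (b nested in a), None if disjoint."""
    pa, pb = a.strip("/").split("/"), b.strip("/").split("/")
    if pa == pb:
        return "equal"
    if pa[:len(pb)] == pb:
        return "inside"
    if pb[:len(pa)] == pa:
        return "contains"
    return None


def overlap(p, q):
    """Syntactic analysis: opposite modality, a shared action, and overlapping
    subject and target domains. Returns (subject_rel, target_rel) or None."""
    if {p.mode, q.mode} != {"auth+", "auth-"}:
        return None
    if not (p.actions & q.actions):
        return None
    s, t = nesting(p.subject, q.subject), nesting(p.target, q.target)
    if s is None or t is None:
        return None
    return s, t


def precedence(p, q):
    """Domain-nesting precedence: the overriding policy, or None if undetermined."""
    rel = overlap(p, q)
    if rel is None:
        raise ValueError("policies do not conflict")
    rels = set(rel)
    if rels == {"equal"}:
        return None                      # identical scope: nesting cannot decide
    if rels <= {"inside", "equal"}:
        return p                         # p is more specific and never less
    if rels <= {"contains", "equal"}:
        return q                         # q is more specific and never less
    return None                          # crossed nesting: undetermined


def analyse(policies):
    """List (p, q, winner) for every conflicting pair; winner is None if undetermined."""
    report = []
    for i, p in enumerate(policies):
        for q in policies[i + 1:]:
            if overlap(p, q) is not None:
                w = precedence(p, q)
                report.append((p.name, q.name, w.name if w else None))
    return report


REBOOT = frozenset({"reboot"})
POLICIES = [
    # The two policies from the "Example Conflicts" slide.
    Policy("bootWS", "auth-", "students", "workstations", REBOOT),
    Policy("projectWS", "auth+", "students/smith", "workstations/project", REBOOT),
    # Constructed policies that produce an undetermined pair.
    Policy("smithAll", "auth+", "students/smith", "workstations", REBOOT),
    Policy("projLock", "auth-", "students", "workstations/project", REBOOT),
]

if __name__ == "__main__":
    for p, q, winner in analyse(POLICIES):
        print(f"{p} vs {q}: {winner or 'undetermined'}")
```

The undetermined pair (smithAll vs projLock) is the kind of case that still needs an explicit priority or a manual decision.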


Precedence between policies


The Conflict Detection Tool

[Screenshot labels: P1; P2; positive policies; negative policies; message distinguishes: O+/refrain, O+/A-, A+/A-]


Policy Analysis, Refinement and Validation

Policy Analysis – policy analysis is insufficient
    Consider constraints when detecting conflicts
    Identify which situations lead to conflict
    Reason with partial specifications
Policy Refinement – derive policies from SLAs and business goals
    Not automatable but can apply refinement patterns
    Maintain consistency during refinement
    Ensure completeness – refined policies fully implement more abstract ones
Policy Validation – Can a policy be implemented?


Policy Refinement

Goal refinement
Policy Refinement
Relationship to Requirements Engineering


Policy Refinement

Policies are derived from business and organisational goals or service level agreements (SLA)
Goals are progressively refined into operational policy specifications – refinement hierarchy
Leaf policies mapped onto implementation mechanisms, e.g. ACL or router interface
Similar to refining requirements and going from specification to implementation
Cannot be fully automated
Use requirements engineering techniques for elicitation of non-functional requirements


Policy Refinement

oblig videoconf {
    subject NetMan;
    target users/groupA;
    do /* setup videoconf facilities */;
    when time.between("14:00", "15:00");
}

oblig enable {
    on timer.at("13:55");
    subject NetMan;
    do enable();
    target pol/vid_reserve;
}

oblig disable {
    on timer.at("15:00");
    subject NetMan;
    do disable();
    target pol/vid_reserve;
}

auth+ polauth {
    subject NetMan;
    action enable, disable;
    target pol/vid_reserve;
}

oblig lower_reserve {
    on request(bw, chanId);
    subject edgeRouter;
    do reduceReserved(bw);
    target chan/chanId;
    when bw < getReserved(chanId);
}

oblig increase_reserve {
    on request(bw, chanId);
    subject edgeRouter;
    do increaseReserve(min(bw,x));
    target chan/chanId;
    when bw > getReserved(chanId);
}


Challenges

Refinement does not preserve policy modality
    e.g., an obligation may be refined to a set of obligation, refrain, authorisation and delegation policies
Refinement may introduce inconsistencies
The set of refined policies may not fully implement the goal they were refined from

Preserve consistency
Ensure Coverage


Static Analysis Approach

Need both system behavioural model and policies.
Abduction applied to Event Calculus representation.

[Figure labels: Conflict specification; A; B; C; Behavioural model of managed objects; Translation to Event Calculus; Ponder Policies; Conflicts]


Analysis & Refinement: Current Status

Representation of policies in Event Calculus
    A. Bandara, E. Lupu, A. Russo. Using Event Calculus to Formalise Policy Specification and Analysis. Policy 2003, (see last slide).
Currently 2 point timeline -> Generalisation.
Stratification -> Decidable. Computable in polynomial time.

Future Work
    Generalisation to infinite discrete timeline.
    Identify and express requirements patterns.
    Use goal regression to elaborate plans of actions and identify alternatives for refinement.


Constraints

Only potential modality conflicts are detected, as constraints may limit the applicability of a policy, e.g., to a particular time interval

Typed Constraints:

inst auth+ lineop {
    subject s = operators;
    actions enable, disable, reset, off;
    target Sregion;
    when time.between(0800,1800) and s.state = 'active';
}

inst auth- lineop {
    subject s = operators;
    actions enable, disable, reset, off;
    target Sregion;
    when time.between(1600,2400) and s.state = 'standby';
}

[Figure axes: time; subject state]
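Added example (not from the slides or the Ponder toolkit): a small parser for the two kinds of `when` term used in the lineop policies, used to decide whether a potential auth+/auth- conflict can actually occur and in which time window. Assumptions: only `time.between(HHMM,HHMM)` and `s.state = '...'` terms joined by `and` are supported, and the third clause is constructed.

```python
import re

BETWEEN = re.compile(r"time\.between\(\s*(\d{4})\s*,\s*(\d{4})\s*\)")
STATE = re.compile(r"s\.state\s*=\s*'([^']+)'")


def parse_when(clause):
    """Parse a conjunction of constraint terms.
    Returns (start_minute, end_minute, state); state is None if unconstrained."""
    start, end, state = 0, 24 * 60, None
    for term in re.split(r"\s+and\s+", clause.strip()):
        m = BETWEEN.fullmatch(term)
        if m:
            lo, hi = (int(v[:2]) * 60 + int(v[2:]) for v in m.groups())
            start, end = max(start, lo), min(end, hi)
            continue
        m = STATE.fullmatch(term)
        if m:
            if state is not None and state != m.group(1):
                raise ValueError("clause requires two different states")
            state = m.group(1)
            continue
        raise ValueError(f"unsupported constraint term: {term!r}")
    return start, end, state


def hhmm(minutes):
    return f"{minutes // 60:02d}{minutes % 60:02d}"


def conflict_window(when_a, when_b):
    """Situation in which both policies apply: (start, end, state), or None
    when the constraints can never hold at the same time."""
    a0, a1, sa = parse_when(when_a)
    b0, b1, sb = parse_when(when_b)
    start, end = max(a0, b0), min(a1, b1)
    if start >= end:
        return None                      # time windows are disjoint
    if sa is not None and sb is not None and sa != sb:
        return None                      # subject cannot be in both states
    return hhmm(start), hhmm(end), sa if sa is not None else sb


# The two clauses from the slide.
AUTH_PLUS = "time.between(0800,1800) and s.state = 'active'"
AUTH_MINUS = "time.between(1600,2400) and s.state = 'standby'"
# Constructed variant: the negative policy without the state constraint.
AUTH_MINUS_ANY_STATE = "time.between(1600,2400)"

if __name__ == "__main__":
    print(conflict_window(AUTH_PLUS, AUTH_MINUS))
    print(conflict_window(AUTH_PLUS, AUTH_MINUS_ANY_STATE))
```

The slide's pair overlaps in time (1600 to 1800) but never in subject state, so the potential conflict flagged by syntactic analysis cannot occur; dropping the state term from the negative policy makes it real.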


Semantic Conflicts

Types of conflict:
    separation of duty e.g., the same person is not allowed to authorise payments and initiate them
    self-management e.g., a manager cannot authorise its own expenses
    conflict for resources e.g., not more than 5 persons are authorised to change the DB
Need to specify the conditions which result in conflict
Constraints on a set of policies (Meta-Policies).
    Specified using Prolog, OCL
    Included in composite policies such as roles or mstructs


Separation of Duties

/policies/accounting->exists (P1, P2 |
    P1.subjects->intersection(P2.subjects)->notEmpty and
    P1.actions->exists(a | a.name = ‘authorise’) and
    P2.actions->exists(a | a.name = ‘initiate’) and
    P1.targets->intersection(P2.targets)->exists(t | t.isOclKindOf(payment)))
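Added example (not from the slides or the Ponder toolkit): the three semantic-conflict types from the previous slide written as meta-policy checks over a set of authorisation policies, with the separation-of-duty check following the OCL expression above. Assumptions: subjects are already expanded to individual names, targets carry a `kind` and a hypothetical `owner` field, the action name `change` stands for changing the DB, and all sample policies are constructed.

```python
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Target:
    name: str
    kind: str            # e.g. "payment", "expense", "db"
    owner: str = ""      # hypothetical field: who an expense claim belongs to


@dataclass(frozen=True)
class AuthPolicy:
    name: str
    subjects: frozenset  # individual subject names
    actions: frozenset
    targets: frozenset   # of Target


def separation_of_duty(policies):
    """Pairs (P1, P2) where P1 grants 'authorise', P2 grants 'initiate', the
    subjects intersect and a shared target is a payment. P1 may equal P2."""
    hits = []
    for p1, p2 in product(policies, repeat=2):
        shared_subjects = p1.subjects & p2.subjects
        shared_payments = [t for t in p1.targets & p2.targets if t.kind == "payment"]
        if (shared_subjects and shared_payments
                and "authorise" in p1.actions and "initiate" in p2.actions):
            hits.append((p1.name, p2.name, sorted(shared_subjects)))
    return hits


def self_management(policies):
    """Policies that let a subject authorise an expense it owns."""
    return [(p.name, t.name)
            for p in policies if "authorise" in p.actions
            for t in sorted(p.targets, key=lambda t: t.name)
            if t.kind == "expense" and t.owner in p.subjects]


def resource_limit(policies, action="change", kind="db", limit=5):
    """Subjects authorised for `action` on a target of `kind`, if more than `limit`."""
    people = set()
    for p in policies:
        if action in p.actions and any(t.kind == kind for t in p.targets):
            people |= p.subjects
    return sorted(people) if len(people) > limit else []


# Constructed sample policy set.
INVOICES = Target("invoices", "payment")
BILLING_DB = Target("billing_db", "db")
POLICIES = [
    AuthPolicy("approve", frozenset({"alice", "bob"}), frozenset({"authorise"}),
               frozenset({INVOICES})),
    AuthPolicy("raise", frozenset({"bob", "carol"}), frozenset({"initiate"}),
               frozenset({INVOICES})),
    AuthPolicy("expenses", frozenset({"dave"}), frozenset({"authorise"}),
               frozenset({Target("dave_claim", "expense", "dave"),
                          Target("erin_claim", "expense", "erin")})),
    AuthPolicy("dba", frozenset({"a1", "a2", "a3", "a4"}), frozenset({"change"}),
               frozenset({BILLING_DB})),
    AuthPolicy("oncall", frozenset({"a4", "a5", "a6"}), frozenset({"change"}),
               frozenset({BILLING_DB})),
]

if __name__ == "__main__":
    print("separation of duty:", separation_of_duty(POLICIES))
    print("self-management:   ", self_management(POLICIES))
    print("resource limit:    ", resource_limit(POLICIES))
```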


Implementation Issues

Policies as objects
Implementation architecture
Obligation policy agent
Authorisation policy agent
Policy deployment
Ponder compiler output


Protecting Policies

Basic policy is implemented as LDAP object
    most primitive unit
    Source text = object attribute
    Can generate XML – store as another attribute
Composite policy derived from domain object
Policy objects can be protected by authorisation policies

[Figure labels: Security Administrator role; Policy service; Edit, enable, disable, remove; auth+]


Policy Implementation

[Figure labels: Query targets; Domain service; Query subjects & targets; Policy Management Agents (Subjects); Obligation & Refrain Policies; Authorisation Policies; Target Objects; Actions; Events; Monitoring service; Policy service; Edit, enable, disable ...]


Policy Management Agent

[Figure labels: Events; Operations on target objects; Distribute, Remove, Enable, Disable obligation & refrain policies; Load, Unload code; Execution Environment; Agent specific functions; Programming; Policies; Generic Interface; Application Specific Interface]


Authorisation Agent

[Figure labels: Load, Remove, Enable, Disable policies; Policies; Map onto operating system or object-support access control mechanisms; Authentication]


The Life of a Policy

[Figure labels: Policy Spec.; write; compile; Policy Class; instantiate; Policy Object; Dormant]


The Life of a Policy (load)

[Figure labels: Policy Object; load; Enforcement Agents; Enforcement Objects; instantiate; Dormant; Loaded]


The Life of a Policy (enable, disable, …)

[Figure labels: Policy Object; enable; Enforcement Agents; Access Controllers (Authorisation Policies); Policy Management Agents (Obligation & Refrain Policies); states: Deleted, Dormant, Loaded, Enabled; transitions: instantiate, load, unload, enable, disable]


Loading an Authorisation Policy

1 EA for each Target Object Host
1 EO per EA per Host

[Figure labels: Policy Object; Enforcement Agents (EA); Enforcement Objects; Target Set]


Loading an Obligation/Refrain Policy

Each Subject Object is an Enforcement Agent!

[Figure labels: Policy Object; Enforcement Agents; Subject Set]


Enforcement (Obligation/Refrain)

OPO (Obligation Policy Object)
RPO (Refrain Policy Object)
OEO (Obligation Enforcement Object)
REO (Refrain Enforcement Object)

[Figure labels: OPOs; RPOs; OEOs; REOs; ACs; Access Controllers; Policy Management Agent; Event Service; eventEngine; eventHandler; obligMethod; checkRefrain; checkRefrains; load, enable, ..; enable, disable; register, ...; numbered steps 1 to 9]


Policy Refinement

Goal refinement
Relationship to Requirements Engineering
Analysis
Refinement tools


Case Study

Scenario overview
Management Structures
Roles
Policies


GSM Networks

[Figure labels: Base Transceiver Stations (BTS); Base Station Controllers (BSC); Mobile Switching Centre (MSC); Gateway MSC; SS7; Visitor Location Register (VLR); Home Location Register (HLR); Equipment Identity Register (EIR); Operations & Maintenance Centre (OMC); OMC-Radio; Network Element Administrator; Help Desk; Operations; Network; Management Servers; connection; control]


Scenario Overview

OA&M of GSM networks
Problem characterised by:
    large scale
    large number of policies
    multiple instances of roles which often work in teams, e.g., network administrators, switch administrators, help-desk staff
Need to define:
    geographical repartition and organisational structure
    the roles and the rights and duties corresponding to those roles


National Network

[Figure labels: Regions; Branches; SS7; VLR; HLR; EIR; Visitor Location Register; Network Element Administrator; Help Desk; MSC; BSC; BTS]


Organisational Roles

Help-Desk staff (HD) provide the interface between customers and the company (not elaborated in this scenario).

Telephone Service Engineers (TSE) investigate faults occurring between mobile stations and base transceiver stations, and determine whether a base network operator should be alerted to deal with the fault.

Base Network Operators – Switches (BNoS) are responsible for managing the Mobile Switching service Centre (MSC) and Visitors Location Register (VLR)

Base Network Operators – Radio (BNoR) are responsible for Base Transceiver Systems (BTS)

Network Element Administrators (NEA) perform all on-site management tasks requested by BNoS and BNoR


Management Structures – Branch

[Figure labels: Branch; Customer care; HD1; HD2; TSE; Net. Elt. Management; BNoS; BNoR; NEA1; NEA2]


Branch Management Structure

mstruct branch(domain d, domain nw) {
    import custcare; netelements;

    inst mstruct cc = custcare (d, nw);
         mstruct ne = netelements (d, nw);

    type rel radiofail (role eng, role radio_op) { … }
    // procedures for radio failures investigation

    inst rel f = radiofail(cc.tse, ne.bnor);
}

domain c = …/wales/branches/cardiff;
inst cardiff = branch (c, c/nw);

[Slide callouts: d – branch location; nw – network elts.; domain; instantiate substructures; create relationships (type if not imported); create instance of structure]


Netelements management structure

type mstruct netelements (domain br, domain nw) {
    import administrator; switch_op; radio_op;
           switch_repair; radio_repair; switch_base;
    domain r = br/roles/; a = r/nea/; s = br/rel/;

    inst role a/nea1 = administrator ( ... );
              a/nea2 = administrator ( ... );
              r/bnos = switch_op (nw/bsc/, nw/msc);
              r/bnor = radio_op (nw/bsc/);

    inst rel s/bnos_nea1 = switch_repair (bnos, nea1);
             s/bnos_nea2 = switch_repair (bnos, nea2);
             s/bnor_nea1 = radio_repair (bnor, nea1);
             s/bnor_nea2 = radio_repair (bnor, nea2);
             s/bnos_bnor = switch_base (bnos, bnor);
}

[Figure labels: BNoS; BNoR; NEA1; NEA2]


Base and Switch Operators

type role base_op (set n) {
    inst oblig restart {
        target f = n^{id};
        on failure(id);
        do restart()->runSelfTest();
    }
}

role switch_op (set <bsc> bscd, msc m) extends base_op (bscd) {
    inst
    oblig reset {
        target f = bscd^{id};
        on A_failure(cir, id);
        do block(cir); reset(cir);
    }
    auth+ circuit {
        action block, reset;
        target bscd;
    }
} // switch_op

[Slide callouts: Base rights and duties for all operators; specialisation]


Radio Operator

type role radio_op (set <bsc> bscd) extends base_op(bscd) {
    inst
    oblig clearCell {
        target f = bscd^{id};
        on cellOverload(BTSid, id);
        do forceHO(BTSid);
    }
    oblig increaseTX {
        target f = bscd^{id};
        on 3*radioLinkFail(BTSid,id);
        do setTxPower(+1);
    }
    …
}

radio operators responsible for base transceiver systems
On cell overload, force a hand-over of connected mobiles
On 3 consecutive radio failures, increase BTS transmission


Authorisation Policies

type group gen_auth (set s1, set s2, hlr h, eir e, vlr v) {

constraint workHours = time.between("0800", "1800");

inst auth+ pt1 { subject s1; target h; when workHours action add, traceSubscriber, lockSubscriber; }

auth- pt2 { subject s1; target e; action blackListEquipment; }

auth+ pt3 { subject s2; target v; when workHours; action trace; checkHandover; checkRadio;} }

Common constraint definition
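The following Python sketch is an added illustration, not part of the slides and not Ponder's own implementation. It shows how the three policies of gen_auth evaluate once the group is instantiated and how the shared workHours constraint scopes pt1 and pt3. The subject and target names are constructed, and the decision rule (auth- overrides auth+, no matching policy means deny, window bounds inclusive) is an assumption.

```python
from datetime import time

def work_hours(t):
    """constraint workHours = time.between("0800", "1800"); bounds assumed inclusive."""
    return time(8, 0) <= t <= time(18, 0)

def gen_auth(s1, s2, h, e, v):
    """Instantiate the group as (name, sign, subjects, target, actions, constraint) tuples."""
    return [
        ("pt1", "+", s1, h, {"add", "traceSubscriber", "lockSubscriber"}, work_hours),
        ("pt2", "-", s1, e, {"blackListEquipment"}, None),
        ("pt3", "+", s2, v, {"trace", "checkHandover", "checkRadio"}, work_hours),
    ]

def decide(policies, subject, target, action, now):
    """Return (decision, policy name) for one request.

    Assumed semantics: a matching auth- wins over any auth+, and a request
    that no policy matches is denied.
    """
    matched = [
        (name, sign)
        for name, sign, subjects, tgt, actions, when in policies
        if subject in subjects and target == tgt and action in actions
        and (when is None or when(now))
    ]
    for name, sign in matched:
        if sign == "-":
            return ("deny", name)
    if matched:
        return ("permit", matched[0][0])
    return ("deny", None)

# Constructed instance: domain members and managed object names are hypothetical.
POLICIES = gen_auth(
    s1={"alice", "bob"}, s2={"carol"},
    h="hlr-1", e="eir-1", v="vlr-1",
)
```

Because workHours is defined once at group level, changing the window changes pt1 and pt3 together, while pt2 (the negative authorisation) applies at all times.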


Scenario Summary

Scenario exemplifies:

large number of managed objects

large numbers of distributed managers (agents)

reasonable number of policy and role types

O-O style specifications are a real benefit. However, they require regular and well planned domain structures.

Ponder approach provides an easy means for:

creating and using new policy types

structuring policies and management teams

instantiating and deploying large numbers of policies


Future Directions

Ponder future work

Conclusions

References


Comparison With Vendor Products

[Table: capabilities of each product, with a Management (M) and a Security (S) column per product. The per-product entries did not survive extraction; only the labels below are recoverable.]

Products: Tivoli, Ponder, Packeteer, Access 360, RSA Securities, Computer Assoc., HP Products, Orchestream, MS Active Directory, Cisco Assure, SolSoft, Systor, Allot

Capability rows (Management / Security), in slide order:

Service Level Agreement / Trust specification

SLA/Trust to policy refinement

Privacy management

OSS or workflow integration

Mobile and Ubiquitous systems / WAP

Inter domain policy negotiation

Policy Analysis ?

Automated deployment

Adaptive management

Roles ?

Provisioning / Single sign on

Monitoring / Web/DB access control ?

Event Correlation / Intrusion Detection

Application Management / Windows AC

QoS / Unix AC

Element Management / Firewall/router AC

Axis label: Future


Ponder Future Work

Policy based programmable networks

Policy aware applications

Policy based network elements – routers and firewalls

Direct implementation of policy in hardware (FPGAs)

Inter-organisational policy negotiation

Policy based response to network attacks

Refinement and analysis tools

Trust specification, analysis and refinement into security management policy

Case studies and implementation


Conclusions

Security specification

Authorisation, filter, refrain, delegation, role

Event-triggered obligation, role

Management

Analysis

Declarative language

Large scale

Multiple Organisations

Domains + Composite policies


Trust & Security Management

What is Trust

Trust Classification

Trust Specification

Use of Trust


What is Trust

A quantified belief by a trustor with respect to the competence, honesty, security and dependability of a trustee within a specified context

[Diagram: trust relationship from Trustor to Trustee; Context: Hotel Services]

Distrust useful for trust revocation or in default trusted environments

Quantification implies various degrees of trust/distrust


Trust Classification

1. Access to Trustor Resources, e.g. MSN Messenger

MyMachine trusts MSNMess to save files

2. Provision of Service by Trustee, e.g. e-news deliveries, email, archive

Tom trusts news.com

3. Certification of trustee, e.g. VeriSign or Brit. Medical Assoc.

4. Delegation of trust, e.g. use certification authority for trust decisions

May delegates all decisions concerning verification to her bank

5. Infrastructure trust, e.g. network, storage


Trust Specification

Trust Predicate

trust (trustor, trustee, actions, level, ) constraint set

trust (Helen, _hotel, print; processing, 50) hotelGroup ( _hotel, HolidayInn)

Distrust when level < 0

Recommend Predicate

recommend (recommendor, recommendee, actions, level) constraint set

recommend (Morris, _attendee, verifyCredential, medium) ICstaffMember (_attendee)

trust (Harry, GameCo, DownloadGames, medium) recommend (Tom, GameCo, DownloadGames, high)


Trust, Experience and Risk

Trust is not static but changes with time as a result of experience/reputation

Reputation = evaluation of experience

Need for 3rd party recommendations c.f. PGP

Trust is related to risk and value

High risk low trust

But high risk, low value may be medium trust

Trust framework must monitor experience, risk and constraints in order to dynamically update trust levels and relationships.


Trust-based Authorisation Policy

type auth+ Access ( domain sub-directory, string TrustValue){

subject Client;

target sub-directory;

action downloadMusic();

when trust+(FrontEnd, ClientApp, downloadMusic(ContentDatabase), TrustValue ) };

inst auth+ AccessHigh = Access(/BMW/ContentBase, HighTrust);

inst auth+ AccessLow = Access(/BMW/ContentBase/Restricted, LowTrust);
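The following Python sketch is an added illustration, not part of the slides and not Ponder's own implementation. It evaluates the two Access instances above against a trust store whose levels are revised by experience, as the "Trust, Experience and Risk" slide calls for. The numeric bands behind LowTrust/MediumTrust/HighTrust, the update rule, the exact-match reading of TrustValue and the object paths are assumptions.

```python
from dataclasses import dataclass

def band(level):
    """Numeric trust level -> label. Bands are assumed; level < 0 is distrust (slide)."""
    if level < 0:
        return "Distrust"
    return "LowTrust" if level < 40 else "MediumTrust" if level < 70 else "HighTrust"

@dataclass(frozen=True)
class Access:
    """One instance of the slide's 'type auth+ Access(domain, TrustValue)'."""
    domain: str
    trust_value: str

    def covers(self, path):
        # A domain covers itself and every object in its sub-domains.
        return path == self.domain or path.startswith(self.domain + "/")

POLICIES = [
    Access("/BMW/ContentBase", "HighTrust"),            # inst AccessHigh
    Access("/BMW/ContentBase/Restricted", "LowTrust"),  # inst AccessLow
]

class TrustStore:
    """trust(trustor, trustee, action) -> level, revised as experience is recorded."""
    def __init__(self):
        self.levels = {}

    def set(self, trustor, trustee, action, level):
        self.levels[(trustor, trustee, action)] = level

    def record(self, trustor, trustee, action, good):
        # Assumed update rule: slow gain on good experience, sharp loss on bad.
        key = (trustor, trustee, action)
        delta = 5 if good else -30
        self.levels[key] = max(-100, min(100, self.levels.get(key, 0) + delta))

    def label(self, trustor, trustee, action):
        level = self.levels.get((trustor, trustee, action))
        return None if level is None else band(level)  # unknown trustee: no label

def permitted(store, client_app, path):
    """auth+ only grants: permit if an instance covers path and its trust value matches."""
    label = store.label("FrontEnd", client_app, "downloadMusic")
    return any(p.covers(path) and p.trust_value == label for p in POLICIES)
```

Under the exact-match assumption, a client that falls into the MediumTrust band matches neither instance and is denied everywhere, which is the kind of gap a policy analysis step would need to flag.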


Trust Refinement & Adaptive Security

[Diagram labels: Medium Trust; Authorisations; Delegation; Monitoring and reacting to unusual behaviour; Low Trust]


Communities of Devices

[Diagram labels: External services; Trust based relationships]


Policy-driven Architecture

[Diagram labels: Context; Trust Evaluation; Trust Specification; Access Control; Authorisations; Adaptation; Adaptation policies; events; change; Filtering; Privacy; Selected information]