Declarative language for specifying a security policy6779120Abstract The invention is a declarative language system and comprises a language as a tool for expressing network security policy in a formalized way. It allows the specification of security policy across a wide variety of networking layers and protocols. Using the language, a security administrator assigns a disposition to each and every network event that can occur in a data communications network. The event's disposition determines whether the event is allowed (i.e. conforms to the specified policy) or disallowed and what action, if any, should be taken by a system monitor in response to that event. Possible actions include, for example, logging the information into a database, notifying a human operator, and disrupting the offending network traffic. Claims What is claimed is: Description BACKGROUND OF THE INVENTION
TABLE A
Built-in Objects
The following is a set of built-in language objects known to both the
policy compiler and the policy engine.
First the built-in groups. It should be noted that, unlike user-defined
groups, built-in groups cannot be extended in a policy specification.
// List of supported protocols
( group all-protocols protocol_t
( union IP UDP ICMP TCP SSL HTTP )
// NOTE: new protocols can be added as needed
)
// List of supported hash algorithms
( group hash-algorithms hash_alg_t
( union MD5 SHA1 )
)
// List of supported agent directives
( group agent-directives agent_directive_t
( union DECRYPT DISRUPT LOG_TRAFFIC )
)
// List of supported logging severity codes
( group severity-codes severity_t
( union CRITICAL HIGH MEDIUM WARNING MONITOR
INFORMATION )
)
// List of supported disposition codes
( group disposition-codes code_t
( union OK CONTINUE ACCESS_DENIED
AUTHENTICATION_VIOLATION
SECURITY_ATTACK SECURITY_QOS POLICY.sub.--
ERROR )
)
// Certificate status values for valid certificates
( group valid-certs cert_status_t
( union VALID )
)
// Certificate status values for certificates rendered invalid
( group invalid-certs cert_status_t
( union EXPIRED NOT_YET_VALID REVOKED SUSPENDED )
)
// Certificate status values for rejected certificates
( group rejected-certs cert_status_t
( union MALFORMED UNSUPPORTED_CRITICAL.sub.--
EXTENSION )
)
// Certificate status values for all bad certificates
( group bad-certs cert_status_t
( union rejected-certs invalid-certs
)
// List of all possible certificate status values
( group cert-status-values cert_status_t
( union valid-certs invalid-certs rejected-certs )
)
// List of all possible authentication status values
( group auth-status-values auth_status_t
( union SUCCEEDED REJECTED ABORTED )
)
// List of all SSL ciphersuites
( group ssl-ciphersuites ciphersuite_t
( union SSL_RSA_WITH_NULL_MD5
SSL_RSA_WITH_NULL_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_IDEA_CBC_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA
SSL_DH_RSA_WITH_DES_CBC_SHA
SSL_DH_DSS_WITH_DES_CBC_SHA
SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA
SSL_DH_ANON_EXPORT_WITH_RC4_40_MD5
SSL_DH_ANON_WITH_RC4 _128_MD5
SSL_DH_ANON_EXPORT_WITH_DES40.sub.--
CBC_SHA
SSL_DH_ANON_WITH_DES_CBC_SHA
SSL_DH_ANON_WITH_3DES_EDE_CBC_SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
SSL_DHE_RSA_EXPORT_WITH_DES40.sub.--
CBC_SHA
SSL_DHE_DSS_EXPORT_WITH_DES40.sub.--
CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_FORTEZZA_KEA_WITH_NULL_SHA
SSL_FORTEZZA_KEA_WITH_FORTEZZA.sub.--
CBC_SHA
SSL_FORTEZZA_KEA_WITH_RC4_128_SHA
SSL_V2_RC4_128_WITH_MD5
SSL_V2_RC4_128_EXPORT40_WITH_MD5
SSL_V2_RC2_CBC_128_CBC_WITH_MD5
SSL_V2_RC2_CBC_128_CBC_EXPORT40.sub.--
WITH_MD5
SSL_V2_IDEA_128_CBC_WITH_MD5
SSL_V2_DES_64_CBC_WITH_MD5
SSL_V2_DES_192_EDE3_CBC_WITH_MD5
)
)
// List of supported action codes for TCP
( group tcp-action-codes action_t
( union CONNECT
MISSED_CONNECT
TIMEOUT
ABORT
CLOSE )
)
// List of supported action codes for UDP
( group udp-action-codes action_t
ASSOCIATION
)
// List of supported action codes for IP
( group ip-action-codes action_t
ASSOCIATION
)
// List of supported action codes for ICMP
( group icmp-action-codes action_t
( union ASSOCIATION
BAD_CODE
FRAGMENTATION_NEEDED
HOST_UNREACHABLE
NETWORK_UNREACHABLE
PORT_UNREACHABLE
PROTOCOL_UNREACHABLE
SOURCE_ROUTE_FAILED
ECHO
ECHO_REPLY
INFORMATION_REQUEST
INFORMATION_REPLY
PARAMETER_PROBLEM
REDIRECT_HOST
REDIRECT_TYPE_OF_SERVICE_AND_HOST
REDIRECT_NETWORK
REDIRECT_TYPE_OF_SERVICE_AND_NETWORK
SOURCE_QUENCH
TIME_TO_LIVE_EXCEEDED
REASSEMBLY_TIME_EXCEEDED
TIMESTAMP
TIMESTAMP_REPLY )
)
// List of supported action codes for SSL
( group ssl-action-codes action_t
( union HANDSHAKE
MISSED_HANDSHAKE
SESSION_CLOSED
SESSION_ABORTED
)
// List of supported action codes for HTTP
( group http-action-codes action_t
( union GET
HEAD
POST
PUT
DELETE
OPTIONS
TRACE
CONNECT
MISSED_REQUEST
RESPONSE )
)
// List of all supported action codes
( group all-action-codes action_t
( union udp-action-codes
ip-action-codes
icmp-action-codes
tcp-action-codes
ssl-action-codes
http-action-codes )
)
Now, the dispositions and policy rules built into the Policy Engine. These rules can be overwritten by user-defined policy rules.
disposition ok
( code OK )
)
( disposition continue
( code CONTINUE )
)
( disposition policy-error
( description "Policy error caused by uncaught event" )
( code POLICY_ERROR )
( log-directive
CRITICAL
"Uncaught event" )
)
( rule default-rule
( description "Catch-all rule for all protocols" )
( protocol present )
( action present )
( initiator ignore )
( target ignore )
( outcome
( final
( default policy-error )
)
)
)
It is noted that the list of built-in objects included in Table A is by no means complete. In other embodiments, the set of built-in objects is expanded or reduced to reflect the set of protocols supported by the Policy Monitoring System. It is noted that in the preferred embodiment the Policy Engine 101 ranks default-rule lower than any user-defined rule. For example, a user-defined rule having initiator and target credentials set to ignore ranks higher than using default-rule. In a preferred embodiment, security policy decisions are also affected by any previous history of security violations involving one or both of the principals. FIG. 4 is a schematic diagram of communicating parties according to the invention; wherein an initiator host machine 141 attempts to contact a target host machine 142 over a network, and its events are listened to by an Agent 102 and events are passed onto the invention herein 100. For example, a host machine 141 that repeatedly attempts to perform an illegal operation within a given time window may be blacklisted and rendered incapable of conducting further communication activity within the security domain. In one embodiment, a policy manager maintains a count of security policy violations perpetrated by or against specific principals and provides that information to the Policy Engine 101 as input to a policy evaluation procedure. Specification Language A security policy is formulated using the Policy manager module's policy specification language (FIG. 1) 108. A preferred embodiment chooses a simplified form of S-expressions as the policy specification language 108. S-expressions are LISP-like parenthesized expressions. The preferred embodiment uses a variant of S-expressions devised by Ron Rivest in R. Rivest, code and description of S-expressions, http://theory.les.mit.edu/.about.rivest/sexp.html, and used in SPKI/SDSI in C. Ellison, SPKI Certificate Documentation, http://www.clark.net/pub/cme/html/spki.html. In the preferred embodiment the use of Rivest's S-expressions are restricted in a way such that no empty lists are allowed and such that each list must have a type (a byte string) as its first element, denoting the type of the object represented by the list. The use of Rivest's S-expressions is further restricted by only requiring support for the canonical and advanced representations of S-expressions, a preferred embodiment of which is depicted in Table B herein below. An advantage of using the canonical representation of S-expressions in the preferred embodiment is for digital signature purposes as well as for relatively efficient communication. It is easy to parse, fairly compact, and is unique for any given S-expression. An advantage of using the advanced representation of S-expressions is for human consumption. It can be thought of as a pretty print of the canonical representation.
TABLE B
An example of an advanced representation:
( certificate ( issuer alice ) ( subject bob ) )
An example of a canonical representation:
(11:certificate(6:issuer5:alice) (7:subject3:bob))
It should be noted that replacing language tokens (e.g. certificate, issuer) with minimally encoded identifiers further optimizes the canonical representation. The main advantages of using S-expressions in the preferred embodiment are: It is easy to represent arbitrary data with S-expressions. S-expressions are easy to extend and modify. In their advanced representation they are easy to read and edit using, for example, a simple text editor. Their canonical representation was designed for efficient packing and parsing. In particular, parsing requires minimal look-ahead and no re-scanning. Their canonical representation allows for easy transportation, for example, in files or email messages. In their canonical encoding they can be digitally signed. It is relatively simple to convert between the advanced and the canonical representation of S-expressions. A formal description of the policy specification language 108 is provided herein below in Table C.
TABLE C
This table contains a Backus-Naur Form (BNF) description of the
grammar for the policy specification language, including an annotation
section. All valid policies derive from the <policy> production.
This grammar applies to the policy specification after all comments are
removed and all macros are expanded. Comments begin with
.quadrature.//.quadrature.
and extend to the end-of-line. Macros are defined using the C
macro syntax.
Incomplete parts of the grammar are noted in italics.
Terminals are shown in bold.
//
// Basic language stuff
//
// Terminals requiring further syntax specification
<integer> ::= TBD // [0-9]*
<symbol> ::= TBD // alphanumeric and `-`,
// `_`, starts with letter
<string> ::= <concat> .vertline. TBD // any ASCII
character
// enclosed in double-quotes
<mac-addr> ::= TBD // 6 hex byte values
// separated by `-`
<ip-addr> ::= TBD // IPv4 dotted decimal
// notation
<ip-mask> ::= TBD // address prefix per
// RFC-2280
<hex-string> ::= TBD // n hex byte values
// separated by `:`
<version-string> ::= TBD // a string of the form
// <major>.<minor>
// Some productions used only for clarity
<name> ::= <symbol>
<type> ::= <symbol>
<attr-name> ::= <symbol>
// The basic types in the language
<atom> ::= <symbol> .vertline. <integer> .vertline.
<string> .vertline.
<ip-addr> .vertline. <mac-addr>
.vertline.
<version> .vertline. <hash-atom>
.vertline. <bool>
//
// Productions for the policy specification section
//
// These are values that describe the values of things with values
<meta-value> ::= present .vertline. absent .vertline. ignore
// Productions used in a few places
<assertion> ::= ( assertion <bool-expr> )
// Version conversion function
<version> ::= ( version <version-string> )
// Attributes, used as arguments in predicates and other operations
<attr-part-list> ::= <atom> .vertline.
<attr-part-list> <atom>
<attr-op> ::= ( <attr-name> <attr-part-list> )
<attribute> ::= <attr-name> .vertline. <attr-op>
// Hashes
<hash-alg-name>::= [Some set of terminals of type hash.sub.--
alg.sub.-- t]
<hash-op> ::= ( hash <hash-alg-name> <attribute> )
<hash-atom> ::= <hex-string>
<hash> ::= <hash-atom> .vertline. <hash-op>
// Operations that operate on attributes and return a
// basic type (atom)
<atom-ops> ::= <hash-op>
// Predicates - used in building boolean expressions
<generic-compare-op> ::= eq
<num-compare-op> ::= gt .vertline. lt .vertline. ge .vertline. le
<rng-compare-op> ::= range
<string-compare-op> ::= prefix .vertline. substring
<member-compare-op> ::= member
<ipmask-compare-op> ::= ip-mask
<iprng-compare-op> ::= ip-range
<cred-match-op> ::= root .vertline. has
<presence-op> ::= present .vertline. absent
// Generic argument
<arg> ::= <attribute> .vertline. <atom> .vertline.
<atom-ops>
<generic-cmp-arg> ::= <arg>
<generic-compare> ::= ( <generic-compare-op>
<generic-cmp-arg> <generic-cmp-arg> )
<num-cmp-arg> ::= <attribute> .vertline. <integer>
.vertline. <version>
<num-compare> ::= ( <num-compare-op>
<num-cmp-arg> <num-cmp-arg> )
.vertline.
( <rng-compare-op>
<num-cmp-arg>
<num-cmp-arg> <num-cmp-arg> )
<string-cmp-arg> ::= <attribute> .vertline. <string>
<string-compare> ::= ( <string-compare-op>
<string-cmp-arg> <string-cmp-arg> )
<member-cmp-arg> ::= <arg>
<member-part-list> ::= <member-cmp-arg> <union>
.vertline.
<member-cmp-arg> <member-cmp-arg> )
<member-compare> ::= ( <member-compare-op>
<member-part-list> )
<ipmask-compare> ::= ( <ipmask-compare-op>
<attribute> <ip-mask> )
<iprng-cmp-arg> ::= <attribute> .vertline. <ip-addr>
<iprng-compare> ::= ( <iprng-compare-op>
<iprng-cmp-arg>
<iprng-cmp-arg> <iprng-cmp-arg> )
<cred-match> ::= ( <cred-match-op> <attribute>
<cred-name> )
<presence> ::= ( <presence-op> <attribute> )
<predicate> ::= <generic-compare> .vertline.
<num-compare> .vertline.
<string-compare> .vertline.
<member-compare> .vertline.
<ipmask-compare> .vertline.
<iprng-compare> .vertline.
<cred-match> .vertline. <presence>
// Boolean expressions
<bool-list-op> ::= and .vertline. or
<bool-monadic-op> ::= not
<bool> ::= TRUE .vertline. FALSE
<bool-list> ::= <bool-expr> .vertline. <bool-list>
<bool-expr>
<bool-expr> ::= <name> .vertline. <bool> .vertline.
<predicate> .vertline.
( <bool-monadic-op> .vertline.
<bool-expr> ) .vertline.
( <bool-list-op> <bool-list> )
// Descriptions are comments that are carried along with the constructs
<string-list> ::= <string> .vertline. <string-list>
<string>
<description> ::= ( description <string-list> )
// When we need to break up a string across lines, we use concat to
// put it back together (just like descriptions)
<concat> ::= ( concat <string-list> )
// Unions are unnamed collections of one or more symbols
// (with matching types)
<union-symbol> ::= <atom> .vertline. <group-name>
<union-list> ::= <union-symbol> .vertline.
<union-list> <union-symbol> .vertline.
( union <union-list> ) .vertline.
<union-list> ( union <union-list> )
<union> ::= ( union <union-list> ) .vertline.
<union-symbol>
// Groups are named and typed unions (all symbols must have one type)
<group-part-list> ::= <union> .vertline. <description>
<union> .vertline.
<union> <description>
<group-name> ::= <name>
<group> ::= ( group <group-name> <type>
<group-part-list> )
// Credentials
<cred-part> ::= <description> .vertline. <assertion>
<cred-part-list> ::= <cred-part> .vertline.
<cred-part-list> <cred-part>
<cred-name> ::= <name>
<credential> ::= ( credential <cred-name>
<cred-part-list> )
// Dispositions
<agent-directives> ::= [Some set of terminals of type
agent-directive.sub.-- t]
<agent-directive-list> ::= <agent-directives> .vertline.
<agent-directive-list>
<agent-directives>
<agent-directive> ::= ( agent-directive <agent-directive-list>
)
// preliminary list of severity codes; more TBD
<log-severity> ::= [Some set of terminals of type severity.sub.-- t]
<log-directive> ::= ( log-directive <log-severity>
<string> ) .vertline.
( log-directive <log-severity> )
// preliminary list of disposition codes; more TBD
<disposition-code> ::= [Some set of terminals of type code.sub.-- t]
<disp-code> ::= ( code <disposition-code> )
<disp-part> ::= <description> .vertline.
<disp-code>.vertline.
<log-directive> .vertline.
<agent-directive>
<disp-part-list> ::= <disp-part> .vertline.
<disp-part-list> <disp-part>
<disposition-name>::= <name>
<disposition> ::= ( disposition <disposition-name>
<disp-part-list> )
// Conditions
<condition-part-list> ::= <description> <assertion>
.vertline.
<assertion> <description> .vertline.
<assertion>
<condition-name>::= <name>
<condition> ::= ( condition <condition-name>
<condition-part-list> )
// Outcomes are bindings of conditions to dispositions used in rules
<outcome-default> ::= ( default <disposition-name> )
<guard> ::= if .vertline. ifnot
<outcome-clause> ::= ( <guard> <condition-name>
<disposition-name> )
<outcome-list> ::= <outcome-default> .vertline.
<outcome-clause> <outcome-list>
<immediate> ::= ( immediate <outcome-list> )
<final> ::= ( final <outcome-list> )
<outcome-types> ::= <immediate> .vertline.
<final>.vertline.
<immediate> <final> .vertline.
<final> <immediate>
<outcome> ::= ( outcome <outcome-types> )
// Rules
<protocol> ::= ( protocol <union> ) .vertline.
( protocol <meta-value> )
<action> ::= ( action <union> ) .vertline.
( action <meta-value> )
<initiator> ::= ( initiator <cred-name> ) .vertline.
( initiator <meta-value> )
<target> ::= ( target <cred-name> ) .vertline.
( target <meta-value> )
<agent> ::= ( agent <cred-name> )
<rule-name> ::= <name>
<rule-list> ::= <rule-name> .vertline. <rule-list>
<rule-name>
<prerequisite> ::= ( prerequisite <rule-list> )
<rank-above> ::= ( rank-above <rule-name> )
<rule-part> ::= <description> .vertline. <protocol>
.vertline. <action> .vertline.
In the preferred embodiment the policy specification language 108 is typed. The policy compiler 101 performs the necessary type checking of all S-expressions found in a policy specification 107. Typing aids in catching and diagnosing both common and subtle user errors. A preferred embodiment of the type information is described herein below in Table D.
TABLE D
Types
The subtables in this section describe, in a pseudo-formal manner, the
type information in the language that is enforced by the parser.
The types used should be self-evident.
First some notation used throughout the tables:
( list-of type ) - ( foo ( list-of T ) ) .fwdarw. ( foo A B C ) where A, B,
and C are of the type T; the list must have at least one element.
( multi-of type ) - ( foo ( multi-of T ) ) .fwdarw. ( foo ( union A B C ) )
where A, B, and C are of the type T or .fwdarw. ( foo ABC ) where ABC is
the
name of a group of type T.
( mix-of type1 type2 type3 ) - ( foo ( mix-of R S T ) ) .fwdarw. ( foo A B
C D ) where A, B, C, and D are randomly of types R, S, and T.
match - a type that is required to be the same as all other
occurrences of match in the expression -
( foo match match ) requires that the two arguments of foo be of the
same type (e.g., int_t, string_t).
The following table lists the typed attributes used in conditions and credentials.
Applicable Argument
Attribute Name Protocols Types Result Type
agent-attribute all-protocols -- (multi-of agent_attr_t)
auth-status SSL -- auth_status_t
cert-status SSL -- cert_status_t
der-cert SSL -- octet_string_t
encipher-keysize SSL -- int_t
http-cookie HTTP string_t (multi-of string_t)
http-password HTTP -- string_t
http-req-hdr HTTP string_t string_t
http-resp-hdr HTTP string_t string_t
http-set-cookie HTTP string_t (multi-of string_t)
http-status-code HTTP -- int_t
http-username HTTP -- string_t
icmp-gateway- ICMP -- ip_addr_t
address
icmp-nested-address ICMP -- ip_addr_t
icmp-nested-port ICMP -- int_t
initiator-access-rate all-protocols -- int_t
initiator-auth- SSL -- int_t
keysize
initiator-violation- all-protocols -- int_t
rate
ip-address IP UDP TCP -- ip_addr_t
ICMP
ip-port IP UDP TCP -- int_t
ICMP
ke-keysize SSL -- int_t
mac-address IP UDP TCP -- mac_addr_t
ICMP
protocol-version all-protocols -- version_t
ssl-ciphersuite SSL -- ciphersuite_t
target-access-rate all-protocols -- int_t
target-auth-keysize SSL -- int_t
target-violation-rate all-protocols -- int_t
url HTTP -- string_t
x509-cert-path SSL -- cert_path_t
x509-issuer SSL -- string_t
x509-subject SSL -- string_t
The table below lists all the operations in the language that return a dynamic result. For each operation it shows both argument and result types
Operation Result Type Argument Types
absent bool_t string_t
and bool_t (list-of bool_t)
default disposition_t disposition_t
eq bool_t match match
has bool_t cert_path_t cred_t
hash base64_t hash_alg_t octet_string_t
ge.sup.1 bool_t match match
gt.sup.1 bool_t match match
if disposition_t condition_t disposition_t
ifnot disposition_t condition_t disposition_t
ip-mask bool_t ip_addr_t ip_mask_t
.sup.1 Operator only supports types int_t and version_t as arguments.
ip-range bool_t ip_addr_t ip_addr_t
ip_addr_t
le.sup.1 bool_t match match
lt.sup.1 bool_t match match
member bool_t match (multi-of match)
not bool_t bool_t
or bool_t ( list-of bool_t )
prefix bool_t string_t string_t
present bool_t string_t
range.sup.1 bool_t match match match
root bool_t cert_path_t cred_t
substring bool_t string_t string_t
version version_t string_t
The table below is pushing the concept of .quadrature.type.quadrature. far beyond its normal meaning since, in it, we often use type merely to convey positional information. It shows the type of every object in the language and the types of their arguments.
Object Name Object Type .quadrature.Argument.quadrature. Types
action act_t ( multi-of action_t )
agent agt_t credential_t
agent- agtdir_t ( multi-of agent_directive_t )
directive
assertion assert_t bool_t
code code_def_t code_t
condition cond_t condition_t ( mix-of desc_t
bool_t )
credential cred_t credential_t ( mix-of assert_t desc_t
prot_t )
description desc_t ( list-of string_t )
disposition disp_t disposition_t ( mix-of desc_t
code_def_t
log_t agtdir_t )
final dispo_t (list-of guard_t)
group group_t match type_t ( multi-of match )
immediate dispo_t (list-of guard_t)
initiator init_t credential_t
log-directive log_t severity_t string_t
outcome out_t ( list-of dispo_t )
policy policy_def_t policy_t string_t ( mix-of desc_t
group_t cred_t
cond_t disp_t rule_t def_t )
prerequisite pre_t ( list-of rule_t )
protocol prot_t ( multi-of protocol_t )
rank-above rank_t rule_t
rule rule_def_t rule_t ( mix-of desc_t agt_t prot_t act_t
init_t targ_t out_t pre_t rank_t )
target targ_t credential_t
union ( multi-of ( list-of match )
match )
It is noted that the list of credential and condition attributes included in Table D is by no means complete. In other embodiments, the set of attributes is expanded or reduced to reflect the set of protocols supported by the Policy Monitoring System. It is noted that although the remainder of this disclosure describes the specification language 108 by means of examples, and that for improved readability, said examples use the advanced rather than the canonical representation of S-expressions, this is not meant to further limit the invention. In the preferred embodiment of the invention, the language 108 allows for comments to be embedded in S-expressions. A comment is allowed anywhere whitespace is valid. A comment begins with "//" and continues to the end-of-line. In compilation, comments are ignored because they serve merely as an aid to the human user. In the preferred embodiment of the invention, the language 108 allows for external files to be included using the #include syntax of C. Included files are supported to enhance modularity and reusability of policy language segments. In the preferred embodiment of the invention, the language, 108 allows for macros to be defined using the #define syntax of C. Macros are supported to enhance readability. By convention, macros start with, an uppercase letter but need not be fully capitalized. The language 108 comprises the following first-class objects: Condition Credential Disposition Group Policy Rule In the preferred embodiment first-class objects have names. Names are normally used to refer to an object from another object. By convention, names of built-in objects start with a lowercase letter and use hyphens (-) to separate words. Names of user-defined objects start with an uppercase letter and use intercaps or underscores (_) to separate words, but do not use hyphens. Names of data types start with a lowercase letter and end with an underscore followed by a lowercase `t` (_t). In the preferred embodiment a named object must be defined before its name can be used. The scope of a name is that of the entire policy specification as defined by the policy object. In the preferred embodiment first-class objects may optionally include a description field. The description provides human readable text associated with the object. Unlike comments, description fields are preserved by the policy parser. When using the advanced representation, description strings may be split across several lines, using the C rules of string concatenation. That is, following the description token are one or more character strings, each enclosed in a set of double quotes. Policy In the preferred embodiment a policy is the top-most object defined by the specification language 108 and includes all other first-class objects. A policy manager may load several policies into its internal database. However, at any one point in time, only one active policy is in effect. That is the policy known to the Policy Engine 101. Following is an example of a policy object.
( policy Sample_Policy_1 "1.0" // policy <name> <version>
( description "This is a policy specification description"
"that is continued on a second line" )
. . .
)
In the preferred embodiment a policy object has two mandatory parameters: name, which is used to reference the policy, and version number, which defines the version of the policy specification language 108. A policy's version number is used to check for compatibility between a policy specification and a policy compiler. Groups and Unions In the preferred embodiment groups are named collections of a given type. The union object creates the collection from a set of items. The group object gives the union a name and a type. Following is an example expressing a collection of colors:
( group SomeColors color_t // group <name> <type>
( description "Some colors I like" )
( union RED GREEN YELLOW )
)
In the example, the object identifies RED, GREEN and YELLOW as items, i.e. symbols, of type color_t (a fictitious data type) collected in a set named SomeColors. By convention, symbols defined in unions are fully capitalized. In the preferred embodiment once a symbol is identified as being of a certain type, it is transparently added to an unnamed set of items of that type. It may then be reused in other unions, groups or wherever an individual item of that type is valid. For example, a valid way to define another group is as follows:
( group RedByAnyOtherName color_t
( description "Red in different languages" )
( union RED ROSSO ROUGE VERMELHO )
)
However in the preferred embodiment the following group would not be allowed since RED would already have been tagged as being of type color_t.
( group AfewOfMyFavoriteThings thing_t
( union RED PASTA WINE ) // ERROR! RED previously defined as
) // having type color_t
In the preferred embodiment sets can be combined with other predefined sets. For example,
( group MoreColors color_t
( union
SomeColors
RedByAnyOtherName // overlapping ok
PURPLE BEIGE BURGUNDY
)
)
It is noted that RED overlaps both SomeColors and RedByAnyOtherName, which according to the invention is perfectly acceptable. The resulting set will include only one instance of the set item RED. In the preferred embodiment unions are similar to the C enum type, with the added benefit that unions can be combined and extended without concern for conflicting item values. In a preferred embodiment unions are used, but are not limited to, to define collections of items, such as, for example, IP addresses, MAC addresses, integers, version numbers and hash values. That is, unions can define any data item that has a primitive data type in the language. An example of a group of IP addresses is defined as:
( group MyComputers ip_addr_t
( union
207.5.63.23 // desktop at work
207.5.63.42 // laptop
128.7.16.64 // home computer
)
)
In the preferred embodiment the type of the items in the union must agree with the type specified in the group. In a preferred embodiment, groups are referenced from other first-class objects. For example, groups are typically used to define collections of protocol actions, SSL ciphersuites, and IP addresses. Note that wherever a group is allowed, the following are also valid: A union object (essentially, an unnamed group) provided that any symbols used as elements in the union have already been given a type via a group definition. A single collection item. This is equivalent to a union object with a single element. If the item is a symbol, its type must have been previously defined in a group. A list of built-in groups is given in section Table A. Credentials In the preferred embodiment a credential is a statement about a principal in a protocol event. It consists of a logical expression containing one or more assertions about the attributes that make up a principal's credentials. When a policy rule is evaluated against a protocol event, the credentials presented in the protocol event are compared to the credentials specified in a purported credential object. If the logical expression defined in the credential object is satisfied, the principal's presented credentials are said to satisfy the purported credentials. As an example, the following purported credentials are satisfied if the principal's IP address is 207.5.63.8 and its IP port number is either 80 or greater than 443.
( credential Credentials_Example_1 // credential <name>
( assertion
( and
( eq ip-address 207.5.63.8 )
( or
( eq ip-part 80 )
( gt ip-port 443 )
)
)
)
)
In the preferred embodiment each protocol has a set of attributes that may be used to build purported credentials. Table E herein below lists all the attributes currently defined and, for each attribute, it shows, the protocols where the attribute might be included in the presented credentials, as well as the operations where the attribute may be used as an operand.
TABLE E
Attribute Applicable Compare
Name Protocols Description Operations
agent-attribute all- The attributes of the member
protocols.sup.2 reporting Agent, as
a union of symbolic
names
cert-status SSL The validity status eq, member
of a certificate
der-cert SSL A DER encoded hash
certificate
http-password HTTP The password used eq, member,
in basic substring, prefix
authentication
http-username HTTP The user name used eq, member,
in basic substring, prefix
authentication
ip-address IP UDP An IP address eq, member, ip-
TCP ICMP mask, ip-range
ip-port IP UDP An IP port eq, member, gt, ge,
TCP ICMP lt, le, range
mac-address IP UDP A MAC address eq, member
TCP ICMP
url HTTP A URL eq, member,
substring, prefix
x509-cert-path SSL An X.509 certificate root, has
chain
x509-issuer SSL An X.509 certificate eq, member,
issuer substring, prefix
x509-subject SSL An X.509 certificate eq, member,
subject substring, prefix
.sup.2 Can be used to identify the reporting Agent in any policy rule must
but must not be mixed with other credential attributes.
It is noted that the list of credential attributes included in Table E is by no means complete. In other embodiments, the set of attributes is expanded or reduced to reflect the set of protocols supported by the Policy Monitoring System. In the preferred embodiment each attribute can be thought of as having an implied getter function that returns its value. Most attribute getters take no arguments and return a single value. In the preferred embodiment, however, some attribute getters (e.g. http-req-hdr and http-cookie) are functions that take one or more arguments and may return complex results. For example, http-cookie takes as an argument the name of a cookie in an HTTP request header and returns its value or values as a union of strings. In the preferred embodiment it is important not to mix credential attributes from different protocol sets in a credential specification. For example, combining ip-address and der-cert in the same credential object would be an error and flagged by the policy compiler. As another example, using a credential in a policy rule for a protocol action that is incompatible with the credential attributes in the credential object is considered an error, flagged by the policy compiler. However, it is possible to use those attributes in two separate credential objects and establish relationships between them within policy rules (e.g. access to resource X is restricted to principals previously authenticated with credentials Y). See example Check_Access_Denial herein below for an example of establishing this type of relationships in policy rules. In the preferred embodiment the credential attribute agent-attribute is used to define the credentials of the Agent 102 reporting the protocol event 103. Agents are individually configured with a set of attributes, which are used to identify them to a policy manager. In another embodiment, some agent attributes might uniquely identify a specific Agent (e.g. MONITOR_NEXT_TO_ROUTER.sub.--X) while others might identify a group of Agents (e.g. ALL_MONITORS_IN_SUBNET.sub.--Y). The agent-attributes attribute returns a union of identification attributes for the reporting Agent 102. In the preferred embodiment within a credential specification, assertions about agent attributes may not be mixed with assertions about any other credential attributes. Table F herein below lists all the operations used in a preferred embodiment to make assertions about attributes.
TABLE F
Oper-
ation Description
absent Whether (true) the attribute denoted by the operand does not
have a value in the protocol event
and Logical AND of a list of boolean expressions, its operands
eq Whether(true) two operands have the same value
ge Whether (true) the first operand.quadrature.s value is greater
than, or
equal to, the second.quadrature.s
gt Whether (true) the first operand.quadrature.s value is greater than
the second.quadrature.s
has Whether (true) the certificate chain defined by the first
operand.quadrature.s value contains a certificate that satisfies
the second operand (a credential name)
hash Computes a digest of the second operand.quadrature.s value using
the hashing function defined by the first operand; returns
the hash as a hexadecimal string
ip-mask Whether (true) the first operand.quadrature.s value is included in
the set
of IP addresses defined by the second operand, an IP address
prefix [RFC2280]; an address prefix is represented as an IPv4
address (dotted-decimal format with four integers) followed
by the character slash .quadrature./.quadrature. followed by an
integer in the range
from 0 to 32. The latter denotes the number of high-order
bits from the preceding address that constitute a subnetwork
address. If the subnetwork address bits match exactly the
corresponding bits in the first operand.quadrature.s value, the
operation
returns true.
The following are valid address prefixes:
128.9.128.5132, 128.9.0.0116, 0.0.0.0/0; the
following address prefixes are invalid: 0/0, 128.9/16 since 0
or 128.9 are not dotted-decimal strings containing four integers.
ip-range Whether (true) the first operand.quadrature.s value is included in
the set of
IPv4 addresses defined by an IP address range whose lower
bound is the operand with the lower value and whose upper
bound is the operand with the higher value; the three operand
values are taken as 32-bit unsigned integers and, if the first
operand value falls within the inclusive numerical range defined
by the two other operand values, the operation returns true
le Whether (true) the first operand.quadrature.s value is less than,
or
equal to, the second.quadrature.s
lt Whether (true) the first operand.quadrature.s value is
less than the second.quadrature.s
member Whether (true) the first operand.quadrature.s value is a member of
the
set defined by the second operand (a union)
not Logical negation of its operand.quadrature.s value
or Logical OR of a list of boolean expressions, its operands
prefix Whether (true) the string that constitutes the first
operand.quadrature.s
value includes, starting at the first character, the string
defined by the second operand
present Whether (true) the attribute denoted by the operand has a value
in the protocol event
range Whether (true) the first operand.quadrature.s value is within the
inclusive
numerical range defined by the values of the second a third
operands; the range comprises the set of values between the
lower operand value and the higher
root Whether (true) the certificate chain defined by the first
operand.quadrature.s value has, as its root, a certificate that
satisfies the second operand (a credential name)
sub- Whether (true) the string that constitutes the first
operand.quadrature.s
string value includes the string defined by the second operand
It is noted that the list of operations included in Table F is by no means complete. In other embodiments, the set of operations is expanded or reduced to reflect the set of protocols and features supported by the Policy Monitoring System. In the preferred embodiment credentials may be combined with other credentials or with additional assertions. Consider the following example:
( credential Credentials_Example_2
( assertion
( or
Credentials_Example_1
and
( ip-mask ip-address 207.5.0.0/16 )
( range ip-port 25 443 )
)
)
)
)
The example herein above defines purported credentials that will be satisfied if either Credentials_Example.sub.-- 1 is satisfied or if the presented credentials' IP address falls within the subnetwork defined by the address prefix 207.5.00/16 and if the IP port is between 25 and 443, inclusive. In the preferred embodiment the absence of an assertion about a specific attribute in a credential specification indicates that its value is to be ignored in considering the presented credentials. In the preferred embodiment, it is often useful to indicate that a particular attribute must or must not be specified in the presented credentials, irrespective of the attribute's value, if any. The operations absent and present accomplish this, as illustrated by the following examples:
( credential Credentials_Example_3
( assertion
( and
// http-username must exist, but don't care about its value
( present http-username )
// the absence of an assertion about http-password indicates
// that its presence or absence is irrelevant
)
)
)
( credential Credentials_Example_4
( assertion
( and
// an X.509 certificate must not have been presented
( absent der-cert )
)
)
)
Conditions In the preferred embodiment a condition defines a constraint upon a protocol event 103. Said condition comprises a logical expression containing one or more assertions about attributes of the protocol event. Policy rules use conditions to specify particular constraints that must or must not be satisfied by the protocol event 103. Table G lists attributes of a protocol event 103 that may be used when formulating conditions. For each attribute the table shows protocols for which the attribute is defined, as well as the operations which can take the attribute as an operand.
TABLE G
Attribute Applicable Compare
Name Protocols Description Operations
auth-status SSL The status of an authen- eq, member
ticated session at the end
of the authentication
handshake
encipher- SSL The size of the key used eq, member,
keysize for data encipherment gt, ge, lt, le,
(e.g., size of an range
IDEA key)
http-cookie HTTP Takes as an argument member
the name of a cookie
in the request header
and returns its value(s)
as a union of strings
http-req-hdr HTTP Takes as an argument eq, member,
the name of a client substring,
request header and prefix
returns its value
http-resp-hdr HTTP Takes as an argument the eq, member,
name of a server substring,
response header and prefix
returns its value
http-set-cookie HTTP Takes as an argument the member
name of a cookie in the
response header and
returns its value(s)
as a union of strings
http-status-code HTTP The status code returned eq, member,
on HTTP responses gt, ge, lt, le,
(aka response code) range
icmp-gateway- ICMP The IP address of the eq, member,
address gateway host on a ip-mask, ip-
redirect message range
icmp-nested- ICMP The IP address carried eq, member,
address in a .quadrature.destination ip-mask,
unreachable.quadrature. message ip-range
icmp-nested- ICMP The port number carried eq, member,
port in a .quadrature.destination gt, ge, lt, le,
unreachable.quadrature. message range
initiator- all-protocols The rate at which the eq, member,
access-rate current active principal gt, ge, lt, le,
has been the initiator of range
communications, over a
predefined (configurable)
period of time
initiator-auth- SSL The size of the key used eq, member,
keysize for initiator authentica- gt, ge, lt, le,
tion and/or digital range
signatures (e.g., size
of public key modulus)
initiator- all-protocols The rate at which the eq, member,
violation-rate current active principal gt, ge, lt, le,
has been the initiator range
of security policy
violations, over a
predefined (configurable)
period of time
ke-keysize SSL The size of the key-enci- eq, member,
pherment key (e.g., size gt, ge, lt, le,
of public key modulus) range
protocol- all-protocols The version of the eq, member,
version protocol gt, ge, lt, le,
range
ssl-ciphersuite SSL The negotiated eq, member
ciphersuite
target-access- all-protocols The rate at which the eq, member,
rate current passive principal gt, ge, lt, le,
has been the target of range
communications, over a
predefined (configurable)
period of time
target-auth- SSL The size of the key used eq, member,
keysize for target authentication gt, ge, lt, le,
and/or digital signatures range
(e.g., size of public
key modulus)
target- all-protocols The rate at which the eq, member,
violation- current passive principal gt, ge, lt, le,
rate has been the target of range
security policy viola-
tions, over a predefined
(configurable) period
of time
It is noted that the list of condition attributes included in Table G is by no means complete. In other embodiments, the set of attributes is expanded or reduced to reflect the set of protocols and features supported by the Policy Monitoring System. In the preferred embodiment operations listed in Table G may be used to build assertions about condition attributes. In the preferred embodiment condition attributes cannot mix with those from different protocol sets in a condition specification. A condition used in a policy rule for a protocol that is incompatible with the condition attributes in the condition object is considered an error and is flagged by the policy compiler. For example, it is illegal to use ssl-ciphersuite in a condition referenced by a policy rule for HTTP. Following are some examples:
( group Strong_RSA_Ciphersuites ciphersuite_t
( description "Strong ciphers with RSA key exchange" )
( union SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_IDEA_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
(
(
( condition SslV3StrongCiphers // condition <name>
( assertion
( and
( ge protocol-version ( version "3.0" ) )
( member ssl-ciphersuite Strong_RSA_Ciphersuites )
( ge ke-keysize 768 )
( ge target-auth-keysize 1024 )
)
)
)
( condition HackerTripwire
( assertion
( ge initiator-violation-rate 10
)
)
( condition ProtectSSL
( assertion
( and SslV3StrongCiphers HackerTripwire )
)
Herein above, the condition SslV3StrongCiphers can be used with an SSL protocol event to ensure that SSL 3.0 or higher is used, that the negotiated ciphersuite is one of the strong RSA-based ciphersuites, that the RSA key-encipherment key has a modulus of no less than 768 bits, and that the RSA authentication key has a modulus of no less than 1024 bits. Herein above, the condition HackerTripwire can be used with any protocol event 103 to ensure that the active principal 141 is not a potential attacker. The third condition, ProtectSSL, simply combines the first two. Dispositions In the preferred embodiment a disposition defines an outcome of a policy rule. Each policy rule may have many possible outcomes depending on, for example, constraints imposed on the protocol event. See Table H herein for a list of disposition codes and an explanation of their meanings in the preferred embodiment.
TABLE H
Disposition Code Description
OK The network event conforms to the security policy
CONTINUE Additional information is needed before determining
whether or not the network event conforms to the
security policy
ACCESS.sub.-- Access to the target resource is denied
DENIED by the security policy
AUTHEN- Authentication between the communication parties
TICATION.sub.-- does not conform to the requirements set out by the
VIOLATION security policy
SECURITY.sub.-- A security attack has been detected
ATTACK
SECURITY_QOS The security quality of service parameters associated
with a protocol event do not meet the requirements
set out by the security policy
POLICY.sub.-- An error has been detected in
ERROR the security policy specification
It is noted that the list of disposition codes included in Table H is by no means complete. In other embodiments, the set of disposition codes is expanded, or reduced to reflect the set of features supported by the Policy Monitoring System. Table I herein below lists possible severity codes in the preferred embodiment.
TABLE I
Severity Code Description
CRITICAL Critical security violation, e.g., the network is under-
going an active security attack
HIGH High-severity security violation, e.g., attempt to
access sensitive data
MEDIUM Medium-severity security violation, e.g., attempt to
access a protected (but not highly sensitive) resource
WARNING Low-severity security violation, e.g., an incorrect
password was entered
MONITOR A security violation was not detected but an unusual
or potentially suspect network event has occurred,
e.g., TELNET access to a public web server
INFORMATION A perfectly valid network event
is being reported for
informational purposes only
It is noted that the list of severity codes included in Table I is by no means complete. In other embodiments, the set of severity codes is expanded or reduced to reflect the set of features supported by the Policy Monitoring System. Table J herein below lists possible agent directives in the preferred embodiment.
TABLE J
Agent
Directive Description
DECRYPT The Agent is instructed to decrypt all traffic at the
current protocol layer
DISRUPT The Agent is instructed to terminate and/or disrupt all
subsequent traffic associated with this network event
LOG.sub.-- The Agent is instructed to log all traffic at the current
TRAFFIC protocol layer
It is noted that the list of agent directives included in Table J is by no means complete. In other embodiments, the set of agent directives is expanded or reduced to reflect the set of features supported by the Policy Monitoring System. Following are examples of preferred embodiments of dispositions:
// Network event ok but should be logged
disposition Ok_Monitor // disposition <name>
( code OK ) // disposition code
( log-directive // logging directive
MONITOR // severity code
"Monitored activity" ) // logging string
)
The Ok_Monitor disposition is used to dispose of a valid network event 103 while flagging a logging subsystem that this event should be logged at a low severity level (MONITOR).
// Decrypt SSL session data and continue processing network event
( disposition Continue_Decrypt
( code CONTINUE )
( agent-directive DECRYPT )
)
The Continue_Decrypt disposition is used to inform the Policy Engine 101 that additional information is needed from the Agent 102 before determining a final disposition 105 for the network event 103 while, at the same time, instructing an appropriate Agent to decrypt all traffic at a current protocol layer.
// access to target resource is denied
( disposition Access_Denied
( code ACCESS_DENIED
( log-directive
HIGH
"Access denied" )
)
The Access_Denied disposition is used as a final disposition 105 for a network event 103. It denotes a policy violation. A list of built-in dispositions of the preferred embodiment is provided herein above in Table A. Rules In the preferred embodiment a rule object defines a policy rule. A policy rule governs a specific interaction, or set of interactions, between two communicating entities. The Policy Engine 101 evaluates policy rules against protocol events to determine if the latter conform to the active security policy. Following is an example of a policy rule according to a preferred embodiment of the invention:
( rule Tcp_Ext2Int // rule <name>
( description "Communications from external hosts" )
( agent Foo_Subnet_Monitor ) // the reporting agent
( protocol TCP ) // the protocol
( action CONNECT ) // the protocol action
( initiator External_Hosts ) // the active principal
( target Internal_Hosts ) // the passive principal
( outcome
( immediate // the immediate outcome
// if/if not <condition> <disposition>
( if Catch_Suspect Security_Attack_Possible )
( if Catch_Attacker Security_Attack_Progress
( default continue ) // using built-in disposition
)
( final // the final outcome
( default Ok_Monitor )
)
)
)
In the preferred embodiment a policy rule comprises: Agent--represents Agent 102 that reported the protocol event 103. The Agent 102 is denoted by a credential name. The policy rule is only considered if this credential is satisfied by the credentials presented by the reporting Agent 102. In the example above, Foo_Subnet_Monitor is the name of a credential object identifying one or more Agents. This field is optional. If omitted, the rule applies to all Agents. Protocol--a protocol to which the rule is applicable. A protocol event 103 addresses one and only one protocol. This field is mandatory. Note that the special token ignore is used to denote a rule that applies to all protocols. Action--a protocol action to which this rule is applicable. Each protocol comprises one or more several distinct actions (e.g. connect, transfer-data, release), some of which might be of interest to the security policy. A protocol event denotes one and only one protocol action. This field is mandatory. Note that the special token ignore is used to denote a rule that applies to all actions within the specified protocol. Initiator--represents the active principal 141 in the protocol event 103. The initiator 141 is denoted by a credential name or by the special tokens absent (credentials must not be presented in the protocol event), present (credentials must be presented but their actual value is unimportant) and ignore (credentials may or may not be presented). In the example herein above, External_Hosts is the name of a credential object identifying one or more TCP/IP hosts. This field is mandatory. Target--represents the passive principal 142 in the protocol event 103. The target 142 is denoted by a credential name or by the special tokens absent, present and ignore. In the example above, Internal_Hosts is the name of a credential object identifying one or more TCP/IP hosts. This field is mandatory. Prerequisite--(not shown in the example above) one or more rules that must be satisfied by a previous protocol event. Prerequisite rules are identified by names. Prerequisites are used to place additional constraints on an entire network event 103. See an example herein that illustrates the use of prerequisites in rules. It should be noted that if two or more rules are listed as prerequisites, the prerequisite is satisfied if any of the listed rules taken in the order in which they are listed satisfies a previous protocol event. This field is optional. Outcome--the outcome section defines what to do with the protocol (or network) 103 event if the current policy rule is applied to the protocol event. That is, if the rule is selected by the Policy Engine 101 as the most suitable for the protocol (or network) event. Every policy rule must have a disposition that applies to the protocol event and another disposition that applies to the entire network event. In some cases these are one and the same. The Policy Engine 101 evaluates the outcome and produces a disposition for either the protocol or the network event. There are two outcomes defined: Immediate--an immediate outcome applies to the protocol event immediately. A policy rule may or may not include an immediate outcome. If it does, the outcome is evaluated as soon as the rule is selected for the protocol event. If it does not, there is an implied disposition for the protocol event, a built-in disposition continue (see Table A for the definition) which instructs the Policy Engine 101 to continue processing the network event. If the immediate outcome generates a disposition with a disposition code other than CONTINUE, this disposition becomes the disposition for the entire network event. In this instance, the final outcome, defined herein below, will not be evaluated. Final--an outcome that applies to the entire network event if this rule becomes a final rule evaluated for that event. The final outcome must be specified if the immediate outcome does not generate a final disposition for the network event. If it is not, an implied disposition for the network event, the built-in disposition policy-error, see Table A for the definition, denotes a policy specification error. The final outcome is evaluated when the Policy Engine determines that no additional protocol events are to be considered for the current network event. The final outcome must always generate a final disposition, i.e. a disposition with a disposition code of CONTINUE is not allowed in a final outcome. In the preferred embodiment each outcome section comprises one or more conditional statements, each followed by a disposition. The purpose of conditional statements is to specify constraints upon a protocol event, or special conditions that, if satisfied, cause the generation of an alternate disposition for the protocol (or network) event. Conditional statements are evaluated in the order in which they are specified within the outcome section. In the preferred embodiment a conditional statement starts with one of the following keywords: if--takes as arguments a condition and a disposition, each referenced by name. If the condition evaluates to TRUE, the disposition becomes the disposition for the protocol event. if not--takes as arguments a condition and a disposition, each referenced by name. If the condition evaluates to FALSE, the disposition becomes the disposition for the protocol event. default--takes a single argument, a disposition referenced by name. It is equivalent to a condition that is always satisfied, thereby triggering the disposition that is its argument. This conditional statement is mandatory and must be the last conditional statement in an outcome. The following examples illustrate the use of prerequisites in rules in a preferred embodiment. The first rule is the prerequisite.
( credential Host_A
( assertion
( and
( eq ip-address 207.5.63.8 )
( eq ip-port 80 )
)
)
)
( rule Access_Host_A
( protocol TCP )
( action CONNECT )
( initiator ignore )
( target Host_A )
( outcome
( final
( default Access_Denied ) // Access_Denied defined above
)
)
)
Herein above, the rule Access_Host_A states that access to host_A on port 80 by any host is denied, unless explicitly allowed by a rule at a higher protocol layer. Note the use of a final outcome, which is only evaluated if Access_Host_A becomes the applicable rule for the entire network event. The implied disposition for the protocol event is CONTINUE. This rule can be overridden by another rule at the HTTP layer stating that access is allowed to host A on port 80, as shown below:
( rule Http_To_Host_A
( protocol HTTP )
( action ignore )
( initiator ignore )
( target ignore )
( prerequisite Access_Host_A ) // reference to rule above
( outcome
(immediate
( default ok ) // using built-in disposition
)
)
)
The end result of the two policy rules herein above is to prevent all access to host A on port 80 unless that access is using HTTP over TCP/IP. In the preferred embodiment a prerequisite rule is any rule that is selected for a previous protocol event. This includes rules in the same protocol layer. As an example, to ensure that a web server requires HTTP authentication before allowing access to a specific web page, use the following rules:
( credential Some_Url
( assertion
( prefix url "//myserver.com/Documents" )
)
)
( rule Host_A_Anon_Access
( protocol HTTP )
( action ( union GET POST ) )
( initiator absent )
( target Some_Url )
( prerequisite Access_Host_A ) // from example above
( outcome
( final
( default Access_Denied ) // Access_Denied defined above
)
)
)
( condition Require_Auth
( description "Check if server returned the Unauthorized response "
"code"
( assertion
( eq http-status-code 401 )
)
)
( rule Check_Access_Denial
( protocol HTTP )
( action RESPONSE )
( initiator ignore )
( target ignore )
( prerequisite Host_A_Anon_Access )
( outcome
( immediate
( ifnot Require_Auth Access_Denied )
( default ok ) // using built-in disposition
)
)
)
The example herein above shows that access to, the document sub-tree identified by Some_Url requires the, user be authenticated using basic HTTP authentication. The authentication is accomplished by means of the condition Require_Auth which, in the context of rule Check_Access_Denial, checks that the server returns an Unauthorized status code. If the server fails to do so, the Access_Denied disposition is generated. Note that the prerequisite constraint ensures that the rule Check_Access_Denial is only considered if the rule Host_A_Anon_Access is selected when the HTTP request event is evaluated, that is, requests where basic HTTP authentication is not used. The Policy Specification Process In the preferred embodiment the policy specification process comprises the following steps: 1) Identify communicating entities recognized by the security policy. The entities comprise physical networks and sub-networks, host machines, communication protocols, users, applications, services, and any other resources of interest. 2) Identify relationships between the communicating entities and define rules to control said relationships (e.g. host A may communicate with host B but not with host C). 3) Formally define communicating entities and entity relationships using the policy specification language (FIG. 1; 108) according to the invention. In a preferred embodiment a visual tool is used. In another embodiment a text-based editor is used. In the preferred embodiment the output of this step is a policy specification in an advanced encoding format according to the invention. 4) Compile the policy specification with a Policy Compiler (FIG. 1, 106). In one embodiment, said compilation step is incorporated into a graphical policy editor, such that it is incorporated into said policy specification step. In another embodiment it is a distinct step. This step comprises: a) Checking the specification for errors of syntax or semantics; b) Checking the specification of credentials for errors (e.g. credentials that can never be satisfied); c) Checking the specification of conditions for errors (e.g. conditions that can never be satisfied); d) Checking the specification of rules for completeness and coverage; e) Ordering credentials based on their specificity (described in detail herein below); f) Ordering rules based on the credentials of their principals (described in detail herein below); and g) Resulting in an annotated policy specification (FIG. 1, 109) represented by a text file (FIG. 1107). The annotated policy specification 107 is suitable for loading into the Policy Engine 101 for evaluation of one or many network events 103, or back into the graphical policy editor for visualization and further refinement. Evaluation of Rules This section describes how policy rules are organized and evaluated according to the invention. Policy Evaluation Model The policy specification language 108 alone does not describe how the Policy Engine 101 evaluates policy rules. In the preferred embodiment of the invention, a security administrator that writes the policy specification 107 and the Policy Engine 101 that enforces the policy specification 107 share a common view of the evaluation procedure. The evaluation of policy rules is deterministic. In the preferred embodiment of the invention the basic policy specification language 108 is augmented to convey information about how rules are ordered for purposes of evaluation, i.e. which rules are evaluated first and which rules are selected for any given network event. The augmented language is a superset of the basic specification language 108 and it is hereinafter referred to as the annotated specification language 109. In one embodiment the security administrator uses the annotated specification language 109 using a visual tool, such as a graphical policy editor to determine how the policy rules are interrelated, their hierarchical relationships and how they will be evaluated. This step is crucial to determining whether the specified policy correctly reflects the desired security policy and to identifying areas where the policy specification needs refinement. In the preferred embodiment the Policy Engine 101 uses the annotated language 109 to organize the policy, after having converted it to an internal representation in a manner best suited for the efficient evaluation of network events | ||||||