Ponder policy toolkit Jovana Balkoski, Rashid Mijumbi Communications Network Management Technologies
Introduction
What are policies? Policies are rules governing the choices in behaviour of a system.
What do security policies define? Security policies define what actions are permitted or not permitted, for what or for whom, and under what conditions.
What are management policies? Management policies define what actions need to be carried out when specific events occur within a system, or what resources must be allocated under specific conditions.
Ponder language (1)
Ponder is a declarative, object-oriented language that can be used to specify both security and management policies. Ponder has four basic policy types: authorisation policies, obligation policies, refrain policies and delegations. It also has three composite policy types: roles, relationships and management structures.
Ponder language (2)
To define policies, Ponder uses domains for hierarchically grouping managed objects, events for triggering obligation policies, and constraints for controlling the enforcement of policies at runtime.
Domains provide a means of grouping objects to which policies apply and can be used to partition the objects in a large system according to geographical boundaries, object type, responsibility and authority, or for the convenience of human managers. A domain that is a member of another domain is called a sub-domain of the parent domain. Domains can overlap. Objects can be added to and removed from domains without having to change the policies. 08/09/2019
Authorization policies
Authorization policies define what activities a member of the subject domain can perform on the set of objects in the target domain. They are access control policies, and can be either positive or negative authorization policies.
[Example 1 and Example 2 were shown as figures on the slide and are not reproduced here.]
Refrain, obligation and delegation policies
Refrain policies define what actions a subject is not permitted to invoke: the actions that subjects must not perform on target objects, even though they may actually be permitted to perform them.
Delegation policies permit subjects to grant privileges to grantees in order to perform an action on their behalf.
Obligation policies are event-triggered condition-action rules which define the activities that subjects (human or automated manager components) must perform on objects in the target domain.
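The following added example illustrates the four basic policy types from this slide and the authorization policies of the previous one in Ponder syntax; it is not taken from the slides, and the domain paths (such as /NetworkAdmins and /Nregion/switches), type names and action names are assumed for illustration.

```ponder
// Positive authorization: network administrators may manage policies on the switches domain
inst auth+ switchPolicyOps {
    subject /NetworkAdmins;
    target <PolicyT> /Nregion/switches;
    action load(), remove(), enable(), disable();
}

// Negative authorization: trainee test engineers may not run performance tests on routers
inst auth- testRouters {
    subject /testEngineers/trainee;
    target <routerT> /routers;
    action performance_test();
}

// Refrain: test engineers must not disclose results while a test sequence is in progress,
// even if an authorization policy would otherwise permit the action
inst refrain testingRes {
    subject s = /testEngineers;
    target /analysts + /developers;       // '+' is domain union
    action discloseTestResults();
    when s.testing_sequence = "in-progress";
}

// Obligation: after three login failures for a user, disable that user and log the event
inst oblig loginFailure {
    on 3*loginfail(userid);               // composite event: three occurrences
    subject s = /Nregion/SecAdmin;
    target <userT> t = /Nregion/users ^ {userid};   // '^' is domain intersection
    do t.disable() -> s.log(userid);      // '->' sequences the actions
}

// Delegation: subjects of switchPolicyOps may pass a subset of its rights to trainees,
// valid only during working hours
inst deleg+ (switchPolicyOps) delegSwitchOps {
    grantee /NetworkAdmins/Trainees;
    action enable(), disable();
    valid time.between("0900", "1700");
}
```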
Ponder composite policies
Ponder composite policies provide the ability to group policies and structure them to reflect organizational structure, preserve the natural way system administrators operate, or simply provide reusability of common definitions. They facilitate policy management in large, complex enterprises.
Roles and relationships
Roles provide a semantic grouping of policies with a common subject, generally pertaining to a position within an organization. A relationship groups the policies defining the rights and duties of roles towards each other.
Management structures
Ponder supports the notion of management structures to define a configuration in terms of instances of roles, relationships and nested management structures relating to organizational units. A person can be assigned to multiple roles, but rights from one role cannot be used to perform actions relating to another role.
Ponder Toolkit
The toolkit is part of the Ponder development effort, developed at Imperial College London, and is intended to support users of the language. It is an open source tool for the specification and management of Ponder policies, composed of the Ponder Domain Browser, the Ponder Policy Editor and the Ponder Compiler.
Ponder is suitable for the specification of policies; even complex policies can be specified easily. The Ponder rules and policies then have to be mapped to the concrete target devices. There is an approach in which Ponder policies are mapped to the CIM model. In policy-maker, the administrator does not have to learn a new language; the policies can be written directly in CIM.
The Common Information Model (CIM) is an open standard that defines how managed elements in an IT environment are represented as a common set of objects and the relationships between them. This is intended to allow consistent management of these managed elements, independent of their manufacturer or provider.
Many policy-based systems designed to date focus on large-scale networks and distributed systems. Consequently, they are often fragmented, dependent on infrastructure, and lacking flexibility and extensibility. This demonstration presents Ponder2, a self-contained, stand-alone policy environment that is suitable for a wide range of applications in environments ranging from single devices to personal area networks, ad-hoc networks and distributed systems. Ponder2 environments can be federated, giving a consistent view of the name spaces within the environments and the ability to propagate events in a transparent manner.
LDAP stands for Lightweight Directory Access Protocol. It is a lightweight protocol for accessing X.500-based directory services.
Domain Browser
A graphical user interface in which objects can represent users, roles, network components or manager agents. It is used to group or select objects for policy application and allows for the creation of a domain structure.
The Ponder domain browser provides a common user interface for all aspects of an integrated management environment. It can be used to group or select objects for applying policy, to monitor them, or to perform management operations, although the current implementation only supports policy management. The domain browser gives the user a graphical mapping of the network. In this tree-like representation, we can see the domains to which the policies apply and the domains where the policies are stored, and we can retrieve information about all the entries. A domain structure is created using the domain browser: administrators can use it to manage the domain structure, group objects into domains to apply a common policy, and modify or create new objects.
Policy Editor
The policy editor provides an easy to use development environment for specifying, reviewing and modifying policies. Templates can be used to create policies easily, and the domain browser can be invoked to select the subject and target domains for policies.
The policy editor tool is integrated with both the domain browser and the Ponder compiler. Existing policies and policy types can be selected from the directory with the aid of the domain browser, loaded into the editor, modified, recompiled and stored back to the directory. Code generators added to the compiler framework are accessible and can be enabled from within the editor to select the type of code to be generated.
Compiler Framework
The compiler maps policies to low-level representations suitable for the underlying system. It consists of a syntax analyser and the default Java code generator for obligation and refrain policies.
The Compiler Settings menu item can be used to select the various options for the compiler. You can syntactically analyse or compile the current specification using the buttons on the toolbar or the menu options under the Build menu. Build messages are output to the build tab; if there are errors during compilation, double-clicking on an error message takes you to the line of the error. The screenshot shows a successful compilation.
Ponder Management Module
The main console of the management toolkit includes all the available tools and allows a user to manage them (start/stop) from a central location. It may include the domain browser, the configuration manager, the policy editor and the Ponder compiler. The configuration manager allows the specification of the various parameters, which can then be shared by all the tools in the system. A tool can be added by implementing a specific interface.
The screenshot shows the main console of the Ponder toolkit. There are five tools open; the first three are Policy Editor windows, and the selected tool is the Configuration Manager. Selecting a tool gives focus to that tool.
All policies stored in LDAP can be called up through the management console using the domain browser. Once they are loaded in the Policy Objects view, the policies can be "Load"ed, "Enable"d, "Disable"d, "Unload"ed and stopped, and in this overview we can read the complete information about the policy: where it is stored, what its name is, what kind of policy it is, what the subject and target are, what the event is that triggers the policy, and so on.