Presentation is loading. Please wait.

Presentation is loading. Please wait.

Ponder policy toolkit Jovana Balkoski, Rashid Mijumbi

Published byΚαλλιόπη Στεφανόπουλος Modified over 4 years ago

Similar presentations

Presentation on theme: "Ponder policy toolkit Jovana Balkoski, Rashid Mijumbi"— Presentation transcript:

1 Ponder policy toolkit Jovana Balkoski, Rashid Mijumbi
Communications Network Management Technologies

2 Introduction What are Policies? What does security policies define?
Policies are rules governing the choices in behaviour of a system. What does security policies define? Security policies define what actions are permitted or not permitted, for what or for whom, and under what conditions. What are management policies? Management policies define what actions need to be carried out when specific events occur within a system or what resources must be allocated under specific conditions.

3 Ponder language (1) Ponder is a declarative, object-oriented language that can be used to specify both security and management policies. vPonder has four basic policy types: Authorisation policies Obligation polocies Refrain policies Delegations and three composite policy types: roles relationships management structures

4 Ponder language (2) To define policies ponder use:
domains for hierarchically grouping managed objects events for triggering obligation policies constraints for controlling the enforcement of policies at runtime Domains provide a means of grouping objects to which policies apply and can be used to partition the objects in a large system according to geographical boundaries, object type, responsibility and authority or for the convenience of human managers. A domain, which is a member of another domain, is called a sub-domain of the parent domain. Domains can overlap. Objects can be added and removed from the domains without having to change the policies. 08/09/2019

5 Authorization policies
Authorization policies define what activities a member of the subject domain can perform on the set of objects in the target domain Access control policies Positive and negative authorization policy Example 1: Example 2 08/09/2019

6 Refrain, Obligation and delegation policies
Refrains define what actions a subject is not permitted to invoke Refrain policies define the actions that subjects must not perform on target objects even though they may actually be permitted Delegation policy permits subjects to grant privileges to grantees in order to perform an action on their behalf Obligation policies are event-triggered condition-action rules which define the activities subjects (human or automated manager components) must perform on objects in the target domain 08/09/2019

7 Ponder composite policies
Ponder composite policies provide the ability to group policies and structure them to reflect organizational structure, preserve the natural way system administrators operate or simply provide reusability of common definitions Facilitate policy management in large, complex enterprises 08/09/2019

8 Roles and relationships
Roles provide a semantic grouping of policies with a common subject, generally pertaining to a position within an organization. A relationship groups the policies defining the rights and duties of roles towards each other. 08/09/2019

9 Management structure Ponder supports the notion of management structures to define a configuration in terms of instances of roles, relationships and nested management structures relating to organizational units. Person can be assigned to multiple roles but rights from one role cannot be used to perform actions relating to another role. 08/09/2019

10 Ponder Toolkit Part of the Ponder development effort
Developed at the Imperial College in London Intended to support the users of the language. Open Source tool for the Specification and management of Ponder Policies. Composed of: Ponder Domain Browser Ponder Policy Editor Ponder Compiler Ponder is suitable for specification of policies. Even complex polices can be specified easily. The ponder rules and policies have to be mapped to the concrete target devices. There exists an approach, in which ponder policies are mapped to the CIM Model. In policy-maker, administrator doesn’t have to learn a new language. They can do directly in CIM. The Common Information Model (CIM) is an open standard that defines how managed elements in an IT environment are represented as a common set of objects and relationships between them. This is intended to allow consistent management of these managed elements, independent of their manufacturer or provider. Many policy- based systems designed to date focus on large-scale networks and distributed systems. Consequently, they are often fragmented, dependent on infrastructure and lacking flexibility and extensibility. This demonstration presents Ponder2, a self-contained, stand-alone policy environment that is suitable for a wide range of applications in environments ranging from single devices, to personal area networks, ad-hoc networks and distributed systems. Ponder2 environments can be federated giving a consistent view of the name spaces within the environments and the ability to propagate events in a transparent manner. LDAP stands for Lightweight Directory Access Protocol. It is a lightweight protocol for accessing X.500- based directory services. 08/09/2019

11 Domain Browser Graphical User Interface
Objects can represent users, roles, network components or manager agents. Used to group or select Objects for Policy application Allows for creation of a domain structure Domains provide a means of grouping objects to which policies apply and can be used to partition the objects in a large system according to geographical boundaries, object type, responsibility and authority or for the convenience of human managers. The PONDER domain browser provides a common user interface for all aspects of an integrated management environment. It can be used to group or select objects for applying policy, to monitor them or to perform management operations, although the current implementation only supports policy management. The domain browser gives the user a graphical mapping of the network In this tree-like representation, we can see the domains to which the policies apply, we see the domains where the policies are stored, and we can retrieve information about all the entries. A domain structure is created using the domain browser. Administrators can use the domain browser to manage the domain structure, group objects into domains to apply a common policy, modify or create new objects. Objects can represent users, roles, network components or manager agents. 08/09/2019

12 Policy Editor Provides an easy to use development environment for specifying, reviewing and modifying policies Templates can be used to create policies easily The domain browser can be invoked to select the subject and target domains for policies. The policy editor tool is integrated with both the domain browser and the PONDER compiler Existing policies and policy types can be selected from the directory with the aid of the domain browser, loaded into the editor, modified, recompiled and stored back to the directory. Code generators added to the compiler framework, are accessible and can be enabled from within the editor to select the type of code to be generated 08/09/2019

13 Compiler Framework The compiler maps policies to low-level representations suitable for the underlying system. The Compiler Settings menu item in the menu can be used to select the various options for the Compiler If there are errors during the compilation, you can double-click on the line of the error, and you will be pointed to the line of the error. You can syntactically analyse or compile the current specification using the buttons on the toolbar or the menu options under the Build Menu. The screenshot shows a successful compilation. Build messages are output to the build-tab. It consists of a Syntax Analyser, and the default Java Code Generator for Obligation and Refrain Policies. 08/09/2019

14 Ponder Management Module
The main console of the management toolkit, includes all the tools available, and allows a user to manage them (start/stop) from a central location It may Include       - Domain browser       - Configuration manager       - Policy editor       - Ponder Compiler The Configuration manager allows the specification of the various parameters which can then be shared by all the tools in the system. A tool can be added by implementing a specific interface.  The screenshot shows the main console of the Ponder toolkit. There are 5 tools open. The first three are Policy Editor windows. The selected tool is the Configuration Manager. Selecting a tool gives focus to that tool. All policies stored in LDAP could be called through the management console 3.3 using the domain browser. Once they are loaded in the Policy Objects View, the policies can be ”Load”, ”Enable”, ”Disable”, ”Unload” and stopped, and in this overview we can read the complete informations about the policy, where it is stored, what its name is, what kind of a policy it is, what the subject and target are, what the event is which triggered the policy and so on. 08/09/2019

Download ppt "Ponder policy toolkit Jovana Balkoski, Rashid Mijumbi"

Similar presentations

An Adaptive Policy-Based Framework for Network Service Management Leonidas Lymberopoulos Emil Lupu Morris Sloman Department of Computing Imperial College.

An Adaptive Policy-Based Framework for Network Service Management Leonidas Lymberopoulos Emil Lupu Morris Sloman Department of Computing Imperial College.
0 UMN 2011 ERP Terapan SAP BASIS General Concept Session # 3.

0 UMN 2011 ERP Terapan SAP BASIS General Concept Session # 3.
Database Systems: Design, Implementation, and Management Tenth Edition

Database Systems: Design, Implementation, and Management Tenth Edition
MP IP Strategy 2005-06-22 Stateye-GUI Provided by Edotronik Munich, May 05, 2006.

MP IP Strategy Stateye-GUI Provided by Edotronik Munich, May 05, 2006.
Lesson 17: Configuring Security Policies

Lesson 17: Configuring Security Policies
Identity Management Based on P3P Authors: Oliver Berthold and Marit Kohntopp P3P = Platform for Privacy Preferences Project.

Identity Management Based on P3P Authors: Oliver Berthold and Marit Kohntopp P3P = Platform for Privacy Preferences Project.
Visual Web Information Extraction With Lixto Robert Baumgartner Sergio Flesca Georg Gottlob.

Visual Web Information Extraction With Lixto Robert Baumgartner Sergio Flesca Georg Gottlob.
Introduction to Active Directory

Introduction to Active Directory
3.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 3: Introducing Active Directory.

3.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 3: Introducing Active Directory.
Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.

Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.
Administering Active Directory

Administering Active Directory
Hands-On Microsoft Windows Server 2003 Administration Chapter 3 Administering Active Directory.

Hands-On Microsoft Windows Server 2003 Administration Chapter 3 Administering Active Directory.
7.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 7: Introducing Group Accounts.

7.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 7: Introducing Group Accounts.
Chapter 8: Network Operating Systems and Windows Server 2003-Based Networking Network+ Guide to Networks Third Edition.

Chapter 8: Network Operating Systems and Windows Server 2003-Based Networking Network+ Guide to Networks Third Edition.
3.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 3: Introducing Active Directory.

3.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 3: Introducing Active Directory.
Database Management Systems (DBMS)

Database Management Systems (DBMS)
Understanding Active Directory

Understanding Active Directory
A centralized system.  Active Directory is Microsoft's trademarked directory service, an integral part of the Windows architecture. Like other directory.

A centralized system.  Active Directory is Microsoft's trademarked directory service, an integral part of the Windows architecture. Like other directory.
Hands-On Microsoft Windows Server 2008

Hands-On Microsoft Windows Server 2008
Hands-On Microsoft Windows Server 2008

Hands-On Microsoft Windows Server 2008

Similar presentations

Ads by Google