Rule-Based Systems Security Model *
Michael Smirnov
Fraunhofer FOKUS
Kaiserin-Augusta-Allee, 31
Berlin 10589, Germany
smirnow@fokus.fraunhofer.de
Tel. +49 30 3463 7113
Fax.: +49 30 3463 8000
Abstract. Rule-based systems in networking control access to various resources and are usually statically configured. Dynamic service creation and preparedness for the unexpected require the ability to update rules at run-time without loss of performance. This is possible with our event-oriented programmable model, in which the rule designer does not need to care about obsolete rules: conflicts between new rules and installed rules are resolved automatically. Synchronisation between the rule designer and the current state of installed rules is based on the self-organisation property of the FGK algorithm, which can be used without any modifications.
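The abstract relies on two properties of the FGK (Faller-Gallager-Knuth) adaptive Huffman algorithm: the tree re-organises itself as weights change, so nothing becomes stale and nothing has to be rebuilt by hand, and two parties that apply the same update stream keep identical trees without ever exchanging the tree itself. The following is an added example, not code from the paper or the SOPHIE project; how rules are mapped onto the tree is not described on this page, so the example shows only the algorithm itself (symbols stand in for events, with constructed input strings and an assumed 8-bit literal for first occurrences).

```python
# Added example (not from the paper): a minimal FGK adaptive Huffman tree.
# Assumptions: symbols are single 8-bit characters; a first occurrence is
# sent as the NYT escape code followed by the 8-bit character.

class Node:
    """One tree node; `order` is its index in the implicit numbering."""
    def __init__(self, symbol=None, parent=None):
        self.weight, self.symbol, self.parent = 0, symbol, parent
        self.left = self.right = None
        self.order = 0


class FGKTree:
    def __init__(self):
        self.root = Node()        # the tree starts as a lone NYT leaf
        self.nyt = self.root      # "not yet transmitted" escape leaf
        self.leaves = {}          # symbol -> leaf
        self.nodes = [self.root]  # index == order; siblings at (2k, 2k+1); root last

    def _block_leader(self, node):
        # Highest-numbered node of the same weight; the list is kept
        # non-decreasing in weight, so a linear scan upward suffices.
        i = node.order
        while i + 1 < len(self.nodes) and self.nodes[i + 1].weight == node.weight:
            i += 1
        return self.nodes[i]

    def _swap(self, a, b):
        # Exchange two nodes (with their subtrees) in the numbering and in
        # their parents' child slots; siblings are a special case.
        self.nodes[a.order], self.nodes[b.order] = b, a
        a.order, b.order = b.order, a.order
        pa, pb = a.parent, b.parent
        if pa is pb:
            pa.left, pa.right = pa.right, pa.left
        else:
            if pa.left is a: pa.left = b
            else: pa.right = b
            if pb.left is b: pb.left = a
            else: pb.right = a
            a.parent, b.parent = pb, pa

    def update(self, symbol):
        """Account for one more occurrence of `symbol`, re-organising as needed."""
        if symbol in self.leaves:
            node = self.leaves[symbol]
        else:
            # Split the NYT leaf into an internal node with a fresh NYT leaf
            # and the new symbol's leaf; both take the two lowest numbers.
            old_nyt = self.nyt
            self.nyt = Node(parent=old_nyt)
            node = Node(symbol=symbol, parent=old_nyt)
            old_nyt.left, old_nyt.right = self.nyt, node
            self.nodes[0:0] = [self.nyt, node]
            for i, n in enumerate(self.nodes):
                n.order = i
            self.leaves[symbol] = node
        # Walk to the root: swap with the block leader unless the leader is
        # the node itself or its parent, then increment the weight.
        while node is not None:
            leader = self._block_leader(node)
            if leader is not node and leader is not node.parent:
                self._swap(node, leader)
            node.weight += 1
            node = node.parent

    def code(self, symbol):
        """Bit string for `symbol`, or for the NYT escape when symbol is None."""
        node = self.leaves.get(symbol, self.nyt)
        bits = []
        while node.parent is not None:
            bits.append("0" if node.parent.left is node else "1")
            node = node.parent
        return "".join(reversed(bits))

    def sibling_property_holds(self):
        """Invariant FGK maintains: weights non-decreasing, siblings adjacent."""
        ws = [n.weight for n in self.nodes]
        ordered = all(ws[i] <= ws[i + 1] for i in range(len(ws) - 1))
        paired = all(self.nodes[i].parent is self.nodes[i + 1].parent
                     for i in range(0, len(self.nodes) - 1, 2))
        return ordered and paired and self.nodes[-1] is self.root


def encode(stream):
    """Sender: emit the current code, then update the tree."""
    tree, out = FGKTree(), []
    for s in stream:
        if s in tree.leaves:
            out.append(tree.code(s))
        else:
            out.append(tree.code(None) + format(ord(s), "08b"))
        tree.update(s)
    return "".join(out)


def decode(bits):
    """Receiver: the same updates rebuild the sender's tree step by step."""
    tree, out, i = FGKTree(), [], 0
    while i < len(bits):
        node = tree.root
        while node.left is not None:  # descend to a leaf
            node = node.left if bits[i] == "0" else node.right
            i += 1
        if node is tree.nyt:
            s = chr(int(bits[i:i + 8], 2)); i += 8
        else:
            s = node.symbol
        out.append(s)
        tree.update(s)
    return "".join(out)


if __name__ == "__main__":
    t = FGKTree()
    for s in "abbb":          # constructed input: "b" overtakes "a"
        t.update(s)
    print(t.code("a"), t.code("b"), t.sibling_property_holds())
    print(decode(encode("self-organised rules")) == "self-organised rules")
```

Feeding "abbb" shows the self-organisation: after "ab" the leaf for "a" has the one-bit code and "b" the two-bit code; the third "b" triggers a swap with the block leader and the codes exchange places, with the sibling property intact throughout. The encoder and decoder never transmit the tree; because both apply the identical, deterministic `update` after each symbol, their trees stay synchronised, which is the property the abstract invokes for keeping the rule designer and the installed rule set in step.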
1 Introduction
Rule-based systems security is getting a high level of attention nowadays. The report from the NSF workshop "Responding to the Unexpected" summarises this need by stating the following networking research priority: "Rule-based Systems Security: Designing security policies and a framework for policy management that will allow necessary access to systems and data in previously unplanned ways, and by persons and systems not normally permitted to do so, is a big need" [1].
Rule-based systems essentially perform filtering and play an ever-increasing role in many existing and emerging networking mechanisms: firewalls protect network domains from unwanted traffic; differentiated services classifiers select flows that need to receive contracted treatment, while shapers help to enforce this treatment; Internet autonomous systems, or domains, regulate traffic exchanges between them by enforcing transit policies; last but not least, security policy systems as such are rule-based. All of these have at least three aspects in common:
1. A rule grants (or denies) access to certain functionality, while the rule itself is not functionality;
2. Rules help network functionality to be performed correctly, where correctness is defined externally (e.g. which traffic is allowed, which packet flows are supported by service level agreements, what the business agreements between domain providers are, etc.);
* Research outlined in this paper is partially funded by project SOPHIE — Self Organised
Policy Handling in Internet Environment