6 Self-organising Security Policy Handling
6.1 Conflict Resolution
Requirements. Rule-based systems are intended to provide secure access to
functionality. Frequent updates of rules are not traditionally considered a
requirement; however, [1] points out that they are an important component of a
system's preparedness for the unexpected. To meet this new requirement, new
mechanisms of rule base self-organisation are proposed in this section.
The following are important requirements for these new mechanisms:
1. Injection of new rules must be possible at run-time without suspending the
operation of the rule-base system, because many systems provide access to
critical mission functionality;
2. The rule base should self-organise, meaning that there should be no need to
remove obsolete rules; conflicts between new rules and old rules have to be
detected and resolved automatically;
3. The rule base should be self-optimising, meaning that after injection of new
rules the system should continue to operate efficiently, because access
decisions in many systems should be made at wire speed.
The first step towards handling large rule bases efficiently is to keep one rule
in the rule base for a range of SIDs (e.g. for a range of IP addresses), which
is natural for networking.
Identities in Rules. For any rule type, a particular SID (or a SID range) may be
contained in the rule conditions or in the rule action (Table 2).
Table 2.
Rule type | SID semantics in Condition (C_SID) | SID semantics in Action (A_SID)
----------+------------------------------------+---------------------------------
EA        | Event is produced by SID           | Admit event if originated by SID
BA        | Action is requested by SID         | Allow invocation for SID
BO        | Obligation triggered by SID        | Send action request from SID
BN        | Action performed on SID's request  | SID is to be notified on Action
We assume that all SIDs can be mapped to a linear range of IP addresses having a
common prefix of variable length; this range is a contiguous set of 32-bit or
128-bit IP addresses. The range of all possible and legal SID values is denoted
rg(R_0).
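The sketch below is an added example, not code from the original text: it maps SID prefixes to contiguous ranges and detects conflicts when a rule is injected at run-time. The class and function names, the allow/deny decisions and the resolution policy (the longest matching prefix wins, and a re-injected prefix replaces the old rule) are assumptions made for illustration.

```python
import ipaddress

def sid_range(prefix):
    """Map a SID prefix to its contiguous integer range (first, last)."""
    net = ipaddress.ip_network(prefix)
    return int(net.network_address), int(net.broadcast_address)

class RuleBase:
    """One rule per SID range; rule types EA, BA, BO, BN as in Table 2."""

    def __init__(self):
        self.rules = {}  # (rule type, network) -> decision

    def conflicts(self, rtype, prefix, decision):
        """Same-type rules whose range overlaps the new one but decide differently."""
        new = ipaddress.ip_network(prefix)
        # Prefix ranges are either disjoint or nested, so overlap means containment.
        return [(str(old), d) for (t, old), d in self.rules.items()
                if t == rtype and d != decision and new.overlaps(old)]

    def inject(self, rtype, prefix, decision):
        """Add or replace a rule at run-time; return the conflicts it raised."""
        found = self.conflicts(rtype, prefix, decision)
        self.rules[(rtype, ipaddress.ip_network(prefix))] = decision
        return found

    def decide(self, rtype, sid, default="deny"):
        """Assumed resolution policy: the longest matching prefix wins."""
        addr = ipaddress.ip_address(sid)
        matches = [(net.prefixlen, d) for (t, net), d in self.rules.items()
                   if t == rtype and addr in net]
        return max(matches)[1] if matches else default

if __name__ == "__main__":
    rb = RuleBase()  # constructed sample rules, not taken from the text
    rb.inject("BA", "10.0.0.0/8", "allow")
    print(rb.inject("BA", "10.1.0.0/16", "deny"))  # conflict with the /8 rule
    print(rb.decide("BA", "10.1.2.3"), rb.decide("BA", "10.2.0.1"))
```

The linear scans keep the example short; they do not address the wire-speed requirement.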
Example. To understand the various semantic options of SIDs, consider a session
initiation message arriving at a signalling proxy from user Alice (an EA rule is
triggered and C_SID is Alice); the message will be admitted if Alice is a legal²
user (A_SID is Alice's address). Let the message be an invitation for a session
with user Bob (a BA rule is triggered, the action is invitation forwarding and
C_SID is Alice's address). If Alice is authorised to call Bob then the
invitation is forwarded (A_SID is Bob). Let us also imagine that Alice wanted
all her talks with Bob to be recorded; for that purpose Alice installed at the
signalling proxy a call processing rule that must invite a voice recording

² We assume that the signalling proxy may have certain filtering for disallowed
or non-existent (Martian) addresses.