[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Modification to the stateless-packet-filter profile
All, Here is my attempt at the language binding in the stateless packet filter profile (located at
https://docs.google.com/document/d/1CvD4dhnGPsYVYrMoJTIjeQA9vN3i33eqwkhEGRWsBVA/edit# ) First I cooked up a matrix of the actions and targets.
Then I created a subsection for each cell that was populated. For example:
2.2.1.1 Allow ip-connection Implementation of the Allow ip-connection command is required. The command permits traffic that is consistent with the specified ip-connection. A valid allow ip-connection command has at least one property of
the ip-connection populated and may have any combination of the five properties populated. An unpopulated property within the the ip-connection target must be treated as an ‘all’.
NOTE TO SELF, ASK THE FIREWALL GUYS Table 2.1.1.1 summarizes the allow ip-command as refined by one or more options.
Then I did the same for the other targets for allow.
For deny, I admit I got kind of lazy, but there was so much repetition, it looked stupid, so I did this:
2.2.2 Deny Deny can be treated as mathematical complement to allow. With the exception of three additional options outlined in table 2.1.2, the targets, specifiers, modifiers and corresponding
responses are identical to the four allow commands.
Does this seem like a logical approach?
Thank oyu and please advise VR Joe Brule -----Original Message----- All, During yesterday's actuator profile SC meeting, another approach was suggested. The short version of the approach was kind of a nested loop:
For each OpenC2 action applicable to the firewall profile: For each OpenC2 target type applicable to that action: Describe what the action will do Describe the meaning of each applicable option/specifier Provide sample commands The basic idea was: Stating whether or not an action or target is mandatory, optional or even meaningful is not practical unless you have the action in the context of the specified target, so address each command holistically rather than work each component
of the command. That was really logical, and I attempted to implement the idea but to be quite blunt with you, I am NOT pleased with my effort. When you get a chance, take a look at https://docs.google.com/document/d/1CvD4dhnGPsYVYrMoJTIjeQA9vN3i33eqwkhEGRWsBVA/edit#heading=h.8mqj73xx8y2t
, especially look at section 2.2. Give me more than a 'it is bad' (I already know that). If you can send me a sample write up, do it in the googledoc, create your own googledoc, put it in an email or whatever. I just need some help on it.
Thank you VR Joe B |
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]