openc2-actuator message
Subject: SLPF; Arguments to support the DELETE action


All,

A scenario was identified where it would be desirable to simply delete an entry in the rule set (rather than issue an allow to counteract a previously issued deny).

In order to make this work we will need to know the identifier of the rule in question (or 'rule-number').

PROPOSAL ONE: When the orchestrator issues the deny it explicitly assigns a rule-number (captured in the 'rule-number' argument). In this case, the orchestrator has finer control over where the rule is placed (relative to other rules) but is required to maintain knowledge of all the rule numbers for all the firewalls. (Take a look at the bullets at the end of section 2.3.2 for a more detailed description of the rule-number option.)

PROPOSAL TWO: When the orchestrator issues a deny, the actuator responds with the rule-number that was assigned. The orchestrator has the option of instructing the firewall to place the new rule at the beginning or end of the rule set. In this case, the orchestrator is simply logging information about the rule numbers it receives (rather than maintaining the state of all the firewalls) but it loses fine control over the order in which the rules within the firewall are evaluated. (Take a look at the bullets at the end of section 2.3.1 for a more detailed description of the prepend option.)

Question: Do we go with proposal one, two or both?

THE FOLLOWING IS MY OPINION ONLY: I think we should go with proposal two. My logic, or lack thereof: OpenC2 has been focusing on the response or acting portion of cyber defense. I am NOT stating that analytics, configuration management, maintaining state of awareness of the network etc. are not important, but I believe that burdening the orchestrator with the need to reconcile, deconflict and maintain the ruleset for all of the firewalls is onerous and not compatible with the notion of distributed systems. Proposal two enables us to implement the 'delete rule number' command and avoids some of the complexity, scalability and scope creep concerns. AGAIN, THAT WAS MY OPINION ONLY.

VR

Joe Brule 
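The proposal-two exchange described in the message above, modelled as an added example that is not part of this message or of the OpenC2 SLPF specification: the actuator assigns and returns the rule-number, the orchestrator only logs it, and a later delete refers to that number. The message shapes, the 'placement' argument name, the string-valued targets and the sample firewall name are assumptions chosen for illustration.

```python
from itertools import count


class Actuator:
    """Firewall actuator (proposal two): it assigns the rule-number and reports it."""

    def __init__(self, name):
        self.name = name
        self.rules = []        # evaluation order: list of (rule_number, action, target)
        self._next = count(1)  # assumption: identifiers are stable once issued

    def handle(self, cmd):
        if cmd["action"] == "deny":
            rule_number = next(self._next)
            entry = (rule_number, "deny", cmd["target"])
            # 'placement' is a constructed stand-in for the prepend/append option
            if cmd.get("args", {}).get("placement", "append") == "prepend":
                self.rules.insert(0, entry)
            else:
                self.rules.append(entry)
            return {"status": 200, "results": {"rule-number": rule_number}}
        if cmd["action"] == "delete":
            wanted = cmd["target"]["rule-number"]
            kept = [r for r in self.rules if r[0] != wanted]
            if len(kept) == len(self.rules):
                return {"status": 404, "status_text": "no such rule-number"}
            self.rules = kept
            return {"status": 200}
        return {"status": 400, "status_text": "unsupported action"}


class Orchestrator:
    """Orchestrator that logs the rule-numbers it receives instead of owning the rule set."""

    def __init__(self):
        self.log = {}  # (firewall name, target) -> rule-number reported by that firewall

    def deny(self, fw, target, placement="append"):
        resp = fw.handle({"action": "deny", "target": target,
                          "args": {"placement": placement}})
        if resp["status"] == 200:
            self.log[(fw.name, target)] = resp["results"]["rule-number"]
        return resp

    def undo_deny(self, fw, target):
        rule_number = self.log.pop((fw.name, target), None)
        if rule_number is None:
            return {"status": 404, "status_text": "no rule-number on record"}
        return fw.handle({"action": "delete", "target": {"rule-number": rule_number}})


def demo():
    fw = Actuator("fw-edge-1")  # constructed sample firewall
    orch = Orchestrator()
    orch.deny(fw, "10.0.0.0/8", placement="append")
    orch.deny(fw, "192.0.2.7", placement="prepend")  # constructed TEST-NET-1 address
    order_before = [r[0] for r in fw.rules]          # prepended rule is evaluated first
    resp = orch.undo_deny(fw, "10.0.0.0/8")          # delete by logged rule-number
    return order_before, resp["status"], [r[0] for r in fw.rules], orch.log
```

Running `demo()` shows the two orders of evaluation the message contrasts: the orchestrator never tracks the rule set itself, only the numbers each firewall handed back.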
