[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: XACML ipAddress-regexp-match and how to author a policy with dynamic
Hi. The mailing list isn't easy to search, so I thought I would pose my question while commanding the list to e-mail me the last 150 posts.

I was trying to put together an XACML 2.0 policy set that captured 2 policies, which, when combined, allowed for both a sort of global allow and selective deny. Essentially a firewall access policy where hosts which have been identified as a threat would be denied access to the target resource (say a web server). The PIP information supplying the list of threat IP addresses could be stored in a database.

My main query that I can't gather from the literature I've read so far is how all attributes of a Subject, Action or Resource are identified. (I'm sure it's an easy answer; I'll be happy with anything really.) For example, an external system identifies a point of information which the policy would use to help determine if a deny rule should be applied. In this case, how is the policy authored to reference attributes of said piece of information? For example, a SIM event (we'll just go with this for now) which contains the threatening host IP and requested resource (say a protected portion of the corporate web site). How do I identify the PIP information in a URN?

I was assuming that when the PDP gathers information from the PIP (and from the PEP's access request message?) the Subject, Action and Resource will have things like subject-id's ipAddress attribute already populated, because the Subject in question has an IP. Maybe I'm just not there yet. So I'll leave my query here. If anyone has a bit of practical advice to enlighten me, it would be very beneficial. Thanks!

Sample policy with a hole (note the ...???) where the external PIP information on threat host IPs would be referenced:

<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
        PolicyId="urn:oasis:names:tc:policy:AttackerThreat"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
  <Description>This policy is intended to deny attacking hosts for corporate web servers.</Description>
  <Target/>
  <Rule RuleId="urn:oasis:names:tc:policy:ThreatRule:1" Effect="Deny">
    <Description>All identified host threats shall not be permitted access.</Description>
    <Target>
      <Subjects>
        <Subject>
          <!-- ipAddress-regexp-match takes the regexp (string) first and the ipAddress second -->
          <SubjectMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:ipAddress-regexp-match">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">...???</AttributeValue>
            <SubjectAttributeDesignator
                AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                DataType="urn:oasis:names:tc:xacml:2.0:data-type:ipAddress"/>
          </SubjectMatch>
        </Subject>
      </Subjects>
      <!-- No <Actions> element: the rule applies to any action -->
      <Resources>
        <Resource>
          <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:ipAddress-regexp-match">
            <!-- 10.10.0.0/16 hosts on port 80 or 443. All four octets are needed for a
                 dotted quad to match, single-digit octets need the trailing [0-9] to be
                 optional, the port alternatives need a group rather than a character
                 class, and ":" is not escaped in XML Schema regular expressions -->
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">^10\.10\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?):(80|443)$</AttributeValue>
            <ResourceAttributeDesignator
                AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                DataType="urn:oasis:names:tc:xacml:2.0:data-type:ipAddress"/>
          </ResourceMatch>
        </Resource>
      </Resources>
    </Target>
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
          <SubjectAttributeDesignator AttributeId="protocol"
              DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </Apply>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">tcp</AttributeValue>
      </Apply>
    </Condition>
  </Rule>
</Policy>

Chris McKenzie
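The structure the post describes, a global Permit policy plus a Deny policy for threat hosts combined under deny-overrides, as an added toy evaluator that is not part of the post and not the code of any XACML product. It shows the two places the question is really about: the ipAddress-regexp-match on the Rule's Target, and a Subject attribute that the PEP's request never carries but which the context handler resolves from the PIP on first use. The attribute id `urn:example:pip:subject:is-threat`, the PIP callback signature, the in-memory `THREAT_DB`, and the simplified ipAddress string form (no mask, no port range) are all assumptions made for the example; the subject-id and resource-id URNs and the function names are the standard XACML ones used in the post.

```python
"""Toy XACML 2.0-style evaluator (added example, not from the post or any
XACML product): a global Permit policy plus a Deny policy for threat hosts,
combined with deny-overrides.  Hypothetical: THREAT_ATTR, the PIP callback
signature, THREAT_DB, and the simplified ipAddress lexical form."""
import re
from typing import Callable, Dict, List, Optional

Attrs = Dict[str, List[str]]

SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
# Hypothetical attribute id: never sent by the PEP, always resolved via the PIP.
THREAT_ATTR = "urn:example:pip:subject:is-threat"

# Constructed threat list standing in for the poster's database of threat IPs.
THREAT_DB = {"198.51.100.7", "203.0.113.200"}

# Resource-id values the Deny rule targets: 10.10.0.0/16 web servers on 80 or 443.
WEB_SERVER_RE = (r"^10\.10\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
                 r"\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?):(80|443)$")

# Simplified ipAddress lexical form: dotted quad with an optional ":port".
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}(:\d{1,5})?$")


def ip_regexp_match(pattern: str, ip: str) -> bool:
    """urn:oasis:names:tc:xacml:2.0:function:ipAddress-regexp-match: first
    argument is the regexp string, second the ipAddress, matched on its
    string form.  A non-ipAddress value is a type error, not a non-match."""
    if not IPV4_RE.match(ip):
        raise ValueError(f"not an ipAddress value: {ip!r}")
    return re.search(pattern, ip) is not None


def host_only(ip: str) -> str:
    """Drop the optional :port so the threat list can be keyed on the host."""
    return ip.split(":", 1)[0]


class ContextHandler:
    """Attributes come from the PEP's request; an attribute the request does
    not carry is resolved by asking the PIP, and the answer is cached so every
    designator in the policy sees the same value."""

    def __init__(self, request: Attrs,
                 pip: Callable[[str, Attrs], Optional[List[str]]]):
        self.request: Attrs = {k: list(v) for k, v in request.items()}
        self.pip = pip

    def designator(self, attr_id: str) -> List[str]:
        if attr_id not in self.request:
            found = self.pip(attr_id, self.request)
            self.request[attr_id] = found if found is not None else []
        return self.request[attr_id]


def threat_pip(attr_id: str, request: Attrs) -> Optional[List[str]]:
    """Hypothetical PIP: answers only THREAT_ATTR, keyed on the subject's IP."""
    if attr_id != THREAT_ATTR:
        return None
    return ["true" if host_only(ip) in THREAT_DB else "false"
            for ip in request.get(SUBJECT_ID, [])]


def global_permit_policy(ctx: ContextHandler) -> str:
    """The 'sort of global allow': empty target, single Permit rule."""
    return "Permit"


def threat_policy(ctx: ContextHandler) -> str:
    """Deny rule: Target = resource-id matches WEB_SERVER_RE via
    ipAddress-regexp-match; Condition = string-equal(
    string-one-and-only(THREAT_ATTR), "true")."""
    if not any(ip_regexp_match(WEB_SERVER_RE, r)
               for r in ctx.designator(RESOURCE_ID)):
        return "NotApplicable"          # target misses: the PIP is never queried
    flags = ctx.designator(THREAT_ATTR)  # resolved from the PIP on first use
    if len(flags) != 1:
        return "Indeterminate"          # string-one-and-only on an empty/multi bag
    return "Deny" if flags[0] == "true" else "NotApplicable"


def deny_overrides(decisions: List[str]) -> str:
    """XACML 2.0 policy-combining deny-overrides: any Deny wins, and an
    Indeterminate also yields Deny (fail closed, e.g. when the PIP cannot
    resolve the subject); otherwise Permit if any policy permitted."""
    if "Deny" in decisions or "Indeterminate" in decisions:
        return "Deny"
    return "Permit" if "Permit" in decisions else "NotApplicable"


def decide(request: Attrs) -> str:
    ctx = ContextHandler(request, threat_pip)
    return deny_overrides([p(ctx) for p in (global_permit_policy, threat_policy)])


if __name__ == "__main__":
    for req in ({SUBJECT_ID: ["198.51.100.7"], RESOURCE_ID: ["10.10.1.5:443"]},
                {SUBJECT_ID: ["192.0.2.10"], RESOURCE_ID: ["10.10.1.5:443"]},
                {SUBJECT_ID: ["198.51.100.7"], RESOURCE_ID: ["10.20.1.5:443"]},
                {RESOURCE_ID: ["10.10.1.5:80"]}):
        print(req, "->", decide(req))
```

Two design points worth noticing: the PIP is only consulted once the Rule's Target has matched, so the threat database is not hit for every request, and a request that reaches the Condition without a usable subject IP ends as Indeterminate, which deny-overrides turns into Deny rather than letting the global Permit through.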