

Subject: RE: XACML ipAddress-regexp-match and how to author a policy with dynamic


I've made some progress, so please let me refine my question.

I can't determine how a policy might reference a source of PIP
information in different formats. For example, in the below policy, the
Condition's set/bag would ultimately be referencing an external PIP
source of information. There's a gap in the XACML spec between where the
PIP is a source of Attributes and how to reference those Attributes and
how the resulting policy might reflect this.

For example, my policy CAN'T list every set/bag attribute individually.
It would be impractical. So what's the syntax for referencing said
set/bag? I'll keep digging, and it's probably spelled out in the spec,
but for right now it feels like the spec doc is missing this piece.

Thanks!

<Policy PolicyId="urn:oasis:names:tc:policy:WebAccess">
  <Description>This policy is intended to allow access to corporate web
servers, except where threat hosts have been identified.</Description>
  <Target>
   <Subjects>
     <AnySubject/>
   </Subjects>
   <Actions>
    <AnyAction/>
   </Actions>
   <Resources>
    <Resource>
     <ResourceMatch
MatchId="urn:oasis:names:tc:xacml:2.0:function:ipAddress-regexp-match">
      <AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">
        ^(10)\.(10)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9])\:([80|443])$
      </AttributeValue>
      <ResourceAttributeDesignator
        AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
        DataType="urn:oasis:names:tc:xacml:2.0:data-type:ipAddress">
      </ResourceAttributeDesignator>
     </ResourceMatch>
    </Resource>
   </Resources>
  </Target>
  <Rule RuleId="urn:oasis:names:tc:policy:ThreatRule:0" Effect="Deny">
   <Description>Hosts will be conditionally granted access as long as
they are not identified as a threat.</Description>
    <Target>
     <Subjects>
      <AnySubject/>
     </Subjects>
     <Actions>
      <AnyAction/>
     </Actions>
     <Resources>
      <AnyResource/>
     </Resources>
    </Target>

    <Condition
FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-set-equals">
     <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
      <AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">116.14.1.95</AttributeValue>
      <AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">65.4.89.192</AttributeValue>
     </Apply>
     <SubjectAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:conformance-test:test-attr"
      DataType="http://www.w3.org/2001/XMLSchema#string"/>
    </Condition>

  </Rule>
 </Policy>



-----Original Message-----
From: Chris McKenzie 
Sent: Tuesday, May 05, 2009 10:12 AM
To: 'xacml-users@lists.oasis-open.org'
Subject: XACML ipAddress-regexp-match and how to author a policy with
dynamic 

Hi.

The mailing list isn't easy to search, so I thought I would pose my
question while commanding the list to e-mail me the last 150 posts.

I was trying to put together an XACML 2.0 policy set that captured 2
policies, which when combined, allowed for both a sort of global allow
and selective deny. Essentially a Firewall access policy where hosts
which have been identified as a threat would be denied access to the
target resource (say a web server). The PIP information supplying the
list of threat IP Addresses could be stored in a database.

My main query that I can't gather from the literature I've read so far
is how all attributes of a Subject, Action or Resource are identified.
(I'm sure it's an easy answer; I'll be happy with anything really.) For
example, an external system identifies a point of information which the
policy would use to help determine if a deny rule should be applied. In
this case, how is the policy authored to reference attributes of said
piece of information?

For example, a SIM event (we'll just go with this for now) which
contains the threatening host IP and requested resource (say a
protected portion of the corporate web site). How do I identify the PIP
information in a urn? I was assuming that when the PDP gathers
information from the PIP (and from the PEP's access request message?)
that the Subject, Action and Resource will have things like subject-id's
ipAddress attribute already populated, because the Subject in question
has an IP.

Maybe I'm just not there yet. So I'll leave my query here. If anyone has
a bit of practical advice to enlighten me, it would be very beneficial.

Thanks!

Sample policy with a hole (note the ...???) where the external PIP
information on threat host IPs would be referenced:

<Policy PolicyId="urn:oasis:names:tc:policy:AttackerThreat">
  <Description>This policy is intended to deny attacking hosts for
corporate web servers.</Description>
  <Target/>
  <Rule RuleId="urn:oasis:names:tc:policy:ThreatRule:1" Effect="Deny">
   <Description>All identified host threats shall not be permitted
access.</Description>
    <Target>
     <Subjects>
      <Subject>
       <SubjectMatch
MatchId="urn:oasis:names:tc:xacml:2.0:function:ipAddress-regexp-match">
        <AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">
          ...???
        </AttributeValue>
        <SubjectAttributeDesignator
          AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
          DataType="urn:oasis:names:tc:xacml:2.0:data-type:ipAddress">
        </SubjectAttributeDesignator>
       </SubjectMatch>
     </Subjects>
     <Actions>
      <AnyAction/>
     </Actions>
     <Resources>
       <Resource>
         <ResourceMatch
MatchId="urn:oasis:names:tc:xacml:2.0:function:ipAddress-regexp-match">
          <AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">
^(10)\.(10)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9])\:([80|443])$
          </AttributeValue>
          <ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
            DataType="urn:oasis:names:tc:xacml:2.0:data-type:ipAddress">
          </ResourceAttributeDesignator>
         </ResourceMatch>
       </Resource>
     </Resources>
    </Target>
    <Condition>
      <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
          <SubjectAttributeDesignator AttributeId="protocol"
            DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </Apply>
        <AttributeValue
          DataType="http://www.w3.org/2001/XMLSchema#string">tcp
        </AttributeValue>
      </Apply>
    </Condition>
  </Rule>
 </Policy>




Chris McKenzie
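To make the gap in both messages concrete, here is an added example (my own code, not from Chris's messages or the XACML spec) that models how a PDP evaluates the WebAccess and AttackerThreat policies: the threat bag is never listed in the policy; a SubjectAttributeDesignator with its own AttributeId (the assumed id urn:example:threat-hosts) is resolved by the context handler through a PIP, and the condition tests membership with string-is-in. The resource pattern from the message is reused with an assumed fourth octet and a (80|443) port group, and the combining step is a simplified deny-overrides.

```python
import re
# AttributeIds from the message; THREAT_ATTR is a hypothetical id for the PIP-supplied bag.
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
THREAT_ATTR = "urn:example:threat-hosts"
# Resource pattern from the message, with an assumed fourth octet and (80|443) port group.
OCTET = r"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9])"
WEB_RE = rf"^10\.10\.{OCTET}\.{OCTET}:(80|443)$"

def threat_pip(attribute_id):
    """Hypothetical PIP: the threat list lives outside the policy (e.g. in a database)."""
    return ["116.14.1.95", "65.4.89.192"] if attribute_id == THREAT_ATTR else []

def designator(ctx, category, attribute_id, pip=threat_pip):
    """AttributeDesignator semantics: the bag of all values for the id, fetched from
    the PIP when the PEP's request context does not carry the attribute."""
    bag = list(ctx.get(category, {}).get(attribute_id, []))
    return bag if bag else list(pip(attribute_id))

def ip_regexp_match(pattern, ip_value):
    """ipAddress-regexp-match: the address is converted to a string and matched."""
    return re.search(pattern, ip_value) is not None

def web_target(ctx):
    return any(ip_regexp_match(WEB_RE, v) for v in designator(ctx, "resource", RESOURCE_ID))

def web_access_policy(ctx):
    """WebAccess: Permit when the resource is a corporate web server on 80 or 443."""
    return "Permit" if web_target(ctx) else "NotApplicable"

def attacker_threat_policy(ctx):
    """AttackerThreat: Deny when string-one-and-only(subject-id) is in the threat bag."""
    if not web_target(ctx):
        return "NotApplicable"
    subject = designator(ctx, "subject", SUBJECT_ID)
    if len(subject) != 1:
        return "Indeterminate"  # string-one-and-only fails on an empty or multi-valued bag
    threats = designator(ctx, "subject", THREAT_ATTR)  # the bag is never listed in the policy
    return "Deny" if subject[0] in threats else "NotApplicable"  # string-is-in

def deny_overrides(ctx, policies=(web_access_policy, attacker_threat_policy)):
    """Simplified deny-overrides: any Deny or Indeterminate wins (fail closed), then Permit."""
    results = [p(ctx) for p in policies]
    if "Deny" in results or "Indeterminate" in results:
        return "Deny"
    return "Permit" if "Permit" in results else "NotApplicable"

def request(subject_ip, resource):
    """Constructed request context: the PEP supplies only subject-id and resource-id."""
    return {"subject": {SUBJECT_ID: [subject_ip]}, "resource": {RESOURCE_ID: [resource]}}
```

A missing subject-id yields Indeterminate rather than a silent Permit, which is the behaviour to check when the PIP or PEP fails to populate the attribute.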
