
xacml-users message



Subject: XACML ipAddress-regexp-match and how to author a policy with dynamic


Hi.

The mailing list isn't easy to search, so I thought I would pose my
question while commanding the list to e-mail me the last 150 posts.

I was trying to put together an XACML 2.0 policy set that captured 2
policies, which when combined, allowed for both a sort of global allow
and selective deny. Essentially a firewall access policy where hosts
which have been identified as a threat would be denied access to the
target resource (say a web server). The PIP information supplying the
list of threat IP addresses could be sorted in a database.

My main query that I can't gather from the literature I've read so far
is how all attributes of a Subject, Action or Resource are identified.
(I'm sure it's an easy answer, I'll be happy with anything really) For
example, an external system identifies a point of information which the
policy would use to help determine if a deny rule should be applied. In
this case, how is the policy authored to reference attributes of said
piece of information?

For example, a SIM event (we'll just go with this for now) which
contains the threatening host IP and requested resource (say a
protected portion of the corporate web site). How do I identify the PIP
information in a URN? I was assuming that when the PDP gathers
information from the PIP (and from the PEP's access request message?)
that the Subject, Action and Resource will have things like subject-id's
ipAddress attribute already populated, because the Subject in question
has an IP.

Maybe I'm just not there yet. So I'll leave my query here. If anyone has
a bit of practical advice to enlighten me, it would be very beneficial.

Thanks!

Sample policy with a hole (note the ...???) where the external PIP
information on threat host IPs would be referenced:

<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
        PolicyId="urn:oasis:names:tc:policy:AttackerThreat"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
  <Description>This policy is intended to deny attacking hosts for
corporate web servers.</Description>
  <Target/>
  <Rule RuleId="urn:oasis:names:tc:policy:ThreatRule:1" Effect="Deny">
    <Description>All identified host threats shall not be permitted
access.</Description>
    <Target>
      <Subjects>
        <Subject>
          <SubjectMatch
            MatchId="urn:oasis:names:tc:xacml:2.0:function:ipAddress-regexp-match">
            <!-- hole: regex over the PIP-supplied threat host list goes here -->
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
              ...???
            </AttributeValue>
            <SubjectAttributeDesignator
              AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
              DataType="urn:oasis:names:tc:xacml:2.0:data-type:ipAddress"/>
          </SubjectMatch>
        </Subject>
      </Subjects>
      <Resources>
        <Resource>
          <ResourceMatch
            MatchId="urn:oasis:names:tc:xacml:2.0:function:ipAddress-regexp-match">
            <!-- corporate web servers: 10.10.x.y on port 80 or 443; the ipAddress
                 string form is address[:port], so the value holds no surrounding whitespace -->
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">^10\.10\.(25[0-5]|2[0-4][0-9]|[01]?[0-9]?[0-9])\.(25[0-5]|2[0-4][0-9]|[01]?[0-9]?[0-9]):(80|443)$</AttributeValue>
            <ResourceAttributeDesignator
              AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
              DataType="urn:oasis:names:tc:xacml:2.0:data-type:ipAddress"/>
          </ResourceMatch>
        </Resource>
      </Resources>
      <!-- no <Actions> element: the rule applies to any action -->
    </Target>
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
          <SubjectAttributeDesignator AttributeId="protocol"
            DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </Apply>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">tcp</AttributeValue>
      </Apply>
    </Condition>
  </Rule>
</Policy>




Chris McKenzie
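As an added example (not part of Chris's post, and not XACML spec text): a small Python model of the evaluation path the question describes, where the PDP resolves a subject attribute that the request does not carry by asking the PIP, then combines the deny rule with a global permit under deny-overrides. The AttributeId urn:example:subject:threat-status, the threat list and the request context are assumptions constructed for the example; the subject-id and resource-id identifiers and the resource regex come from the policy above.

```python
import re

# XACML 2.0 identifiers taken from the policy in the post.
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
# Assumed (hypothetical) AttributeId under which the PIP exposes the threat
# list as a per-subject attribute; the XACML spec does not define it.
THREAT_STATUS = "urn:example:subject:threat-status"

# Constructed sample PIP data: host IPs a SIM has flagged as threats.
THREAT_DB = {"192.0.2.44", "198.51.100.9"}

# Constructed sample request context from the PEP; ipAddress values use the
# XACML string form "address[:port]".
REQUEST = {
    "subject": {SUBJECT_ID: "192.0.2.44"},
    "resource": {RESOURCE_ID: "10.10.3.7:443"},
}

# Corporate web servers: 10.10.x.y on port 80 or 443 (regex from the policy).
WEB_SERVERS = (r"^10\.10\.(25[0-5]|2[0-4][0-9]|[01]?[0-9]?[0-9])"
               r"\.(25[0-5]|2[0-4][0-9]|[01]?[0-9]?[0-9]):(80|443)$")

def pip_lookup(category, attribute_id, request):
    """Context handler asking the PIP for an attribute the request lacks."""
    if category == "subject" and attribute_id == THREAT_STATUS:
        host = request["subject"][SUBJECT_ID].split(":")[0]
        return "threat" if host in THREAT_DB else "clean"
    return None

def designator(category, attribute_id, request):
    """AttributeDesignator semantics: request context first, then the PIP."""
    value = request.get(category, {}).get(attribute_id)
    return value if value is not None else pip_lookup(category, attribute_id, request)

def ip_regexp_match(regex, ip_value):
    """ipAddress-regexp-match: regex applied to the address's string form."""
    return ip_value is not None and re.search(regex, ip_value) is not None

def threat_rule(request):
    """Deny rule: a threat-listed subject reaching a corporate web server."""
    applies = (designator("subject", THREAT_STATUS, request) == "threat"
               and ip_regexp_match(WEB_SERVERS, designator("resource", RESOURCE_ID, request)))
    return "Deny" if applies else "NotApplicable"

def deny_overrides(request, rules=(threat_rule, lambda r: "Permit")):
    """deny-overrides over the deny rule and a global permit-all rule."""
    results = [rule(request) for rule in rules]
    return "Deny" if "Deny" in results else "Permit" if "Permit" in results else "NotApplicable"
```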
