Subject: Negative Policies
At the F2F I raised the issue of negative policies. Although I still believe they are dangerous and should be avoided, the group has largely convinced me we will have to provide for them. I would, however, like to address one specific point.

I asserted that one of the reasons that negative policies are bad is that sooner or later, the universe that negative is defined in will be changed, thus changing the semantics of the policy even though the policy itself has not been modified. Carlisle pointed out quite correctly that the same thing happens for positive policies and asked why the situation is not symmetrical.

Later I realized the answer. Positive policies fail closed, negative policies fail open. Failing closed (default deny) is preferable for two related reasons.

First is the general security practitioner paranoid view that good security means that things should only be allowed if explicitly specified. (Cheswick and Bellovin refer to the choice between this and its opposite as the security "stance".)

The second is purely practical. If new resources are added (for example) and users cannot get to them, the users will complain and the admin will fix the policy. This is a nuisance, but no big deal. If, on the other hand, new resources are added and anybody can get at them, no one will notice, except possibly the bad guys, who are unlikely to complain.

Hal
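
The asymmetry described in the message above, as an added example that is not part of the original post: a small audit that diffs what an unchanged rule permits before and after the universe grows. The `Rule` model, the function names, and the subjects and resources are all constructed for illustration.

```python
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class Rule:
    """Hypothetical rule model (an assumption, not from the original post)."""
    name: str
    negative: bool        # False: permit only listed pairs; True: permit all except listed
    subjects: frozenset
    resources: frozenset

def grants(rule, subjects, resources):
    """(subject, resource) pairs the rule permits inside the given universe."""
    universe = set(product(subjects, resources))
    listed = set(product(rule.subjects, rule.resources))
    return universe - listed if rule.negative else universe & listed

def silent_grants(rule, old, new):
    """Pairs that became permitted although the rule text did not change."""
    return grants(rule, *new) - grants(rule, *old)

def audit(rules, old, new):
    """Map each rule name to the access it silently gained, sorted for review."""
    return {r.name: sorted(silent_grants(r, old, new)) for r in rules}

# Constructed sample universes: (subjects, resources) before and after a change.
SUBJECTS = {"alice", "bob"}
OLD = (SUBJECTS, {"wiki", "payroll"})
NEW_RESOURCE = (SUBJECTS, {"wiki", "payroll", "hr-db"})
NEW_SUBJECT = (SUBJECTS | {"carol"}, {"wiki", "payroll"})

RULES = [
    Rule("permit-wiki", False, frozenset(SUBJECTS), frozenset({"wiki"})),
    Rule("deny-bob-payroll", True, frozenset({"bob"}), frozenset({"payroll"})),
]

if __name__ == "__main__":
    for label, new in (("resource added", NEW_RESOURCE), ("subject added", NEW_SUBJECT)):
        for name, pairs in audit(RULES, OLD, new).items():
            print(f"{label}: {name}: {pairs or 'nothing gained (fails closed)'}")
```

Run against each proposed change to the set of subjects or resources, a non-empty result for a rule is the fail-open case: access that nobody granted and nobody will complain about.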