Chapter 8. Policy


It was mentioned in previous chapters that policy determines the security services afforded to a packet and the treatment of a packet in the network. However, the issue of policy representation and management of IPSec connections were not discussed. We will address some of these issues in this chapter.

Policy is difficult to describe and define. It is the fuzzy middle between a human desire ("I want to encrypt and authenticate all access that my subcontractors have to my network") and a machine's definition ("encrypt tcp packets from 10.3.86.5 to 10.4/16 with CAST and authenticate them with HMAC-SHA"). Because it is the security interface between human and computer, it is extremely important. The transition from human to computer involves policy definition, policy representation, policy management, and finally, the interactions between the policy and the various components of an IPSec system: IKE, the IPSec process itself, the SADB, and the SPD.

Policy is not a standard. IPSec protocol standards define various capabilities of policy. However, the IETF does not mandate any particular representation of policy, nor does it enforce any particular implementation. Policy issues such as definition and representation are left to implementations. Standards bodies typically refrain from dictating how policy is implemented. For instance, the IPSec working group of the IETF discusses policy issues mostly from an IPSec implementation perspective. However, the main challenge with policy is its definition and representation at a higher level, and then mapping it so that IKE and IPSec protocols can access it efficiently and unambiguously.

Another issue associated with policy is its deployment and management. This involves how policy is defined and communicated among the various nodes in a network and how the policy is synchronized among those nodes. Network security is complex, and the larger the network being secured, the more complex the policy that dictates how that security is achieved. There is, therefore, an obvious scaling problem with policy definition and deployment. If a network manager must visit each and every network entity and manually configure it in compliance with his or her system security policy, it will take an excessive amount of time. It also opens up the network to subtle errors that can manifest themselves as massive holes in the overall security of the network. Obviously, as networks grow, their policy will have to be centrally managed.
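The human-to-machine mapping described above ends in the SPD, and the "subtle errors" of manual configuration are easiest to see there. The following is an added example, not code from the book: a minimal ordered SPD in Python, with the book's sample rule as its first entry, and a check for entries that an earlier, broader entry shadows so they can never match. The selector fields, action names and the shadow check are this example's own assumptions, not a representation the book prescribes.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

@dataclass(frozen=True)
class SPDEntry:
    """One SPD entry: traffic selectors plus the treatment for matching packets."""
    src: str                      # source selector as a CIDR prefix (assumed field)
    dst: str                      # destination selector as a CIDR prefix
    proto: Optional[str]          # "tcp", "udp", ... or None for any protocol
    action: str                   # "PROTECT", "BYPASS" or "DISCARD"
    transforms: Tuple[str, ...] = ()  # e.g. ("ESP", "CAST", "HMAC-SHA") for PROTECT

    def matches(self, src: str, dst: str, proto: str) -> bool:
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.proto in (None, proto))

# Constructed sample SPD. Entries are ordered and the first match wins, so the
# book's rule ("encrypt tcp from 10.3.86.5 to 10.4/16 with CAST, authenticate
# with HMAC-SHA") must precede the broader rules that would otherwise cover it.
SPD = [
    SPDEntry("10.3.86.5/32", "10.4.0.0/16", "tcp", "PROTECT", ("ESP", "CAST", "HMAC-SHA")),
    SPDEntry("0.0.0.0/0", "10.4.0.0/16", None, "DISCARD"),   # nothing else reaches 10.4/16
    SPDEntry("0.0.0.0/0", "0.0.0.0/0", None, "BYPASS"),      # everything else in the clear
]

def lookup(spd, src: str, dst: str, proto: str):
    """Return (action, transforms) for a packet; a packet matching no entry is discarded."""
    for entry in spd:
        if entry.matches(src, dst, proto):
            return entry.action, entry.transforms
    return "DISCARD", ()

def shadowed(spd):
    """Indices of entries that can never match because an earlier, broader entry
    covers every packet they would select: the kind of subtle configuration
    error that silently changes what the policy actually enforces."""
    hidden = []
    for i, entry in enumerate(spd):
        for earlier in spd[:i]:
            if (ip_network(entry.src).subnet_of(ip_network(earlier.src))
                    and ip_network(entry.dst).subnet_of(ip_network(earlier.dst))
                    and earlier.proto in (None, entry.proto)):
                hidden.append(i)
                break
    return hidden
```

Reversing the three entries puts the any/any BYPASS rule first, and `shadowed` then reports the two rules behind it as unreachable, which is exactly the error a central policy manager should catch before distribution.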

Policy is not solely the domain of security. Any network service that wants to identify certain classes of traffic (or "flows" of traffic) and apply different services to them requires a policy. Network services such as traffic engineering, where certain flows are identified and given a higher quality of service or allocated a specified bandwidth, are a prime example of this. In this chapter, we will discuss the capabilities of an IPSec policy system, its representation and distribution, and the support the policy system has to provide for the kernel and IKE. The implementation issues are discussed in the next chapter.

IPSec(c) The New Security Standard for the Internet, Intranets, and Virtual Private Networks
IPSec (2nd Edition)
ISBN: 013046189X
Year: 2004
Pages: 76