I am not clear about why not to use SNMP to configure filters. It
seems much more intuitive than a whole separate language.
I don't quite know what you mean by ``use SNMP''; SNMP is simply a
protocol for setting and retrieving tree-structured variables. The
real issue is the design of the desired tree.
That said, anything remotely like SNMP or its MIBs is a Bad Idea.
Security policies tend to be complex; for a system to be secure,
the filters have to be readable enough that the administrator
can feel confident that they're correct. I'll give a real-life
example... Someone I know set up a firewall, using a well-known
brand of router. He asked me to test it. Prior to dusting off my
collection of breaking and entering tools, I tried a simple telnet
to his machine. Poof -- in a cloud of orange smoke, a login prompt
appeared.
My standard advice to people setting up a firewall is to go through
three steps. First, decide in English (or the natural language of
your choice...) what your security policy is. That is, write down
which machines should offer which services, and to whom. Next,
translate that into formal expressions involving port numbers, addresses,
masks, etc. Finally, figure out how to implement those expressions
in terms of the primitives available on your particular gateway machine.
Don't be surprised if you can't do it; not all policies are implementable
on all platforms, as per Brent's paper.
The purpose of this effort would be to eliminate step 3 entirely, and
to move step 2 as close to step 1 as possible. This is nothing new;
compiler writers have been doing it for decades, and for much the same
reasons.
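As an added illustration of the three steps (this is not code from the original message; the host names, addresses, zone names and the generic "permit proto src -> dst port" rule syntax are all made up for the example), the script below writes step 1 as (host, service, client zone) triples, compiles them into address/mask/port rules for step 2 with a default deny, and then audits a "deployed" rule set against the compiled policy. The deployed set carries a stray vendor-style "permit telnet from anywhere" rule ahead of the policy rules, which is exactly the kind of gap the simple telnet test above turned up.

```python
"""Toy policy-to-filter compiler and audit (added example, not from the original post).

Step 1: the plain-language policy, as (host, service, client zone) triples.
Step 2: compiled into explicit address/mask/port rules, default deny last.
Step 3: the gateway's own language; a generic text rendering stands in for it here.
All hosts, addresses and zones are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")

# Services the policy may name, mapped to protocol and destination port.
SERVICES = {"smtp": ("tcp", 25), "http": ("tcp", 80), "dns": ("udp", 53), "telnet": ("tcp", 23)}


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: int                   # 0 means any destination port

    def matches(self, proto, src, dst, dport):
        return (self.proto in ("any", proto)
                and src in self.src and dst in self.dst
                and self.dport in (0, dport))

    def render(self):
        # Generic rendering; real gateways each have their own syntax (step 3).
        port = "any" if self.dport == 0 else str(self.dport)
        return f"{self.action} {self.proto} {self.src} -> {self.dst} port {port}"


def compile_policy(policy, hosts, zones):
    """Step 2: (host, service, client zone) triples -> explicit permit rules, then deny all."""
    rules = []
    for host, service, zone in policy:
        proto, port = SERVICES[service]
        dst = ipaddress.ip_network(hosts[host] + "/32")
        rules.append(Rule("permit", proto, zones[zone], dst, port))
    rules.append(Rule("deny", "any", ANY, ANY, 0))
    return rules


def evaluate(rules, proto, src, dst, dport):
    """First matching rule wins, as on most packet-filtering gateways."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(proto, s, d, dport):
            return rule.action
    return "deny"


def audit(reference, deployed, hosts, samples):
    """Probe every zone sample x host x service and report where the deployed
    filter disagrees with the compiled policy."""
    findings = []
    for zone, src in samples.items():
        for host, dst in hosts.items():
            for service, (proto, port) in SERVICES.items():
                want = evaluate(reference, proto, src, dst, port)
                got = evaluate(deployed, proto, src, dst, port)
                if want != got:
                    findings.append((zone, host, service, want, got))
    return findings


# Constructed sample data (documentation-range addresses, invented host names).
HOSTS = {"gateway": "192.0.2.1", "mailhost": "192.0.2.10", "www": "192.0.2.20"}
ZONES = {"internet": ANY, "inside": ipaddress.ip_network("192.0.2.0/24")}
SAMPLES = {"internet": "203.0.113.5", "inside": "192.0.2.50"}  # one probe address per zone
POLICY = [("mailhost", "smtp", "internet"),
          ("www", "http", "internet"),
          ("mailhost", "telnet", "inside")]


def demo():
    """Audit a deployed rule set that has an unrequested 'telnet from anywhere' rule in front."""
    reference = compile_policy(POLICY, HOSTS, ZONES)
    deployed = [Rule("permit", "tcp", ANY, ANY, 23)] + reference
    return audit(reference, deployed, HOSTS, SAMPLES)


if __name__ == "__main__":
    for rule in compile_policy(POLICY, HOSTS, ZONES):
        print(rule.render())
    for finding in demo():
        print("policy/filter mismatch:", finding)
```

The audit is deliberately dumb: it does not reason about the rule language at all, it just asks both rule sets the same questions and reports disagreements, which is what the telnet test did by hand. Running it on the constructed data flags telnet to the gateway, mailhost and www from the outside probe, and telnet to the gateway and www from the inside probe, while leaving the one telnet the policy does allow (inside to mailhost) alone.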