15th Annual Computer Security Applications Conference
December 6-10, 1999
Phoenix, Arizona

Policy-Based Management: Bridging the Gap

Susan Hinrichs, shinrich@cisco.com
Cisco Systems

In a policy-based system, policy goals are described with respect to network entities (e.g., networks and users) instead of enforcement points (e.g., firewalls and routers). This global view has several advantages: usability, global rules are closer to the goals of the human administrator; scalability, the policy system ensures that the enforcement points are configured appropriately, whether there are 1 or 100 enforcement points; and security, the policy system ensures that the policy is enforced consistently. This paper describes techniques for accurately translating from global policy rules to actual per-device configurations, and it describes how these techniques were used in the implementation of Cisco Secure Policy Manager.