
Re: snmpconf pm issue #23 - policy termination

>>>>> On Tue, 05 Jun 2001 11:40:26 -0400, David Harrington <dbh@enterasys.com> said:

David> I am concerned that for policies which may affect the security
David> of the network, it may not be acceptable to wait until the next
David> regularly-scheduled policy evaluation; a more immediate
David> determination of the policy to apply may be necessary to ensure
David> the viability of the security environment.

David, thanks for writing up the exact point that I would have made.
It is a grave flaw to simply "wait" for the next update.

David> OTOH, I also recognize that forcing a complete evaluation cycle
David> to occur every time a policy becomes inactive may be
David> problematic. Is there any way with the existing language and
David> primitives to cause the evaluation to be done immediately when
David> selected policies become inactive?

Really you want to evaluate just the current element, which is what I
think you're applying.  Or, if a policy is deleted/made inactive you
should evaluate any elements that it may have covered.  Unfortunately,
the point that this gets either ugly or expensive is a good point.
However, I think an immediate evaluation must be done regardless of
the costs (to do otherwise would prevent security policies from making
use of this work).

Wes Hardaker
NAI Labs
Network Associates
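An added illustration of the trade-off discussed above; this is not code from the thread or from the snmpconf PM MIB. The policy/element/precedence model, the policy names, the filters and the interface elements are all constructed assumptions. It contrasts re-evaluating only the elements a deactivated policy covered (what Wes suggests) with leaving their bindings stale until the next scheduled cycle (what David objects to), and shows that the immediate path touches only the covered elements rather than the whole table.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set

# Constructed toy model (an assumption, not the snmpconf PM MIB): a policy has a
# filter over an element's attributes, an action, and a precedence; each element
# is bound to the highest-precedence active policy whose filter matches it.
@dataclass
class Policy:
    name: str
    precedence: int
    filter: Callable[[dict], bool]
    action: str
    active: bool = True


class PolicyEngine:
    def __init__(self, policies, elements):
        self.policies: Dict[str, Policy] = {p.name: p for p in policies}
        self.elements: Dict[str, dict] = elements
        self.applied: Dict[str, Optional[str]] = {}   # element -> bound policy name
        self.coverage: Dict[str, Set[str]] = {}       # policy name -> elements it covers
        self.element_evaluations = 0                  # cost counter

    def evaluate_element(self, elem: str) -> Optional[str]:
        """Bind one element to the best matching active policy (or to none)."""
        self.element_evaluations += 1
        attrs = self.elements[elem]
        matches = [p for p in self.policies.values() if p.active and p.filter(attrs)]
        winner = max(matches, key=lambda p: p.precedence, default=None)
        old = self.applied.get(elem)
        if old is not None:
            self.coverage[old].discard(elem)
        self.applied[elem] = winner.name if winner else None
        if winner:
            self.coverage.setdefault(winner.name, set()).add(elem)
        return self.applied[elem]

    def evaluate_all(self) -> Dict[str, Optional[str]]:
        """The regularly scheduled full evaluation cycle over every element."""
        for elem in self.elements:
            self.evaluate_element(elem)
        return dict(self.applied)

    def deactivate(self, name: str, immediate: bool) -> Set[str]:
        """Mark a policy inactive. With immediate=True, re-evaluate only the
        elements it covered; with immediate=False, leave their bindings stale
        until the next evaluate_all()."""
        self.policies[name].active = False
        affected = set(self.coverage.get(name, ()))   # copy: evaluation mutates coverage
        if immediate:
            for elem in affected:
                self.evaluate_element(elem)
        return affected


def make_engine() -> PolicyEngine:
    # Constructed sample: a time-limited permit policy outranks a default deny.
    policies = [
        Policy("business-hours-allow", 20, lambda a: a["role"] == "guest", "permit-guest"),
        Policy("default-deny", 10, lambda a: True, "deny-all"),
    ]
    elements = {
        "eth0": {"role": "guest"},
        "eth1": {"role": "guest"},
        "eth2": {"role": "core"},
    }
    return PolicyEngine(policies, elements)


def run_scenario(immediate: bool) -> dict:
    """Deactivate the permit policy and report each element's binding right
    after deactivation and again after the next scheduled cycle."""
    engine = make_engine()
    engine.evaluate_all()
    before = engine.element_evaluations
    affected = engine.deactivate("business-hours-allow", immediate)
    after_deactivate = dict(engine.applied)
    cost = engine.element_evaluations - before
    after_scheduled = engine.evaluate_all()
    return {
        "affected": affected,
        "after_deactivate": after_deactivate,
        "evaluations_for_deactivate": cost,
        "after_scheduled": after_scheduled,
    }


if __name__ == "__main__":
    for mode in (True, False):
        r = run_scenario(mode)
        print("immediate" if mode else "wait for cycle", r["after_deactivate"],
              "re-evaluated", r["evaluations_for_deactivate"], "element(s)")
```

With `immediate=False` the guest interfaces keep the expired permit binding for the whole window until the scheduled cycle runs, which is exactly the gap David describes for security-relevant policies; with `immediate=True` they fall back to the deny policy at once, and the engine only re-evaluates the elements the deactivated policy covered (two here), not the full table.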