Skip to content
LinkState
Go back

Translating access requests into canonical policy specs

Introduction to Access Request Normalization

Access request normalization is a critical process in network security that involves translating human-readable access requests into standardized, machine-readable formats. This process is essential for ensuring that access control policies are enforced correctly and consistently across an organization’s network.

Challenges of Access Request Normalization

The challenges of access request normalization include:

Importance of Normalization in Access Control

Normalization is crucial in access control because it enables the creation of standardized access control policies that can be enforced consistently across an organization’s network. Normalization helps to:

Senior-Operator CLI Drafting

Senior-operator CLI drafting involves manually configuring access control policies using command-line interfaces (CLIs). This approach requires senior operators to have in-depth knowledge of the network architecture, access control policies, and CLI syntax.

Advantages and Disadvantages of Manual Configuration

The advantages of manual CLI configuration include:

Example CLI Configurations for Access Control

# Define a new access control policy
access-control-policy my-policy {
  # Define the source IP address
  source-ip 10.0.0.0/24
  # Define the destination IP address
  destination-ip 10.0.1.0/24
  # Define the protocol and port
  protocol tcp
  port 80
  # Define the action (allow or deny)
  action allow
}

Policy Compiler Workflows

A policy compiler workflow involves using a policy compiler to translate human-readable access requests into standardized, machine-readable formats. The policy compiler architecture typically consists of:

Workflow Overview and Configuration

The policy compiler workflow typically involves the following steps:

  1. Define the access request in a human-readable format
  2. Translate the access request into a standardized format using the policy compiler engine
  3. Store the compiled access control policy in the policy repository
  4. Deploy the compiled access control policy to the network devices

Policy Compiler Example Use Cases

# Define the access request in a human-readable format
access-request:
  source-ip: 10.0.0.0/24
  destination-ip: 10.0.1.0/24
  protocol: tcp
  port: 80
  action: allow
# Translate the access request into a standardized format using the policy compiler engine
policy-compiler:
  input: access-request
  output: compiled-policy
# Store the compiled access control policy in the policy repository
policy-repository:
  compiled-policy: compiled-policy
# Deploy the compiled access control policy to the network devices
workflow-engine:
  policy-repository: policy-repository
  network-devices: network-devices

LLM-Assisted Request Translation

Large language models (LLMs) are a type of artificial intelligence (AI) that can be used to translate human-readable access requests into standardized, machine-readable formats. LLMs are trained on large datasets of text and can learn to recognize patterns and relationships in language.

LLM-Assisted Request Translation Workflow

The LLM-assisted request translation workflow typically involves the following steps:

  1. Define the access request in a human-readable format
  2. Use the LLM to translate the access request into a standardized format
  3. Store the translated access control policy in a policy repository
  4. Deploy the translated access control policy to the network devices

Example LLM-Assisted Request Translation Configurations

# Import the LLM library
import llm
# Define the access request in a human-readable format
access_request = "allow traffic from 10.0.0.0/24 to 10.0.1.0/24 over tcp port 80"
# Use the LLM to translate the access request into a standardized format
translated_policy = llm.translate(access_request)
# Store the translated access control policy in a policy repository
policy_repository = llm.store(translated_policy)
# Deploy the translated access control policy to the network devices
llm.deploy(policy_repository)

Comparison of Normalization Techniques

Senior-operator CLI drafting, policy compiler workflows, and LLM-assisted request translation are all used to normalize access requests, but they have different advantages and disadvantages.

Comparison of Techniques

TechniqueAdvantagesDisadvantages
Senior-Operator CLI DraftingFine-grained control, ability to handle complex requestsTime-consuming, error-prone, requires specialized knowledge
Policy Compiler WorkflowsAutomated, efficient, standardizedRequires specialized knowledge, complex to troubleshoot
LLM-Assisted Request TranslationAutomated, efficient, flexibleRequires large amounts of training data, prone to errors

Troubleshooting Access Request Normalization Issues

Common issues in access request normalization include:

Troubleshooting Techniques

Troubleshooting techniques for access request normalization include:

Code and CLI Examples

Senior-Operator CLI Drafting Code Examples

# Define a new access control policy
access-control-policy my-policy {
  # Define the source IP address
  source-ip 10.0.0.0/24
  # Define the destination IP address
  destination-ip 10.0.1.0/24
  # Define the protocol and port
  protocol tcp
  port 80
  # Define the action (allow or deny)
  action allow
}

Policy Compiler Workflow Code Examples

# Define the access request in a human-readable format
access-request:
  source-ip: 10.0.0.0/24
  destination-ip: 10.0.1.0/24
  protocol: tcp
  port: 80
  action: allow
# Translate the access request into a standardized format using the policy compiler engine
policy-compiler:
  input: access-request
  output: compiled-policy
# Store the compiled access control policy in the policy repository
policy-repository:
  compiled-policy: compiled-policy
# Deploy the compiled access control policy to the network devices
workflow-engine:
  policy-repository: policy-repository
  network-devices: network-devices

LLM-Assisted Request Translation Code Examples

# Import the LLM library
import llm
# Define the access request in a human-readable format
access_request = "allow traffic from 10.0.0.0/24 to 10.0.1.0/24 over tcp port 80"
# Use the LLM to translate the access request into a standardized format
translated_policy = llm.translate(access_request)
# Store the translated access control policy in a policy repository
policy_repository = llm.store(translated_policy)
# Deploy the translated access control policy to the network devices
llm.deploy(policy_repository)

Scaling Limitations and Considerations

Each technique has scaling limitations and considerations, including:

Best Practices for Access Request Normalization

Best practices for access request normalization include:

Emerging trends in access request normalization include:

Future directions for senior-operator CLI drafting, policy compiler workflows, and LLM-assisted request translation include:


Share this post on:

Previous Post
AI workbench for ECMP drift proof
Next Post
Safe delete workflows for config that cannot be undeleted