Firewalls and other software products that enforce security policies on traffic in computer systems typically provide policy models based on rules. A firewall inspects the traffic passing through it and applies the policy to the traffic. Current rule based systems typically include a fixed set of criteria from which rules can be built that is used to evaluate an access policy. Use of a fixed set of criteria prohibits implementation of new types of criteria. Current rule based systems also restrict rules' criteria to items that can be evaluated only when the policy is evaluated.