A detailed analysis of an ACL policy for an external firewall, highlighting rules for denying or accepting connections based on source, destination, and protocol, addressing connectivity issues for specific users like managers. The analysis covers design principles, property-free examination, change impact, and scenario-based output.
Policy Analysis Using Margrave
Shriram Krishnamurthi, Brown University
ACL for External firewall:
1: DENY if: ifc=fw1_dmz, ipdest in blacklist
2: DENY if: ifc=fw1_ext, ipsrc in blacklist
3: DENY if: ifc=fw1_dmz, portdest=telnet
4: ACCEPT if: ifc=fw1_ext, ipdest=mailserver, portdest=smtp, proto=tcp
5: ACCEPT if: ifc=fw1_ext, ipdest=webserver, portdest=http, proto=tcp
6: ACCEPT if: ifc=fw1_dmz, ipdest=any outside, portdest=http, proto=tcp, ipsrc=manager
7: DROP otherwise
[Network diagram: employees, contractors and the manager sit behind the internal firewall (interfaces int, dmz); the DMZ sits between it and the external firewall (interfaces dmz, ext). Edge labels: tcp www, tcp smtp, telnet, blacklist, ipsrc fw2_static.]
Problem: The manager can’t connect to the Web.
When can a connection from the manager’s PC be denied if it’s
• to port 80 (www)
• over TCP
• to any machine?
∃p . p.dstprt = www ∧ p.proto = TCP ∧ p.ipdest ∈ outIPs ∧ p.ipsrc = manager ∧
  ( Int.ACL denies p
    ∨ ∃p’ . Int.NAT translates p to p’ ∧ p’.dstprt = p.dstprt ∧ p’.proto = p.proto ∧ p’.ipdest = p.ipdest ∧ Ext.ACL denies p’ )
When can a connection from the manager’s PC be denied if it’s
• to port 80 (www)
• over TCP
• to any machine?
Always:
• Int’s ACL accepts the packet via rule 4.
• Int’s NAT applies to the packet.
• Ext’s ACL denies the post-NAT packet via rule 7.
Does the policy satisfy its property? (policy ⊦ P)
⊦ P: Can people state them? Are they good enough?
ACL for External firewall (revised; rule 6 now matches the post-NAT source):
1: DENY if: ifc=fw1_dmz, ipdest in blacklist
2: DENY if: ifc=fw1_ext, ipsrc in blacklist
3: DENY if: ifc=fw1_dmz, portdest=telnet
4: ACCEPT if: ifc=fw1_ext, ipdest=mailserver, portdest=smtp, proto=tcp
5: ACCEPT if: ifc=fw1_ext, ipdest=webserver, portdest=http, proto=tcp
6: ACCEPT if: ifc=fw1_dmz, ipdest=any outside, portdest=http, proto=tcp, ipsrc=fw2_static (was: manager)
7: DROP otherwise
∃p . Int.ACL accepts p ∧
  ∃p’ . Int.NAT translates p to p’ ∧ p’.dstprt = p.dstprt ∧ p’.proto = p.proto ∧ p’.ipdest = p.ipdest ∧
    ( (Ext.ACL denies p’ ∧ Ext.ACLNew accepts p’) ∨ (Ext.ACL accepts p’ ∧ Ext.ACLNew denies p’) )
Scenarios returned:
• p.entry-interface = fw2_int, p.ipsrc = manager, p.ipdest in outIPs, p.srcprt = any, p.dstprt = www, p.protocol = tcp
• p.entry-interface = fw2_int, p.ipsrc = contractor, p.ipdest in outIPs, p.srcprt = any, p.dstprt = www, p.protocol = tcp
• p.entry-interface = fw2_int, p.ipsrc = employee, p.ipdest in outIPs, p.srcprt = any, p.dstprt = www, p.protocol = tcp
Defining Difference: a function mapping requests to changes in outcome (Deny to Permit, Permit to Deny) over packets.
Change as a First-Class Entity
• Restrict changes to External Firewall (View)
• Which machines lost privileges? (Query)
• Confirm no machines gained privileges (Verification)
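The following is an added example, not Margrave and not code from the talk: a small Python model of the two-firewall path on the slides, used to reproduce both the "why is the manager dropped?" query and the change-impact query between the original and revised external ACL. Everything concrete is assumed: the addresses are constructed, the internal firewall's ACL (not shown on the page) is modelled as accepting outbound traffic, its NAT is modelled as a static rewrite of the source to fw2_static with the packet then entering the external firewall on fw1_dmz, and the slides' "www" is written as "http".

```python
from dataclasses import dataclass, replace

# Constructed sample addresses; the slides name roles, not addresses.
BLACKLIST = {"10.66.66.66"}
OUT_IPS = {"203.0.113.10", "10.66.66.66"}   # "any outside" includes the blacklisted host
MAILSERVER, WEBSERVER = "192.0.2.25", "192.0.2.80"
MANAGER, EMPLOYEE, CONTRACTOR = "10.1.1.10", "10.1.1.20", "10.1.1.30"
FW2_STATIC = "192.0.2.1"                    # assumed NAT address used by the internal firewall
INTERNAL_HOSTS = {"manager": MANAGER, "employee": EMPLOYEE, "contractor": CONTRACTOR}


@dataclass(frozen=True)
class Packet:
    ifc: str        # interface the packet enters on
    ipsrc: str
    ipdest: str
    portdest: str   # "http", "smtp", "telnet", ...
    proto: str      # "tcp" or "udp"


def ext_acl(rule6_src):
    """The external firewall ACL from the slides; rule6_src is 'manager' (old) or fw2_static (new)."""
    return [
        ("DENY",   lambda p: p.ifc == "fw1_dmz" and p.ipdest in BLACKLIST),                  # rule 1
        ("DENY",   lambda p: p.ifc == "fw1_ext" and p.ipsrc in BLACKLIST),                   # rule 2
        ("DENY",   lambda p: p.ifc == "fw1_dmz" and p.portdest == "telnet"),                  # rule 3
        ("ACCEPT", lambda p: p.ifc == "fw1_ext" and p.ipdest == MAILSERVER                    # rule 4
                             and p.portdest == "smtp" and p.proto == "tcp"),
        ("ACCEPT", lambda p: p.ifc == "fw1_ext" and p.ipdest == WEBSERVER                     # rule 5
                             and p.portdest == "http" and p.proto == "tcp"),
        ("ACCEPT", lambda p: p.ifc == "fw1_dmz" and p.ipdest in OUT_IPS                       # rule 6
                             and p.portdest == "http" and p.proto == "tcp" and p.ipsrc == rule6_src),
    ]


EXT_ACL_OLD = ext_acl(MANAGER)      # original rule 6: ipsrc=manager
EXT_ACL_NEW = ext_acl(FW2_STATIC)   # revised rule 6: ipsrc=fw2_static


def evaluate(acl, p):
    """First-match semantics; rule 7 is the implicit 'DROP otherwise'. Returns (decision, rule number)."""
    for n, (decision, pred) in enumerate(acl, start=1):
        if pred(p):
            return decision, n
    return "DROP", 7


def int_nat(p):
    """Assumed static NAT on the internal firewall: source becomes fw2_static, packet arrives at fw1_dmz."""
    return replace(p, ipsrc=FW2_STATIC, ifc="fw1_dmz")


def outbound_decision(acl, p):
    """A request entering fw2_int: Int's ACL is assumed to accept it, NAT applies, then Ext's ACL decides."""
    return evaluate(acl, int_nat(p))


def outbound_space():
    """Constructed request space: every internal host to every outside address, http/telnet, tcp/udp."""
    return [Packet("fw2_int", src, dst, port, proto)
            for src in INTERNAL_HOSTS.values()
            for dst in sorted(OUT_IPS)
            for port in ("http", "telnet")
            for proto in ("tcp", "udp")]


def change_impact(old, new, packets):
    """Change as a function from requests to outcome changes: (deny->permit list, permit->deny list)."""
    deny_to_permit, permit_to_deny = [], []
    for p in packets:
        before = outbound_decision(old, p)[0] == "ACCEPT"
        after = outbound_decision(new, p)[0] == "ACCEPT"
        if after and not before:
            deny_to_permit.append(p)
        elif before and not after:
            permit_to_deny.append(p)
    return deny_to_permit, permit_to_deny


def hosts_gaining_web_access():
    """Names of internal hosts that can now reach the Web but could not before the change."""
    gained, _ = change_impact(EXT_ACL_OLD, EXT_ACL_NEW, outbound_space())
    return sorted(name for name, ip in INTERNAL_HOSTS.items() if any(p.ipsrc == ip for p in gained))


if __name__ == "__main__":
    req = Packet("fw2_int", MANAGER, "203.0.113.10", "http", "tcp")
    print("old ACL, manager -> web:", outbound_decision(EXT_ACL_OLD, req))   # ('DROP', 7)
    print("new ACL, manager -> web:", outbound_decision(EXT_ACL_NEW, req))   # ('ACCEPT', 6)
    print("hosts that gained Web access:", hosts_gaining_web_access())
```

Running it reproduces the slide's answer (the post-NAT packet no longer carries the manager's source, so rule 6 never fires and rule 7 drops it) and then the change-impact finding: because every internal host is NATed to the same fw2_static address, the revised rule 6 opens the Web to contractors and employees as well, which is exactly what the "no machines gained privileges" verification is meant to catch.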
Uses of change-impact analysis: configuration checking, refactoring testing, “what if” questions, upgrade checking, finding hotspots, mutation testing.
Scenario-Based Output
• p.entry-interface = fw2_int, p.ipsrc = contractor, p.ipdest in outIPs, p.srcprt = any, p.dstprt = www, p.protocol = tcp
• p.entry-interface = fw2_int, p.ipsrc = employee, p.ipdest in outIPs, p.srcprt = any, p.dstprt = www, p.protocol = tcp
Exhaustive Answers (in Some (Useful) Cases): Bernays-Schönfinkel-Ramsey + overloading (subtyping) and empty sorts
Multi-Lingual Support: Datalog-based intermediate language
Margrave Supports…
• Most of XACML 1.0 and 2.0
• Cisco IOS:
  • ACL: standard and extended
  • NAT: static; dynamic: ACL-based, map-based
  • routing: static and policy-based
  • limited: BGP announcements and VPN endpoints
• Amazon Access Policy Language (in SQS)
• Hypervisor, based on sHype (IBM)
How SDNs Change Things: a global view of configuration and state. Current networks: hard. SDNs: easy. (But you already know all that.)
Principles Recap
• Property-free analysis
• Change-impact w/ first-class changes
• Scenario-based output
• Exhaustive answers (where possible)
• Minimality
• Multi-lingual support
• Dan Dougherty [WPI]
• Kathi Fisler [WPI]
• Tim Nelson [WPI]
• Alums:
  • Chris Barratt [Brown ScM → BEA]
  • Leo Meyerovich [Brown u.g. → Berkeley]
  • Michael Tschantz [Brown u.g. → CMU]
http://www.margrave-tool.org/