1 / 29

Policy Analysis Using Margrave

This document discusses the application of Margrave for analyzing firewall rules at Brown University. It covers the implementation of Access Control Lists (ACLs) for external firewall configurations, including rules for denying and accepting traffic based on source and destination IPs, ports, and protocols. It examines scenarios in which a manager's PC may be denied connections, considering internal NAT translations and external denials. The analysis highlights principles of property-free analysis, verification, and multi-lingual support of policies.

lee-lewis
Télécharger la présentation

Policy Analysis Using Margrave

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Policy AnalysisUsing Margrave Shriram KrishnamurthiBrown University 1

  2. 2

  3. ACL for External firewall: 1: DENY if: ifc=fw1_dmz, ipdest in blacklist 2: DENY if: ifc=fw1_ext, ipsrc in blacklist 3: DENY if: ifc=fw1_dmz, portdest=telnet 4: ACCEPT if: ifc=fw1_ext, ipdest=mailserver, portdest=smtp, proto=tcp 5: ACCEPT if: ifc=fw1_ext, ipdest=webserver, portdest=http, proto=tcp 6: ACCEPT if: ifc=fw1_dmz, ipdest=any outside, portdest=http, proto=tcp, ipsrc=manager 7: DROP otherwise

  4. employees contractors manager DMZ int dmz dmz ext

  5. tcp www blacklist blacklist telnet tcp smtp tcp www

  6. tcp www tcp  smtp tcp smtp ipsrc fw2_static

  7. Problem The manager can’t connect to the Web.

  8. When can a connection from the manager’s PC be denied if it’s • to port 80 (www) • over TCP • to any machine?

  9.  p . p.dstprt = www  p.proto = TCP  p.ipdest  outIPs  p.ipsrc = manager  Int.ACL denies p   p’ . Int.NAT translates p to p’  p’.dstprt = p.dstprt  p’.proto = p.proto  p’.ipdest = p.ipdest  Ext.ACL denies p’

  10. When can a connection from the manager’s PC be denied if it’s • to port 80 (www) • over TCP • to any machine? • Always: • Int’s ACL accepts the packet via rule 4. • Int’s NAT applies to the packet. • Ext’s ACL denies the post-NAT packet via rule 7.

  11. Margrave Design Principles

  12. Property-Free Analysis(e.g., Change Impact)

  13. thepolicy  ⊦ P • Does • its property? • satisfy

  14. ⊦ P Can people state them? Are they good enough? 14

  15. ACL for External firewall: 1: DENY if: ifc=fw1_dmz, ipdest in blacklist 2: DENY if: ifc=fw1_ext, ipsrc in blacklist 3: DENY if: ifc=fw1_dmz, portdest=telnet 4: ACCEPT if: ifc=fw1_ext, ipdest=mailserver, portdest=smtp, proto=tcp 5: ACCEPT if: ifc=fw1_ext, ipdest=webserver, portdest=http, proto=tcp 6: ACCEPT if: ifc=fw1_dmz, ipdest=any outside, portdest=http, proto=tcp, ipsrc=managerfw2_static 7: DROP otherwise

  16.  p . Int.ACL accepts p   p’ . Int.NAT translates p to p’  p’.dstprt = p.dstprt  p’.proto = p.proto  p’.ipdest = p.ipdest  ((Ext.ACL denies p’  Ext.ACLNew accepts p’)  (Ext.ACL accepts p’  Ext.ACLNew denies p’))

  17. p.entry-interface = fw2_int p.ipsrc = manager p.ipdest in outIPs p.srcprt = any p.dstprt = www p.protocol = tcp p.entry-interface = fw2_int p.ipsrc = contractor p.ipdest in outIPs p.srcprt = any p.dstprt = www p.protocol = tcp p.entry-interface = fw2_int p.ipsrc = employee p.ipdest in outIPs p.srcprt = any p.dstprt = www p.protocol = tcp

  18. p.entry-interface = fw2_int p.ipsrc = contractor p.ipdest in outIPs p.srcprt = any p.dstprt = www p.protocol = tcp p.entry-interface = fw2_int p.ipsrc = employee p.ipdest in outIPs p.srcprt = any p.dstprt = www p.protocol = tcp Defining Difference A function mappingrequests tochanges in outcome Deny to Permit Permit to Deny  packets

  19. Change as a First-Class Entity • Restrict changes to External Firewall View • Which machines lost privileges? Query • Confirm no machines gained privileges Verification

  20. Configuration checking Refactoring testing ? “What if” questions Upgrade checking Finding hotspots Mutationtesting 20

  21. Scenario-Based Output p.entry-interface = fw2_int p.ipsrc = contractor p.ipdest in outIPs p.srcprt = any p.dstprt = www p.protocol = tcp p.entry-interface = fw2_int p.ipsrc = employee p.ipdest in outIPs p.srcprt = any p.dstprt = www p.protocol = tcp

  22. Exhaustive Answers (in Some (Useful) Cases) Bernays-Schönfinkel-Ramsey  +  overloading (subtyping) and empty sorts

  23. Minimality

  24. Multi-Lingual Support Datalog-based intermediate language

  25. Margrave Supports… • Most of XACML 1.0 and 2.0 • Cisco IOS: • ACL: standard and extended • NAT: static; dynamic: ACL-based, map-based • routing: static and policy-based • limited: BGP announcements and VPN endpoints • Amazon Access Policy Language (in SQS) • Hypervisor, based on sHype (IBM)

  26. How SDNs Change Things Global view of Configuration and State: Current networks: hard SDNs: easy (But you already know all that.)

  27. Principles Recap Property-free analysis Change-impact w/ first-class changes Scenario-based output Exhaustive answers (where possible) Minimality Multi-lingual support

  28. Dan Dougherty [WPI] • Kathi Fisler [WPI] • Tim Nelson [WPI] • Alums: • Chris Barratt [Brown ScM  BEA] • Leo Meyerovich [Brown u.g.  Berkeley] • Michael Tschantz [Brown u.g.  CMU] http://www.margrave-tool.org/

More Related