Policy Analysis Using Margrave

POLICY ANALYSIS USING MARGRAVE
Shriram Krishnamurthi
Brown University
ACL for External firewall:
1: DENY if: ifc=fw1_dmz, ipdest in blacklist
2: DENY if: ifc=fw1_ext, ipsrc in blacklist
3: DENY if: ifc=fw1_dmz, portdest=telnet
4: ACCEPT if: ifc=fw1_ext, ipdest=mailserver,
portdest=smtp, proto=tcp
5: ACCEPT if: ifc=fw1_ext, ipdest=webserver,
portdest=http, proto=tcp
6: ACCEPT if: ifc=fw1_dmz, ipdest=any outside,
portdest=http, proto=tcp, ipsrc=manager
7: DROP otherwise
[Network diagram, three slides: employees, contractors and the manager sit behind the internal firewall (interfaces int, dmz); the external firewall (interfaces dmz, ext) fronts the DMZ. Labelled flows: tcp/www, tcp/smtp, telnet, blacklist, ipsrc, fw2_static.]
Problem
The manager can’t connect to the Web.
? When can a connection from the manager’s PC be denied if it’s
• to port 80 (www)
• over TCP
• to any machine?
∃p . p.dstprt = www ∧ p.proto = TCP ∧
  p.ipdest ∈ outIPs ∧ p.ipsrc = manager ∧
  (Int.ACL denies p ∨
   ∃p’ . Int.NAT translates p to p’ ∧
     p’.dstprt = p.dstprt ∧
     p’.proto = p.proto ∧
     p’.ipdest = p.ipdest ∧
     Ext.ACL denies p’)
? When can a connection from the manager’s PC be denied if it’s
• to port 80 (www)
• over TCP
• to any machine?
Always:
• Int’s ACL accepts the packet via rule 4.
• Int’s NAT applies to the packet.
• Ext’s ACL denies the post-NAT packet via rule 7.
MARGRAVE DESIGN PRINCIPLES
Property-Free Analysis
(e.g., Change Impact)
Does the policy satisfy its property?
Can people state them?
Are they good enough?
ACL for External firewall:
1: DENY if: ifc=fw1_dmz, ipdest in blacklist
2: DENY if: ifc=fw1_ext, ipsrc in blacklist
3: DENY if: ifc=fw1_dmz, portdest=telnet
4: ACCEPT if: ifc=fw1_ext, ipdest=mailserver,
portdest=smtp, proto=tcp
5: ACCEPT if: ifc=fw1_ext, ipdest=webserver,
portdest=http, proto=tcp
6: ACCEPT if: ifc=fw1_dmz, ipdest=any outside,
portdest=http, proto=tcp, ipsrc=manager
7: DROP otherwise
∃p . Int.ACL accepts p ∧
  ∃p’ . Int.NAT translates p to p’ ∧
    p’.dstprt = p.dstprt ∧
    p’.proto = p.proto ∧
    p’.ipdest = p.ipdest ∧
    ((Ext.ACL denies p’ ∧ Ext.ACLNew accepts p’) ∨
     (Ext.ACL accepts p’ ∧ Ext.ACLNew denies p’))
p.entry-interface = fw2_int
p.ipsrc = manager
p.ipdest in outIPs
p.srcprt = any
p.dstprt = www
p.protocol = tcp

p.entry-interface = fw2_int
p.ipsrc = employee
p.ipdest in outIPs
p.srcprt = any
p.dstprt = www
p.protocol = tcp

p.entry-interface = fw2_int
p.ipsrc = contractor
p.ipdest in outIPs
p.srcprt = any
p.dstprt = www
p.protocol = tcp
Defining Difference
p.entry-interface = fw2_int
p.ipsrc = contractor
p.ipdest in outIPs
p.srcprt = any
p.dstprt = www
p.protocol = tcp

p.entry-interface = fw2_int
p.ipsrc = employee
p.ipdest in outIPs
p.srcprt = any
p.dstprt = www
p.protocol = tcp

A function mapping requests (packets) to changes in outcome:
• Deny to Permit
• Permit to Deny
Change as a First-Class Entity
• Restrict changes to External Firewall (View)
• Which machines lost privileges? (Query)
• Confirm no machines gained privileges (Verification)
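The two queries above (the manager’s denied web connection, and the change-impact query comparing Ext.ACL with Ext.ACLNew) worked by exhaustive enumeration, as an added Python example that is not Margrave’s own code. It assumes a static NAT on the internal firewall that rewrites internal sources to fw2_static, small constructed host and port domains, and, for the change, that the new ACL drops the ipsrc=manager test from rule 6.

```python
from itertools import product

IFCS = ["fw1_dmz", "fw1_ext"]
HOSTS = ["manager", "employee", "contractor", "fw2_static",
         "mailserver", "webserver", "outside", "badhost"]
PORTS, PROTOS = ["http", "smtp", "telnet"], ["tcp", "udp"]
INTERNAL = {"manager", "employee", "contractor"}
OUT_IPS = ["outside", "badhost"]   # "any outside" in rule 6 (constructed)
BLACKLIST = {"badhost"}            # constructed blacklist member

def ext_acl(p, new=False):
    """External firewall ACL, rules 1-7 from the slide, first match wins.
    new=True applies an assumed change: rule 6 no longer tests ipsrc=manager."""
    ifc, src, dst, port, proto = p
    rules = [
        ("DENY", ifc == "fw1_dmz" and dst in BLACKLIST),                    # 1
        ("DENY", ifc == "fw1_ext" and src in BLACKLIST),                    # 2
        ("DENY", ifc == "fw1_dmz" and port == "telnet"),                    # 3
        ("ACCEPT", ifc == "fw1_ext" and dst == "mailserver"
                   and port == "smtp" and proto == "tcp"),                  # 4
        ("ACCEPT", ifc == "fw1_ext" and dst == "webserver"
                   and port == "http" and proto == "tcp"),                  # 5
        ("ACCEPT", ifc == "fw1_dmz" and dst in OUT_IPS and port == "http"
                   and proto == "tcp" and (new or src == "manager")),       # 6
    ]
    return next((decision for decision, hit in rules if hit), "DROP")      # 7

def int_nat(p):
    """Assumed static NAT on the internal firewall: internal sources leave as fw2_static."""
    ifc, src, dst, port, proto = p
    return (ifc, "fw2_static" if src in INTERNAL else src, dst, port, proto)

def manager_web_denied():
    """The slide's query: manager -> any outside host, TCP/80; which packets does Ext deny after NAT?"""
    packets = product(["fw1_dmz"], ["manager"], OUT_IPS, ["http"], ["tcp"])
    return [p for p in packets if ext_acl(int_nat(p)) != "ACCEPT"]

def change_impact():
    """Property-free change impact: packets whose Ext decision differs between the
    old and the changed ACL, split into Deny->Permit and Permit->Deny scenarios."""
    deny_to_permit, permit_to_deny = [], []
    for p in product(IFCS, HOSTS, HOSTS, PORTS, PROTOS):
        old = ext_acl(p) == "ACCEPT"
        new = ext_acl(p, new=True) == "ACCEPT"
        if new and not old:
            deny_to_permit.append(p)
        elif old and not new:
            permit_to_deny.append(p)
    return deny_to_permit, permit_to_deny
```

Every manager packet comes back denied: after NAT the source is fw2_static, rule 6 no longer matches, and rule 7 drops it, which is the scenario the slides report; the change-impact run then lists exactly which sources gain web access under the relaxed rule 6 and confirms nothing loses it.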
• Configuration checking
• Refactoring testing
• “What if” questions
• Upgrade checking
• Finding hotspots
• Mutation testing
Scenario-Based Output
p.entry-interface = fw2_int
p.ipsrc = contractor
p.ipdest in outIPs
p.srcprt = any
p.dstprt = www
p.protocol = tcp

p.entry-interface = fw2_int
p.ipsrc = employee
p.ipdest in outIPs
p.srcprt = any
p.dstprt = www
p.protocol = tcp
Exhaustive Answers
(in Some (Useful) Cases)
Bernays-Schönfinkel-Ramsey +
overloading (subtyping) and empty sorts
Minimality
Multi-Lingual Support
Datalog-based intermediate language
Margrave Supports…
• Most of XACML 1.0 and 2.0
• Cisco IOS:
– ACL: standard and extended
– NAT: static; dynamic: ACL-based, map-based
– routing: static and policy-based
– limited: BGP announcements and VPN endpoints
• Amazon Access Policy Language (in SQS)
• Hypervisor, based on sHype (IBM)
How SDNs Change Things
Global view of Configuration and State:
• Current networks: hard
• SDNs: easy
(But you already know all that.)
Principles Recap
Property-free analysis
Change-impact w/ first-class changes
Scenario-based output
Exhaustive answers (where possible)
Minimality
Multi-lingual support
• Dan Dougherty [WPI]
• Kathi Fisler [WPI]
• Tim Nelson [WPI]
• Alums:
– Chris Barratt [Brown ScM → BEA]
– Leo Meyerovich [Brown u.g. → Berkeley]
– Michael Tschantz [Brown u.g. → CMU]
http://www.margrave-tool.org/
Download