Policy Analysis Using Margrave. Shriram Krishnamurthi, Brown University. (Presentation transcript)


1 Policy Analysis Using Margrave. Shriram Krishnamurthi, Brown University

3 ACL for External firewall:
1: DENY if: ifc=fw1_dmz, ipdest in blacklist
2: DENY if: ifc=fw1_ext, ipsrc in blacklist
3: DENY if: ifc=fw1_dmz, portdest=telnet
4: ACCEPT if: ifc=fw1_ext, ipdest=mailserver, portdest=smtp, proto=tcp
5: ACCEPT if: ifc=fw1_ext, ipdest=webserver, portdest=http, proto=tcp
6: ACCEPT if: ifc=fw1_dmz, ipdest=any outside, portdest=http, proto=tcp, ipsrc=manager
7: DROP otherwise

4 [Network diagram: firewall interfaces int, dmz and ext; the DMZ; employees, contractors and the manager on the internal network]

5 [Same diagram annotated with the external ACL's rules: blacklist; telnet; www/tcp; smtp/tcp; www/tcp]

6 [Diagram of the internal firewall: its NAT rewrites ipsrc to fw2_static; smtp/tcp and www/tcp flows]

7 Problem: the manager can't connect to the Web.

8 When can a connection from the manager's PC be denied if it's
- to port 80 (www)
- over TCP
- to any machine?

9 The question of slide 8 as a query (p is the packet entering the internal firewall, p' its NAT-translated form):

$$\begin{aligned}
\exists p.\;& p.\mathrm{dstprt} = \mathrm{www} \land p.\mathrm{proto} = \mathrm{TCP} \land p.\mathrm{ipdest} \in \mathrm{outIPs} \land p.\mathrm{ipsrc} = \mathrm{manager} \\
& \land \big(\,\mathrm{Int.ACL\ denies}\ p \\
& \quad \lor \exists p'.\ \mathrm{Int.NAT\ translates}\ p\ \mathrm{to}\ p' \land p'.\mathrm{dstprt} = p.\mathrm{dstprt} \land p'.\mathrm{proto} = p.\mathrm{proto} \land p'.\mathrm{ipdest} = p.\mathrm{ipdest} \\
& \qquad \land \mathrm{Ext.ACL\ denies}\ p'\,\big)
\end{aligned}$$

10 When can a connection from the manager's PC be denied if it's to port 80 (www), over TCP, to any machine?
Always:
- Int's ACL accepts the packet via rule 4.
- Int's NAT applies to the packet.
- Ext's ACL denies the post-NAT packet via rule 7.


12 Property-Free Analysis (e.g., Change Impact)

13 P ⊢ φ: Does the policy satisfy its property?

14 P ⊢ φ: Can people state them? Are they good enough?

15 ACL for External firewall (proposed fix: rule 6 now matches the internal firewall's NAT address instead of the manager's):
1: DENY if: ifc=fw1_dmz, ipdest in blacklist
2: DENY if: ifc=fw1_ext, ipsrc in blacklist
3: DENY if: ifc=fw1_dmz, portdest=telnet
4: ACCEPT if: ifc=fw1_ext, ipdest=mailserver, portdest=smtp, proto=tcp
5: ACCEPT if: ifc=fw1_ext, ipdest=webserver, portdest=http, proto=tcp
6: ACCEPT if: ifc=fw1_dmz, ipdest=any outside, portdest=http, proto=tcp, ipsrc=fw2_static (changed from manager)
7: DROP otherwise

16 Change-impact query: packets the internal firewall accepts whose post-NAT form the old external ACL (Ext.ACL) and the new one (Ext.ACLNew) decide differently:

$$\begin{aligned}
\exists p.\;& \mathrm{Int.ACL\ accepts}\ p \land \exists p'.\ \mathrm{Int.NAT\ translates}\ p\ \mathrm{to}\ p' \land p'.\mathrm{dstprt} = p.\mathrm{dstprt} \land p'.\mathrm{proto} = p.\mathrm{proto} \land p'.\mathrm{ipdest} = p.\mathrm{ipdest} \\
& \land \big((\mathrm{Ext.ACL\ denies}\ p' \land \mathrm{Ext.ACLNew\ accepts}\ p') \lor (\mathrm{Ext.ACL\ accepts}\ p' \land \mathrm{Ext.ACLNew\ denies}\ p')\big)
\end{aligned}$$

17
- p.entry-interface = fw2_int, p.ipsrc = manager, p.ipdest in outIPs, p.srcprt = any, p.dstprt = www, p.protocol = tcp
- p.entry-interface = fw2_int, p.ipsrc = employee, p.ipdest in outIPs, p.srcprt = any, p.dstprt = www, p.protocol = tcp
- p.entry-interface = fw2_int, p.ipsrc = contractor, p.ipdest in outIPs, p.srcprt = any, p.dstprt = www, p.protocol = tcp

18 Defining Difference
- p.entry-interface = fw2_int, p.ipsrc = employee, p.ipdest in outIPs, p.srcprt = any, p.dstprt = www, p.protocol = tcp
- p.entry-interface = fw2_int, p.ipsrc = contractor, p.ipdest in outIPs, p.srcprt = any, p.dstprt = www, p.protocol = tcp
packets → { Deny to Permit, Permit to Deny }: a function mapping requests to changes in outcome

19 Change as a First-Class Entity
- Restrict changes to External Firewall: View
- Which machines lost privileges?: Query
- Confirm no machines gained privileges: Verification
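As an added example (not the slides' or Margrave's own code), the following Python models the two-firewall network over a small finite domain and answers both slide 9's query and the change-impact question of slides 16 to 19 by exhaustive enumeration instead of a model finder. Everything not on the slides is an assumption: the symbolic host and address names, the internal firewall's ACL (the slides say only that its rule 4 accepts the manager's web traffic), and that the internal NAT rewrites the source to fw2_static and delivers the packet to the external firewall's DMZ interface.

```python
"""Finite-domain model of the two-firewall example: an added illustration, not
Margrave's implementation. Addresses, the internal ACL and the NAT rule are assumptions."""
from dataclasses import dataclass, replace
from itertools import product
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    ifc: str      # interface the packet arrives on
    ipsrc: str
    ipdest: str
    dstprt: str
    proto: str


# Constructed finite domains; symbolic names stand in for addresses.
INSIDE_HOSTS = {"manager", "employee", "contractor"}
DMZ_HOSTS = {"mailserver", "webserver"}
OUT_IPS = {"out_a", "out_b"}      # "any outside" in rule 6
BLACKLIST = {"badhost"}           # assumption: one blacklisted outside address
PORTS = {"http", "smtp", "telnet", "ssh"}
PROTOS = {"tcp", "udp"}
Rule = Tuple[str, Callable[[Packet], bool]]   # (decision, match); first match wins


def ext_acl(rule6_src: str) -> List[Rule]:
    """External firewall ACL from slide 3; rule 6's ipsrc is what slide 15 changes."""
    def tcp(p, port): return p.dstprt == port and p.proto == "tcp"
    return [
        ("deny",   lambda p: p.ifc == "fw1_dmz" and p.ipdest in BLACKLIST),                         # 1
        ("deny",   lambda p: p.ifc == "fw1_ext" and p.ipsrc in BLACKLIST),                          # 2
        ("deny",   lambda p: p.ifc == "fw1_dmz" and p.dstprt == "telnet"),                          # 3
        ("accept", lambda p: p.ifc == "fw1_ext" and p.ipdest == "mailserver" and tcp(p, "smtp")),  # 4
        ("accept", lambda p: p.ifc == "fw1_ext" and p.ipdest == "webserver" and tcp(p, "http")),   # 5
        ("accept", lambda p: p.ifc == "fw1_dmz" and p.ipdest in OUT_IPS and tcp(p, "http")
                             and p.ipsrc == rule6_src),                                             # 6
        ("deny",   lambda p: True),                                                                 # 7
    ]


EXT_ACL = ext_acl("manager")         # as deployed (slide 3)
EXT_ACL_NEW = ext_acl("fw2_static")  # proposed fix (slide 15)

# Assumed internal-firewall ACL; the slides say only that its rule 4 accepts
# the manager's web traffic, so rule 4 here is the outbound-http rule.
INT_ACL: List[Rule] = [
    ("deny",   lambda p: p.dstprt == "telnet"),
    ("deny",   lambda p: p.ipdest in BLACKLIST),
    ("accept", lambda p: p.ipdest == "mailserver" and p.dstprt == "smtp" and p.proto == "tcp"),
    ("accept", lambda p: p.ipdest in OUT_IPS and p.dstprt == "http" and p.proto == "tcp"),
    ("deny",   lambda p: True),
]


def eval_acl(acl: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """First-match evaluation; returns (decision, 1-based rule number)."""
    for number, (decision, matches) in enumerate(acl, start=1):
        if matches(pkt):
            return decision, number
    raise ValueError("ACL lacks a catch-all rule")


def trace(pkt: Packet, ext: List[Rule] = EXT_ACL) -> Tuple[str, str]:
    """Int.ACL, then Int.NAT, then Ext.ACL on the translated packet; returns (outcome, reason)."""
    verdict, n = eval_acl(INT_ACL, pkt)
    if verdict == "deny":
        return "deny", f"Int.ACL rule {n} denies"
    # Assumed static NAT: outbound traffic leaves as fw2_static via the external DMZ interface.
    nat_pkt = replace(pkt, ifc="fw1_dmz", ipsrc="fw2_static")
    verdict2, n2 = eval_acl(ext, nat_pkt)
    word = "denies" if verdict2 == "deny" else "accepts"
    return verdict2, f"Int.ACL rule {n} accepts; NAT sets ipsrc={nat_pkt.ipsrc}; Ext.ACL rule {n2} {word}"


def all_inside_packets():
    """Every packet in the finite domain that enters the internal firewall."""
    dests = sorted(DMZ_HOSTS | OUT_IPS | BLACKLIST)
    for src, dst, port, proto in product(sorted(INSIDE_HOSTS), dests, sorted(PORTS), sorted(PROTOS)):
        yield Packet("fw2_int", src, dst, port, proto)


def find_scenarios(pred, outcome: str = "deny", ext: List[Rule] = EXT_ACL) -> List[Tuple[Packet, str]]:
    """Slide 9's query by exhaustive enumeration: matching packets with the given outcome, plus why."""
    found = []
    for pkt in all_inside_packets():
        if pred(pkt):
            verdict, reason = trace(pkt, ext)
            if verdict == outcome:
                found.append((pkt, reason))
    return found


def change_impact(old: List[Rule], new: List[Rule]) -> Dict[str, List[Packet]]:
    """Slide 18's function from packets to changes in outcome."""
    diff: Dict[str, List[Packet]] = {"deny_to_permit": [], "permit_to_deny": []}
    for pkt in all_inside_packets():
        before, after = trace(pkt, old)[0], trace(pkt, new)[0]
        if (before, after) == ("deny", "accept"):
            diff["deny_to_permit"].append(pkt)
        elif (before, after) == ("accept", "deny"):
            diff["permit_to_deny"].append(pkt)
    return diff


def hosts_affected(diff: Dict[str, List[Packet]]) -> Dict[str, List[str]]:
    """Slide 19's questions: which source machines gained or lost privileges."""
    return {key: sorted({p.ipsrc for p in pkts}) for key, pkts in diff.items()}


def manager_web(p: Packet) -> bool:
    return p.ipsrc == "manager" and p.ipdest in OUT_IPS and p.dstprt == "http" and p.proto == "tcp"
```

Calling find_scenarios(manager_web) returns both outside destinations, each with the chain "Int.ACL rule 4 accepts; NAT sets ipsrc=fw2_static; Ext.ACL rule 7 denies", which is slide 10's answer; change_impact(EXT_ACL, EXT_ACL_NEW) reports six deny-to-permit packets and no permit-to-deny ones, and hosts_affected on that result shows the fix grants web access to contractor and employee as well as manager, the point of slide 17. Brute-force enumeration is exponential in the number of packet attributes and only works for toy domains like this one; the slides' approach is to hand the same query to a solver instead.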

20
- Configuration checking
- Upgrade checking
- Finding hotspots
- "What if" questions
- Mutation testing
- Refactoring testing
- ?

21 Scenario-Based Output
- p.entry-interface = fw2_int, p.ipsrc = employee, p.ipdest in outIPs, p.srcprt = any, p.dstprt = www, p.protocol = tcp
- p.entry-interface = fw2_int, p.ipsrc = contractor, p.ipdest in outIPs, p.srcprt = any, p.dstprt = www, p.protocol = tcp

22 Exhaustive Answers (in Some (Useful) Cases): Bernays-Schönfinkel-Ramsey + overloading (subtyping) and empty sorts

23 Minimality

24 Multi-Lingual Support: Datalog-based intermediate language

25 Margrave Supports…
- Most of XACML 1.0 and 2.0
- Cisco IOS:
  – ACL: standard and extended
  – NAT: static; dynamic: ACL-based, map-based
  – routing: static and policy-based
  – limited: BGP announcements and VPN endpoints
- Amazon Access Policy Language (in SQS)
- Hypervisor, based on sHype (IBM)

26 How SDNs Change Things
Global view of Configuration and State:
- Current networks: hard
- SDNs: easy
(But you already know all that.)

28 Principles Recap
- Property-free analysis
- Change-impact with first-class changes
- Scenario-based output
- Exhaustive answers (where possible)
- Minimality
- Multi-lingual support

29 Dan Dougherty [WPI], Kathi Fisler [WPI], Tim Nelson [WPI]
Alums:
– Chris Barratt [Brown ScM → BEA]
– Leo Meyerovich [Brown u.g. → Berkeley]
– Michael Tschantz [Brown u.g. → CMU]
