Presentation is loading. Please wait.

Presentation is loading. Please wait.

11 P OLICY A NALYSIS U SING M ARGRAVE Shriram Krishnamurthi Brown University.

Published byShelby Lung Modified over 9 years ago

Similar presentations

Presentation on theme: "11 P OLICY A NALYSIS U SING M ARGRAVE Shriram Krishnamurthi Brown University."— Presentation transcript:

1 11 P OLICY A NALYSIS U SING M ARGRAVE Shriram Krishnamurthi Brown University

2 22

3 3 ACL for External firewall: 1: DENY if: ifc=fw1_dmz, ipdest in blacklist 2: DENY if: ifc=fw1_ext, ipsrc in blacklist 3: DENY if: ifc=fw1_dmz, portdest=telnet 4: ACCEPT if: ifc=fw1_ext, ipdest=mailserver, portdest=smtp, proto=tcp 5: ACCEPT if: ifc=fw1_ext, ipdest=webserver, portdest=http, proto=tcp 6: ACCEPT if: ifc=fw1_dmz, ipdest=any outside, portdest=http, proto=tcp, ipsrc=manager 7: DROP otherwise

4 4 intdmz ext DMZ employees contractors manager

5 5 blacklist telnet www tcp smtp tcp www tcp

6 6 smtp tcp  www tcp fw2_staticipsrc smtp tcp

7 7 Problem The manager can’t connect to the Web.

8 8 ?When can a connection from the manager’s PC be denied if it’s  to port 80 (www)  over TCP  to any machine?

9 9  p.p.dstprt = www  p.proto = TCP  p.ipdest  outIPs  p.ipsrc = manager  Int.ACL denies p  p’. Int.NAT translates p to p’  p’.dstprt = p.dstprt  p’.proto = p.proto  p’.ipdest = p.ipdest  Ext.ACL denies p’

10 10 ?When can a connection from the manager’s PC be denied if it’s  to port 80 (www)  over TCP  to any machine?  Always:  Int’s ACL accepts the packet via rule 4.  Int’s NAT applies to the packet.  Ext’s ACL denies the post-NAT packet via rule 7.

11 M ARGRAVE D ESIGN P RINCIPLES 11

12 Property-Free Analysis (e.g., Change Impact) 12

13 13 P ⊦  Does the policy satisfy its property?

14 14 P ⊦  Can people state them? Are they good enough?

15 15 ACL for External firewall: 1: DENY if: ifc=fw1_dmz, ipdest in blacklist 2: DENY if: ifc=fw1_ext, ipsrc in blacklist 3: DENY if: ifc=fw1_dmz, portdest=telnet 4: ACCEPT if: ifc=fw1_ext, ipdest=mailserver, portdest=smtp, proto=tcp 5: ACCEPT if: ifc=fw1_ext, ipdest=webserver, portdest=http, proto=tcp 6: ACCEPT if: ifc=fw1_dmz, ipdest=any outside, portdest=http, proto=tcp, ipsrc=managerfw2_static 7: DROP otherwise

16 16  p.Int.ACL accepts p   p’. Int.NAT translates p to p’  p’.dstprt = p.dstprt  p’.proto = p.proto  p’.ipdest = p.ipdest  ((Ext.ACL denies p’  Ext.ACLNew accepts p’)  (Ext.ACL accepts p’  Ext.ACLNew denies p’))

17 17 p.entry-interface = fw2_int p.ipsrc = manager p.ipdest in outIPs p.srcprt = any p.dstprt = www p.protocol = tcp p.entry-interface = fw2_int p.ipsrc = employee p.ipdest in outIPs p.srcprt = any p.dstprt = www p.protocol = tcp p.entry-interface = fw2_int p.ipsrc = contractor p.ipdest in outIPs p.srcprt = any p.dstprt = www p.protocol = tcp

18 18 Defining Difference p.entry-interface = fw2_int p.ipsrc = employee p.ipdest in outIPs p.srcprt = any p.dstprt = www p.protocol = tcp p.entry-interface = fw2_int p.ipsrc = contractor p.ipdest in outIPs p.srcprt = any p.dstprt = www p.protocol = tcp packets  Deny to Permit Permit to Deny A function mapping requests to changes in outcome

19 19 Change as a First-Class Entity Restrict changes to External Firewall View Which machines lost privileges? Query Confirm no machines gained privileges Verification

20 20 Configuration checking Upgrade checkingFinding hotspots “What if” questions Mutation testing ? Refactoring testing

21 Scenario-Based Output 21 p.entry-interface = fw2_int p.ipsrc = employee p.ipdest in outIPs p.srcprt = any p.dstprt = www p.protocol = tcp p.entry-interface = fw2_int p.ipsrc = contractor p.ipdest in outIPs p.srcprt = any p.dstprt = www p.protocol = tcp

22 Exhaustive Answers (in Some (Useful) Cases) Bernays-Scho ̈ nfinkel-Ramsey + overloading (subtyping) and empty sorts 22

23 Minimality 23

24 Multi-Lingual Support Datalog-based intermediate language 24

25 25 Margrave Supports… Most of XACML 1.0 and 2.0 Cisco IOS: –ACL: standard and extended –NAT: static; dynamic: ACL-based, map-based –routing: static and policy-based –limited: BGP announcements and VPN endpoints Amazon Access Policy Language (in SQS) Hypervisor, based on sHype (IBM)

26 How SDNs Change Things Global view of Configuration and State:  Current networks: hard  SDNs: easy (But you already know all that.) 26

27 27

28 Principles Recap Property-free analysis Change-impact w/ first-class changes Scenario-based output Exhaustive answers (where possible) Minimality Multi-lingual support 28

29 29 Dan Dougherty [WPI] Kathi Fisler [WPI] Tim Nelson [WPI] Alums: –Chris Barratt [Brown ScM  BEA] –Leo Meyerovich [Brown u.g.  Berkeley] –Michael Tschantz [Brown u.g.  CMU] http://www.margrave-tool.org/

Download ppt "11 P OLICY A NALYSIS U SING M ARGRAVE Shriram Krishnamurthi Brown University."

Similar presentations

1 1 Finding the Dark Cloud: Static Analysis of Cloud Configurations Shriram Krishnamurthi Brown University.

1 1 Finding the Dark Cloud: Static Analysis of Cloud Configurations Shriram Krishnamurthi Brown University.
CST 415 - Computer Networks NAT CST 415 4/10/2017 CST 415 - Computer Networks.

CST Computer Networks NAT CST 415 4/10/2017 CST Computer Networks.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 9: Access Control Lists Routing & Switching.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 9: Access Control Lists Routing & Switching.
Chapter 9: Access Control Lists

Chapter 9: Access Control Lists
Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
Margrave: XACML Verification and Change-Impact Analysis Kathi Fisler, WPI Shriram Krishnamurthi, Brown Leo Meyerovich, Brown Michael Carl Tschantz, Brown.

Margrave: XACML Verification and Change-Impact Analysis Kathi Fisler, WPI Shriram Krishnamurthi, Brown Leo Meyerovich, Brown Michael Carl Tschantz, Brown.
Putting the User in Usable Verification Kathi Fisler, WPI Joint work with Shriram Krishnamurthi.

Putting the User in Usable Verification Kathi Fisler, WPI Joint work with Shriram Krishnamurthi.
© 2006 Cisco Systems, Inc. All rights reserved. ICND v2.3—4-1 Managing IP Traffic with ACLs Scaling the Network with NAT and PAT.

© 2006 Cisco Systems, Inc. All rights reserved. ICND v2.3—4-1 Managing IP Traffic with ACLs Scaling the Network with NAT and PAT.
M. Dahshan - TCOM52721 TCOM 5272 Telecomm Lab Dr. Mostafa Dahshan OU-Tulsa 4W 2 nd floor 660-3713

M. Dahshan - TCOM52721 TCOM 5272 Telecomm Lab Dr. Mostafa Dahshan OU-Tulsa 4W 2 nd floor
© 2003, Cisco Systems, Inc. All rights reserved. ICND v2.1—4-1 © 2003, Cisco Systems, Inc. All rights reserved. 1 Scaling the Network with NAT and PAT.

© 2003, Cisco Systems, Inc. All rights reserved. ICND v2.1—4-1 © 2003, Cisco Systems, Inc. All rights reserved. 1 Scaling the Network with NAT and PAT.
Chapter 9 Caching, NAT Professor Rick Han University of Colorado at Boulder

Chapter 9 Caching, NAT Professor Rick Han University of Colorado at Boulder
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
CISCO PIX FIREWALL Configuration for DCSL Tuan Anh Nguyen CSCI 5234 University of Houston Clear Lake Fall Semester, 2005.

CISCO PIX FIREWALL Configuration for DCSL Tuan Anh Nguyen CSCI 5234 University of Houston Clear Lake Fall Semester, 2005.
Chapter 8 PIX Firewall. Adaptive Security Algorithm (ASA)  Used by Cisco PIX Firewall  Keeps track of connections originating from the protected inside.

Chapter 8 PIX Firewall. Adaptive Security Algorithm (ASA)  Used by Cisco PIX Firewall  Keeps track of connections originating from the protected inside.
CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.

CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.
Formal checkings in networks James Hongyi Zeng with Peyman Kazemian, George Varghese, Nick McKeown.

Formal checkings in networks James Hongyi Zeng with Peyman Kazemian, George Varghese, Nick McKeown.
© 2007 Cisco Systems, Inc. All rights reserved.ICND2 v1.0—7-1 Address Space Management Scaling the Network with NAT and PAT.

© 2007 Cisco Systems, Inc. All rights reserved.ICND2 v1.0—7-1 Address Space Management Scaling the Network with NAT and PAT.
CISCO NETWORKING ACADEMY Chabot College ELEC 99.08 Access Control Lists - Introduction.

CISCO NETWORKING ACADEMY Chabot College ELEC Access Control Lists - Introduction.
NAT (Network Address Translation) Natting means Translation of private IP address into public IP address . In order to communicate with internet we must.

NAT (Network Address Translation) Natting means "Translation of private IP address into public IP address ". In order to communicate with internet we must.
9/11/2015Home Networking1 Bob.test Have Road Runner Unhappy about reports of constant probes of machines Policy decision –I want to prevent unauthorized.

9/11/2015Home Networking1 Bob.test Have Road Runner Unhappy about reports of constant probes of machines Policy decision –I want to prevent unauthorized.

Similar presentations

Ads by Google