Network Configuration Management Via Model Finding Sanjai Narain Senior Research Scientist Telcordia Technologies

Slides:



Advertisements
Similar presentations
© 2006 Cisco Systems, Inc. All rights reserved. Network Security 2 Module 4: Configuring Site to Site VPN with Pre-shared keys.
Advertisements

The subnet /28 has been selected to be further subnetted to support point-to-point serial links. What is the maximum number of serial links.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Implementing IP Addressing Services Accessing the WAN – Chapter 7.
Guide to Network Defense and Countermeasures Second Edition
Scalable Configuration Management For Secure Web Services Infrastructure Sanjai Narain Senior Research Scientist Telcordia Technologies
Agenda Virtual Private Networks (VPNs) Motivation and Basics Deployment Topologies IPSEC (IP Security) Authentication Header (AH) Encapsulating Security.
11 TROUBLESHOOTING Chapter 12. Chapter 12: TROUBLESHOOTING2 OVERVIEW  Determine whether a network communications problem is related to TCP/IP.  Understand.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 Access Control Lists Accessing the WAN – Chapter 5.
© 2006 Cisco Systems, Inc. All rights reserved. ICND v2.3—3-1 Determining IP Routes Introducing Routing.
Agenda VPN tunnels Configuration of basic core network components Maintenance of Cisco devices Exercises & troubleshooting.
Middleware for Building Adaptive Systems Via Configuration An SAIC Company S. Narain R. Vaidyanathan S. Moyer A. Shareef K. Parmeswaran Internet Architecture.
Configuration of a Site-to-Site IPsec Virtual Private Network Anuradha Kallury CS 580 Special Project August 23, 2005.
© 2009 Cisco Systems, Inc. All rights reserved. ROUTE v1.0—5-1 Implementing Path Control Assessing Path Control Network Performance Issues.
© 2009 Cisco Systems, Inc. All rights reserved. ROUTE v1.0—4-1 Implement an IPv4-Based Redistribution Solution Assessing Network Routing Performance and.
Internet Protocol Security (IPSec)
1 © 2001, Cisco Systems, Inc. All rights reserved. Session Number Presentation_ID Cisco Easy VPN Solutions Applications and Implementation with Cisco IOS.
© 2012 Cisco and/or its affiliates. All rights reserved. 1 Implementing Virtual Private Networks.
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L7 1 Network Security 2 Module 6 – Configure Remote Access VPN.
DrayTek VPN Solution. Outline What is VPN What does VPN Do Supported VPN Protocol How Many Tunnels does Vigor Support VPN Application Special VPN Application.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 9 Network Policy and Access Services in Windows Server 2008.
Creating an IPsec VPN using IOS command syntax. What is IPSec IPsec, Internet Protocol Security, is a set of protocols defined by the IETF, Internet Engineering.
Module 3: Planning and Troubleshooting Routing and Switching.
© 2012 Cisco and/or its affiliates. All rights reserved. 1 CCNA Security 1.1 Instructional Resource Chapter 8 – Implementing Virtual Private Networks.
© 2007 Cisco Systems, Inc. All rights reserved.ICND1 v1.0—5-1 WAN Connections Enabling Static Routing.
RE © 2003, Cisco Systems, Inc. All rights reserved.
1 © 2002, Cisco Systems, Inc. All rights reserved. SEC-210 Deploying and Managing Enterprise IPsec VPNs Ken Kaminski Cisco Systems Consulting Systems Engineer.
Network Access for Remote Users: Practical IPSec Dr John S. Graham ULCC
Manipulating Routing Updates Controlling Routing Update Traffic.
Implementing VPN Solutions Laurel Boyer, CCIE 4918 Presented, June 2003.
TCOM 515 Lecture 6.
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0— © 2003, Cisco Systems, Inc. All rights reserved.
Objectives Configure routing in Windows Server 2008 Configure Network Address Translation 1.
Page 1 NAT & VPN Lecture 8 Hassan Shuja 05/02/2006.
Objectives Configure routing in Windows Server 2008 Configure Routing and Remote Access Services in Windows Server 2008 Network Address Translation 1.
Implementing IP Addressing Services Accessing the WAN – Chapter 7.
Access Control List ACL. Access Control List ACL.
Implementing Secure Converged Wide Area Networks (ISCW) Module 3.2.
© 2006 Cisco Systems, Inc. All rights reserved. Optimizing Converged Cisco Networks (ONT) Module 4: Implement the DiffServ QoS Model.
1 © 2004 Cisco Systems, Inc. All rights reserved. CCNA 2 v3.1 Module 11 Access Control Lists (ACLs)
Access Control List (ACL)
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Introduction to Routing and Packet Forwarding Routing Protocols and.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved. CNIT 221 Security 2 Module 3 City College of San.
Page 1 TCP/IP Networking and Remote Access Lecture 9 Hassan Shuja 11/23/2004.
Generic Routing Encapsulation GRE  GRE is an OSI Layer 3 tunneling protocol: Encapsulates a wide variety of protocol packet types inside.
Saeed Darvish Pazoki – MCSE, CCNA Abstracted From: Cisco Press – ICND 2 – 6 IP Access Lists 1.
Chapter 8: Implementing Virtual Private Networks
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved. CNIT 221 Security 2 ver.2 Module 4 City College.
© 2006 Cisco Systems, Inc. All rights reserved. Network Security 2 Module 4: Configuring Site to Site VPN with Pre-shared keys.
Module 5: Designing Security for Internal Networks.
© 2002, Cisco Systems, Inc. All rights reserved. 1 Routing Overview.
Implementing Secure Converged Wide Area Networks (ISCW) Module 3.3.
Virtual Private Network. ATHENA Main Function of VPN  Privacy  Authenticating  Data Integrity  Antireplay.
Using Routing and Remote Access Chapter Five. Exam Objectives in this Chapter:  Plan a routing strategy Identify routing protocols to use in a specified.
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—15-1 Lesson 15 Configuring PIX Firewall Remote Access Using Cisco Easy VPN.
Virtual Private Network Configuration
Lesson 12 Configuring Security Appliance Remote Access Using Cisco Easy VPN © 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—12-1.
Access Control List (ACL) W.lilakiatsakun. Transport Layer Review (1) TCP (Transmission Control Protocol) – HTTP (Web) – SMTP (Mail) UDP (User Datagram.
IPSec is a suite of protocols defined by the Internet Engineering Task Force (IETF) to provide security services at the network layer. standard protocol.
Securing Access to Data Using IPsec Josh Jones Cosc352.
WELCOME LAN TO LAN VPN LAN to LAN VPN also known as Site to Site VPN is the most basic and the most simplest of all the VPN’s used on CISCO devices. It.
Cisco Exam Questions IMPLEMENTING CISCO IOS NETWORK SECURITY (IINS V2.0) VERSION: Presents: 1.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Access Control Lists Accessing the WAN – Chapter 5.
Cisco Routers Routers collectively provide the main feature of the network layer—the capability to forward packets end-to-end through a network. routers.
100% Exam Passing Guarantee & Money Back Assurance
Module 4: Configuring Site to Site VPN with Pre-shared keys
Chapter 1 Introduction to Networking
Now you don’t need to take any stress about the Cisco Exam
100% Exam Passing Guarantee & Money Back Assurance
Planning and Troubleshooting Routing and Switching
Chapter 10: Advanced Cisco Adaptive Security Appliance
Presentation transcript:

Network Configuration Management Via Model Finding Sanjai Narain Senior Research Scientist Telcordia Technologies

2 Large, complex distributed systems are created via configuration  Every component has finite number of configuration parameters. Each is set to a definite value to satisfy systemwide requirements  System wide requirements are on e.g., functionality, security, fault- tolerance, performance  Configuration is “machine language” for logical, system integration  Relevance to self-managing systems: –Logically integrate self-managing systems into larger ones –Dynamically reconfigure systems to satisfy systemwide requirements

3 Yet, there is no “theory” of configuration System Requirements Components Configuration Synthesis Configuration Error Diagnosis Requirement Verification Configuration Error Fixing These reasoning tasks are all manually performed System requirements can’t even be precisely specified, hence automation of reasoning tasks is impossible Leads to high cost of infrastructure ownership Requirement Strengthening Component Adds & Deletes

4 Designing Requirements Language  Semantic aspect: What are intuitive abstractions (logical structures, relationships) used by system administrators? –FSM models of protocols are impractical  Syntactic aspect: How to combine abstractions into requirements? –Propositional logic, definite clauses, FOL, higher-order logic, temporal logic?  Progress to date: “Service Grammar”: –Semantic aspect: Formalize notion of “correct configuration” associated with protocols. –Syntactic aspect: Definite clauses –“Building Autonomic Systems via Configuration”, Proceedings of Autonomic Systems Workshop, 2003  However, FOL is often required –But theorem provers have not been very efficient –….until now, with advent of SAT solvers

5 System components, e.g., hosts, servers, routers, firewalls System Components System Requirements in FOL Configurations Requirement Solver New Concept: Requirement Solver Feedbac k System  components  requirements This is used in different ways to accomplish previous reasoning tasks With policy-based networking, this work has to be done by system designer.

6 Implementation in Alloy  Developed by Professor Daniel Jackson’s group at MIT  Allows specification of: –Objects types, parameters and value types –First-order logic constraints on values –Scope: number and type of each object  Given a specification, Alloy tries to find its “model”, i.e., assignment of parameters to values to satisfy constraints  Compiles specification into Boolean formula then uses SAT solvers

7 Fault-Tolerant VPN (Overlay) Phase II: Create several VPNs, one for each level of sensitivity Phase III: Merge collections of mobile VPNs

8 hostname SN1BS-RTR ! crypto isakmp policy 1 authentication pre-share crypto isakmp key PN1BS-RTR_key_with_SN1BS-RTR address crypto isakmp key AI-RTR_key_with_SN1BS-RTR address crypto isakmp key SN2-RTR_key_with_SN1BS-RTR address ! crypto ipsec transform-set IPSecProposal esp-des esp-sha-hmac ! crypto map vpn-map-Ethernet0/0 33 ipsec-isakmp set peer set transform-set IPSecProposal match address 142 crypto map vpn-map-Ethernet0/0 34 ipsec-isakmp set peer set transform-set IPSecProposal match address 143 crypto map vpn-map-Ethernet0/0 35 ipsec-isakmp set peer set transform-set IPSecProposal match address 144 ! interface Tunnel0 ip address tunnel source tunnel destination crypto map vpn-map-Ethernet0/0 ! interface Tunnel1 ip address tunnel source tunnel destination crypto map vpn-map-Ethernet0/0 interface Tunnel2 ip address tunnel source tunnel destination crypto map vpn-map-Ethernet0/0 ! interface Ethernet0/0 ip address crypto map vpn-map-Ethernet0/0 ! interface Ethernet0/1 ip address ! router rip version 2 network network network network ! ip classless ip route no ip http server ! access-list 142 permit gre host host access-list 143 permit gre host host access-list 144 permit gre host host ! end hostname SN2-RTR ! crypto isakmp policy 1 authentication pre-share crypto isakmp key PN1BS-RTR_key_with_SN2-RTR address crypto isakmp key AI-RTR_key_with_SN2-RTR address crypto isakmp key SN1BS-RTR_key_with_SN2-RTR address ! crypto ipsec transform-set IPSecProposal esp-des esp-sha-hmac ! crypto map vpn-map-Ethernet0/0 33 ipsec-isakmp set peer set transform-set IPSecProposal match address 142 crypto map vpn-map-Ethernet0/0 34 ipsec-isakmp set peer set transform-set IPSecProposal match address 143 crypto map vpn-map-Ethernet0/0 35 ipsec-isakmp set peer set transform-set IPSecProposal match address 144 ! interface Tunnel0 ip address tunnel source tunnel destination crypto map vpn-map-Ethernet0/0 ! interface Tunnel1 ip address tunnel source tunnel destination crypto map vpn-map-Ethernet0/0 ! interface Tunnel2 ip address tunnel source tunnel destination crypto map vpn-map-Ethernet0/0 ! interface Ethernet0/0 ip address crypto map vpn-map-Ethernet0/0 ! interface Ethernet0/1 ip address ! router rip version 2 network network network network ! ip classless ip route no ip http server ! access-list 142 permit gre host host access-list 143 permit gre host host access-list 144 permit gre host host ! end ip classless ! interface Tunnel2 ip address tunnel source tunnel destination crypto map vpn-map-Ethernet0/0 ! interface Ethernet0/0 ip address crypto map vpn-map-Ethernet0/0 ! interface Ethernet0/1 ip address ! router rip version 2 network network network network ! ip classless ip route no ip http server ! access-list 142 permit gre host host access-list 143 permit gre host host access-list 144 permit gre host host ! end hostname PN1BS-RTR ! crypto isakmp policy 1 authentication pre-share crypto isakmp key SN1BS-RTR_key_with_PN1BS-RTR address crypto isakmp key A1-RTR_key_with_PN1BS-RTR address crypto isakmp key SN2-RTR_key_with_PN1BS-RTR address ! crypto ipsec transform-set IPSecProposal esp-des esp-sha-hmac ! crypto map vpn-map-Ethernet0/0 33 ipsec-isakmp set peer set transform-set IPSecProposal match address 142 crypto map vpn-map-Ethernet0/0 34 ipsec-isakmp set peer set transform-set IPSecProposal match address 143 crypto map vpn-map-Ethernet0/0 35 ipsec-isakmp set peer set transform-set IPSecProposal match address 144 ! interface Tunnel0 ip address tunnel source tunnel destination crypto map vpn-map-Ethernet0/0 ! interface Tunnel1 ip address tunnel source tunnel destination crypto map vpn-map-Ethernet0/0 Current VPN Configuration Process interface Tunnel2 ip address tunnel source tunnel destination crypto map vpn-map-Ethernet0/0 ! interface Ethernet0/0 ip address crypto map vpn-map-Ethernet0/0 ! interface Ethernet0/1 ip address ! router rip version 2 network network network network ! ip classless ip route no ip http server ! access-list 142 permit gre host host access-list 143 permit gre host host access-list 144 permit gre host host ! end New Cisco IOS configuration needs to be implemented at all VPN peer routers! For 4 node VPN that is more than 240 command lines. Realistic deployment: 240 sites Can take years VPN services market in 2003: $18 billion hostname AI-RTR ! crypto isakmp policy 1 authentication pre-share crypto isakmp key SN1BS-RTR_key_with_AI-RTR address crypto isakmp key PN1BS-RTR_key_with_AI-RTR address crypto isakmp key SN2-RTR_key_with_AI-RTR address ! crypto ipsec transform-set IPSecProposal esp-des esp-sha-hmac ! crypto map vpn-map-Ethernet0/0 33 ipsec-isakmp set peer set transform-set IPSecProposal match address 142 crypto map vpn-map-Ethernet0/0 34 ipsec-isakmp set peer set transform-set IPSecProposal match address 143 crypto map vpn-map-Ethernet0/0 35 ipsec-isakmp set peer set transform-set IPSecProposal match address 144 ! interface Tunnel0 ip address tunnel source tunnel destination crypto map vpn-map-Ethernet0/0 ! interface Tunnel1 ip address tunnel source tunnel destination crypto map vpn-map-Ethernet0/0

9 RIP Routing Domain OSPF Routing Domain Spoke Router WAN Router Hub Router Access Server (router subtype) Legacy Router Interface Physical Interface Internal Interface External Interface hubExternalInterface spokeExternalInterface Subnet Internal Subnet External Subnet Network Components Component Attributes  interface –chassis: router –network: subnet –routing: routingDomain  ipsecTunnel –local: externalInterface, –remote: externalInterface, –protocolToSecure: protocol  greTunnel –localPhysical: externalInterface –remotePhysical:externalInterface –routing:routingDomain  firewallPolicy – prot: protocol –action: permission –protectedInterface: physicalInterface  ipPacket –source:interface, –destination:interface, –prot:protocol Protocols ike esp gre IPSec Tunnel GRE Tunnel firewallPolicy Permissions permit deny ipPacket

10 List of Network Requirements Human administrators reason with these in different ways to synthesize initial network, then reconfigure it as operating conditions change. Can we automate this reasoning? AccessServerRequirements 15.There exists an access server and spoke router such that the server is attached in “parallel” to the router SecureGRERequirements 14.For every GRE tunnel there is an IPSec tunnel between associated physical interfaces that secures all GRE traffic GRERequirements 12.There is a GRE tunnel between each hub and spoke router 13.RIP is enabled on all GRE interfaces SubnettingRequirements 5.A router does not have more than one interface on a subnet 6.All internal interfaces are on internal subnets 7.All external interfaces are on external subnets 8.Every hub and spoke router is connected to a WAN router 9.No two non-WAN routers share a subnet RouterInterfaceRequirements 1.Each spoke router has internal and external interfaces 2.Each access server has internal and external interfaces 3.Each hub router has only external interfaces 4.Each WAN router has only external interfaces RoutingRequirements 10.RIP is enabled on all internal interfaces 11.OSPF is enabled on all external interfaces FirewallPolicyRequirements 16.Each hub and spoke external interface permits esp and ike packets

11 Configuration Synthesis: Physical Connectivity and Routing  To synthesize network, satisfy R1-R11 for –1 hub router, –1 WAN router, –1 spoke router, –1 internal subnet, –2 external subnets –1 internal interface, –4 external interfaces, – RIP domain, –1 OSPF domain Spoke Router WAN Router Hub Router OSPF Domain RIP Domain SubnettingRequirements 5.A router does not have more than one interface on a subnet 6.All internal interfaces are on internal subnets 7.All external interfaces are on external subnets 8.Every hub and spoke router is connected to a WAN router 9.No two non-WAN routers share a subnet RouterInterfaceRequirements 1.Each spoke router has internal and external interfaces 2.Each access server has internal and external interfaces 3.Each hub router has only external interfaces 4.Each WAN router has only external interfaces RoutingRequirements 10.RIP is enabled on all internal interfaces 11.OSPF is enabled on all external interfaces Requirement Solver generates solution. Note that Hub and Spoke routers are not directly connected, due to Requirement 9

12 Spoke Router Hub Router OSPF Domain RIP Domain To synthesize network, satisfy R1-R13 for  previous list of components &  1 GRE tunnel NOTE: GRE tunnel set up and RIP domain extended to include GRE interfaces automatically! GRE Tunnel Strengthening Requirement: Adding Overlay Network WAN Router GRERequirements 12.There is a GRE tunnel between each hub and spoke router 13.RIP is enabled on all GRE interfaces SubnettingRequirements 5.A router does not have more than one interface on a subnet 6.All internal interfaces are on internal subnets 7.All external interfaces are on external subnets 8.Every hub and spoke router is connected to a WAN router 9.No two non-WAN routers share a subnet RouterInterfaceRequirements 1.Each spoke router has internal and external interfaces 2.Each access server has internal and external interfaces 3.Each hub router has only external interfaces 4.Each WAN router has only external interfaces RoutingRequirements 10.RIP is enabled on all internal interfaces 11.OSPF is enabled on all external interfaces

13 Spoke Router Hub Router OSPF Domain IPSec Tunnel To synthesize network, satisfy R1-R14 for  previous list of components &  1 IPSec tunnel NOTE: IPSec tunnel securing GRE tunnel set up automatically Strengthening Requirement: Adding Security For Overlay Network WAN Router GRERequirements 12.There is a GRE tunnel between each hub and spoke router 13.RIP is enabled on all GRE interfaces SubnettingRequirements 5.A router does not have more than one interface on a subnet 6.All internal interfaces are on internal subnets 7.All external interfaces are on external subnets 8.Every hub and spoke router is connected to a WAN router 9.No two non-WAN routers share a subnet RouterInterfaceRequirements 1.Each spoke router has internal and external interfaces 2.Each access server has internal and external interfaces 3.Each hub router has only external interfaces 4.Each WAN router has only external interfaces RoutingRequirements 10.RIP is enabled on all internal interfaces 11.OSPF is enabled on all external interfaces SecureGRERequirements 14.For every GRE tunnel there is an IPSec tunnel between associated physical interfaces that secures all GRE traffic

14 Spoke Router Hub Router Access Server  To synthesize network, satisfy R1-R15 for previous list of components and 1 additional access server.  Note: Access server interfaces placed on correct interfaces and RIP and OSPF domains correctly extended with internal and external interfaces, respectively Strengthening Requirement: Adding Remote Access Service WAN Router GRERequirements 12.There is a GRE tunnel between each hub and spoke router 13.RIP is enabled on all GRE interfaces SubnettingRequirements 5.A router does not have more than one interface on a subnet 6.All internal interfaces are on internal subnets 7.All external interfaces are on external subnets 8.Every hub and spoke router is connected to a WAN router 9.No two non-WAN routers share a subnet RouterInterfaceRequirements 1.Each spoke router has internal and external interfaces 2.Each access server has internal and external interfaces 3.Each hub router has only external interfaces 4.Each WAN router has only external interfaces RoutingRequirements 10.RIP is enabled on all internal interfaces 11.OSPF is enabled on all external interfaces SecureGRERequirements 14.For every GRE tunnel there is an IPSec tunnel between associated physical interfaces that secures all GRE traffic AccessServerRequirements 15.There exists an access server and spoke router such that the server is attached in “parallel” to the router

15 Spoke Router Spoke Router Access Server  To add another spoke router satisfy requirements R1-R16 for previous components and one additional spoke router and related components  Note: New subnets, GRE and IPSec tunnels set up, and routing domains extended automatically Hub Router WAN Router Component Addition: Adding New Spoke Router

16 Spoke Router Hub Router Access Server OSPF Domain Spoke Router Hub Router  To add another hub router satisfy requirements R1-R16 for previous components and one additional hub router (and related com[ponents)  New subnets, GRE and IPSec tunnels set up, and routing domains extended automatically WAN Router Component Addition: Adding New Hub Router

17 Spoke Router Hub Router Access Server OSPF Domain Spoke Router Hub Router  Symptom: Cannot ping from one internal interface to another  Define Bad = ip packet is blocked  Check if R1-R16 & Bad is satisfiable  Answer: WAN router firewalls block ike/ipsec traffic  Action: Create new policy that allows WAN router firewalls to pass esp/ike packets WAN Router Verification: Adding Firewall Requirements & Discovering Design Flaw

18 Summary And Future Directions  Summary –Proposed a theory of configuration –Designed requirements language + reasoning operations –Developed strategies for “efficient specification” –Showed implementation in Alloy in context of realistic VPN  Future directions –Close the loop to create self-managing systems –Incremental configuration –Scalabilty to thousands of nodes (efficient specification) –Distributed constraint solvers –Distributed self-management

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.