11

POLICY ANALYSISUSING MARGRAVE

Shriram KrishnamurthiBrown University

22

3

ACL for External firewall:1: DENY if: ifc=fw1_dmz, ipdest in blacklist2: DENY if: ifc=fw1_ext, ipsrc in blacklist3: DENY if: ifc=fw1_dmz, portdest=telnet4: ACCEPT if: ifc=fw1_ext, ipdest=mailserver,

portdest=smtp, proto=tcp5: ACCEPT if: ifc=fw1_ext, ipdest=webserver,

portdest=http, proto=tcp6: ACCEPT if: ifc=fw1_dmz, ipdest=any outside,

portdest=http, proto=tcp, ipsrc=manager7: DROP otherwise

4

int dmz dmz ext

DMZ

employees

contractors

manager

5

blacklistblacklist

telnet

wwwtcp

smtptcp

wwwtcp

6

smtp

tcpwww

tcp

fw2_staticipsrc

smtptcp

7

Problem

The manager can’t connect to the Web.

8

? When can a connection from the manager’s PC be denied if it’s to port 80 (www) over TCP to any machine?

9

p . p.dstprt = www p.proto = TCP

p.ipdest outIPs p.ipsrc = manager Int.ACL denies p p’ . Int.NAT translates p to p’

p’.dstprt = p.dstprt p’.proto = p.proto p’.ipdest = p.ipdest Ext.ACL denies p’

10

? When can a connection from the manager’s PC be denied if it’s to port 80 (www) over TCP to any machine?

Always: Int’s ACL accepts the packet via rule 4. Int’s NAT applies to the packet. Ext’s ACL denies the post-NAT packet

via rule 7.

MARGRAVE DESIGN PRINCIPLES

11

Property-Free Analysis(e.g., Change Impact)

12

13

P⊦Does

thepolicy

satisfyits

property?

1414

P⊦Can people state them?

Are they good enough?

15

ACL for External firewall:1: DENY if: ifc=fw1_dmz, ipdest in blacklist2: DENY if: ifc=fw1_ext, ipsrc in blacklist3: DENY if: ifc=fw1_dmz, portdest=telnet4: ACCEPT if: ifc=fw1_ext, ipdest=mailserver,

portdest=smtp, proto=tcp5: ACCEPT if: ifc=fw1_ext, ipdest=webserver,

portdest=http, proto=tcp6: ACCEPT if: ifc=fw1_dmz, ipdest=any outside,

portdest=http, proto=tcp, ipsrc=managerfw2_static

7: DROP otherwise

16

p . Int.ACL accepts p p’ . Int.NAT translates p to p’

p’.dstprt = p.dstprt p’.proto = p.proto p’.ipdest = p.ipdest ((Ext.ACL denies p’ Ext.ACLNew accepts p’) (Ext.ACL accepts p’ Ext.ACLNew denies p’))

17

p.entry-interface = fw2_intp.ipsrc = managerp.ipdest in outIPsp.srcprt = anyp.dstprt = wwwp.protocol = tcp

p.entry-interface = fw2_intp.ipsrc = employeep.ipdest in outIPsp.srcprt = anyp.dstprt = wwwp.protocol = tcp

p.entry-interface = fw2_intp.ipsrc = contractorp.ipdest in outIPsp.srcprt = anyp.dstprt = wwwp.protocol = tcp

18

Defining Difference

p.entry-interface = fw2_int

p.ipsrc = employeep.ipdest in outIPsp.srcprt = anyp.dstprt = wwwp.protocol = tcp

p.entry-interface = fw2_int

p.ipsrc = contractorp.ipdest in outIPsp.srcprt = anyp.dstprt = wwwp.protocol = tcp

packets

Deny to

Permit

Permit to Deny

A function mapping

requests tochanges in outcome

19

Change as a First-Class Entity

• Restrict changes to External FirewallView

• Which machines lost privileges?Query

• Confirm no machines gained privileges

Verification

2020

Configuration checking

Upgrade checking Finding hotspots

“What if” questions

Mutationtesting

?

Refactoring testing

Scenario-Based Output

21

p.entry-interface = fw2_int

p.ipsrc = employeep.ipdest in outIPsp.srcprt = anyp.dstprt = wwwp.protocol = tcp

p.entry-interface = fw2_int

p.ipsrc = contractorp.ipdest in outIPsp.srcprt = anyp.dstprt = wwwp.protocol = tcp

Exhaustive Answers (in Some (Useful) Cases)

Bernays-Schonfinkel-Ramsey  + overloading (subtyping) and empty

sorts

22

Minimality

23

Multi-Lingual Support

Datalog-based intermediate language

24

25

Margrave Supports…

• Most of XACML 1.0 and 2.0• Cisco IOS:

– ACL: standard and extended– NAT: static; dynamic: ACL-based, map-based– routing: static and policy-based– limited: BGP announcements and VPN

endpoints

• Amazon Access Policy Language (in SQS)

• Hypervisor, based on sHype (IBM)

How SDNs Change Things

Global view of Configuration and State: Current networks: hard SDNs: easy(But you already know all that.)

26

27

Principles Recap

Property-free analysisChange-impact w/ first-class changes

Scenario-based outputExhaustive answers (where possible)

MinimalityMulti-lingual support

28

29

• Dan Dougherty [WPI]• Kathi Fisler [WPI]• Tim Nelson [WPI]• Alums:

– Chris Barratt [Brown ScM BEA]– Leo Meyerovich [Brown u.g. Berkeley]– Michael Tschantz [Brown u.g. CMU]

http://www.margrave-tool.org/