POLICY ANALYSIS USING MARGRAVE
Shriram Krishnamurthi, Brown University
ACL for External firewall:
1: DENY if: ifc=fw1_dmz, ipdest in blacklist
2: DENY if: ifc=fw1_ext, ipsrc in blacklist
3: DENY if: ifc=fw1_dmz, portdest=telnet
4: ACCEPT if: ifc=fw1_ext, ipdest=mailserver, portdest=smtp, proto=tcp
5: ACCEPT if: ifc=fw1_ext, ipdest=webserver, portdest=http, proto=tcp
6: ACCEPT if: ifc=fw1_dmz, ipdest=any outside, portdest=http, proto=tcp, ipsrc=manager
7: DROP otherwise
[Network diagram: Internal firewall (interfaces int, dmz) and External firewall (interfaces dmz, ext); DMZ; internal hosts: employees, contractors, manager]
[Diagram slides: the ACL rules drawn onto the network picture (blacklist, telnet, www/tcp, smtp/tcp, fw2_static as ipsrc)]
Problem
The manager can’t connect to the Web.
? When can a connection from the manager’s PC be denied if it’s to port 80 (www) over TCP to any machine?
∃p . p.dstprt = www ∧ p.proto = TCP ∧ p.ipdest ∈ outIPs ∧ p.ipsrc = manager ∧
    ( Int.ACL denies p
    ∨ ∃p’ . Int.NAT translates p to p’ ∧
           p’.dstprt = p.dstprt ∧ p’.proto = p.proto ∧ p’.ipdest = p.ipdest ∧
           Ext.ACL denies p’ )
? When can a connection from the manager’s PC be denied if it’s to port 80 (www) over TCP to any machine?
Always: Int’s ACL accepts the packet via rule 4. Int’s NAT applies to the packet. Ext’s ACL denies the post-NAT packet via rule 7.
MARGRAVE DESIGN PRINCIPLES
Property-Free Analysis (e.g., Change Impact)
P ⊦    Does the policy satisfy its property?
P ⊦    Can people state them?
Are they good enough?
ACL for External firewall:
1: DENY if: ifc=fw1_dmz, ipdest in blacklist
2: DENY if: ifc=fw1_ext, ipsrc in blacklist
3: DENY if: ifc=fw1_dmz, portdest=telnet
4: ACCEPT if: ifc=fw1_ext, ipdest=mailserver, portdest=smtp, proto=tcp
5: ACCEPT if: ifc=fw1_ext, ipdest=webserver, portdest=http, proto=tcp
6: ACCEPT if: ifc=fw1_dmz, ipdest=any outside, portdest=http, proto=tcp, ipsrc=manager → fw2_static (rule 6 edited)
7: DROP otherwise
∃p . Int.ACL accepts p ∧
    ∃p’ . Int.NAT translates p to p’ ∧
          p’.dstprt = p.dstprt ∧ p’.proto = p.proto ∧ p’.ipdest = p.ipdest ∧
          ( (Ext.ACL denies p’ ∧ Ext.ACLNew accepts p’)
          ∨ (Ext.ACL accepts p’ ∧ Ext.ACLNew denies p’) )
p.entry-interface = fw2_int, p.ipsrc = manager, p.ipdest in outIPs, p.srcprt = any, p.dstprt = www, p.protocol = tcp
p.entry-interface = fw2_int, p.ipsrc = employee, p.ipdest in outIPs, p.srcprt = any, p.dstprt = www, p.protocol = tcp
p.entry-interface = fw2_int, p.ipsrc = contractor, p.ipdest in outIPs, p.srcprt = any, p.dstprt = www, p.protocol = tcp
Defining Difference
p.entry-interface = fw2_int, p.ipsrc = employee, p.ipdest in outIPs, p.srcprt = any, p.dstprt = www, p.protocol = tcp
p.entry-interface = fw2_int, p.ipsrc = contractor, p.ipdest in outIPs, p.srcprt = any, p.dstprt = www, p.protocol = tcp
packets: Deny to Permit / Permit to Deny
A function mapping requests to changes in outcome
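As an added example (not Margrave's or the talk's own code), a first-match model in Python of the External firewall ACL above and the Internal firewall's NAT. It reproduces why the manager's web packet falls to rule 7 and, once rule 6 is changed from ipsrc=manager to ipsrc=fw2_static, computes the change-impact function above: employee and contractor web requests flip from Deny to Permit along with the manager's. It assumes the NAT rewrites every internal source to fw2_static; host labels are the slide's, the blacklist entry is a constructed placeholder, and the Internal firewall's own ACL (which accepts via rule 4) is not modelled.

```python
# Added example, not Margrave's or the talk's code: a first-match model of the
# External firewall ACL from the slides plus the Internal firewall's NAT, which
# (assumed here) rewrites every internal source to fw2_static before the packet
# reaches the External firewall's fw1_dmz interface.
OUTSIDE = "outside"          # stands for "any outside" / outIPs
BLACKLIST = {"badhost"}      # constructed placeholder entry for the blacklist

def ext_acl(rule6_src):
    """External firewall ACL; rule6_src is rule 6's ipsrc constraint:
    'manager' in the original policy, 'fw2_static' after the fix."""
    return [
        (1, "DENY", lambda p: p["ifc"] == "fw1_dmz" and p["ipdest"] in BLACKLIST),
        (2, "DENY", lambda p: p["ifc"] == "fw1_ext" and p["ipsrc"] in BLACKLIST),
        (3, "DENY", lambda p: p["ifc"] == "fw1_dmz" and p["portdest"] == "telnet"),
        (4, "ACCEPT", lambda p: p["ifc"] == "fw1_ext" and p["ipdest"] == "mailserver"
                                and p["portdest"] == "smtp" and p["proto"] == "tcp"),
        (5, "ACCEPT", lambda p: p["ifc"] == "fw1_ext" and p["ipdest"] == "webserver"
                                and p["portdest"] == "http" and p["proto"] == "tcp"),
        (6, "ACCEPT", lambda p: p["ifc"] == "fw1_dmz" and p["ipdest"] == OUTSIDE
                                and p["portdest"] == "http" and p["proto"] == "tcp"
                                and p["ipsrc"] == rule6_src),
    ]

def evaluate(acl, pkt):
    """First matching rule decides; rule 7 is the implicit 'DROP otherwise'."""
    for num, decision, matches in acl:
        if matches(pkt):
            return num, decision
    return 7, "DROP"

def int_nat(pkt):
    """Internal firewall NAT (assumed): source becomes fw2_static and the packet
    arrives on fw1_dmz; ports, protocol and destination are preserved."""
    return {**pkt, "ifc": "fw1_dmz", "ipsrc": "fw2_static"}

def web_request(src):
    """A packet from an internal host to port 80/tcp on any outside machine."""
    return {"ifc": "fw2_int", "ipsrc": src, "ipdest": OUTSIDE,
            "portdest": "http", "proto": "tcp"}

def change_impact(old_acl, new_acl, sources):
    """Margrave-style change impact: requests mapped to their change in outcome."""
    impact = {}
    for src in sources:
        post_nat = int_nat(web_request(src))
        before, after = evaluate(old_acl, post_nat)[1], evaluate(new_acl, post_nat)[1]
        if before != after:
            impact[src] = f"{before} -> {after}"
    return impact
```

The change-impact result shows the fix is wider than intended: because NAT collapses every internal host to fw2_static, the External firewall can no longer distinguish the manager from employees or contractors.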
Change as a First-Class Entity
• Restrict changes to External Firewall (View)
• Which machines lost privileges? (Query)
• Confirm no machines gained privileges (Verification)
Configuration checking
Upgrade checking
Finding hotspots
“What if” questions
Mutation testing
Refactoring testing
Scenario-Based Output
p.entry-interface = fw2_int, p.ipsrc = employee, p.ipdest in outIPs, p.srcprt = any, p.dstprt = www, p.protocol = tcp
p.entry-interface = fw2_int, p.ipsrc = contractor, p.ipdest in outIPs, p.srcprt = any, p.dstprt = www, p.protocol = tcp
Exhaustive Answers (in Some (Useful) Cases)
Bernays-Schönfinkel-Ramsey + overloading (subtyping) and empty sorts
Minimality
Multi-Lingual Support
Datalog-based intermediate language
Margrave Supports…
• Most of XACML 1.0 and 2.0
• Cisco IOS:
  – ACL: standard and extended
  – NAT: static; dynamic: ACL-based, map-based
  – routing: static and policy-based
  – limited: BGP announcements and VPN endpoints
• Amazon Access Policy Language (in SQS)
• Hypervisor, based on sHype (IBM)
How SDNs Change Things
Global view of Configuration and State: current networks: hard; SDNs: easy. (But you already know all that.)
Principles Recap
Property-free analysis
Change-impact w/ first-class changes
Scenario-based output
Exhaustive answers (where possible)
Minimality
Multi-lingual support
• Dan Dougherty [WPI]
• Kathi Fisler [WPI]
• Tim Nelson [WPI]
• Alums:
  – Chris Barratt [Brown ScM, BEA]
  – Leo Meyerovich [Brown u.g., Berkeley]
  – Michael Tschantz [Brown u.g., CMU]
http://www.margrave-tool.org/