Policy Analysis Using Margrave. Shriram Krishnamurthi, Brown University.

Presentation transcript:

1 Policy Analysis Using Margrave. Shriram Krishnamurthi, Brown University

22

3 ACL for External firewall:
1: DENY if: ifc=fw1_dmz, ipdest in blacklist
2: DENY if: ifc=fw1_ext, ipsrc in blacklist
3: DENY if: ifc=fw1_dmz, portdest=telnet
4: ACCEPT if: ifc=fw1_ext, ipdest=mailserver, portdest=smtp, proto=tcp
5: ACCEPT if: ifc=fw1_ext, ipdest=webserver, portdest=http, proto=tcp
6: ACCEPT if: ifc=fw1_dmz, ipdest=any outside, portdest=http, proto=tcp, ipsrc=manager
7: DROP otherwise

4 [Network diagram: firewall interfaces int, dmz, ext; the DMZ; inside hosts employees, contractors, manager]

5 [Network diagram annotated with the external ACL's rules: blacklist, telnet, www/tcp, smtp/tcp, www/tcp]

6 [Network diagram of the internal firewall: smtp/tcp, www/tcp and smtp/tcp flows; its NAT rewrites ipsrc to fw2_static]

7 Problem: The manager can’t connect to the Web.

8 When can a connection from the manager’s PC be denied if it’s:
– to port 80 (www)
– over TCP
– to any machine?

9 ∃p. p.dstprt = www ∧ p.proto = TCP ∧ p.ipdest ∈ outIPs ∧ p.ipsrc = manager ∧
(Int.ACL denies p ∨ ∃p’. Int.NAT translates p to p’ ∧ p’.dstprt = p.dstprt ∧ p’.proto = p.proto ∧ p’.ipdest = p.ipdest ∧ Ext.ACL denies p’)

10 When can a connection from the manager’s PC be denied if it’s:
– to port 80 (www)
– over TCP
– to any machine?
Always:
– Int’s ACL accepts the packet via rule 4.
– Int’s NAT applies to the packet.
– Ext’s ACL denies the post-NAT packet via rule 7.

11 Margrave Design Principles

12 Property-Free Analysis (e.g., Change Impact)

13 P ⊦  Does the policy satisfy its property?

14 P ⊦  Can people state them? Are they good enough?

15 ACL for External firewall:
1: DENY if: ifc=fw1_dmz, ipdest in blacklist
2: DENY if: ifc=fw1_ext, ipsrc in blacklist
3: DENY if: ifc=fw1_dmz, portdest=telnet
4: ACCEPT if: ifc=fw1_ext, ipdest=mailserver, portdest=smtp, proto=tcp
5: ACCEPT if: ifc=fw1_ext, ipdest=webserver, portdest=http, proto=tcp
6: ACCEPT if: ifc=fw1_dmz, ipdest=any outside, portdest=http, proto=tcp, ipsrc=manager fw2_static (the edit: fw2_static replaces manager)
7: DROP otherwise

16 ∃p. Int.ACL accepts p ∧ ∃p’. Int.NAT translates p to p’ ∧ p’.dstprt = p.dstprt ∧ p’.proto = p.proto ∧ p’.ipdest = p.ipdest ∧
((Ext.ACL denies p’ ∧ Ext.ACLNew accepts p’) ∨ (Ext.ACL accepts p’ ∧ Ext.ACLNew denies p’))

17
p.entry-interface = fw2_int, p.ipsrc = manager, p.ipdest in outIPs, p.srcprt = any, p.dstprt = www, p.protocol = tcp
p.entry-interface = fw2_int, p.ipsrc = employee, p.ipdest in outIPs, p.srcprt = any, p.dstprt = www, p.protocol = tcp
p.entry-interface = fw2_int, p.ipsrc = contractor, p.ipdest in outIPs, p.srcprt = any, p.dstprt = www, p.protocol = tcp

18 Defining Difference
p.entry-interface = fw2_int, p.ipsrc = employee, p.ipdest in outIPs, p.srcprt = any, p.dstprt = www, p.protocol = tcp
p.entry-interface = fw2_int, p.ipsrc = contractor, p.ipdest in outIPs, p.srcprt = any, p.dstprt = www, p.protocol = tcp
packets → {Deny to Permit, Permit to Deny}: a function mapping requests to changes in outcome

19 Change as a First-Class Entity
– Restrict changes to External Firewall (View)
– Which machines lost privileges? (Query)
– Confirm no machines gained privileges (Verification)
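To make the two analyses above concrete, here is an added Python model (not Margrave's own code) that replays the scenario query of slides 9-10 and the change-impact comparison of slides 16-19 on a toy first-match evaluator. The internal firewall's ACL and NAT are not on the slides and are assumed here: one rule letting inside hosts browse out, and a NAT that rewrites every inside source to fw2_static; host and port names are symbolic placeholders.

```python
INSIDE = {"manager", "employee", "contractor"}  # hosts behind the internal firewall
BLACKLIST = {"blacklisted-host"}                 # constructed placeholder
OUT_IPS = {"outside-host"}                       # constructed stand-in for "any outside"

def ext_acl(rule6_src):
    # External firewall ACL from the slides as (number, verdict, field constraints);
    # rule 6's ipsrc is a parameter so the original and edited ACLs can be compared.
    return [
        (1, "DENY", {"ifc": "fw1_dmz", "ipdest": BLACKLIST}),
        (2, "DENY", {"ifc": "fw1_ext", "ipsrc": BLACKLIST}),
        (3, "DENY", {"ifc": "fw1_dmz", "dstprt": "telnet"}),
        (4, "ACCEPT", {"ifc": "fw1_ext", "ipdest": "mailserver", "dstprt": "smtp", "proto": "tcp"}),
        (5, "ACCEPT", {"ifc": "fw1_ext", "ipdest": "webserver", "dstprt": "http", "proto": "tcp"}),
        (6, "ACCEPT", {"ifc": "fw1_dmz", "ipdest": OUT_IPS, "dstprt": "http", "proto": "tcp",
                       "ipsrc": rule6_src}),
    ]  # rule 7 (DROP otherwise) is the evaluator's default

# Assumed internal firewall (not on the slides): inside hosts may browse out, and
# its NAT rewrites every inside source to fw2_static before the packet hits fw1_dmz.
INT_ACL = [(4, "ACCEPT", {"ifc": "fw2_int", "ipsrc": INSIDE, "dstprt": "http", "proto": "tcp"})]

def matches(constraints, pkt):
    # A set constraint means membership (e.g. "in blacklist"); anything else is equality.
    return all(pkt[f] in v if isinstance(v, set) else pkt[f] == v for f, v in constraints.items())

def evaluate(acl, pkt):
    # First-match semantics; returns (verdict, rule number or "otherwise").
    for num, verdict, constraints in acl:
        if matches(constraints, pkt):
            return verdict, num
    return "DROP", "otherwise"

def int_nat(pkt):
    return dict(pkt, ifc="fw1_dmz", ipsrc="fw2_static") if pkt["ipsrc"] in INSIDE else pkt

def end_to_end(ext, pkt):
    # Scenario for one packet: which firewall and which rule decide it (slides 9-10).
    verdict, num = evaluate(INT_ACL, pkt)
    if verdict != "ACCEPT":
        return "Int", num, verdict
    verdict, num = evaluate(ext, int_nat(pkt))
    return "Ext", num, verdict

def web_packet(src):
    return {"ifc": "fw2_int", "ipsrc": src, "ipdest": "outside-host", "dstprt": "http", "proto": "tcp"}

def change_impact(old, new, sources=INSIDE):
    # Change as a first-class entity: each request maps to its change in outcome (slide 18).
    flips = {"Deny to Permit": set(), "Permit to Deny": set()}
    for src in sources:
        before = end_to_end(old, web_packet(src))[2] == "ACCEPT"
        after = end_to_end(new, web_packet(src))[2] == "ACCEPT"
        if before != after:
            flips["Deny to Permit" if after else "Permit to Deny"].add(src)
    return flips
```

Comparing ext_acl("manager") with ext_acl("fw2_static") lists employee and contractor next to manager under Deny to Permit: because NAT hides the real source, the edit lets every inside host browse, which is exactly the privilege gain the verification step on slide 19 is meant to catch.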

20
– Configuration checking
– Upgrade checking
– Finding hotspots
– “What if” questions
– Mutation testing ?
– Refactoring testing

21 Scenario-Based Output
p.entry-interface = fw2_int, p.ipsrc = employee, p.ipdest in outIPs, p.srcprt = any, p.dstprt = www, p.protocol = tcp
p.entry-interface = fw2_int, p.ipsrc = contractor, p.ipdest in outIPs, p.srcprt = any, p.dstprt = www, p.protocol = tcp

22 Exhaustive Answers (in Some (Useful) Cases): Bernays-Schönfinkel-Ramsey + overloading (subtyping) and empty sorts

23 Minimality

24 Multi-Lingual Support: Datalog-based intermediate language

25 Margrave Supports…
– Most of XACML 1.0 and 2.0
– Cisco IOS:
 – ACL: standard and extended
 – NAT: static; dynamic: ACL-based, map-based
 – routing: static and policy-based
 – limited: BGP announcements and VPN endpoints
– Amazon Access Policy Language (in SQS)
– Hypervisor, based on sHype (IBM)

26 How SDNs Change Things
Global view of Configuration and State:
– Current networks: hard
– SDNs: easy
(But you already know all that.)

27

28 Principles Recap
– Property-free analysis
– Change-impact w/ first-class changes
– Scenario-based output
– Exhaustive answers (where possible)
– Minimality
– Multi-lingual support

29 Dan Dougherty [WPI], Kathi Fisler [WPI], Tim Nelson [WPI]
Alums:
– Chris Barratt [Brown ScM → BEA]
– Leo Meyerovich [Brown u.g. → Berkeley]
– Michael Tschantz [Brown u.g. → CMU]