1 Verification of Global Access Control in Large Scale Networks
David M. Nicol, University of Illinois at Urbana-Champaign
CNLS 2010
Collaborators: Bill Sanders, Mouna Seri, Sankalp Singh, Ryan Kagin, Hamed Okhravi
2 Problem
Process control networks are connected to enterprise systems
– Access is controlled by configuring potentially many firewalls
– Subtle errors are common
– Best-practices recommendations exist (e.g. NIST SP )
How can one express best practices as a Global Access Policy in machine-checkable form? How can one detect violations of the Global Access Policy?
3 Global Policy Examples from NIST SP
– Outbound packets from the control network or DMZ should be allowed only if those packets have a correct source IP address that is assigned to the control network or DMZ devices.
– Traffic should be prevented from transiting directly from the control network to the corporate network, and vice versa. All traffic should terminate in the DMZ.
– Any protocol allowed between the control network and DMZ should explicitly not be allowed between the DMZ and corporate networks (and vice versa).
– There may also be installation-specific rules, e.g., availability of services
4 Global Policy
Define global names for sets of hosts, sets of subnets, sets of protocols, ports, etc. Define the global policy like a system-wide firewall.
Example best practice: Traffic should be prevented from transiting directly from the control network to the corporate network, and vice versa. All traffic should terminate in the DMZ.
DMZ2 example (zones PCS, DMZ2, Corporate):
  Src(PCS) allow Dst(DMZ2)
  Src(PCS) allow Dst(PCS)
  Src(Corporate) allow Dst(Corporate)
  Src(Corporate) allow Dst(DMZ2)
5 Global Policy Conflict Resolution
DMZ2 example: conflict resolution
  Src(PCS) deny Dst(PCS)
  Src(EMS) allow Dst(data historian)   (conflict: EMS and the data historian both lie inside PCS)
  Src(Corporate) allow Dst(Corporate)
  Src(Corporate) allow Dst(DMZ2)
Try to resolve conflicts using the Rule of Greatest Specificity (the rule whose source and destination sets are the most specific wins)
– Other conflicts are reported to the user
6 History
The Network Access Policy Toolset (NetAPT) was developed under I3P and DOE support
– Started with a focus on compliance checking
– Transitioning to industry, hence the best-practices question
[Figure: NetAPT architecture]
7 Topology Inference
Firewall configurations contain elements of connectivity info:
– CIDR descriptions of sub-networks facing FW interfaces
– "route" statements
– VPN descriptions
The NetAPT topology inference engine is based on the SNL "Antfarm" tool: a database-based approach that "grows" knowledge of the topology out from the elemental connectivity data
[Figure: topology grown step by step from the /25 subnets facing firewall interfaces, route statements and a VPN tunnel]
11 Topology Inference
Firewall configurations contain elements of extant host IP addresses:
– "name" statements
– ACL, object-group, and other statements that refer directly to a host IP address
Discovered networks are populated with the discovered host IDs
12 Network Architecture and Rule Graph
[Figure: a possible network architecture with a proxy server, and the network-layer rule graph derived from it]
Heart of the analysis: the rule graph. Analysis is based on identifying paths through the "rule graph"; each hop in a path corresponds to a "policy implementation" (one firewall applying one of its rules to the flow).
13 At the core: the connectivity map
NetAPT discovers every path possible between every pair of subnetworks (including every pair of devices in a specific network of interest)
– A graph edge-labeling problem: multi-dimensional labels identify flows admitted by a firewall rule (source) that then have policy applied by another firewall rule (destination)
– Each execution of local policy at a FW is checked against the global policy
Knowledge of all flows that can reach a critical asset is extremely useful
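The rule-graph check of slides 4, 5 and 13 in miniature, as an added example that is not NetAPT code: a global policy over named zones is resolved by greatest specificity (incomparable rules with different actions are reported as a conflict), every admitted path through first-match firewall rule lists is enumerated hop by hop, and each admitted flow is checked against the global policy. The zones, firewalls and rules are constructed sample data (services and ports are left out), and the corporate-to-historian rule on FW-A stands in for the kind of subtle error the slides describe.

```python
"""Rule-graph style check of firewall configurations against a global policy.
Added illustration of slides 4, 5 and 13; this is not NetAPT code. Zones, firewalls
and rules are constructed sample data (services/ports are omitted for brevity).
Requires Python 3.7+ for ipaddress.subnet_of."""
from ipaddress import ip_network

# Named sets of subnets (slide 4's global names). EMS and the data historian lie inside PCS.
ZONES = {
    "EMS":       [ip_network("10.1.5.0/24")],
    "HISTORIAN": [ip_network("10.1.9.0/24")],
    "PCS":       [ip_network("10.1.5.0/24"), ip_network("10.1.9.0/24")],
    "DMZ2":      [ip_network("172.16.2.0/24")],
    "CORPORATE": [ip_network("192.168.0.0/16")],
}

# Global policy written like a system-wide firewall: (src zone, dst zone, action), default deny.
GLOBAL_POLICY = [
    ("PCS", "DMZ2", "allow"),
    ("PCS", "PCS", "deny"),
    ("EMS", "HISTORIAN", "allow"),      # more specific than PCS -> PCS deny, so it wins
    ("CORPORATE", "CORPORATE", "allow"),
    ("CORPORATE", "DMZ2", "allow"),
]

# Local policy per firewall: attached subnets and a first-match rule list (default deny).
FIREWALLS = {
    "FW-A": {"ifaces": [ip_network("10.1.5.0/24"), ip_network("10.1.9.0/24"),
                        ip_network("172.16.2.0/24")],
             "rules": [(ip_network("10.1.5.0/24"), ip_network("10.1.9.0/24"), "allow"),
                       (ip_network("10.1.0.0/16"), ip_network("172.16.2.0/24"), "allow"),
                       # the subtle error: corporate addresses may reach the historian
                       (ip_network("192.168.0.0/16"), ip_network("10.1.9.0/24"), "allow")]},
    "FW-B": {"ifaces": [ip_network("172.16.2.0/24"), ip_network("192.168.0.0/16")],
             "rules": [(ip_network("192.168.0.0/16"), ip_network("172.16.2.0/24"), "allow"),
                       (ip_network("192.168.0.0/16"), ip_network("10.1.0.0/16"), "allow")]},
}

def in_zone(net, zone):
    return any(net.subnet_of(s) for s in ZONES[zone])

def zone_within(inner, outer):
    """True if every subnet of zone `inner` lies inside some subnet of zone `outer`."""
    return all(any(i.subnet_of(o) for o in ZONES[outer]) for i in ZONES[inner])

def policy_decision(src, dst, policy=GLOBAL_POLICY):
    """Resolve the global policy for a src/dst subnet pair by greatest specificity.
    Returns 'allow', 'deny', or 'conflict' (incomparable rules with different actions)."""
    src, dst = ip_network(src), ip_network(dst)
    matches = [r for r in policy if in_zone(src, r[0]) and in_zone(dst, r[1])]
    if not matches:
        return "deny"
    def dominates(a, b):      # a is at least as specific as b in both dimensions
        return zone_within(a[0], b[0]) and zone_within(a[1], b[1])
    for a in matches:
        if all(dominates(a, b) for b in matches):
            return a[2]
    return "conflict" if len({r[2] for r in matches}) > 1 else matches[0][2]

def fw_allows(fw, src, dst):
    """First-match evaluation of one firewall's rule list for a src/dst flow."""
    for rsrc, rdst, action in fw["rules"]:
        if src.subnet_of(rsrc) and dst.subnet_of(rdst):
            return action == "allow"
    return False

def admitted_paths(src, dst):
    """Every firewall sequence along which the flow src->dst is admitted hop by hop;
    each hop is one firewall applying its local policy to the flow (a rule-graph edge)."""
    src, dst = ip_network(src), ip_network(dst)
    paths, stack = [], [(src, [])]
    while stack:
        net, path = stack.pop()
        if dst.subnet_of(net):
            paths.append(path)
            continue
        for name, fw in FIREWALLS.items():
            if name in path or not any(net.subnet_of(i) for i in fw["ifaces"]):
                continue
            if fw_allows(fw, src, dst):
                stack.extend((nxt, path + [name]) for nxt in fw["ifaces"] if not net.subnet_of(nxt))
    return paths

def find_violations():
    """Flows the firewalls admit end to end but the global policy does not allow."""
    nets = sorted({n for subs in ZONES.values() for n in subs}, key=str)
    violations = []
    for src in nets:
        for dst in nets:
            if src == dst:
                continue
            paths = admitted_paths(src, dst)
            if paths and policy_decision(src, dst) != "allow":
                violations.append((str(src), str(dst), paths[0]))
    return violations

if __name__ == "__main__":
    for v in find_violations():
        print("VIOLATION (admitted by firewalls, not allowed by global policy):", v)
```

Running it reports the one flow the two firewalls admit end to end that the global policy does not allow: 192.168.0.0/16 to the historian subnet via FW-B and then FW-A. The same flow with the EMS subnet as destination is not reported, because FW-A's local rule only covers the historian: the check is per path, not per rule.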
14 NetAPT - Prototype
[Figure: screenshots of the NetAPT prototype]
17 Validation in an industrial setting
We are working closely with an electric utility
– Core network analyzed: 10 firewalls (thousands of rules each), 500 devices
– VPN tunnels, hot backups
– NetAPT topology discovery validated
– Execution time: 30 minutes for topology discovery, 20 minutes for the connectivity map, on an ordinary PC
Used in a NERC CIP compliance assessment, spring 2010
Transitioning to a daily network observation / maintenance / training role, with "incremental" global policy development support
18 Network analysis is limited
Network connectivity analysis considers only direct connections. Attacks typically "hop" between compromised hosts.
24 Refine the trust base
An access-control framework in hosts may mitigate an attacker's ability to hop
– Separation kernel, strong host-based policies
Example: SELinux
– Extensive control over processes' ability to read/write files
– Extensive control over processes' ability to connect to the network
Challenge: integrate host-based access control with the network connectivity map
– Find only the possible pathways for potential attacks
Assumes the OS access control is uncompromised
25 SELinux
SELinux: three layers of protection mechanisms
– Type enforcement: objects have types (e.g., "port") and attributes; rules declare access rights as a function of these, e.g.
    allow httpd_t port_type : tcp_socket recv_msg ;
  means httpd_t can receive messages on all TCP sockets whose type carries the attribute port_type. Type transitions may be declared.
– Role-based access control: roles are declared for processes, and access is declared as a function of role and types. Role transitions may be declared.
– Users: mapped to roles
26 SELAC
The SELAC model (Zanin and Mancini, 2004) provides a formalism to define accessibility sets. Loosely: for every subject, what objects does it potentially have access to (and with what access type), allowing for all possible transitions?
We can use this to answer the question "Does a subject that can read port p ultimately also allow for a write to port q?"
[Figure: a host with ports p and q]
32 Integrated Host and Network Access Control
On each SELinux host, compute accessibility sets: this establishes connectivity between ports on the same host.
Compute the network connectivity map: this establishes connectivity between ports on different hosts.
Imagine a graph with two types of nodes: subject and port
– Edges: subject to port (on a host), port to port (from the connectivity map above)
– Each subject has an initial accessibility set
The transitive closure of the graph identifies, for every subject, the other subjects and objects it can reach through the network
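The hop analysis of slides 25, 26 and 32 worked through in code, as an added example that is neither NetAPT nor SELAC code: a SELAC-style accessibility set is computed per subject by closing over domain transitions (attributes such as port_type expand to their member types, as in slide 25's rule), slide 26's "read port p, ultimately write port q" question is answered from that set, and the per-host sets are joined with port-to-port edges from a network connectivity map into one graph whose transitive closure gives the subjects one compromised subject can reach. The three hosts, their miniature policies and the network edges are constructed sample data; the permission vocabulary (tcp_socket recv_msg/send_msg on port types) follows the slides rather than a full SELinux policy.

```python
"""Hop analysis combining per-host accessibility sets with a network connectivity map.
Added illustration of slides 25, 26 and 32; this is not NetAPT or SELAC code. The
SELinux-like policies, hosts and network edges are constructed sample data, and the
vocabulary follows the slides (tcp_socket recv_msg/send_msg on port types, attribute port_type)."""
from collections import deque

# allow rule: (subject type, target type or attribute, class, permission)
# trans:      (subject type, file type it executes, resulting subject type)
HOSTS = {
    "corp-ws": {
        "attrs": {"port_type": {"http_port_t", "hist_port_t"}},
        "allow": [("user_t", "port_type", "tcp_socket", "send_msg"),
                  ("user_t", "http_port_t", "tcp_socket", "recv_msg")],
        "trans": [],
    },
    "dmz-proxy": {
        "attrs": {"port_type": {"http_port_t", "hist_port_t"}},
        "allow": [("httpd_t", "http_port_t", "tcp_socket", "recv_msg"),
                  ("httpd_t", "helper_exec_t", "file", "execute"),
                  ("helper_t", "hist_port_t", "tcp_socket", "send_msg")],
        "trans": [("httpd_t", "helper_exec_t", "helper_t")],   # domain transition: the in-host hop
    },
    "historian": {
        "attrs": {"port_type": {"hist_port_t"}},
        "allow": [("hist_t", "hist_port_t", "tcp_socket", "recv_msg")],
        "trans": [],
    },
}

# Port-to-port edges a network connectivity map would produce (flows the firewalls admit).
# Constructed: the corporate workstation reaches only the proxy; the proxy reaches the historian.
NETWORK = [
    (("corp-ws", "http_port_t"), ("dmz-proxy", "http_port_t")),
    (("dmz-proxy", "hist_port_t"), ("historian", "hist_port_t")),
]

def accessibility_set(policy, subject):
    """SELAC-style accessibility set: every (object type, class, perm) the subject can reach,
    following every domain transition available to it (closure over transitions)."""
    reach, seen, todo = set(), set(), [subject]
    while todo:
        s = todo.pop()
        if s in seen:
            continue
        seen.add(s)
        own = {(t, cls, perm) for subj, tgt, cls, perm in policy["allow"] if subj == s
               for t in policy["attrs"].get(tgt, {tgt})}   # expand attributes to member types
        reach |= own
        for subj, exe, new in policy["trans"]:
            if subj == s and (exe, "file", "execute") in own:
                todo.append(new)
    return reach

def subjects(policy):
    return ({r[0] for r in policy["allow"]} | {t[0] for t in policy["trans"]}
            | {t[2] for t in policy["trans"]})

def read_to_write(policy, p, q):
    """Slide 26's question: which subjects that can read port p can ultimately write port q?"""
    return sorted(s for s in subjects(policy)
                  if {(p, "tcp_socket", "recv_msg"), (q, "tcp_socket", "send_msg")}
                  <= accessibility_set(policy, s))

def build_graph(hosts, network):
    """Nodes ('subj', host, type) and ('port', host, port type). Edges: subject -> port it can
    send_msg on; port -> subject that can recv_msg on it (input on that port reaches the
    subject); port -> port from the network map."""
    edges = {}
    def add(a, b):
        edges.setdefault(a, set()).add(b)
    for host, policy in hosts.items():
        for s in subjects(policy):
            for obj, cls, perm in accessibility_set(policy, s):
                if (cls, perm) == ("tcp_socket", "send_msg"):
                    add(("subj", host, s), ("port", host, obj))
                elif (cls, perm) == ("tcp_socket", "recv_msg"):
                    add(("port", host, obj), ("subj", host, s))
    for src, dst in network:
        add(("port",) + src, ("port",) + dst)
    return edges

def reachable_subjects(host, subject, hosts=HOSTS, network=NETWORK):
    """Transitive closure from one (assumed compromised) subject: the other subjects, on any
    host, that it can reach through the network under the given host policies."""
    edges, start = build_graph(hosts, network), ("subj", host, subject)
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in edges.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return sorted((h, s) for kind, h, s in seen if kind == "subj" and (h, s) != (host, subject))

if __name__ == "__main__":
    print(read_to_write(HOSTS["dmz-proxy"], "http_port_t", "hist_port_t"))
    print(reachable_subjects("corp-ws", "user_t"))
    hardened = dict(HOSTS)   # same hosts, but the proxy may no longer transition to helper_t
    hardened["dmz-proxy"] = dict(HOSTS["dmz-proxy"], trans=[])
    print(reachable_subjects("corp-ws", "user_t", hardened))
```

Two things the composition shows that neither analysis shows alone: the firewalls never admit a corporate-to-historian flow, yet a compromised user_t on the workstation still reaches hist_t on the historian, because httpd_t on the proxy can transition into helper_t, which may write the historian port; and removing that single domain transition on the proxy (the hardened copy) cuts the reachable set down to the proxy itself, which is the "refine the trust base" effect of slide 24.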
33 I'm crazy, right?
A stock SELinux configuration "out of the box" has 250,000 rules
But (with optimizations) on-host accessibility sets were computed in approximately 5 minutes
Network connectivity time depends on the depth of the network graph; for this example (10 switched hosts), 2 seconds
The convolution algorithm ran in under 1 second
Maybe I'm not crazy after all...
But I know my combinatorics: deep, complex networks lead to very large run-times... intelligent sampling...
34 Summary
NetAPT helps to address the problem of verifying that PCS systems adhere to a global policy encoding best practices
Being validated by, and in transition for use by, a major electric utility