Policy Analysis Using Margrave

POLICY ANALYSISUSING MARGRAVE

Shriram KrishnamurthiBrown University

ACL for External firewall:1: DENY if: ifc=fw1_dmz, ipdest in blacklist2: DENY if: ifc=fw1_ext, ipsrc in blacklist3: DENY if: ifc=fw1_dmz, portdest=telnet4: ACCEPT if: ifc=fw1_ext, ipdest=mailserver,

portdest=smtp, proto=tcp5: ACCEPT if: ifc=fw1_ext, ipdest=webserver,

portdest=http, proto=tcp6: ACCEPT if: ifc=fw1_dmz, ipdest=any outside,

portdest=http, proto=tcp, ipsrc=manager7: DROP otherwise

int dmz dmz ext

employees

contractors

manager

blacklistblacklist

telnet

wwwtcp

smtptcp

wwwtcp

tcpwww

fw2_staticipsrc

smtptcp

Problem

The manager can’t connect to the Web.

? When can a connection from the manager’s PC be denied if it’s to port 80 (www) over TCP to any machine?

p . p.dstprt = www p.proto = TCP

p.ipdest outIPs p.ipsrc = manager Int.ACL denies p p’ . Int.NAT translates p to p’

p’.dstprt = p.dstprt p’.proto = p.proto p’.ipdest = p.ipdest Ext.ACL denies p’

? When can a connection from the manager’s PC be denied if it’s to port 80 (www) over TCP to any machine?

Always: Int’s ACL accepts the packet via rule 4. Int’s NAT applies to the packet. Ext’s ACL denies the post-NAT packet

via rule 7.

MARGRAVE DESIGN PRINCIPLES

Property-Free Analysis(e.g., Change Impact)

P⊦Does

thepolicy

satisfyits

property?

P⊦Can people state them?

Are they good enough?

ACL for External firewall:1: DENY if: ifc=fw1_dmz, ipdest in blacklist2: DENY if: ifc=fw1_ext, ipsrc in blacklist3: DENY if: ifc=fw1_dmz, portdest=telnet4: ACCEPT if: ifc=fw1_ext, ipdest=mailserver,

portdest=smtp, proto=tcp5: ACCEPT if: ifc=fw1_ext, ipdest=webserver,

portdest=http, proto=tcp6: ACCEPT if: ifc=fw1_dmz, ipdest=any outside,

portdest=http, proto=tcp, ipsrc=managerfw2_static

7: DROP otherwise

p . Int.ACL accepts p p’ . Int.NAT translates p to p’

p’.dstprt = p.dstprt p’.proto = p.proto p’.ipdest = p.ipdest ((Ext.ACL denies p’ Ext.ACLNew accepts p’) (Ext.ACL accepts p’ Ext.ACLNew denies p’))

p.entry-interface = fw2_intp.ipsrc = managerp.ipdest in outIPsp.srcprt = anyp.dstprt = wwwp.protocol = tcp

p.entry-interface = fw2_intp.ipsrc = employeep.ipdest in outIPsp.srcprt = anyp.dstprt = wwwp.protocol = tcp

p.entry-interface = fw2_intp.ipsrc = contractorp.ipdest in outIPsp.srcprt = anyp.dstprt = wwwp.protocol = tcp

Defining Difference

p.entry-interface = fw2_int

p.ipsrc = employeep.ipdest in outIPsp.srcprt = anyp.dstprt = wwwp.protocol = tcp

p.ipsrc = contractorp.ipdest in outIPsp.srcprt = anyp.dstprt = wwwp.protocol = tcp

packets

Deny to

Permit

Permit to Deny

A function mapping

requests tochanges in outcome

Change as a First-Class Entity

• Restrict changes to External FirewallView

• Which machines lost privileges?Query

• Confirm no machines gained privileges

Verification

Configuration checking

Upgrade checking Finding hotspots

“What if” questions

Mutationtesting

Refactoring testing

Scenario-Based Output

p.ipsrc = employeep.ipdest in outIPsp.srcprt = anyp.dstprt = wwwp.protocol = tcp

p.ipsrc = contractorp.ipdest in outIPsp.srcprt = anyp.dstprt = wwwp.protocol = tcp

Exhaustive Answers (in Some (Useful) Cases)

Bernays-Schonfinkel-Ramsey + overloading (subtyping) and empty

Minimality

Multi-Lingual Support

Datalog-based intermediate language

Margrave Supports…

• Most of XACML 1.0 and 2.0• Cisco IOS:

– ACL: standard and extended– NAT: static; dynamic: ACL-based, map-based– routing: static and policy-based– limited: BGP announcements and VPN

endpoints

• Amazon Access Policy Language (in SQS)

• Hypervisor, based on sHype (IBM)

How SDNs Change Things

Global view of Configuration and State: Current networks: hard SDNs: easy(But you already know all that.)

Principles Recap

Property-free analysisChange-impact w/ first-class changes

Scenario-based outputExhaustive answers (where possible)

MinimalityMulti-lingual support

• Dan Dougherty [WPI]• Kathi Fisler [WPI]• Tim Nelson [WPI]• Alums:

– Chris Barratt [Brown ScM BEA]– Leo Meyerovich [Brown u.g. Berkeley]– Michael Tschantz [Brown u.g. CMU]

http://www.margrave-tool.org/

Policy Analysis Using Margrave

Documents

Transcript of Policy Analysis Using Margrave

Security Policy Analysis using Deductive Spreadsheets1

Students with Emotional/Behavioral Disabilities in the Art Room Jennifer Margrave University of Central Florida.

Organization Alignment using Policy Deployment

1 Administering Group Policy Group Policy Concepts Group Policy Implementation Planning Implementing Group Policy Managing Software Using Group Policy.

Using Mailing Lists Track 2 : Using ICT for Policy Advocacy.

Malcolm B. Bertram and Gary F. Margrave...Malcolm B. Bertram and Gary F. Margrave ABSTRACT An analysis is made of the data from three different projects that provide the means to calibrate

Security Policy Analysis using Deductive Spreadsheets

Margrave: An Improved Analyzer for Access-Control and Con ...€¦ · Margrave: An Improved Analyzer for Access-Control and Con guration Policies by Tim Nelson A Thesis Submitted

A.Nassir Saeed, Gary Margrave, David Henley, Helen Isaac ...

mis policy (shared using ).

Measuring Uncertainty in Monetary Policy Using Implied ... · Using Implied Volatility and Realized Volatility . ... Measuring Uncertainty in Monetary Policy Using Implied Volatility

Application Policy Enforcement Using APIC

Using Data to Drive Policy Change

Policy for using

Using a Policy Index To - USDA

Troubleshooting Smart Licensing Using Policy

Making Smart Policy: Using Impact - World Banksiteresources.worldbank.org/INTISPMA/Resources/383704...Making Smart Policy: Using Impact Evaluation for Policy Making Case Studies on

Using Randomized Evaluations to Improve Policy

Using Economic Policy to Improve Environmental

The Margrave Mini History website: Home Mini British...met een Griekse eigenaar, die over een werkelijk schitterende Wood and Pickett Inno Cooper beschikt. Geen Margrave dus, maar