Policy Analysis Using Margrave

POLICY ANALYSIS USING MARGRAVE
Shriram Krishnamurthi, Brown University

ACL for External firewall:
1: DENY if: ifc=fw1_dmz, ipdest in blacklist
2: DENY if: ifc=fw1_ext, ipsrc in blacklist
3: DENY if: ifc=fw1_dmz, portdest=telnet
4: ACCEPT if: ifc=fw1_ext, ipdest=mailserver, portdest=smtp, proto=tcp
5: ACCEPT if: ifc=fw1_ext, ipdest=webserver, portdest=http, proto=tcp
6: ACCEPT if: ifc=fw1_dmz, ipdest=any outside, portdest=http, proto=tcp, ipsrc=manager
7: DROP otherwise

[Network diagram: firewall interfaces labelled int, dmz, dmz, ext; the DMZ; internal hosts employees, contractors, manager.]

[Diagram: the External firewall's ACL rules annotated on the network: blacklist, blacklist, telnet, www/tcp, smtp/tcp, www/tcp.]

[Diagram: the Int firewall's rules annotated on the network: smtp/tcp, www/tcp, smtp/tcp; its NAT labelled fw2_static ipsrc.]

Problem
The manager can’t connect to the Web.

? When can a connection from the manager’s PC be denied if it’s to port 80 (www) over TCP to any machine?

p . p.dstprt = www
    p.proto = TCP
    p.ipdest in outIPs
    p.ipsrc = manager
    Int.ACL denies p
      p’ . Int.NAT translates p to p’
           p’.dstprt = p.dstprt
           p’.proto = p.proto
           p’.ipdest = p.ipdest
           Ext.ACL denies p’

? When can a connection from the manager’s PC be denied if it’s to port 80 (www) over TCP to any machine?
Always: Int’s ACL accepts the packet via rule 4. Int’s NAT applies to the packet. Ext’s ACL denies the post-NAT packet via rule 7.

MARGRAVE DESIGN PRINCIPLES

Property-Free Analysis (e.g., Change Impact)

P ⊦
Does the policy satisfy its property?

P ⊦
Can people state them? Are they good enough?

ACL for External firewall:
1: DENY if: ifc=fw1_dmz, ipdest in blacklist
2: DENY if: ifc=fw1_ext, ipsrc in blacklist
3: DENY if: ifc=fw1_dmz, portdest=telnet
4: ACCEPT if: ifc=fw1_ext, ipdest=mailserver, portdest=smtp, proto=tcp
5: ACCEPT if: ifc=fw1_ext, ipdest=webserver, portdest=http, proto=tcp
6: ACCEPT if: ifc=fw1_dmz, ipdest=any outside, portdest=http, proto=tcp, ipsrc=manager, fw2_static (rule 6 now also lists the post-NAT source fw2_static)
7: DROP otherwise

p . Int.ACL accepts p
    p’ . Int.NAT translates p to p’
         p’.dstprt = p.dstprt
         p’.proto = p.proto
         p’.ipdest = p.ipdest
         ((Ext.ACL denies p’  Ext.ACLNew accepts p’)
          (Ext.ACL accepts p’  Ext.ACLNew denies p’))

p.entry-interface = fw2_int, p.ipsrc = manager, p.ipdest in outIPs, p.srcprt = any, p.dstprt = www, p.protocol = tcp
p.entry-interface = fw2_int, p.ipsrc = employee, p.ipdest in outIPs, p.srcprt = any, p.dstprt = www, p.protocol = tcp
p.entry-interface = fw2_int, p.ipsrc = contractor, p.ipdest in outIPs, p.srcprt = any, p.dstprt = www, p.protocol = tcp
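The question about the manager's denied web connection and the change-impact query above, worked through in plain Python as an added example (this is not Margrave's own code or query language): a first-match model of the ACL for the External firewall, the Int firewall's NAT, and a change-impact comparison between that ACL and an Ext.ACLNew whose rule 6 also accepts fw2_static. Assumptions: the NAT rewrites ipsrc to fw2_static (the deck labels it fw2_static ipsrc but does not list the NAT table), the Int firewall's own ACL accepts these packets and so is not modelled, and the blacklist and outside addresses are constructed placeholders.

```python
# Added example, not Margrave's code: the deck's External ACL, Int NAT and change impact.
BLACKLIST = {"10.9.9.9"}      # constructed placeholder for the blacklist
OUTSIDE = {"198.51.100.7"}    # constructed placeholder for "any outside" address
def ext_acl(rule6_sources):
    """Rules 1-7 of the External firewall ACL; rule6_sources is rule 6's ipsrc set."""
    return [
        ("DENY",   lambda p: p["ifc"] == "fw1_dmz" and p["ipdest"] in BLACKLIST),
        ("DENY",   lambda p: p["ifc"] == "fw1_ext" and p["ipsrc"] in BLACKLIST),
        ("DENY",   lambda p: p["ifc"] == "fw1_dmz" and p["portdest"] == "telnet"),
        ("ACCEPT", lambda p: p["ifc"] == "fw1_ext" and p["ipdest"] == "mailserver"
                             and p["portdest"] == "smtp" and p["proto"] == "tcp"),
        ("ACCEPT", lambda p: p["ifc"] == "fw1_ext" and p["ipdest"] == "webserver"
                             and p["portdest"] == "http" and p["proto"] == "tcp"),
        ("ACCEPT", lambda p: p["ifc"] == "fw1_dmz" and p["ipdest"] in OUTSIDE
                             and p["portdest"] == "http" and p["proto"] == "tcp"
                             and p["ipsrc"] in rule6_sources),
        ("DROP",   lambda p: True),                       # rule 7: DROP otherwise
    ]

EXT_ACL = ext_acl({"manager"})                    # the External firewall ACL as first shown
EXT_ACL_NEW = ext_acl({"manager", "fw2_static"})  # Ext.ACLNew: rule 6 also lists fw2_static

def decide(acl, p):
    """First-match evaluation: returns (rule number, decision)."""
    for num, (decision, matches) in enumerate(acl, start=1):
        if matches(p):
            return num, decision
    raise ValueError("no rule matched")  # unreachable: rule 7 is a catch-all

def int_nat(p):
    """Int firewall's NAT (assumed from the deck's diagram): ipsrc becomes fw2_static."""
    return {**p, "ipsrc": "fw2_static"}

def packet_from(host):
    """Constructed web request from an internal host, as Ext sees it on fw1_dmz."""
    return {"ifc": "fw1_dmz", "ipsrc": host, "ipdest": "198.51.100.7",
            "portdest": "http", "proto": "tcp"}

def change_impact(old, new, packets):
    """Property-free change impact: which packets flip decision, and in which direction."""
    flips = {}
    for name, p in packets.items():
        before = "Permit" if decide(old, p)[1] == "ACCEPT" else "Deny"
        after = "Permit" if decide(new, p)[1] == "ACCEPT" else "Deny"
        if before != after:
            flips[name] = f"{before} to {after}"
    return flips
# The three scenarios above: every internal host is NATed to fw2_static before Ext sees it.
POST_NAT = {h: int_nat(packet_from(h)) for h in ("manager", "employee", "contractor")}
```

Over the three post-NAT scenarios the comparison reports "Deny to Permit" for manager, employee and contractor alike: the amended rule restores the manager's access but also lets the other two hosts through, which is what the later "Confirm no machines gained privileges" step is there to catch.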

Defining Difference
p.entry-interface = fw2_int, p.ipsrc = employee, p.ipdest in outIPs, p.srcprt = any, p.dstprt = www, p.protocol = tcp
p.entry-interface = fw2_int, p.ipsrc = contractor, p.ipdest in outIPs, p.srcprt = any, p.dstprt = www, p.protocol = tcp
[Diagram: packets mapped to changes in outcome: Deny to Permit, Permit to Deny.]
A function mapping requests to changes in outcome

Change as a First-Class Entity
• Restrict changes to External Firewall (View)
• Which machines lost privileges? (Query)
• Confirm no machines gained privileges (Verification)

• Configuration checking
• Upgrade checking
• Finding hotspots
• “What if” questions
• Mutation testing
• Refactoring testing

Scenario-Based Output
p.entry-interface = fw2_int, p.ipsrc = employee, p.ipdest in outIPs, p.srcprt = any, p.dstprt = www, p.protocol = tcp
p.entry-interface = fw2_int, p.ipsrc = contractor, p.ipdest in outIPs, p.srcprt = any, p.dstprt = www, p.protocol = tcp

Exhaustive Answers (in Some (Useful) Cases)
Bernays-Schönfinkel-Ramsey + overloading (subtyping) and empty sorts

Minimality

Multi-Lingual Support
Datalog-based intermediate language

Margrave Supports…
• Most of XACML 1.0 and 2.0
• Cisco IOS:
  – ACL: standard and extended
  – NAT: static; dynamic: ACL-based, map-based
  – routing: static and policy-based
  – limited: BGP announcements and VPN endpoints
• Amazon Access Policy Language (in SQS)
• Hypervisor, based on sHype (IBM)

How SDNs Change Things
Global view of configuration and state: current networks: hard; SDNs: easy. (But you already know all that.)

Principles Recap
Property-free analysis
Change-impact w/ first-class changes
Scenario-based output
Exhaustive answers (where possible)
Minimality
Multi-lingual support

• Dan Dougherty [WPI]
• Kathi Fisler [WPI]
• Tim Nelson [WPI]
• Alums:
  – Chris Barratt [Brown ScM, BEA]
  – Leo Meyerovich [Brown u.g., Berkeley]
  – Michael Tschantz [Brown u.g., CMU]
http://www.margrave-tool.org/