Model-driven Extraction and Analysis of Network Security Policies (at MoDELS'13)

Model-based reverse engineering approach for firewall configuration files (covering Netfilter iptables and Cisco PIX). Goal: to obtain an easy-to-analyze RBAC model.

Transcript

  • 1. Model-driven Extraction and Analysis of Network Security Policies. MODELS 2013. Salvador Martínez (1), Joaquín García-Alfaro (2), Frédéric Cuppens (2), Nora Cuppens-Boulahia (2), Jordi Cabot (1). (1) AtlanMod, INRIA / École des Mines de Nantes; (2) Télécom Bretagne, LUSSI Department, Université Européenne de Bretagne. October 2013.
  • 2-8. Introduction
    Security is a critical concern. At the network level, firewalls play a key role. Why so? They implement access control policies in networks:
      Subjects = hosts (acting as message senders)
      Objects = hosts (acting as message receivers)
      Actions = message sending to hosts with certain characteristics: port, protocol
    Properties at stake: confidentiality, integrity.
    © AtlanMod – atlanmod-contact@mines-nantes.fr
  • 9-11. Introduction
    Implementation of a network security policy:
      Done generally by hand
      Low-level and vendor-specific rule filtering languages
      Topology: policy enforcement is distributed.
    Consequences:
      Knowing which policy is actually being enforced is a challenge
      Possible security flaws
      Hampers evolution
    Solution? Raise the abstraction level:
      Abstracts from low-level system specificities
      Abstracts from topology
      Simplifies management of the policy
  • 12. Motivation
    Intranet: private hosts + administrator
    DMZ providing: HTTP/HTTPS, FTP, SMTP and SSH
    Public hosts
    2 firewalls controlling:
      Firewall 1: traffic between public hosts and DMZ
      Firewall 2: traffic between intranet and DMZ
  • 13-18. FW1 Conf. (Netfilter iptables conf. file using custom chains)
      iptables -P INPUT DROP
      iptables -P FORWARD DROP
      iptables -P OUTPUT DROP
      iptables -N Out_SMTP
      iptables -A FORWARD -s 111.222.1.17 -d 0.0.0.0/0 -p tcp --dport 25 -j Out_SMTP
      iptables -A Out_SMTP -d 111.222.0.0/16 -j RETURN
      iptables -A Out_SMTP -j ACCEPT
      iptables -N In_SMTP
      iptables -A FORWARD -s 0.0.0.0/0 -d 111.222.1.17 -p tcp --dport 25 -j In_SMTP
      iptables -A In_SMTP -s 111.222.0.0/16 -j RETURN
      iptables -A In_SMTP -j ACCEPT
      iptables -N NetWeb_HTTP
      iptables -A FORWARD -s 0.0.0.0/0 -d 111.222.1.17 -p tcp --dport 80 -j NetWeb_HTTP
      iptables -A NetWeb_HTTP -s 111.222.0.0/16 -j RETURN
      iptables -A NetWeb_HTTP -j ACCEPT
    1 Default policy
    2 Controls outgoing SMTP messages.
    3 Controls incoming SMTP messages to the server
    4 Controls the HTTP requests from the public hosts
    5 Local hosts are not allowed to use services!!! (RETURN leaves the custom chain, and with no further FORWARD rule the DROP default policy applies.)
  • 19-22. Fw2 Conf. (Cisco PIX conf. file)
      access-list eth1_acl_in remark Fw2Policy 0 (global)
      access-list eth1_acl_in deny tcp host 111.222.2.54 host 111.222.1.17 eq 25
      access-list eth1_acl_in remark Fw2Policy 1 (global)
      access-list eth1_acl_in deny tcp host 111.222.2.53 host 111.222.1.17 eq 25
      access-list eth1_acl_in remark Fw2Policy 2 (global)
      access-list eth1_acl_in permit tcp 111.222.2.0 255.255.255.0 host 111.222.1.17 eq 25
      access-list eth1_acl_in remark Fw2Policy 4 (global)
      access-list eth1_acl_in deny tcp host 111.222.2.54 host 111.222.1.17 eq 80
      access-list eth1_acl_in remark Fw2Policy 5 (global)
      access-list eth1_acl_in deny tcp host 111.222.2.53 host 111.222.1.17 eq 80
      access-list eth1_acl_in remark Fw2Policy 3 (global)
      access-list eth1_acl_in permit tcp 111.222.2.0 255.255.255.0 host 111.222.1.17 eq 80
      access-group eth1_acl_in in interface eth1
    1 Controls incoming SMTP messages to the server
    2 Controls the HTTP requests
    3 Binds the rules to the interface
  • 23-25. Example: Evaluation
    Expert knowledge about Netfilter iptables and Cisco PIX is required: their syntax and their execution semantics.
    The topology has to be known to ease the understanding of the policy of the individual firewalls.
    All the firewalls have to be taken into account to derive a global policy.
    Some numbers (M: number of firewalls, N: number of rules):
      Big companies: M >> N; example, BNP network: M ≈ 1000, N ≈ 100
      Small companies: N >> M
    Manual approach? For corporate networks, M (potentially from different vendors) and N are big enough to make the task very hard.
  • 26-27. Approach
    Solution? Raise the abstraction level: abstracts from low-level system specificities, abstracts from topology, simplifies management of the policy.
    Our proposal: a model-driven extraction process towards a network access-control model representing the global policy of the system.
  • 28. Approach (overview figure of the extraction process)
  • 29-31. Approach: Injection
    Mere translation between technical spaces: no information loss, same abstraction level.
    Requirements: for each different rule-filtering language we need a PSM, a parser and an injector.
    We can obtain these by providing the language grammar to Xtext.
  • 32. Implementation: Xtext (Figure: Cisco metamodel excerpt)
      Model: rules += Rule*;
      Rule: AccessGroup | AccessList;
      AccessGroup: 'access-group' id=ID 'in' 'interface' interface=Interface;
      Interface: id=ID;
      AccessList: ('no')? 'access-list' id=ID decision=('deny' | 'permit') protocol=Protocol
        protocolObjectGroup=ProtocolObjectGroup serviceObjectGroup=ServiceObjectGroup
        networkObjectGroup=NetworkObjectGroup;
      ProtocolObjectGroup: (pogId=ID)? sourceAddress=IPExpr sourceMask=MaskExpr;
      ServiceObjectGroup: targetAddress=IPExpr targetMask=IPExpr;
      NetworkObjectGroup: operator=Operator port=INT;
      Operator: name=('eq' | 'lt' | 'gt');
      Protocol: name=('tcp' | 'udp' | 'ip');
      IPExpr: INT '.' INT '.' ...
  • 33. Implementation: Xtext (Figure: iptables metamodel excerpt)
      Model: rules += Rule*;
      Rule: declaration=ChainDeclaration | filter=FilterDeclaration;
      FilterDeclaration: filter=FilteringSpec;
      FilteringSpec: FilterSpec;
      FilterSpec: 'iptables' option=('-A' | '-D' | '-P') chain=Chain
        (('-src' | '-s') ip=IPExpr)? ('-i' interface=Interface)? ('-d' ipDst=IPExpr)?
        ('-p' protocol=Protocol)? ('-m' matches=Protocol)?
        ('--sport' sourcePort=INT)? ('--dport' destinationPort=INT)?
        ('-j')? target=Target;
      Interface: name=ID;
      Protocol: Tcp | Udp | Icmp;
      Target: ID;
      Chain: chainName=ID;
      CustomChain: name=[ChainName];
      ChainDeclaration: 'iptables' '-N' ChainName;
      ChainName: name=ID;
      IPExpr: INT '.' INT '.' ...
  • 34-35. Approach (overview figure, PSM2PIM step; recalled: raise the abstraction level, abstracting from low-level system specificities and from topology, to simplify management of the policy)
  • 36-37. Approach: PSM2PIM
    Simplest PIM: R_i : {conditions} → {decision}
      i: order within the conf file
      condition: a set of rule-matching attributes, like the IP source address
      decision: accept or deny
    Problems?
      Highly redundant and disperse
      Not suited to represent exception-oriented access control
      Anomalies (positive-negative logic conflicts + execution algorithm)
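The simplest PIM above (R_i : {conditions} → {decision}) built from the Cisco PIX excerpt of slides 19-22, as an added Python example that is not part of the slides or of the AtlanMod tooling: a small injector that turns access-list entries into ordered rules, plus a first-match evaluator with the implicit final deny of a PIX ACL. The names SimpleRule, parse_pix_acl and decide are my own, and the parser assumes the PIX address forms `host A.B.C.D`, `any` and `A.B.C.D MASK`.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class SimpleRule:
    """R_i : {conditions} -> {decision}; i is the order within the configuration file."""
    order: int
    decision: str                    # "accept" or "deny"
    protocol: str                    # "tcp", "udp" or "ip"
    source: ipaddress.IPv4Network
    target: ipaddress.IPv4Network
    dst_port: Optional[int]          # None means any destination port


# Constructed input: FW2's configuration as shown on slides 19-22 of the deck.
FW2_ACL = """
access-list eth1_acl_in remark Fw2Policy 0 (global)
access-list eth1_acl_in deny tcp host 111.222.2.54 host 111.222.1.17 eq 25
access-list eth1_acl_in remark Fw2Policy 1 (global)
access-list eth1_acl_in deny tcp host 111.222.2.53 host 111.222.1.17 eq 25
access-list eth1_acl_in remark Fw2Policy 2 (global)
access-list eth1_acl_in permit tcp 111.222.2.0 255.255.255.0 host 111.222.1.17 eq 25
access-list eth1_acl_in remark Fw2Policy 4 (global)
access-list eth1_acl_in deny tcp host 111.222.2.54 host 111.222.1.17 eq 80
access-list eth1_acl_in remark Fw2Policy 5 (global)
access-list eth1_acl_in deny tcp host 111.222.2.53 host 111.222.1.17 eq 80
access-list eth1_acl_in remark Fw2Policy 3 (global)
access-list eth1_acl_in permit tcp 111.222.2.0 255.255.255.0 host 111.222.1.17 eq 80
access-group eth1_acl_in in interface eth1
"""


def _take_address(tokens: List[str]):
    """Consume one PIX address spec from the front of tokens; return (network, rest)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    # address followed by a dotted netmask, e.g. "111.222.2.0 255.255.255.0"
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_pix_acl(text: str) -> List[SimpleRule]:
    """Inject access-list entries into SimpleRules; remarks and access-group lines carry
    no filtering condition and are skipped. Rule order is the position in the file."""
    rules: List[SimpleRule] = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] == "remark":
            continue
        _, _, action, proto, *rest = tokens
        src, rest = _take_address(rest)
        dst, rest = _take_address(rest)
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        decision = "accept" if action == "permit" else "deny"
        rules.append(SimpleRule(len(rules), decision, proto, src, dst, port))
    return rules


def decide(rules: List[SimpleRule], src: str, dst: str, proto: str, port: int) -> str:
    """Execution semantics of a PIX ACL: first matching entry wins, and a packet that
    matches nothing is dropped by the implicit deny at the end of the list."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:                                   # already in file order
        if (r.protocol in (proto, "ip") and s in r.source and d in r.target
                and r.dst_port in (None, port)):
            return r.decision
    return "deny"


if __name__ == "__main__":
    fw2 = parse_pix_acl(FW2_ACL)
    for r in fw2:
        print(r.order, r.decision, r.protocol, r.source, "->", r.target, r.dst_port)
    print(decide(fw2, "111.222.2.54", "111.222.1.17", "tcp", 25))   # deny (admin host)
    print(decide(fw2, "111.222.2.10", "111.222.1.17", "tcp", 80))   # accept (intranet host)
```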
  • 38. Metamodel: Network Access-control Metamodel. Platform-independent; supports the representation of exceptions; supports the identification of anomalies.
  • 39. PSM2PIM
    First step: transform the PSM into the corresponding PIM.
      Rule shadowing: a rule R is shadowed when it never applies because another rule with higher priority matches all the packets it may match.
      Rule redundancy: a rule R is redundant when it is not shadowed and removing it from the rule set does not change the security policy.
      Rule irrelevance: a rule R is irrelevant when it is meant to match packets that do not pass through a given firewall.
    Second step: PIM refinement. Improves the internal organization: representation of exceptions, detection of anomalies.
  • 40-41. PSM2PIM refining algorithm
    Algorithm 1
     1: C ← all Connections
     2: C_accept ← C_i ∈ C (C_i.decision = Accept)
     3: for each C_i ∈ C_accept do
     4:   C_deny ← C_j ∈ C (C_j.decision = Deny and matched(C_j) ⊆ matched(C_i))
     5:   for each C_j ∈ C_deny do
     6:     if C_j.order < C_i.order then
     7:       Create Exception
     8:       Remove C_j
     9:     else
    10:       C_j.isShadowed ← true
    11:     end if
    12:   end for
    13: end for
    14: C_deny ← C_j ∈ C (C_j.decision = Deny and C_j.isShadowed = false)
    15: for each C_j ∈ C_deny do
    16:   C_j.isRedundant ← true
    17: end for
  • 42. Implementation: ATL
      rule deleteDeny {
        from s : NetworkAC!Connection (s.decision = #Deny and thisModule.TotalExceptionRules.includes(s))
        to drop
          t : NetworkAC!Exception (decision <- s.decision, dstPort <- s.dstPort, firewall <- s.firewall,
                                   order <- s.order, protocol <- s.protocol, source <- s.source,
                                   srcPort <- s.srcPort, target <- s.target)
      }
      rule MarkShadowed {
        from s : NetworkAC!Connection (s.decision = #Deny and thisModule.ShadowedRules.includes(s))
        to t : NetworkAC!Connection (isShadowed <- true)
      }
      rule MarkRedundant {
        from s : NetworkAC!Connection (s.decision = #Deny and thisModule.ShadowedRules.excludes(s)
                                       and thisModule.TotalExceptionRules.excludes(s))
        to t : NetworkAC!Connection (isRedundant <- true)
      }
  • 43-44. Approach (overview figure, aggregation step; recalled: raise the abstraction level, abstracting from low-level system specificities and from topology, to simplify management of the policy)
  • 45. PIM Aggregation
    An individual firewall gives only a partial vision of the security enforced in the whole network. E.g., the access to the SMTP service is managed by both firewalls, one allowing the access from the public hosts and one allowing the access from the intranet.
    We need to aggregate the individual models!!
    Reversible: each Connection keeps its original firewall and rule ordering.
    GlobalModel = M_i ∪ M_j ∪ ... ∪ M_n
    Refinement to assign types to Network Elements
  • 46. Approach (overview figure, applications step)
  • 47. Applications: Refinement
    Individual firewalls may contain only locally relevant information. We need to discern between locally and globally relevant information!!
    The global model is easier to understand: it isolates the policy from the enforcement topology.
    Algorithm 2
     1: C ← all Connections
     2: E ← all Exceptions
     3: for each E_i ∈ E do
     4:   L ← C_i ∈ C (C_i.firewall = E_i.firewall and matched(C_i) ⊆ matched(E_i))
     5:   if L = ∅ then
     6:     E_i.isLocal ← true
     7:     for each C_i ∈ L do
     8:       C_i.isLocal ← true
     9:     end for
    10:   end if
    11: end for
  • 48-49. Applications: Metrics & queries
    We query our model for the existence of any connection allowing the administrator host (111.222.2.54) to connect to the server (111.222.1.17):
      Evaluating:
        self.connections->exists(e | e.source.ipAddr = '111.222.2.54' and e.target.ipAddr = '111.222.1.17')
      Results: false
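Algorithm 1 (slides 40-41) and the connectivity query of slides 48-49, as an added Python example that is not the authors' ATL code: it refines a flat rule list into accept connections carrying their exceptions, flags shadowed and redundant denies, and then answers "can the administrator host reach the server" against the refined model, exceptions included. The FW2 rules are taken from slides 19-22; the rules with order 6 and 7 are constructed here to exercise the shadowed and redundant cases, and the names Connection, refine and allows are my own.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Connection:
    """One PIM connection (who may send what to whom), with Algorithm 1's bookkeeping."""
    firewall: str
    order: int                       # position within the original configuration file
    decision: str                    # "accept" or "deny"
    protocol: str
    source: ipaddress.IPv4Network
    target: ipaddress.IPv4Network
    dst_port: Optional[int]          # None means any destination port
    exceptions: List["Connection"] = field(default_factory=list)
    is_shadowed: bool = False
    is_redundant: bool = False


def conn(fw, order, decision, proto, src, dst, port):
    return Connection(fw, order, decision, proto,
                      ipaddress.ip_network(src), ipaddress.ip_network(dst), port)


def sample_fw2():
    """FW2's six rules from slides 19-22 plus two constructed denies (orders 6 and 7) that
    are not in the slides: one placed after the permit, one that no accept rule covers."""
    return [
        conn("fw2", 0, "deny", "tcp", "111.222.2.54/32", "111.222.1.17/32", 25),
        conn("fw2", 1, "deny", "tcp", "111.222.2.53/32", "111.222.1.17/32", 25),
        conn("fw2", 2, "accept", "tcp", "111.222.2.0/24", "111.222.1.17/32", 25),
        conn("fw2", 3, "deny", "tcp", "111.222.2.54/32", "111.222.1.17/32", 80),
        conn("fw2", 4, "deny", "tcp", "111.222.2.53/32", "111.222.1.17/32", 80),
        conn("fw2", 5, "accept", "tcp", "111.222.2.0/24", "111.222.1.17/32", 80),
        conn("fw2", 6, "deny", "tcp", "111.222.2.55/32", "111.222.1.17/32", 80),  # shadowed
        conn("fw2", 7, "deny", "tcp", "111.222.2.0/24", "111.222.1.17/32", 22),   # redundant
    ]


def matched_subset(cj, ci):
    """matched(Cj) ⊆ matched(Ci): every packet Cj can match is matched by Ci as well."""
    return ((ci.protocol == "ip" or cj.protocol == ci.protocol)
            and cj.source.subnet_of(ci.source)
            and cj.target.subnet_of(ci.target)
            and (ci.dst_port is None or cj.dst_port == ci.dst_port))


def refine(connections):
    """Algorithm 1 of the slides. A deny rule that precedes an accept rule covering it
    becomes an exception of that accept rule and leaves the rule set; a deny rule that
    follows the accept rule is shadowed; any other deny rule only repeats the default
    deny and is redundant. Mutates the Connection objects it is given."""
    remaining = list(connections)
    for ci in [c for c in remaining if c.decision == "accept"]:
        for cj in [c for c in remaining if c.decision == "deny" and matched_subset(c, ci)]:
            if cj.order < ci.order:
                ci.exceptions.append(cj)     # Create Exception
                remaining.remove(cj)         # Remove Cj
            else:
                cj.is_shadowed = True
    for cj in remaining:
        if cj.decision == "deny" and not cj.is_shadowed:
            cj.is_redundant = True
    return remaining


def matches(c, src, dst, proto, port):
    return (c.protocol in (proto, "ip") and src in c.source and dst in c.target
            and c.dst_port in (None, port))


def allows(connections, src_ip, dst_ip, proto, port):
    """The query of slides 48-49 on the refined model: is there an accept connection for
    this packet that none of its exceptions takes back?"""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(c.decision == "accept" and matches(c, src, dst, proto, port)
               and not any(matches(e, src, dst, proto, port) for e in c.exceptions)
               for c in connections)


if __name__ == "__main__":
    model = refine(sample_fw2())
    for c in model:
        print(c.order, c.decision, "exceptions:", [e.order for e in c.exceptions],
              "shadowed" if c.is_shadowed else "", "redundant" if c.is_redundant else "")
    print("admin host may reach the server on SMTP:",
          allows(model, "111.222.2.54", "111.222.1.17", "tcp", 25))   # False
```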
  • 50. Applications: Visualization (Figure: extracted network topology)
  • 51. Approach (overview figure, XACML generation step)
  • 52. Applications: PIM 2 XACML (Table: PIM to XACML mappings)
      XACML      | PIM Metamodel
      PolicySet  | A PolicySet containing a Policy is created for each firewall in the PIM
      Policy     | All the Connections and Exceptions belonging to a given firewall
      Rule       | A single Connection or Exception
      Subject    | Source NetworkElement address and source port of a given Connection or Exception
      Resource   | Target NetworkElement address and target port of a given Connection or Exception
      Action     | Not mapped. The action is always the ability of sending a message.
      Condition  | Protocol field
  • 53. Applications: PIM 2 XACML (generated rule)
      <Rule Effect="Deny" RuleId="1">
        <Description />
        <Target>
          <Subjects>
            <Subject>
              <SubjectMatch MatchId="">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">111.222.2.54</AttributeValue>
                <SubjectAttributeDesignator />
              </SubjectMatch>
            </Subject>
          </Subjects>
          <Resources>
            <Resource>
              <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">111.222.1.17</AttributeValue>
                <ResourceAttributeDesignator />
              </ResourceMatch>
            </Resource>
          </Resources>
        </Target>
        <Condition>
          <SubjectAttributeDesignator AttributeId="protocol" DataType="http://www.w3.org/2001/XMLSchema#string" />
        </Condition>
      </Rule>
  • 54-59. Implementation
    Eclipse-based implementation:
      EMF as modelling framework
      Xtext as DSL definition framework
      ATL as transformation framework
      Xpand as model-to-text framework
    http://www.emn.fr/z-info/atlanmod/index.php/Firewall_Reverse_Engineering
  • 60-67. Conclusions & Future Work
    MDE succeeds in isolating the policy from low-level specificities:
      Easier to understand
      Easier to manipulate (reusability of proven MDE tools)
      Enables migration and evolution.
    Future work:
      Extend to other network components such as MPLS routers, IDS, etc.
      Extend XACML with network-specific attributes
      Apply our approach to real corporate networks
  • 68. Thank you! Contact: Salvador Martínez, AtlanMod, INRIA and École des Mines de Nantes, salvador.martinez perez@inria.fr
