Model-driven Extraction and Analysis of
Network Security Policies
MODELS 2013
Salvador Mart´ınez1
, Joaqu´ın Garc´ıa-Alfar...
Introduction
Security is a critical concern. . .
c AtlanMod – atlanmod-contact@mines-nantes.fr 2/31
Introduction
Security is a critical concern. . . At the network level, firewalls play a key role
c AtlanMod – atlanmod-cont...
Introduction
Security is a critical concern. . . At the network level, firewalls play a key role
Why so?
c AtlanMod – atlan...
Introduction
Security is a critical concern. . . At the network level, firewalls play a key role
Why so?
They implement acc...
Introduction
Security is a critical concern. . . At the network level, firewalls play a key role
Why so?
They implement acc...
Introduction
Security is a critical concern. . . At the network level, firewalls play a key role
Why so?
They implement acc...
Introduction
Security is a critical concern. . . At the network level, firewalls play a key role
Why so?
They implement acc...
Introduction
Implementation of a network security policy:
Done generally by hand
Low-level and vendor-specific rule filterin...
Introduction
Implementation of a network security policy:
Done generally by hand
Low-level and vendor-specific rule filterin...
Introduction
Implementation of a network security policy:
Done generally by hand
Low-level and vendor-specific rule filterin...
Motivation
Intranet: private hosts + administrator
DMZ providing: HTTP/HTTPS, FTP, SMTP and SSH
Public Hosts
2 firewalls co...
FW1 Conf.
iptables −P INPUT DROP
iptables −P FORWARD DROP
iptables −P OUTPUT DROP
iptables −N Out_SMTP
iptables −A FORWARD...
FW1 Conf.
iptables −P INPUT DROP
iptables −P FORWARD DROP
iptables −P OUTPUT DROP
iptables −N Out_SMTP
iptables −A FORWARD...
FW1 Conf.
iptables −P INPUT DROP
iptables −P FORWARD DROP
iptables −P OUTPUT DROP
iptables −N Out_SMTP
iptables −A FORWARD...
FW1 Conf.
iptables −P INPUT DROP
iptables −P FORWARD DROP
iptables −P OUTPUT DROP
iptables −N Out_SMTP
iptables −A FORWARD...
FW1 Conf.
iptables −P INPUT DROP
iptables −P FORWARD DROP
iptables −P OUTPUT DROP
iptables −N Out_SMTP
iptables −A FORWARD...
FW1 Conf.
iptables −P INPUT DROP
iptables −P FORWARD DROP
iptables −P OUTPUT DROP
iptables −N Out_SMTP
iptables −A FORWARD...
Fw2. Conf
access−list eth1_acl_in remark Fw2Policy 0 (global)
access−list eth1_acl_in deny tcp host 1 1 1 . 2 2 2 . 2 . 5 ...
Fw2. Conf
access−list eth1_acl_in remark Fw2Policy 0 (global)
access−list eth1_acl_in deny tcp host 1 1 1 . 2 2 2 . 2 . 5 ...
Fw2. Conf
access−list eth1_acl_in remark Fw2Policy 0 (global)
access−list eth1_acl_in deny tcp host 1 1 1 . 2 2 2 . 2 . 5 ...
Fw2. Conf
access−list eth1_acl_in remark Fw2Policy 0 (global)
access−list eth1_acl_in deny tcp host 1 1 1 . 2 2 2 . 2 . 5 ...
Example: Evaluation
Expert knowledge about netfilter iptables and Cisco PIX is required:
Its syntax
Its execution semantics...
Example: Evaluation
Expert knowledge about netfilter iptables and Cisco PIX is required:
Its syntax
Its execution semantics...
Example: Evaluation
Expert knowledge about netfilter iptables and Cisco PIX is required:
Its syntax
Its execution semantics...
Approach
Solution? Raise abstraction level
Abstracts from low-level system specificities
Abstracts from topology
Simplifies ...
Approach
Solution? Raise abstraction level
Abstracts from low-level system specificities
Abstracts from topology
Simplifies ...
Approach
c AtlanMod – atlanmod-contact@mines-nantes.fr 9/31
Approach: Injection
Mere translation between technical spaces:
No information-loss
Same abstraction level
c AtlanMod – atl...
Approach: Injection
Mere translation between technical spaces:
No information-loss
Same abstraction level
Requirements: Fo...
Approach: Injection
Mere translation between technical spaces:
No information-loss
Same abstraction level
Requirements: Fo...
Implementation: XTEXT
Model:
rules += Rule∗;
Rule:
AccessGroup | AccessList;
AccessGroup:
’access−group’ id=ID ’in’ ’inter...
Implementation: XTEXT
Model:
rules += Rule∗;
Rule:
declaration=ChainDeclaration |
filter=FilterDeclaration;
FilterDeclarat...
Approach
c AtlanMod – atlanmod-contact@mines-nantes.fr 13/31
Approach
Solution? Raise abstraction level
Abstracts from low-level system specificities
Abstracts from topology
Simplifies ...
Approach: PSM2PIM
Simplest PIM: Ri : {conditions} → {decision}
i: order within the the conf file
condition: a set of rule m...
Approach: PSM2PIM
Simplest PIM: Ri : {conditions} → {decision}
i: order within the the conf file
condition: a set of rule m...
Metamodel
Network Access-control Metamodel
Platform-independent
Supports the representation of exceptions
Supports the ide...
PSM2PIM
First step: Transform the PSM into the corresponding PIM
Rule shadowing: a rule R is shadowed when it never applie...
PSM2PIM refining algorithm 1
Algorithm 1
1: C← All Connections
2: Caccept ← Ci ∈ C (Ci .decision = Accept)
3: for each Ci ∈...
PSM2PIM refining algorithm 1
Algorithm 1
1: C← All Connections
2: Caccept ← Ci ∈ C (Ci .decision = Accept)
3: for each Ci ∈...
Implementation: ATL
r u l e deleteDeny{
from
s : NetworkAC ! Connection (
s . decision = #Deny and
thisModule .
→TotalExce...
Approach
c AtlanMod – atlanmod-contact@mines-nantes.fr 20/31
Approach
Solution? Raise abstraction level
Abstracts from low-level system specificities
Abstracts from topology
Simplifies ...
PIM Aggregation
An individual firewall gives only a partial vision of the security enforced in the
whole network.
E.g., The...
Approach
c AtlanMod – atlanmod-contact@mines-nantes.fr 22/31
Applications: Refinement
Individual firewalls may contain only locally relevant information.
We need to discern between loca...
Applications:Metrics & queries
We query our model for the existence of any connection allowing the
administrator host (111...
Applications:Metrics & queries
We query our model for the existence of any connection allowing the
administrator host (111...
Applications:Visualization
Figure: Extracted network topology
c AtlanMod – atlanmod-contact@mines-nantes.fr 25/31
Approach
c AtlanMod – atlanmod-contact@mines-nantes.fr 26/31
Applications:PIM 2 XACML
XACML PIM Metamodel
PolicySet A PolicySet containing a Policy is created for each firewall
in the ...
Applications:PIM 2 XACML
<Rule Effect=”Deny” RuleId=”1”>
<Description />
<Target>
<Subjects>
<Subject>
<SubjectMatch Match...
Implementation
Eclipse-based implementation
c AtlanMod – atlanmod-contact@mines-nantes.fr 29/31
Implementation
Eclipse-based implementation
EMF as modelling framework
c AtlanMod – atlanmod-contact@mines-nantes.fr 29/31
Implementation
Eclipse-based implementation
EMF as modelling framework
XTEXT as DSL definition framework
c AtlanMod – atlan...
Implementation
Eclipse-based implementation
EMF as modelling framework
XTEXT as DSL definition framework
ATL as transformat...
Implementation
Eclipse-based implementation
EMF as modelling framework
XTEXT as DSL definition framework
ATL as transformat...
Implementation
Eclipse-based implementation
EMF as modelling framework
XTEXT as DSL definition framework
ATL as transformat...
Conclusions & Future Works
MDE succeeds to isolate the policy from low-level specificities
c AtlanMod – atlanmod-contact@mi...
Conclusions & Future Works
MDE succeeds to isolate the policy from low-level specificities
Easier to understand
c AtlanMod ...
Conclusions & Future Works
MDE succeeds to isolate the policy from low-level specificities
Easier to understand
Easier to m...
Conclusions & Future Works
MDE succeeds to isolate the policy from low-level specificities
Easier to understand
Easier to m...
Conclusions & Future Works
MDE succeeds to isolate the policy from low-level specificities
Easier to understand
Easier to m...
Conclusions & Future Works
MDE succeeds to isolate the policy from low-level specificities
Easier to understand
Easier to m...
Conclusions & Future Works
MDE succeeds to isolate the policy from low-level specificities
Easier to understand
Easier to m...
Conclusions & Future Works
MDE succeeds to isolate the policy from low-level specificities
Easier to understand
Easier to m...
Thank you!
Thank you!
Contact:
Salvador Mart´ınez
AtlanMod, INRIA and ´Ecole des Mines de Nantes
salvador.martinez perez@i...
Upcoming SlideShare
Loading in …5
×

Model-driven Extraction and Analysis of Network Security Policies (at MoDELS'13)

1,945 views

Published on

Model-based Reverse engineering approach for firewall configuration files (covering NetFilter IPTAbles and Cisco PIX). Goal: to obtain an easy to analyze RBAC model

Read more at: http://modeling-languages.com

Published in: Technology
0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
1,945
On SlideShare
0
From Embeds
0
Number of Embeds
973
Actions
Shares
0
Downloads
12
Comments
0
Likes
2
Embeds 0
No embeds

No notes for slide

Model-driven Extraction and Analysis of Network Security Policies (at MoDELS'13)

  1. 1. Model-driven Extraction and Analysis of Network Security Policies MODELS 2013 Salvador Mart´ınez1 , Joaqu´ın Garc´ıa-Alfaro2 , Fr´ed´eric Cuppens2 , Nora Cuppens-Boulahia2 , Jordi Cabot1 1 AtlanMod, INRIA / Ecole de Mines de Nantes 2 T´el´ecom Bretagne ; LUSSI Department Universit´e Europ´eenne de Bretagne October, 2013
  2. 2. Introduction Security is a critical concern. . . c AtlanMod – atlanmod-contact@mines-nantes.fr 2/31
  3. 3. Introduction Security is a critical concern. . . At the network level, firewalls play a key role c AtlanMod – atlanmod-contact@mines-nantes.fr 2/31
  4. 4. Introduction Security is a critical concern. . . At the network level, firewalls play a key role Why so? c AtlanMod – atlanmod-contact@mines-nantes.fr 2/31
  5. 5. Introduction Security is a critical concern. . . At the network level, firewalls play a key role Why so? They implement access control policies in networks c AtlanMod – atlanmod-contact@mines-nantes.fr 2/31
  6. 6. Introduction Security is a critical concern. . . At the network level, firewalls play a key role Why so? They implement access control policies in networks Subjects = Hosts (acting as message senders) Objects = Hosts (acting as message receivers) Actions = Message sending to hosts with certain characteristics: Port Protocol c AtlanMod – atlanmod-contact@mines-nantes.fr 2/31
  7. 7. Introduction Security is a critical concern. . . At the network level, firewalls play a key role Why so? They implement access control policies in networks Subjects = Hosts (acting as message senders) Objects = Hosts (acting as message receivers) Actions = Message sending to hosts with certain characteristics: Port Protocol Confidentiality c AtlanMod – atlanmod-contact@mines-nantes.fr 2/31
  8. 8. Introduction Security is a critical concern. . . At the network level, firewalls play a key role Why so? They implement access control policies in networks Subjects = Hosts (acting as message senders) Objects = Hosts (acting as message receivers) Actions = Message sending to hosts with certain characteristics: Port Protocol Confidentiality Integrity c AtlanMod – atlanmod-contact@mines-nantes.fr 2/31
  9. 9. Introduction Implementation of a network security policy: Done generally by hand Low-level and vendor-specific rule filtering languages Topology: Policy enforcement distributed. c AtlanMod – atlanmod-contact@mines-nantes.fr 3/31
  10. 10. Introduction Implementation of a network security policy: Done generally by hand Low-level and vendor-specific rule filtering languages Topology: Policy enforcement distributed. CONSEQUENCES: Knowing which policy is actually being enforced is a challenge Possible security flaws Hampers evolution c AtlanMod – atlanmod-contact@mines-nantes.fr 3/31
  11. 11. Introduction Implementation of a network security policy: Done generally by hand Low-level and vendor-specific rule filtering languages Topology: Policy enforcement distributed. CONSEQUENCES: Knowing which policy is actually being enforced is a challenge Possible security flaws Hampers evolution Solution? Raise abstraction level Abstracts from low-level system specificities Abstracts from topology Simplifies management of the policy c AtlanMod – atlanmod-contact@mines-nantes.fr 3/31
  12. 12. Motivation Intranet: private hosts + administrator DMZ providing: HTTP/HTTPS, FTP, SMTP and SSH Public Hosts 2 firewalls controlling: Firewall 1: traffic between public hosts and DMZ Firewall 2: traffic between intranet and DMZ c AtlanMod – atlanmod-contact@mines-nantes.fr 4/31
  13. 13. FW1 Conf. iptables −P INPUT DROP iptables −P FORWARD DROP iptables −P OUTPUT DROP iptables −N Out_SMTP iptables −A FORWARD −s 1 1 1 . 2 2 2 . 1 . 1 7 −d 0 . 0 . 0 . 0 / 0 −p tcp −−dport 25 −j Out_SMTP iptables −A Out_SMTP −d 111.222.0.0/16 −j RETURN iptables −A Out_SMTP −j ACCEPT iptables −N In_SMPT iptables −A FORWARD −s 0 . 0 . 0 . 0 / 0 −d 1 1 1 . 2 2 2 . 1 . 1 7 −p tcp −−dport 25 −j Out_SMTP iptables −A Out_SMTP −s 111.222.0.0/16 −j RETURN iptables −A Out_SMTP −j ACCEPT iptables −N NetWeb_HTTP iptables −A FORWARD −s 0 . 0 . 0 . 0 / 0 −d 1 1 1 . 2 2 2 . 1 . 1 7 −p tcp −−dport 80 −j NetWeb_HTTP iptables −A NetWeb_HTTP −s 111.222.0.0/16 −j RETURN iptables −A NetWeb_HTTP −j ACCEPT Netfilter iptables conf. file using custom chains c AtlanMod – atlanmod-contact@mines-nantes.fr 5/31
  14. 14. FW1 Conf. iptables −P INPUT DROP iptables −P FORWARD DROP iptables −P OUTPUT DROP iptables −N Out_SMTP iptables −A FORWARD −s 1 1 1 . 2 2 2 . 1 . 1 7 −d 0 . 0 . 0 . 0 / 0 −p tcp −−dport 25 −j Out_SMTP iptables −A Out_SMTP −d 111.222.0.0/16 −j RETURN iptables −A Out_SMTP −j ACCEPT iptables −N In_SMPT iptables −A FORWARD −s 0 . 0 . 0 . 0 / 0 −d 1 1 1 . 2 2 2 . 1 . 1 7 −p tcp −−dport 25 −j Out_SMTP iptables −A Out_SMTP −s 111.222.0.0/16 −j RETURN iptables −A Out_SMTP −j ACCEPT iptables −N NetWeb_HTTP iptables −A FORWARD −s 0 . 0 . 0 . 0 / 0 −d 1 1 1 . 2 2 2 . 1 . 1 7 −p tcp −−dport 80 −j NetWeb_HTTP iptables −A NetWeb_HTTP −s 111.222.0.0/16 −j RETURN iptables −A NetWeb_HTTP −j ACCEPT Netfilter iptables conf. file using custom chains 1 Default policy c AtlanMod – atlanmod-contact@mines-nantes.fr 5/31
  15. 15. FW1 Conf. iptables −P INPUT DROP iptables −P FORWARD DROP iptables −P OUTPUT DROP iptables −N Out_SMTP iptables −A FORWARD −s 1 1 1 . 2 2 2 . 1 . 1 7 −d 0 . 0 . 0 . 0 / 0 −p tcp −−dport 25 −j Out_SMTP iptables −A Out_SMTP −d 111.222.0.0/16 −j RETURN iptables −A Out_SMTP −j ACCEPT iptables −N In_SMPT iptables −A FORWARD −s 0 . 0 . 0 . 0 / 0 −d 1 1 1 . 2 2 2 . 1 . 1 7 −p tcp −−dport 25 −j Out_SMTP iptables −A Out_SMTP −s 111.222.0.0/16 −j RETURN iptables −A Out_SMTP −j ACCEPT iptables −N NetWeb_HTTP iptables −A FORWARD −s 0 . 0 . 0 . 0 / 0 −d 1 1 1 . 2 2 2 . 1 . 1 7 −p tcp −−dport 80 −j NetWeb_HTTP iptables −A NetWeb_HTTP −s 111.222.0.0/16 −j RETURN iptables −A NetWeb_HTTP −j ACCEPT Netfilter iptables conf. file using custom chains 1 Default policy 2 Controls outcoming SMTP messages. c AtlanMod – atlanmod-contact@mines-nantes.fr 5/31
  16. 16. FW1 Conf. iptables −P INPUT DROP iptables −P FORWARD DROP iptables −P OUTPUT DROP iptables −N Out_SMTP iptables −A FORWARD −s 1 1 1 . 2 2 2 . 1 . 1 7 −d 0 . 0 . 0 . 0 / 0 −p tcp −−dport 25 −j Out_SMTP iptables −A Out_SMTP −d 111.222.0.0/16 −j RETURN iptables −A Out_SMTP −j ACCEPT iptables −N In_SMPT iptables −A FORWARD −s 0 . 0 . 0 . 0 / 0 −d 1 1 1 . 2 2 2 . 1 . 1 7 −p tcp −−dport 25 −j Out_SMTP iptables −A Out_SMTP −s 111.222.0.0/16 −j RETURN iptables −A Out_SMTP −j ACCEPT iptables −N NetWeb_HTTP iptables −A FORWARD −s 0 . 0 . 0 . 0 / 0 −d 1 1 1 . 2 2 2 . 1 . 1 7 −p tcp −−dport 80 −j NetWeb_HTTP iptables −A NetWeb_HTTP −s 111.222.0.0/16 −j RETURN iptables −A NetWeb_HTTP −j ACCEPT Netfilter iptables conf. file using custom chains 1 Default policy 2 Controls outcoming SMTP messages. 3 Controls incoming SMTP messages to the server c AtlanMod – atlanmod-contact@mines-nantes.fr 5/31
  17. 17. FW1 Conf. iptables −P INPUT DROP iptables −P FORWARD DROP iptables −P OUTPUT DROP iptables −N Out_SMTP iptables −A FORWARD −s 1 1 1 . 2 2 2 . 1 . 1 7 −d 0 . 0 . 0 . 0 / 0 −p tcp −−dport 25 −j Out_SMTP iptables −A Out_SMTP −d 111.222.0.0/16 −j RETURN iptables −A Out_SMTP −j ACCEPT iptables −N In_SMPT iptables −A FORWARD −s 0 . 0 . 0 . 0 / 0 −d 1 1 1 . 2 2 2 . 1 . 1 7 −p tcp −−dport 25 −j Out_SMTP iptables −A Out_SMTP −s 111.222.0.0/16 −j RETURN iptables −A Out_SMTP −j ACCEPT iptables −N NetWeb_HTTP iptables −A FORWARD −s 0 . 0 . 0 . 0 / 0 −d 1 1 1 . 2 2 2 . 1 . 1 7 −p tcp −−dport 80 −j NetWeb_HTTP iptables −A NetWeb_HTTP −s 111.222.0.0/16 −j RETURN iptables −A NetWeb_HTTP −j ACCEPT Netfilter iptables conf. file using custom chains 1 Default policy 2 Controls outcoming SMTP messages. 3 Controls incoming SMTP messages to the server 4 Controls the HTTP requests from the public hosts c AtlanMod – atlanmod-contact@mines-nantes.fr 5/31
  18. 18. FW1 Conf. iptables −P INPUT DROP iptables −P FORWARD DROP iptables −P OUTPUT DROP iptables −N Out_SMTP iptables −A FORWARD −s 1 1 1 . 2 2 2 . 1 . 1 7 −d 0 . 0 . 0 . 0 / 0 −p tcp −−dport 25 −j Out_SMTP iptables −A Out_SMTP −d 111.222.0.0/16 −j RETURN iptables −A Out_SMTP −j ACCEPT iptables −N In_SMPT iptables −A FORWARD −s 0 . 0 . 0 . 0 / 0 −d 1 1 1 . 2 2 2 . 1 . 1 7 −p tcp −−dport 25 −j Out_SMTP iptables −A Out_SMTP −s 111.222.0.0/16 −j RETURN iptables −A Out_SMTP −j ACCEPT iptables −N NetWeb_HTTP iptables −A FORWARD −s 0 . 0 . 0 . 0 / 0 −d 1 1 1 . 2 2 2 . 1 . 1 7 −p tcp −−dport 80 −j NetWeb_HTTP iptables −A NetWeb_HTTP −s 111.222.0.0/16 −j RETURN iptables −A NetWeb_HTTP −j ACCEPT Netfilter iptables conf. file using custom chains 1 Default policy 2 Controls outcoming SMTP messages. 3 Controls incoming SMTP messages to the server 4 Controls the HTTP requests from the public hosts 5 Local hosts are not allowed to use services!!! c AtlanMod – atlanmod-contact@mines-nantes.fr 5/31
  19. 19. Fw2. Conf access−list eth1_acl_in remark Fw2Policy 0 (global) access−list eth1_acl_in deny tcp host 1 1 1 . 2 2 2 . 2 . 5 4 1 1 1 . 2 2 2 . 1 . 1 7 eq 25 access−list eth1_acl_in remark Fw2Policy 1 (global) access−list eth1_acl_in deny tcp host 1 1 1 . 2 2 2 . 2 . 5 3 1 1 1 . 2 2 2 . 1 . 1 7 eq 25 access−list eth1_acl_in remark Fw2Policy 2 (global) access−list eth1_acl_in permit tcp 1 1 1 . 2 2 2 . 2 . 0 255.255.255.0 1 1 1 . 2 2 2 . 1 . 1 7 eq 25 access−list eth1_acl_in remark Fw2Policy 4 (global) access−list eth1_acl_in deny tcp host 1 1 1 . 2 2 2 . 2 . 5 4 1 1 1 . 2 2 2 . 1 . 1 7 eq 80 access−list eth1_acl_in remark Fw2Policy 5 (global) access−list eth1_acl_in deny tcp host 1 1 1 . 2 2 2 . 2 . 5 3 1 1 1 . 2 2 2 . 1 . 1 7 eq 80 access−list eth1_acl_in remark Fw2Policy 3 (global) access−list eth1_acl_in permit tcp 1 1 1 . 2 2 2 . 2 . 0 255.255.255.0 1 1 1 . 2 2 2 . 1 . 1 7 eq 80 access−group eth1_acl_in in interface eth1 Cisco PIX conf. file c AtlanMod – atlanmod-contact@mines-nantes.fr 6/31
  20. 20. Fw2. Conf access−list eth1_acl_in remark Fw2Policy 0 (global) access−list eth1_acl_in deny tcp host 1 1 1 . 2 2 2 . 2 . 5 4 1 1 1 . 2 2 2 . 1 . 1 7 eq 25 access−list eth1_acl_in remark Fw2Policy 1 (global) access−list eth1_acl_in deny tcp host 1 1 1 . 2 2 2 . 2 . 5 3 1 1 1 . 2 2 2 . 1 . 1 7 eq 25 access−list eth1_acl_in remark Fw2Policy 2 (global) access−list eth1_acl_in permit tcp 1 1 1 . 2 2 2 . 2 . 0 255.255.255.0 1 1 1 . 2 2 2 . 1 . 1 7 eq 25 access−list eth1_acl_in remark Fw2Policy 4 (global) access−list eth1_acl_in deny tcp host 1 1 1 . 2 2 2 . 2 . 5 4 1 1 1 . 2 2 2 . 1 . 1 7 eq 80 access−list eth1_acl_in remark Fw2Policy 5 (global) access−list eth1_acl_in deny tcp host 1 1 1 . 2 2 2 . 2 . 5 3 1 1 1 . 2 2 2 . 1 . 1 7 eq 80 access−list eth1_acl_in remark Fw2Policy 3 (global) access−list eth1_acl_in permit tcp 1 1 1 . 2 2 2 . 2 . 0 255.255.255.0 1 1 1 . 2 2 2 . 1 . 1 7 eq 80 access−group eth1_acl_in in interface eth1 Cisco PIX conf. file 1 Controls incoming SMTP messages to the server c AtlanMod – atlanmod-contact@mines-nantes.fr 6/31
  21. 21. Fw2. Conf access−list eth1_acl_in remark Fw2Policy 0 (global) access−list eth1_acl_in deny tcp host 1 1 1 . 2 2 2 . 2 . 5 4 1 1 1 . 2 2 2 . 1 . 1 7 eq 25 access−list eth1_acl_in remark Fw2Policy 1 (global) access−list eth1_acl_in deny tcp host 1 1 1 . 2 2 2 . 2 . 5 3 1 1 1 . 2 2 2 . 1 . 1 7 eq 25 access−list eth1_acl_in remark Fw2Policy 2 (global) access−list eth1_acl_in permit tcp 1 1 1 . 2 2 2 . 2 . 0 255.255.255.0 1 1 1 . 2 2 2 . 1 . 1 7 eq 25 access−list eth1_acl_in remark Fw2Policy 4 (global) access−list eth1_acl_in deny tcp host 1 1 1 . 2 2 2 . 2 . 5 4 1 1 1 . 2 2 2 . 1 . 1 7 eq 80 access−list eth1_acl_in remark Fw2Policy 5 (global) access−list eth1_acl_in deny tcp host 1 1 1 . 2 2 2 . 2 . 5 3 1 1 1 . 2 2 2 . 1 . 1 7 eq 80 access−list eth1_acl_in remark Fw2Policy 3 (global) access−list eth1_acl_in permit tcp 1 1 1 . 2 2 2 . 2 . 0 255.255.255.0 1 1 1 . 2 2 2 . 1 . 1 7 eq 80 access−group eth1_acl_in in interface eth1 Cisco PIX conf. file 1 Controls incoming SMTP messages to the server 2 Controls the HTTP requests c AtlanMod – atlanmod-contact@mines-nantes.fr 6/31
  22. 22. Fw2. Conf access−list eth1_acl_in remark Fw2Policy 0 (global) access−list eth1_acl_in deny tcp host 1 1 1 . 2 2 2 . 2 . 5 4 1 1 1 . 2 2 2 . 1 . 1 7 eq 25 access−list eth1_acl_in remark Fw2Policy 1 (global) access−list eth1_acl_in deny tcp host 1 1 1 . 2 2 2 . 2 . 5 3 1 1 1 . 2 2 2 . 1 . 1 7 eq 25 access−list eth1_acl_in remark Fw2Policy 2 (global) access−list eth1_acl_in permit tcp 1 1 1 . 2 2 2 . 2 . 0 255.255.255.0 1 1 1 . 2 2 2 . 1 . 1 7 eq 25 access−list eth1_acl_in remark Fw2Policy 4 (global) access−list eth1_acl_in deny tcp host 1 1 1 . 2 2 2 . 2 . 5 4 1 1 1 . 2 2 2 . 1 . 1 7 eq 80 access−list eth1_acl_in remark Fw2Policy 5 (global) access−list eth1_acl_in deny tcp host 1 1 1 . 2 2 2 . 2 . 5 3 1 1 1 . 2 2 2 . 1 . 1 7 eq 80 access−list eth1_acl_in remark Fw2Policy 3 (global) access−list eth1_acl_in permit tcp 1 1 1 . 2 2 2 . 2 . 0 255.255.255.0 1 1 1 . 2 2 2 . 1 . 1 7 eq 80 access−group eth1_acl_in in interface eth1 Cisco PIX conf. file 1 Controls incoming SMTP messages to the server 2 Controls the HTTP requests 3 Add rules to the interface c AtlanMod – atlanmod-contact@mines-nantes.fr 6/31
  23. 23. Example: Evaluation Expert knowledge about netfilter iptables and Cisco PIX is required: Its syntax Its execution semantics The topology has to be known to ease the understanding on the policy of the individual firewalls. All the firewalls have to be taken into account to derive a global policy. c AtlanMod – atlanmod-contact@mines-nantes.fr 7/31
  24. 24. Example: Evaluation Expert knowledge about netfilter iptables and Cisco PIX is required: Its syntax Its execution semantics The topology has to be known to ease the understanding on the policy of the individual firewalls. All the firewalls have to be taken into account to derive a global policy. Some numbers: M: Number of firewalls and N: Number of rules Big companies M >> N example BNP network: M ≈ 1000, N ≈ 100 Small companies N >> M c AtlanMod – atlanmod-contact@mines-nantes.fr 7/31
  25. 25. Example: Evaluation Expert knowledge about netfilter iptables and Cisco PIX is required: Its syntax Its execution semantics The topology has to be known to ease the understanding on the policy of the individual firewalls. All the firewalls have to be taken into account to derive a global policy. Some numbers: M: Number of firewalls and N: Number of rules Big companies M >> N example BNP network: M ≈ 1000, N ≈ 100 Small companies N >> M Manual approach? for corporate networks, M (potentially from different vendors) and N are big enough to make the task very hard. c AtlanMod – atlanmod-contact@mines-nantes.fr 7/31
  26. 26. Approach Solution? Raise abstraction level Abstracts from low-level system specificities Abstracts from topology Simplifies management of the policy c AtlanMod – atlanmod-contact@mines-nantes.fr 8/31
  27. 27. Approach Solution? Raise abstraction level Abstracts from low-level system specificities Abstracts from topology Simplifies management of the policy Our proposal Model-driven extraction process towards a network access-control model representing the global policy of the system. c AtlanMod – atlanmod-contact@mines-nantes.fr 8/31
  28. 28. Approach c AtlanMod – atlanmod-contact@mines-nantes.fr 9/31
  29. 29. Approach: Injection Mere translation between technical spaces: No information-loss Same abstraction level c AtlanMod – atlanmod-contact@mines-nantes.fr 10/31
  30. 30. Approach: Injection Mere translation between technical spaces: No information-loss Same abstraction level Requirements: For each different rule-filtering language we need A PSM A parser An injector c AtlanMod – atlanmod-contact@mines-nantes.fr 10/31
  31. 31. Approach: Injection Mere translation between technical spaces: No information-loss Same abstraction level Requirements: For each different rule-filtering language we need A PSM A parser An injector We can obtain this by providing the language grammar to XTEXT c AtlanMod – atlanmod-contact@mines-nantes.fr 10/31
  32. 32. Implementation: XTEXT Model: rules += Rule∗; Rule: AccessGroup | AccessList; AccessGroup: ’access−group’ id=ID ’in’ ’interface’ interface=Interface; Interface: id=ID; AccessList: ( ’no ’ ) ? ’access−list’ id=ID decision=( ’deny’ | ’permit ’ ) protocol=Protocol protocolObjectGroup=ProtocolObjectGroup serviceObjectGroup=ServiceObjectGroup networkObjectGroup=NetworkObjectGroup; ProtocolObjectGroup: (pogId=ID) ? sourceAddress=IPExpr sourceMask=MaskExpr; ServiceObjectGroup: targetAddress=IPExpr targetMask=IPExpr; NetworkObjectGroup: operator=Operator port=INT; Operator: name=( ’eq’ | ’lt’ | ’gt ’ ) ; Protocol: name= ( ’tcp’ | ’udp’ | ’ip ’ ) ; IPExpr: INT ’ . ’ INT ’ . Figure: Cisco Metamodel excerpt c AtlanMod – atlanmod-contact@mines-nantes.fr 11/31
  33. 33. Implementation: XTEXT Model: rules += Rule∗; Rule: declaration=ChainDeclaration | filter=FilterDeclaration; FilterDeclaration: filter=FilteringSpec; FilteringSpec: FilterSpec; FilterSpec: ’iptables’ option=(’−A’ | ’−D’ | ’−P ’ ) chain=Chain ((’−src’ | ’−s ’ ) ip=IPExpr) ? (’−i’ interface=Interface) ? (’−d’ ipDst=IPExpr) ? (’−p’ protocol=Protocol) ? (’−m’ matches=Protocol) ? (’−−sport’ sourcePort=INT) ? (’−−dport’ destinationPort=INT) ? (’−j ’ ) ? target=Target; Interface: name=ID; Protocol: Tcp | Udp | Icmp; Target: ID; Chain: chainName = ID; CustomChain: name=[ChainName ] ; ChainDeclaration: ’iptables’ ’−N’ ChainName; ChainName: name=ID; IPExpr: INT ’ . ’ INT ’ . Figure: Iptables Metamodel excerpt c AtlanMod – atlanmod-contact@mines-nantes.fr 12/31
  34. 34. Approach c AtlanMod – atlanmod-contact@mines-nantes.fr 13/31
  35. 35. Approach Solution? Raise abstraction level Abstracts from low-level system specificities Abstracts from topology Simplifies management of the policy c AtlanMod – atlanmod-contact@mines-nantes.fr 13/31
  36. 36. Approach: PSM2PIM Simplest PIM: Ri : {conditions} → {decision} i: order within the the conf file condition: a set of rule matching attributes like ip source address decision: accept or deny c AtlanMod – atlanmod-contact@mines-nantes.fr 14/31
  37. 37. Approach: PSM2PIM Simplest PIM: Ri : {conditions} → {decision} i: order within the the conf file condition: a set of rule matching attributes like ip source address decision: accept or deny Problems? Highly redundant and disperse Not suited to represent exception oriented access-control Anomalies (positive-negative logic conflicts + execution algorithm) c AtlanMod – atlanmod-contact@mines-nantes.fr 14/31
  38. 38. Metamodel Network Access-control Metamodel Platform-independent Supports the representation of exceptions Supports the identification of anomalies c AtlanMod – atlanmod-contact@mines-nantes.fr 15/31
  39. 39. PSM2PIM First step: Transform the PSM into the corresponding PIM Rule shadowing: a rule R is shadowed when it never applies because another rule with higher priority matches all the packets it may match. Rule redundancy: a rule R is redundant when it is not shadowed and removing it from the rule set does not change the security policy. Rule irrelevance: a rule R is irrelevant when it is meant to match packets that does not pass by a given firewall. Second step: PIM refinement Improves internal organization: Representation of exceptions Detection of anomalies c AtlanMod – atlanmod-contact@mines-nantes.fr 16/31
  40. 40. PSM2PIM refining algorithm 1 Algorithm 1 1: C← All Connections 2: Caccept ← Ci ∈ C (Ci .decision = Accept) 3: for each Ci ∈ Caccept do 4: Cdeny ← CJ ∈ C (Cj .decision = Deny and Matched of Cj ⊆ matched Ci ) 5: for each Cj ∈ Cdeny do 6: if Cj .order < Ci .order then 7: Create Exception 8: Remove Cj 9: else 10: Cj .IsShadowed ← true 11: end if 12: end for 13: end for 14: Cdeny ← Cj ∈ C (Cj .decision=Deny and Cj .isShadowed=false) 15: for each Ci ∈ Cdeny do 16: Cj .IsRedundant ← true 17: end for c AtlanMod – atlanmod-contact@mines-nantes.fr 17/31
  41. 41. PSM2PIM refining algorithm 1 Algorithm 1 1: C← All Connections 2: Caccept ← Ci ∈ C (Ci .decision = Accept) 3: for each Ci ∈ Caccept do 4: Cdeny ← CJ ∈ C (Cj .decision = Deny and Matched of Cj ⊆ matched Ci ) 5: for each Cj ∈ Cdeny do 6: if Cj .order < Ci .order then 7: Create Exception 8: Remove Cj 9: else 10: Cj .IsShadowed ← true 11: end if 12: end for 13: end for 14: Cdeny ← Cj ∈ C (Cj .decision=Deny and Cj .isShadowed=false) 15: for each Ci ∈ Cdeny do 16: Cj .IsRedundant ← true 17: end for c AtlanMod – atlanmod-contact@mines-nantes.fr 18/31
  42. 42. Implementation: ATL r u l e deleteDeny{ from s : NetworkAC ! Connection ( s . decision = #Deny and thisModule . →TotalExceptionRules → . includes ( s ) ) to drop t : NetworkAC ! Exception ( decision <− s . decision , dstPort <− s . dstPort , firewall <− s . firewall , order <− s . order , protocol <− s . protocol , source <− s . source , srcPort <− s . srcPort , target <− s . target ) } r u l e MarkShadowed{ from s : NetworkAC ! Connection ( s . decision = #Deny and thisModule . ShadowedRules . →includes ( s ) ) to t : NetworkAC ! Connection ( isShadowed <− true ) } r u l e MarkRedundant{ from s : NetworkAC ! Connection ( s . decision = #Deny and thisModule . ShadowedRules . →excludes ( s ) and thisModule . →TotalExceptionRules → . excludes ( s ) ) to t : NetworkAC ! Connection ( isRedundant <− true ) } c AtlanMod – atlanmod-contact@mines-nantes.fr 19/31
  43. 43. Approach c AtlanMod – atlanmod-contact@mines-nantes.fr 20/31
  44. 44. Approach Solution? Raise abstraction level Abstracts from low-level system specificities Abstracts from topology Simplifies management of the policy c AtlanMod – atlanmod-contact@mines-nantes.fr 20/31
  45. 45. PIM Aggregation An individual firewall gives only a partial vision of the security enforced in the whole network. E.g., The access to the SMTP service is managed by both firewalls, one allowing the access from the public host and one allowing the access from the intranet. We need to aggregate the individual models!! REVERSIBLE: Each Connection keeps original firewall and rule ordering. GlobalModel = Mi ∪ Mj . . . ∪ Mn Refinement to assign types to Network Elements c AtlanMod – atlanmod-contact@mines-nantes.fr 21/31
  46. 46. Approach c AtlanMod – atlanmod-contact@mines-nantes.fr 22/31
  47. 47. Applications: Refinement Individual firewalls may contain only locally relevant information. We need to discern between locally and globally relevant information!! The global model is easier to understand Isolate the policy from the enforcement topology Algorithm 2 1: C← All Connections 2: E← All Exceptions 3: for each Ei ∈ E do 4: L← Ci ∈ C (Ci .firewall = Ei .firewall and Matched of Ci ⊆ matched Ei ) 5: if L = ∅ then 6: Ei .IsLocal ← true 7: for each Ci ∈ L do 8: Ci .IsLocal ← true 9: end for 10: end if 11: end for c AtlanMod – atlanmod-contact@mines-nantes.fr 23/31
  48. 48. Applications:Metrics & queries We query our model for the existence of any connection allowing the administrator host (111.222.2.54) to connect to the server (111.222.1.17): c AtlanMod – atlanmod-contact@mines-nantes.fr 24/31
  49. 49. Applications:Metrics & queries We query our model for the existence of any connection allowing the administrator host (111.222.2.54) to connect to the server (111.222.1.17): E v a l u a t i n g : s e l f . c o n n e c t i o n s −>e x i s t s ( e | e . s o u r c e . i p A d d r = ’111.222.2.54 ’ a n d e . t a r g e t . i p A d d r = ’111.222.1.17 ’) R e s u l t s : f a l s e c AtlanMod – atlanmod-contact@mines-nantes.fr 24/31
Applications: Visualization
Figure: Extracted network topology
Approach
Applications: PIM 2 XACML
XACML      | PIM Metamodel
-----------|------------------------------------------------------------------
PolicySet  | A PolicySet containing a Policy is created for each firewall in the PIM
Policy     | All the Connections and Exceptions belonging to a given firewall
Rule       | A single Connection or Exception
Subject    | Source NetworkElement address and source port of a given Connection or Exception
Resource   | Target NetworkElement address and target port of a given Connection or Exception
Action     | Not mapped. The action is always the ability of sending a message.
Condition  | Protocol field
Table: PIM to XACML mappings
Applications: PIM 2 XACML
<Rule Effect="Deny" RuleId="1">
  <Description />
  <Target>
    <Subjects>
      <Subject>
        <SubjectMatch MatchId="">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">111.222.2.54</AttributeValue>
          <SubjectAttributeDesignator />
        </SubjectMatch>
      </Subject>
    </Subjects>
    <Resources>
      <Resource>
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">111.222.1.17</AttributeValue>
          <ResourceAttributeDesignator />
        </ResourceMatch>
      </Resource>
    </Resources>
  </Target>
  <Condition>
    <SubjectAttributeDesignator AttributeId="protocol" DataType="http://www.w3.org/2001/XMLSchema#string" />
  </Condition>
</Rule>
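As an added example of the mapping table in code (this is not the AtlanMod tool's own ATL/Xpand transformation), the model-to-text step below emits an XACML 2.0 PolicySet per firewall, one Policy with its rules in PIM order, Permit for a Connection and Deny for an Exception, with Subject, Resource and Condition filled as the table prescribes. The attribute ids source-address, source-port, target-address, target-port and protocol, the first-applicable and deny-overrides combining algorithms, and the sample PIM are assumptions; the slide's excerpt leaves MatchId and the designators empty, and this example fills them with string-equal.

```python
"""PIM -> XACML 2.0 model-to-text step following the mapping table."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

XACML_NS = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
STRING_ONE = "urn:oasis:names:tc:xacml:1.0:function:string-one-and-only"
# Combining algorithms are assumptions: first-applicable reproduces firewall
# rule ordering, deny-overrides makes any traversed firewall's Deny win.
FIRST_APPLICABLE = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
DENY_OVERRIDES = "urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides"


@dataclass(frozen=True)
class PimRule:
    kind: str          # "connection" -> Permit, "exception" -> Deny
    source: str        # source NetworkElement ipAddr
    source_port: str
    target: str        # target NetworkElement ipAddr
    target_port: str
    protocol: str


def _add_match(parent, match_tag, designator_tag, attribute_id, value):
    """One <SubjectMatch>/<ResourceMatch>: literal value string-equal to a request attribute."""
    match = ET.SubElement(parent, match_tag, MatchId=STRING_EQUAL)
    ET.SubElement(match, "AttributeValue", DataType=XS_STRING).text = value
    ET.SubElement(match, designator_tag, AttributeId=attribute_id, DataType=XS_STRING)


def rule_to_xacml(rule, rule_id):
    """Rule = one Connection or Exception; Subject = source addr/port, Resource =
    target addr/port, Condition = protocol; Action is not mapped. Attribute ids are assumed."""
    xrule = ET.Element("Rule", RuleId=str(rule_id),
                       Effect="Permit" if rule.kind == "connection" else "Deny")
    ET.SubElement(xrule, "Description").text = (
        f"{rule.kind} {rule.source}:{rule.source_port} -> "
        f"{rule.target}:{rule.target_port} ({rule.protocol})")
    target = ET.SubElement(xrule, "Target")
    subject = ET.SubElement(ET.SubElement(target, "Subjects"), "Subject")
    _add_match(subject, "SubjectMatch", "SubjectAttributeDesignator", "source-address", rule.source)
    _add_match(subject, "SubjectMatch", "SubjectAttributeDesignator", "source-port", rule.source_port)
    resource = ET.SubElement(ET.SubElement(target, "Resources"), "Resource")
    _add_match(resource, "ResourceMatch", "ResourceAttributeDesignator", "target-address", rule.target)
    _add_match(resource, "ResourceMatch", "ResourceAttributeDesignator", "target-port", rule.target_port)
    # XACML 2.0 Condition: string-equal(string-one-and-only(protocol), literal).
    condition = ET.SubElement(xrule, "Condition")
    equal = ET.SubElement(condition, "Apply", FunctionId=STRING_EQUAL)
    one = ET.SubElement(equal, "Apply", FunctionId=STRING_ONE)
    ET.SubElement(one, "SubjectAttributeDesignator", AttributeId="protocol", DataType=XS_STRING)
    ET.SubElement(equal, "AttributeValue", DataType=XS_STRING).text = rule.protocol
    return xrule


def pim_to_xacml(rules_by_firewall):
    """PolicySet per firewall (holding one Policy with all its rules, in PIM order),
    all wrapped in a global PolicySet."""
    root = ET.Element("PolicySet", xmlns=XACML_NS, PolicySetId="global",
                      PolicyCombiningAlgId=DENY_OVERRIDES)
    ET.SubElement(root, "Target")   # empty Target: applies to every request
    for firewall, rules in rules_by_firewall.items():
        pset = ET.SubElement(root, "PolicySet", PolicySetId=firewall,
                             PolicyCombiningAlgId=DENY_OVERRIDES)
        ET.SubElement(pset, "Target")
        policy = ET.SubElement(pset, "Policy", PolicyId=f"{firewall}-rules",
                               RuleCombiningAlgId=FIRST_APPLICABLE)
        ET.SubElement(policy, "Target")
        for rule_id, rule in enumerate(rules, start=1):
            policy.append(rule_to_xacml(rule, rule_id))
    return root


def to_xml(root):
    ET.indent(root)              # Python 3.9+
    return ET.tostring(root, encoding="unicode")


# Constructed PIM: FW1 admits public SMTP; FW2 denies the admin host before
# admitting the intranet (mirrors the Deny rule excerpt on the slide).
ADMIN, SERVER = "111.222.2.54", "111.222.1.17"
SAMPLE = {
    "FW1": [PimRule("connection", "0.0.0.0/0", "any", SERVER, "25", "tcp")],
    "FW2": [PimRule("exception", ADMIN, "any", SERVER, "any", "tcp"),
            PimRule("connection", "111.222.2.0/24", "any", SERVER, "25", "tcp")],
}
ROOT = pim_to_xacml(SAMPLE)

if __name__ == "__main__":
    print(to_xml(ROOT))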
Implementation
Eclipse-based implementation
EMF as modelling framework
XTEXT as DSL definition framework
ATL as transformation framework
XPAND as Model to Text framework
http://www.emn.fr/z-info/atlanmod/index.php/Firewall_Reverse_Engineering
Conclusions & Future Works
MDE succeeds in isolating the policy from low-level specificities:
Easier to understand
Easier to manipulate (reuse of proven MDE tools)
Enables migration and evolution
Future Works
Extend to other network components such as MPLS routers, IDS, etc.
Extend XACML with network-specific attributes
Apply our approach to real corporate networks
Thank you!
Contact: Salvador Martínez
AtlanMod, INRIA and École des Mines de Nantes
salvador.martinez perez@inria.fr