Model-driven Extraction and Analysis of Network Security Policies (at MoDELS'13)

Model-driven Extraction and Analysis of Network Security Policies. MODELS 2013. Salvador Martínez¹, Joaquín García-Alfaro², Frédéric Cuppens², Nora Cuppens-Boulahia², Jordi Cabot¹. ¹ AtlanMod, INRIA / École des Mines de Nantes. ² Télécom Bretagne; LUSSI Department, Université Européenne de Bretagne. October, 2013.

Uploaded by jordi-cabot, posted 10-May-2015


DESCRIPTION

Model-based reverse-engineering approach for firewall configuration files (covering Netfilter iptables and Cisco PIX). Goal: to obtain an easy-to-analyze RBAC model.

TRANSCRIPT

Page 1: Model-driven Extraction and Analysis of Network Security Policies (at MoDELS'13)

Model-driven Extraction and Analysis of Network Security Policies

MODELS 2013

Salvador Martínez¹, Joaquín García-Alfaro², Frédéric Cuppens², Nora Cuppens-Boulahia², Jordi Cabot¹

¹ AtlanMod, INRIA / École des Mines de Nantes
² Télécom Bretagne; LUSSI Department, Université Européenne de Bretagne

October, 2013

Page 2: Introduction

Security is a critical concern...

At the network level, firewalls play a key role. Why so? They implement access control policies in networks:

Subjects = Hosts (acting as message senders)
Objects = Hosts (acting as message receivers)
Actions = Message sending to hosts with certain characteristics: port, protocol

Properties enforced: Confidentiality, Integrity

© AtlanMod – [email protected] 2/31


Page 9: Introduction

Implementation of a network security policy:
Done generally by hand
Low-level and vendor-specific rule-filtering languages
Topology: policy enforcement is distributed

CONSEQUENCES:
Knowing which policy is actually being enforced is a challenge
Possible security flaws
Hampers evolution

Solution? Raise the abstraction level:
Abstracts from low-level system specificities
Abstracts from topology
Simplifies management of the policy


Page 12: Motivation

Intranet: private hosts + administrator
DMZ providing: HTTP/HTTPS, FTP, SMTP and SSH
Public hosts
2 firewalls controlling:
Firewall 1: traffic between public hosts and DMZ
Firewall 2: traffic between intranet and DMZ

Page 13: FW1 Conf.

Netfilter iptables conf. file using custom chains:

    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP

    iptables -N Out_SMTP
    iptables -A FORWARD -s 111.222.1.17 -d 0.0.0.0/0 -p tcp --dport 25 -j Out_SMTP
    iptables -A Out_SMTP -d 111.222.0.0/16 -j RETURN
    iptables -A Out_SMTP -j ACCEPT

    iptables -N In_SMTP
    iptables -A FORWARD -s 0.0.0.0/0 -d 111.222.1.17 -p tcp --dport 25 -j In_SMTP
    iptables -A In_SMTP -s 111.222.0.0/16 -j RETURN
    iptables -A In_SMTP -j ACCEPT

    iptables -N NetWeb_HTTP
    iptables -A FORWARD -s 0.0.0.0/0 -d 111.222.1.17 -p tcp --dport 80 -j NetWeb_HTTP
    iptables -A NetWeb_HTTP -s 111.222.0.0/16 -j RETURN
    iptables -A NetWeb_HTTP -j ACCEPT

1 Default policy: everything not explicitly accepted is dropped
2 Controls outgoing SMTP messages
3 Controls incoming SMTP messages to the server
4 Controls the HTTP requests from the public hosts
5 Local hosts (111.222.0.0/16) are not allowed to use the services!!! The RETURN sends their packets back to FORWARD, where the default DROP applies


Page 19: FW2 Conf.

Cisco PIX conf. file:

    access-list eth1_acl_in remark Fw2Policy 0 (global)
    access-list eth1_acl_in deny tcp host 111.222.2.54 host 111.222.1.17 eq 25
    access-list eth1_acl_in remark Fw2Policy 1 (global)
    access-list eth1_acl_in deny tcp host 111.222.2.53 host 111.222.1.17 eq 25
    access-list eth1_acl_in remark Fw2Policy 2 (global)
    access-list eth1_acl_in permit tcp 111.222.2.0 255.255.255.0 host 111.222.1.17 eq 25

    access-list eth1_acl_in remark Fw2Policy 4 (global)
    access-list eth1_acl_in deny tcp host 111.222.2.54 host 111.222.1.17 eq 80
    access-list eth1_acl_in remark Fw2Policy 5 (global)
    access-list eth1_acl_in deny tcp host 111.222.2.53 host 111.222.1.17 eq 80
    access-list eth1_acl_in remark Fw2Policy 3 (global)
    access-list eth1_acl_in permit tcp 111.222.2.0 255.255.255.0 host 111.222.1.17 eq 80

    access-group eth1_acl_in in interface eth1

1 Controls incoming SMTP messages to the server
2 Controls the HTTP requests
3 Binds the access list to the interface


Page 23: Example: Evaluation

Expert knowledge about netfilter iptables and Cisco PIX is required:
Its syntax
Its execution semantics

The topology has to be known to ease the understanding of the policy of the individual firewalls.

All the firewalls have to be taken into account to derive a global policy.

Some numbers: M = number of firewalls, N = number of rules
Big companies: M >> N (example: BNP network, M ≈ 1000, N ≈ 100)
Small companies: N >> M

Manual approach? For corporate networks, M (potentially from different vendors) and N are big enough to make the task very hard.


Page 26: Approach

Solution? Raise the abstraction level:
Abstracts from low-level system specificities
Abstracts from topology
Simplifies management of the policy

Our proposal: a model-driven extraction process towards a network access-control model representing the global policy of the system.


Page 28: Approach

Page 29: Approach: Injection

Mere translation between technical spaces:
No information loss
Same abstraction level

Requirements: for each rule-filtering language we need
A PSM (platform-specific model)
A parser
An injector

We can obtain these by providing the language grammar to XTEXT.


Page 32: Implementation: XTEXT

    Model:
        rules += Rule*;

    Rule:
        AccessGroup | AccessList;

    AccessGroup:
        'access-group' id=ID 'in' 'interface' interface=Interface;

    Interface:
        id=ID;

    AccessList:
        ('no')? 'access-list' id=ID
        decision=('deny' | 'permit')
        protocol=Protocol
        protocolObjectGroup=ProtocolObjectGroup
        serviceObjectGroup=ServiceObjectGroup
        networkObjectGroup=NetworkObjectGroup;

    ProtocolObjectGroup:
        (pogId=ID)? sourceAddress=IPExpr sourceMask=MaskExpr;

    ServiceObjectGroup:
        targetAddress=IPExpr targetMask=IPExpr;

    NetworkObjectGroup:
        operator=Operator port=INT;

    Operator:
        name=('eq' | 'lt' | 'gt');

    Protocol:
        name=('tcp' | 'udp' | 'ip');

    IPExpr:
        INT '.' INT '.

Figure: Cisco Metamodel excerpt

Page 33: Implementation: XTEXT

    Model:
        rules += Rule*;

    Rule:
        declaration=ChainDeclaration | filter=FilterDeclaration;

    FilterDeclaration:
        filter=FilteringSpec;

    FilteringSpec:
        FilterSpec;

    FilterSpec:
        'iptables' option=('-A' | '-D' | '-P') chain=Chain
        (('-src' | '-s') ip=IPExpr)?
        ('-i' interface=Interface)?
        ('-d' ipDst=IPExpr)?
        ('-p' protocol=Protocol)?
        ('-m' matches=Protocol)?
        ('--sport' sourcePort=INT)?
        ('--dport' destinationPort=INT)?
        ('-j')? target=Target;

    Interface:
        name=ID;

    Protocol:
        Tcp | Udp | Icmp;

    Target:
        ID;

    Chain:
        chainName=ID;

    CustomChain:
        name=[ChainName];

    ChainDeclaration:
        'iptables' '-N' ChainName;

    ChainName:
        name=ID;

    IPExpr:
        INT '.' INT '.

Figure: Iptables Metamodel excerpt


Page 36: Approach: PSM2PIM

Simplest PIM (platform-independent model): R_i : {conditions} → {decision}
i: order within the conf file
conditions: a set of rule-matching attributes, like the IP source address
decision: accept or deny

Problems?
Highly redundant and disperse
Not suited to represent exception-oriented access control
Anomalies (positive/negative logic conflicts + execution algorithm)
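The injection step of pages 29 to 33 and the "simplest PIM" of this slide, worked through in Python as an added example (this is not the AtlanMod tooling, which generates its parsers from Xtext grammars): the FW1 iptables script and the FW2 PIX access list from the earlier slides are read into ordered (conditions -> decision) records, one per firewall. Beyond a pure injection it already applies the iptables execution semantics the evaluation slide asks expertise for: a jump into a custom chain followed by RETURN falls back to the FORWARD default policy, which is exactly how "local hosts are not allowed to use services" arises. The `Rule` record, the chain-flattening logic, the `OPTS` flag table and the PIX regular expression are assumptions of this example; the sample inputs are constructed from the slides.

```python
import re
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    """Simplest PIM record: ordered matching conditions -> decision, tagged by firewall."""
    firewall: str
    order: int
    src: str              # canonical CIDR, e.g. '111.222.2.54/32'
    dst: str
    proto: str            # 'tcp', 'udp', 'ip' or 'any'
    dport: Optional[int]
    decision: str         # 'accept' or 'deny'

def _cidr(text):
    """Normalise host, CIDR or 'net/mask' notation to canonical CIDR."""
    return str(ipaddress.ip_network(text if "/" in text else text + "/32"))

def _intersect(jump, step):
    """Conditions a packet must meet to match the FORWARD jump rule AND a rule of the
    custom chain it jumped to; None if no packet can match both."""
    out = {}
    for key in ("src", "dst"):
        a, b = ipaddress.ip_network(jump[key]), ipaddress.ip_network(step[key])
        if not (a.subnet_of(b) or b.subnet_of(a)):
            return None
        out[key] = str(b if b.subnet_of(a) else a)          # keep the narrower network
    for key, wild in (("proto", "any"), ("dport", None)):
        if wild not in (jump[key], step[key]) and jump[key] != step[key]:
            return None
        out[key] = step[key] if jump[key] == wild else jump[key]
    return out

OPTS = {"-s": "src", "--src": "src", "-d": "dst", "-p": "proto", "--dport": "dport", "-j": "target"}

def parse_iptables(lines, firewall="fw1"):
    """Flatten an iptables script into ordered rules, applying its execution semantics:
    -j <chain> walks the custom chain in order, ACCEPT/DROP are terminal, and RETURN
    hands the packet back to FORWARD where, nothing following the jump, -P decides."""
    policy, chains = {}, {}
    for line in lines:
        tok = line.split()
        if len(tok) < 4 or tok[0] != "iptables":
            continue                                          # blank lines, -N declarations
        if tok[1] == "-P":
            policy[tok[2]] = tok[3]
        elif tok[1] == "-A":
            m = {"src": "0.0.0.0/0", "dst": "0.0.0.0/0", "proto": "any", "dport": None, "target": None}
            for flag, val in zip(tok[3::2], tok[4::2]):       # each option used here takes one value
                key = OPTS.get(flag)
                if key:
                    m[key] = _cidr(val) if key in ("src", "dst") else int(val) if key == "dport" else val
            chains.setdefault(tok[2], []).append(m)
    rules = []
    for jump in chains.get("FORWARD", []):
        body = chains.get(jump["target"])                     # custom chain body, None if terminal
        for step in (body if body is not None else [jump]):
            m = jump if step is jump else _intersect(jump, step)
            if m is None:
                continue                                      # no packet reaches this combination
            action = policy.get("FORWARD", "DROP") if step["target"] == "RETURN" else step["target"]
            rules.append(Rule(firewall, len(rules), m["src"], m["dst"], m["proto"], m["dport"],
                              "accept" if action == "ACCEPT" else "deny"))
    return rules

PIX_RE = re.compile(r"access-list\s+\S+\s+(permit|deny)\s+(tcp|udp|ip)\s+"
                    r"(?:host\s+(\S+)|(\S+)\s+(\S+))\s+(?:host\s+(\S+)|(\S+)\s+(\S+))"
                    r"(?:\s+eq\s+(\d+))?\s*$")

def parse_pix(lines, firewall="fw2"):
    """Cisco PIX access-list lines, in file order, -> rules (remarks and access-group carry no match)."""
    addr = lambda host, net, mask: _cidr(host) if host else str(ipaddress.ip_network(f"{net}/{mask}"))
    rules = []
    for line in lines:
        m = PIX_RE.match(line.strip())
        if m:
            dec, proto, sh, sn, sm, dh, dn, dm, port = m.groups()
            rules.append(Rule(firewall, len(rules), addr(sh, sn, sm), addr(dh, dn, dm), proto,
                              int(port) if port else None, "accept" if dec == "permit" else "deny"))
    return rules

# Constructed inputs, taken from the FW1 and FW2 slides (SMTP rules only).
FW1_CONF = """iptables -P FORWARD DROP
iptables -N Out_SMTP
iptables -A FORWARD -s 111.222.1.17 -d 0.0.0.0/0 -p tcp --dport 25 -j Out_SMTP
iptables -A Out_SMTP -d 111.222.0.0/16 -j RETURN
iptables -A Out_SMTP -j ACCEPT
iptables -N In_SMTP
iptables -A FORWARD -s 0.0.0.0/0 -d 111.222.1.17 -p tcp --dport 25 -j In_SMTP
iptables -A In_SMTP -s 111.222.0.0/16 -j RETURN
iptables -A In_SMTP -j ACCEPT""".splitlines()
FW2_CONF = """access-list eth1_acl_in remark Fw2Policy 0 (global)
access-list eth1_acl_in deny tcp host 111.222.2.54 host 111.222.1.17 eq 25
access-list eth1_acl_in permit tcp 111.222.2.0 255.255.255.0 host 111.222.1.17 eq 25
access-group eth1_acl_in in interface eth1""".splitlines()
FW1_RULES = parse_iptables(FW1_CONF)
FW2_RULES = parse_pix(FW2_CONF)
```

The flattened FW1 output makes the RETURN semantics explicit: the Out_SMTP chain yields a deny for 111.222.1.17 -> 111.222.0.0/16 on tcp/25 (order 0) followed by the accept towards everything else (order 1), which is the shape Algorithm 1 later turns into an accept with an exception.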


Page 38: Metamodel

Network Access-control Metamodel:
Platform-independent
Supports the representation of exceptions
Supports the identification of anomalies

Page 39: PSM2PIM

First step: transform the PSM into the corresponding PIM.

Rule shadowing: a rule R is shadowed when it never applies because another rule with higher priority matches all the packets it may match.
Rule redundancy: a rule R is redundant when it is not shadowed and removing it from the rule set does not change the security policy.
Rule irrelevance: a rule R is irrelevant when it is meant to match packets that do not pass through the given firewall.

Second step: PIM refinement
Improves internal organization: representation of exceptions
Detection of anomalies

Page 40: PSM2PIM refining algorithm 1

Algorithm 1

    1:  C ← All Connections
    2:  C_accept ← C_i ∈ C (C_i.decision = Accept)
    3:  for each C_i ∈ C_accept do
    4:      C_deny ← C_j ∈ C (C_j.decision = Deny and matched(C_j) ⊆ matched(C_i))
    5:      for each C_j ∈ C_deny do
    6:          if C_j.order < C_i.order then
    7:              Create Exception
    8:              Remove C_j
    9:          else
    10:             C_j.isShadowed ← true
    11:         end if
    12:     end for
    13: end for
    14: C_deny ← C_j ∈ C (C_j.decision = Deny and C_j.isShadowed = false)
    15: for each C_j ∈ C_deny do
    16:     C_j.isRedundant ← true
    17: end for


Page 42: Implementation: ATL

    rule deleteDeny {
        from
            s : NetworkAC!Connection (
                s.decision = #Deny and thisModule.TotalExceptionRules.includes(s))
        to
            drop
            t : NetworkAC!Exception (
                decision <- s.decision,
                dstPort  <- s.dstPort,
                firewall <- s.firewall,
                order    <- s.order,
                protocol <- s.protocol,
                source   <- s.source,
                srcPort  <- s.srcPort,
                target   <- s.target
            )
    }

    rule MarkShadowed {
        from
            s : NetworkAC!Connection (
                s.decision = #Deny and thisModule.ShadowedRules.includes(s))
        to
            t : NetworkAC!Connection (
                isShadowed <- true
            )
    }

    rule MarkRedundant {
        from
            s : NetworkAC!Connection (
                s.decision = #Deny
                and thisModule.ShadowedRules.excludes(s)
                and thisModule.TotalExceptionRules.excludes(s))
        to
            t : NetworkAC!Connection (
                isRedundant <- true
            )
    }


Page 45: PIM Aggregation

An individual firewall gives only a partial vision of the security enforced in the whole network. E.g., access to the SMTP service is managed by both firewalls, one allowing the access from the public hosts and one allowing the access from the intranet.

We need to aggregate the individual models!!

REVERSIBLE: each Connection keeps its original firewall and rule ordering.

GlobalModel = M_i ∪ M_j ∪ ... ∪ M_n

Refinement to assign types to Network Elements

Page 46: Approach

Page 47: Applications: Refinement

Individual firewalls may contain only locally relevant information.
We need to discern between locally and globally relevant information!!
The global model is easier to understand
Isolate the policy from the enforcement topology

Algorithm 2

    1:  C ← All Connections
    2:  E ← All Exceptions
    3:  for each E_i ∈ E do
    4:      L ← C_i ∈ C (C_i.firewall ≠ E_i.firewall and matched(C_i) ⊆ matched(E_i))
    5:      if L ≠ ∅ then
    6:          E_i.isLocal ← true
    7:          for each C_i ∈ L do
    8:              C_i.isLocal ← true
    9:          end for
    10:     end if
    11: end for
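Algorithm 1 (page 40), the reversible aggregation of page 45, Algorithm 2 above and the connection query of the next slide, implemented together in Python as an added example; this is not the project's ATL transformation. The `Connection` record, the `matched_subset` subsumption test (CIDR containment plus protocol and port wildcards) and the per-firewall driver `analyse` are assumptions of this example. The input is constructed from the FW1 slide (iptables, already flattened to conditions -> decision) and the FW2 slide (PIX), plus two extra FW2 rules, orders 6 and 7, added so that one deny is shadowed and one is redundant.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Connection:
    """A PIM Connection: match conditions + decision, tagged with its firewall and file order."""
    firewall: str
    order: int
    src: str                 # CIDR
    dst: str                 # CIDR
    proto: str
    dport: Optional[int]
    decision: str            # 'accept' or 'deny'
    is_shadowed: bool = False
    is_redundant: bool = False
    is_local: bool = False

def matched_subset(inner, outer):
    """matched(inner) ⊆ matched(outer): every packet `inner` matches, `outer` matches too."""
    return (ipaddress.ip_network(inner.src).subnet_of(ipaddress.ip_network(outer.src))
            and ipaddress.ip_network(inner.dst).subnet_of(ipaddress.ip_network(outer.dst))
            and outer.proto in ("any", inner.proto)
            and outer.dport in (None, inner.dport))

def refine(connections):
    """Algorithm 1 (one firewall). Returns (remaining connections, [(exception, accept rule)])."""
    remaining = list(connections)
    exceptions = []
    for ci in [c for c in connections if c.decision == "accept"]:
        for cj in [c for c in remaining if c.decision == "deny" and matched_subset(c, ci)]:
            if cj.order < ci.order:            # earlier, narrower deny carves a hole in ci
                exceptions.append((cj, ci))
                remaining.remove(cj)
            else:                              # ci already accepted everything cj could match
                cj.is_shadowed = True
    for cj in remaining:                       # denies no accept covers: the default policy
        if cj.decision == "deny" and not cj.is_shadowed:   # already drops that traffic
            cj.is_redundant = True
    return remaining, exceptions

def mark_local(connections, exceptions):
    """Algorithm 2 (aggregated model): an exception whose traffic is fully covered by a
    connection on another firewall is local to its enforcement point, as are those connections."""
    for ex, _ in exceptions:
        covered = [c for c in connections if c.firewall != ex.firewall and matched_subset(c, ex)]
        if covered:
            ex.is_local = True
            for c in covered:
                c.is_local = True

def exists_connection(connections, src_ip, dst_ip):
    """The OCL query of the 'Metrics & queries' slide, over the refined model's Connections."""
    return any(c.src == src_ip + "/32" and c.dst == dst_ip + "/32" for c in connections)

def sample_model():
    """Constructed input: FW1's flattened iptables rules and FW2's PIX rules from the slides,
    plus two extra FW2 rules (orders 6 and 7) to exhibit a shadowed and a redundant deny."""
    c = lambda fw, o, s, d, p, dec: Connection(fw, o, s, d, "tcp", p, dec)
    srv, local = "111.222.1.17/32", "111.222.0.0/16"
    fw1 = [c("fw1", 0, srv, local, 25, "deny"), c("fw1", 1, srv, "0.0.0.0/0", 25, "accept"),
           c("fw1", 2, local, srv, 25, "deny"), c("fw1", 3, "0.0.0.0/0", srv, 25, "accept"),
           c("fw1", 4, local, srv, 80, "deny"), c("fw1", 5, "0.0.0.0/0", srv, 80, "accept")]
    fw2 = [c("fw2", 0, "111.222.2.54/32", srv, 25, "deny"), c("fw2", 1, "111.222.2.53/32", srv, 25, "deny"),
           c("fw2", 2, "111.222.2.0/24", srv, 25, "accept"),
           c("fw2", 3, "111.222.2.54/32", srv, 80, "deny"), c("fw2", 4, "111.222.2.53/32", srv, 80, "deny"),
           c("fw2", 5, "111.222.2.0/24", srv, 80, "accept"),
           c("fw2", 6, "111.222.2.53/32", srv, 25, "deny"),    # after the accept: shadowed
           c("fw2", 7, "111.222.2.0/24", srv, 443, "deny")]    # no accept covers it: redundant
    return fw1, fw2

def analyse():
    """Refine each firewall, aggregate (reversibly: firewall and order are kept), mark local."""
    connections, exceptions = [], []
    for fw in sample_model():
        rem, exc = refine(fw)
        connections += rem
        exceptions += exc
    mark_local(connections, exceptions)
    return connections, exceptions
```

On this input every deny that precedes its accept becomes an exception, the extra order-6 deny is flagged shadowed, the order-7 deny redundant, and FW1's "local hosts are not allowed" exceptions are marked local because FW2 fully covers that intranet traffic. The administrator query then returns false, as on the slide, because 111.222.2.54 survives only as an Exception, not as a Connection.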

Page 48: Applications: Metrics & queries

We query our model for the existence of any connection allowing the administrator host (111.222.2.54) to connect to the server (111.222.1.17):

Evaluating:

    self.connections->exists(e | e.source.ipAddr = '111.222.2.54' and e.target.ipAddr = '111.222.1.17')

Results:

    false


Page 50: Applications: Visualization

Figure: Extracted network topology

Page 51: Model-driven Extraction and Analysis of Network Security Policies (at MoDELS'13)

Approach


Applications: PIM 2 XACML

XACML        PIM Metamodel
PolicySet    A PolicySet containing a Policy is created for each firewall in the PIM
Policy       All the Connections and Exceptions belonging to a given firewall
Rule         A single Connection or Exception
Subject      Source NetworkElement address and source port of a given Connection or Exception
Resource     Target NetworkElement address and target port of a given Connection or Exception
Action       Not mapped. The action is always the ability of sending a message.
Condition    Protocol field

Table: PIM to XACML Mappings


Applications: PIM 2 XACML

<Rule Effect="Deny" RuleId="1">
  <Description />
  <Target>
    <Subjects>
      <Subject>
        <SubjectMatch MatchId="">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">111.222.2.54</AttributeValue>
          <SubjectAttributeDesignator />
        </SubjectMatch>
      </Subject>
    </Subjects>
    <Resources>
      <Resource>
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">111.222.1.17</AttributeValue>
          <ResourceAttributeDesignator />
        </ResourceMatch>
      </Resource>
    </Resources>
  </Target>
  <Condition>
    <SubjectAttributeDesignator AttributeId="protocol" DataType="http://www.w3.org/2001/XMLSchema#string" />
  </Condition>
</Rule>
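An added Python example of the PIM to XACML mapping from the table above, generating a Rule with the shape of the listing just shown; it is not the project's own XPAND template. The PimRule class, the attribute ids source-ip and target-ip, and writing the protocol Condition as a string-equal Apply are assumptions.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"

# Hypothetical PIM element: a Connection (Permit) or an Exception (Deny) of one firewall.
@dataclass
class PimRule:
    rule_id: str
    firewall: str
    source_ip: str
    target_ip: str
    protocol: str
    is_exception: bool

def _match(parent, match_tag, designator_tag, attribute_id, value):
    # <XMatch MatchId=string-equal><AttributeValue>value</AttributeValue><XDesignator/></XMatch>
    match = ET.SubElement(parent, match_tag, MatchId=STRING_EQUAL)
    ET.SubElement(match, "AttributeValue", DataType=XS_STRING).text = value
    ET.SubElement(match, designator_tag, AttributeId=attribute_id, DataType=XS_STRING)

def rule_to_xacml(rule: PimRule) -> ET.Element:
    """Rule <- Connection/Exception, Subject <- source address, Resource <- target
    address, Condition <- protocol field; Action is deliberately not mapped."""
    xrule = ET.Element("Rule", Effect="Deny" if rule.is_exception else "Permit",
                       RuleId=rule.rule_id)
    target = ET.SubElement(xrule, "Target")
    subject = ET.SubElement(ET.SubElement(target, "Subjects"), "Subject")
    _match(subject, "SubjectMatch", "SubjectAttributeDesignator", "source-ip", rule.source_ip)
    resource = ET.SubElement(ET.SubElement(target, "Resources"), "Resource")
    _match(resource, "ResourceMatch", "ResourceAttributeDesignator", "target-ip", rule.target_ip)
    # Assumption: the protocol Condition is an Apply of string-equal so a PDP can evaluate it.
    apply = ET.SubElement(ET.SubElement(xrule, "Condition"), "Apply", FunctionId=STRING_EQUAL)
    ET.SubElement(apply, "SubjectAttributeDesignator", AttributeId="protocol", DataType=XS_STRING)
    ET.SubElement(apply, "AttributeValue", DataType=XS_STRING).text = rule.protocol
    return xrule

def firewall_to_policy_set(firewall: str, rules: list) -> ET.Element:
    """PolicySet <- one per firewall; Policy <- that firewall's Connections and Exceptions."""
    policy_set = ET.Element("PolicySet", PolicySetId=f"{firewall}-policyset")
    policy = ET.SubElement(policy_set, "Policy", PolicyId=f"{firewall}-policy")
    for rule in rules:
        if rule.firewall == firewall:
            policy.append(rule_to_xacml(rule))
    return policy_set

# Constructed sample: the slides' admin-to-server exception plus a permitted web connection.
SAMPLE_RULES = [
    PimRule("1", "fw1", "111.222.2.54", "111.222.1.17", "tcp", is_exception=True),
    PimRule("2", "fw1", "111.222.2.0/24", "111.222.1.17", "tcp", is_exception=False),
]
```

`ET.tostring(firewall_to_policy_set("fw1", SAMPLE_RULES))` serializes the PolicySet for fw1 with both rules nested under its Policy.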


Implementation

Eclipse-based implementation

EMF as modelling framework

XTEXT as DSL definition framework

ATL as transformation framework

XPAND as Model to Text framework

http://www.emn.fr/z-info/atlanmod/index.php/Firewall_Reverse_Engineering


Conclusions & Future Works

MDE succeeds in isolating the policy from low-level specificities

Easier to understand

Easier to manipulate (reusability of proved MDE tools)

Enables migration and evolution.

Future Works

Extend to other network components such as MPLS routers, IDS, etc

Extend XACML with network-specific attributes

Apply our approach to real corporate networks


Thank you!

Contact:

Salvador Martínez, AtlanMod, INRIA and Ecole des Mines de Nantes

salvador.martinez [email protected]
