A Quadratic, Complete, and Minimal Consistency Diagnosis Process for Firewall ACLs

Developing and managing firewall Access Control Lists (ACLs) are hard, time-consuming, and error-prone tasks for a variety of reasons. Complexity of networks is constantly increasing, as it is the size of firewall ACLs. Networks have different access control requirements which must be translated by a network administrator into firewall ACLs. During this task, inconsistent rules can be introduced in the ACL. Furthermore, each time a rule is modified (e.g. updated, corrected when a fault is found, etc.) a new inconsistency with other rules can be introduced. An inconsistent firewall ACL implies, in general, a design or development fault, and indicates that the firewall is accepting traffic that should be denied or vice versa. In this paper we propose a complete and minimal consistency diagnosis process which has worst-case quadratic time complexity with the number of rules in a set of inconsistent rules. There are other proposals of consistency diagnosis algorithms. However they have different problems which can prevent their use with big, real-life, ACLs: on the one hand, the minimal ones have exponential worst-case time complexity; on the other hand, the polynomial ones are not minimal.Ministerio de Eduación y Ciencia TIN2009-1371

Model-Based Development of firewall rule sets: Diagnosing model inconsistencies

The design and management of firewall rule sets is a very difficult and error-prone task because of the difficulty of translating access control requirements into complex low-level firewall languages. Although high-level languages have been proposed to model firewall access control lists, none has been widely adopted by the industry. We think that the main reason is that their complexity is close to that of many existing low-level languages. In addition, none of the high-level languages that automatically generate firewall rule sets verifies the model prior to the code-generation phase. Error correction in the early stages of the development process is cheaper compared to the cost associated with correcting errors in the production phase. In addition, errors generated in the production phase usually have a huge impact on the reliability and robustness of the generated code and final system. In this paper, we propose the application of the ideas of Model-Based Development to firewall access control list modelling and automatic rule set generation. First, an analysis of the most widely used firewall languages in the industry is conducted. Next, a Platform-Independent Model for firewall ACLs is proposed. This model is the result of exhaustive analysis and of a discussion of different alternatives for models in a bottom-up methodology. Then, it is proposed that a verification stage be added in the early stages of the Model-Based Development methodology, and a polynomial time complexity process and algorithms are proposed to detect and diagnose inconsistencies in the Platform-Independent Model. Finally, a theoretical complexity analysis and empirical tests with real models were conducted, in order to prove the feasibility of our proposal in real environments

Monitoring and verifying network behavior using data-plane state

Modern computer networks are complex, incorporating hundreds or thousands of network devices from multiple vendors performing diverse functions such as routing, switching, and access control across physical and virtual networks (VPNs and VLANs). As in any complex computer system, these networks are prone to a wide range of errors such as misconfigurations, software bugs, or unexpected interactions across protocols. Previous tools to assist operators in debugging network anomalies primarily focus on analyzing control plane configuration. Configuration analysis is limited in that it cannot find bugs in router software, and is harder to generalize across protocols since it must model complex configuration languages and dynamic protocol behavior. This thesis studies an alternate approach: diagnosing problems through static analysis of a network's data-plane state. We call it data-plane verification. This approach can catch bugs that are invisible at the level of configuration files, and simplifies unified analysis of a network across many protocols and implementations. To prove the applicability and usefulness of data-plane verification, we designed and implemented two tools to rigorously check important network invariants, such as absence of routing loops, routing consistency of replicated devices, and other reachability properties. Our first tool, called Anteater, translates a network's data-plane state and invariants into boolean satisfiability problems, and checks them using a SAT solver. Our second tool, called VeriFlow, creates a device independent graph model of the network state, and uses standard graph traversal algorithms to detect invariant violations. We tested our tools with real world network data-plane traces, and with large emulated networks. Both of our tools were able to detect real bugs that went unnoticed to network operators for more than a month. Our tools helped them to narrow down the faulty configurations, and resolve those quickly. Results from emulated larger networks showed that the running time performance of our tools, especially that of VeriFlow, is good enough to detect bugs quickly before they can be exploited by outside attackers. Due to the fast response time of VeriFlow, it can be used in the emerging Software-Defined Networking (SDN) setting as a proactive tool to detect and filter out faulty configurations before they reach network devices

A Survey on Data Plane Programming with P4: Fundamentals, Advances, and Applied Research

With traditional networking, users can configure control plane protocols to match the specific network configuration, but without the ability to fundamentally change the underlying algorithms. With SDN, the users may provide their own control plane, that can control network devices through their data plane APIs. Programmable data planes allow users to define their own data plane algorithms for network devices including appropriate data plane APIs which may be leveraged by user-defined SDN control. Thus, programmable data planes and SDN offer great flexibility for network customization, be it for specialized, commercial appliances, e.g., in 5G or data center networks, or for rapid prototyping in industrial and academic research. Programming protocol-independent packet processors (P4) has emerged as the currently most widespread abstraction, programming language, and concept for data plane programming. It is developed and standardized by an open community and it is supported by various software and hardware platforms. In this paper, we survey the literature from 2015 to 2020 on data plane programming with P4. Our survey covers 497 references of which 367 are scientific publications. We organize our work into two parts. In the first part, we give an overview of data plane programming models, the programming language, architectures, compilers, targets, and data plane APIs. We also consider research efforts to advance P4 technology. In the second part, we analyze a large body of literature considering P4-based applied research. We categorize 241 research papers into different application domains, summarize their contributions, and extract prototypes, target platforms, and source code availability.Comment: Submitted to IEEE Communications Surveys and Tutorials (COMS) on 2021-01-2

Static Analysis of Computer Networks

Některé problémy v konfiguracích síťových zařízení jsou těžko identifikovatelné. Důležitou částí mnoha konfigurací jsou přístupové seznamy, ve kterých konflikty mezi pravidly mohou způsobit mezery v bezpečnostní politice nebo v kvalitě služeb. Tato práce je zaměřena právě na identifikaci a klasifikaci konfliktů mezi pravidly přístupového seznamu jednoho zařízení. Tento úkol není triviální, pokud chceme identifikovat všechny možné druhy konfliktů. V práci je uveden optimalizovaný algoritmus na kompletní analýzu přístupového seznamu s využitím binárních prefixových stromů, založený na existujícím výzkumu Baboescu a Varghese. S jeho použitím byl implementován nástroj schopný detekovat konflikty mezi pravidly přístupového seznamu zařízení Cisco, HP nebo Juniper. Kvůli menším paměťovým nárokům jsou bitové vektory v prefixových stromech komprimované WAH kompresní metodu. Implementovaný nástroj byl otestován s ohledem na správnost a výkonnost. Testy potvrdily potenciál použitého řešení výrazně urychlit analýzu přístupových seznamů.Some problems in configurations of network devices are difficult to identify. Access control lists present an important part of many configurations. Conflicts among rules of an access control list can cause holes in security policy or quality of service. In this paper we focus on identifying and classifying conflicts among rules of an access control list. Discovering all possible types of conflicts is not a trivial task. We present optimized algorithm for complete access control list analysis using tries, based on existing research by Baboescu and Varghese. The tool for detecting conflicts among access control list rules of one given Cisco, HP or Juniper device using tries based algorithm has been implemented. Bit vectors in tries use WAH compression method to reduce memory consumption. Implemented tool was tested for correctness and performance. The hypothesis that this solution would make the analysis of access lists significantly faster has been proven.

Aeronautical Engineering: A continuing bibliography, supplement 116

This bibliography lists 550 reports, articles, and other documents introduced into the NASA scientific and technical information system in November 1979

A Heuristic Process for Local Inconsistency Diagnosis in Firewall Rule Sets 1

Abstract — Writing and managing firewall ACLs are hard and error-prone tasks for a wide range of reasons. During these tasks, inconsistent rules can be introduced. An inconsistent firewall ACL implies in general a design error, and indicates that the firewall is accepting traffic that should be denied or vice versa. However, the administrator is who ultimately decides if an inconsistent rule is a fault or not. Although many algorithms to diagnose inconsistencies in firewall ACLs have been proposed, they have different drawbacks regarding many aspects of the consistency management problem, which can prevent their use in a wide range of real-life situations. The most important one is that they give complete and minimal results, but their algorithmic complexity is too high, making the problem intractable for even reasonably-sized ACLs. In this paper we present an analysis of the consistency diagnosis problem in firewall ACLs. Based on this analysis, we propose to split the process in several parts that can be solved sequentially: inconsistency detection and isolation, inconsistent rules identification, and inconsistency characterization. Our algorithms are the first which can solve the detection, isolation, and identification problems in quadratic time complexity, giving complete but not necessarily minimal results. A theoretical complexity analysis as well as experimental results with real ACLs is given. Index Terms — diagnosis, consistency, conflict, anomaly, firewall, acl, rulese

Computer Aided Verification

The open access two-volume set LNCS 11561 and 11562 constitutes the refereed proceedings of the 31st International Conference on Computer Aided Verification, CAV 2019, held in New York City, USA, in July 2019. The 52 full papers presented together with 13 tool papers and 2 case studies, were carefully reviewed and selected from 258 submissions. The papers were organized in the following topical sections: Part I: automata and timed systems; security and hyperproperties; synthesis; model checking; cyber-physical systems and machine learning; probabilistic systems, runtime techniques; dynamical, hybrid, and reactive systems; Part II: logics, decision procedures; and solvers; numerical programs; verification; distributed systems and networks; verification and invariants; and concurrency