33 research outputs found
A Quadratic, Complete, and Minimal Consistency Diagnosis Process for Firewall ACLs
Developing and managing firewall Access Control
Lists (ACLs) are hard, time-consuming, and error-prone tasks
for a variety of reasons. Complexity of networks is constantly
increasing, as it is the size of firewall ACLs. Networks have
different access control requirements which must be translated
by a network administrator into firewall ACLs. During this task,
inconsistent rules can be introduced in the ACL. Furthermore,
each time a rule is modified (e.g. updated, corrected when a fault
is found, etc.) a new inconsistency with other rules can be
introduced. An inconsistent firewall ACL implies, in general, a
design or development fault, and indicates that the firewall is
accepting traffic that should be denied or vice versa. In this paper
we propose a complete and minimal consistency diagnosis process
which has worst-case quadratic time complexity with the number
of rules in a set of inconsistent rules. There are other proposals of
consistency diagnosis algorithms. However they have different
problems which can prevent their use with big, real-life, ACLs:
on the one hand, the minimal ones have exponential worst-case
time complexity; on the other hand, the polynomial ones are not
minimal.Ministerio de Eduación y Ciencia TIN2009-1371
Model-Based Development of firewall rule sets: Diagnosing model inconsistencies
The design and management of firewall rule sets is a very difficult and error-prone task because of the
difficulty of translating access control requirements into complex low-level firewall languages. Although
high-level languages have been proposed to model firewall access control lists, none has been widely
adopted by the industry. We think that the main reason is that their complexity is close to that of many
existing low-level languages. In addition, none of the high-level languages that automatically generate
firewall rule sets verifies the model prior to the code-generation phase. Error correction in the early
stages of the development process is cheaper compared to the cost associated with correcting errors in
the production phase. In addition, errors generated in the production phase usually have a huge impact
on the reliability and robustness of the generated code and final system.
In this paper, we propose the application of the ideas of Model-Based Development to firewall access control
list modelling and automatic rule set generation. First, an analysis of the most widely used firewall
languages in the industry is conducted. Next, a Platform-Independent Model for firewall ACLs is proposed.
This model is the result of exhaustive analysis and of a discussion of different alternatives for models
in a bottom-up methodology. Then, it is proposed that a verification stage be added in the early stages
of the Model-Based Development methodology, and a polynomial time complexity process and algorithms
are proposed to detect and diagnose inconsistencies in the Platform-Independent Model. Finally,
a theoretical complexity analysis and empirical tests with real models were conducted, in order to prove
the feasibility of our proposal in real environments
Monitoring and verifying network behavior using data-plane state
Modern computer networks are complex, incorporating hundreds or thousands of network devices from multiple vendors performing diverse functions such as routing, switching, and access control across physical and virtual networks (VPNs and VLANs). As in any complex computer system, these networks are prone to a wide range of errors such as misconfigurations, software bugs, or unexpected interactions across protocols. Previous tools to assist operators in debugging network anomalies primarily focus on analyzing control plane configuration. Configuration analysis is limited in that it cannot find bugs in router software, and is harder to generalize across protocols since it must model complex configuration languages and dynamic protocol behavior.
This thesis studies an alternate approach: diagnosing problems through static analysis of a network's data-plane state. We call it data-plane verification. This approach can catch bugs that are invisible at the level of configuration files, and simplifies unified analysis of a network across many protocols and implementations. To prove the applicability and usefulness of data-plane verification, we designed and implemented two tools to rigorously check important network invariants, such as absence of routing loops, routing consistency of replicated devices, and other reachability properties. Our first tool, called Anteater, translates a network's data-plane state and invariants into boolean satisfiability problems, and checks them using a SAT solver. Our second tool, called VeriFlow, creates a device independent graph model of the network state, and uses standard graph traversal algorithms to detect invariant violations.
We tested our tools with real world network data-plane traces, and with large emulated networks. Both of our tools were able to detect real bugs that went unnoticed to network operators for more than a month. Our tools helped them to narrow down the faulty configurations, and resolve those quickly. Results from emulated larger networks showed that the running time performance of our tools, especially that of VeriFlow, is good enough to detect bugs quickly before they can be exploited by outside attackers. Due to the fast response time of VeriFlow, it can be used in the emerging Software-Defined Networking (SDN) setting as a proactive tool to detect and filter out faulty configurations before they reach network devices
A Survey on Data Plane Programming with P4: Fundamentals, Advances, and Applied Research
With traditional networking, users can configure control plane protocols to
match the specific network configuration, but without the ability to
fundamentally change the underlying algorithms. With SDN, the users may provide
their own control plane, that can control network devices through their data
plane APIs. Programmable data planes allow users to define their own data plane
algorithms for network devices including appropriate data plane APIs which may
be leveraged by user-defined SDN control. Thus, programmable data planes and
SDN offer great flexibility for network customization, be it for specialized,
commercial appliances, e.g., in 5G or data center networks, or for rapid
prototyping in industrial and academic research. Programming
protocol-independent packet processors (P4) has emerged as the currently most
widespread abstraction, programming language, and concept for data plane
programming. It is developed and standardized by an open community and it is
supported by various software and hardware platforms. In this paper, we survey
the literature from 2015 to 2020 on data plane programming with P4. Our survey
covers 497 references of which 367 are scientific publications. We organize our
work into two parts. In the first part, we give an overview of data plane
programming models, the programming language, architectures, compilers,
targets, and data plane APIs. We also consider research efforts to advance P4
technology. In the second part, we analyze a large body of literature
considering P4-based applied research. We categorize 241 research papers into
different application domains, summarize their contributions, and extract
prototypes, target platforms, and source code availability.Comment: Submitted to IEEE Communications Surveys and Tutorials (COMS) on
2021-01-2
Static Analysis of Computer Networks
Některé problémy v konfiguracích síťových zařízení jsou těžko identifikovatelné. Důležitou částí mnoha konfigurací jsou přístupové seznamy, ve kterých konflikty mezi pravidly mohou způsobit mezery v bezpečnostní politice nebo v kvalitě služeb. Tato práce je zaměřena právě na identifikaci a klasifikaci konfliktů mezi pravidly přístupového seznamu jednoho zařízení. Tento úkol není triviální, pokud chceme identifikovat všechny možné druhy konfliktů. V práci je uveden optimalizovaný algoritmus na kompletní analýzu přístupového seznamu s využitím binárních prefixových stromů, založený na existujícím výzkumu Baboescu a Varghese. S jeho použitím byl implementován nástroj schopný detekovat konflikty mezi pravidly přístupového seznamu zařízení Cisco, HP nebo Juniper. Kvůli menším paměťovým nárokům jsou bitové vektory v prefixových stromech komprimované WAH kompresní metodu. Implementovaný nástroj byl otestován s ohledem na správnost a výkonnost. Testy potvrdily potenciál použitého řešení výrazně urychlit analýzu přístupových seznamů.Some problems in configurations of network devices are difficult to identify. Access control lists present an important part of many configurations. Conflicts among rules of an access control list can cause holes in security policy or quality of service. In this paper we focus on identifying and classifying conflicts among rules of an access control list. Discovering all possible types of conflicts is not a trivial task. We present optimized algorithm for complete access control list analysis using tries, based on existing research by Baboescu and Varghese. The tool for detecting conflicts among access control list rules of one given Cisco, HP or Juniper device using tries based algorithm has been implemented. Bit vectors in tries use WAH compression method to reduce memory consumption. Implemented tool was tested for correctness and performance. The hypothesis that this solution would make the analysis of access lists significantly faster has been proven.
Aeronautical Engineering: A continuing bibliography, supplement 116
This bibliography lists 550 reports, articles, and other documents introduced into the NASA scientific and technical information system in November 1979
A Heuristic Process for Local Inconsistency Diagnosis in Firewall Rule Sets 1
Abstract — Writing and managing firewall ACLs are hard and error-prone tasks for a wide range of reasons. During these tasks, inconsistent rules can be introduced. An inconsistent firewall ACL implies in general a design error, and indicates that the firewall is accepting traffic that should be denied or vice versa. However, the administrator is who ultimately decides if an inconsistent rule is a fault or not. Although many algorithms to diagnose inconsistencies in firewall ACLs have been proposed, they have different drawbacks regarding many aspects of the consistency management problem, which can prevent their use in a wide range of real-life situations. The most important one is that they give complete and minimal results, but their algorithmic complexity is too high, making the problem intractable for even reasonably-sized ACLs. In this paper we present an analysis of the consistency diagnosis problem in firewall ACLs. Based on this analysis, we propose to split the process in several parts that can be solved sequentially: inconsistency detection and isolation, inconsistent rules identification, and inconsistency characterization. Our algorithms are the first which can solve the detection, isolation, and identification problems in quadratic time complexity, giving complete but not necessarily minimal results. A theoretical complexity analysis as well as experimental results with real ACLs is given. Index Terms — diagnosis, consistency, conflict, anomaly, firewall, acl, rulese
Computer Aided Verification
The open access two-volume set LNCS 11561 and 11562 constitutes the refereed proceedings of the 31st International Conference on Computer Aided Verification, CAV 2019, held in New York City, USA, in July 2019. The 52 full papers presented together with 13 tool papers and 2 case studies, were carefully reviewed and selected from 258 submissions. The papers were organized in the following topical sections: Part I: automata and timed systems; security and hyperproperties; synthesis; model checking; cyber-physical systems and machine learning; probabilistic systems, runtime techniques; dynamical, hybrid, and reactive systems; Part II: logics, decision procedures; and solvers; numerical programs; verification; distributed systems and networks; verification and invariants; and concurrency