Towards a Unified Modeling and Verification of Network and System Security Configurations

Access control configurations of systems and networks are usually analyzed independently, although they are logically combined to define the end-to-end security property. While system and application security policies define access control based on user identity or group, request type and the requested resource, network security policies use flow information such as source and destination host and service addresses to define access control. Both network and system access control therefore have to be configured consistently in order to enforce end-to-end security policies. Much previous research attempts to verify either side separately, but does not provide a unified approach to automatically validate the logical consistency between the two. In this paper, we introduce a cross-layer modeling and verification system that can analyze the configurations and policies across both application and network components as a single unit. It combines policies from different devices such as firewalls, NAT, routers and IPSec gateways, as well as basic RBAC-based policies of higher service layers. This allows analyzing, for example, firewall policies in the context of application access control and vice versa, providing a true end-to-end configuration verification tool. Our model represents the system as a state machine in which the packet header, service request and location determine the state, and transitions are established that conform to the configuration, device operations and packet values. We encode the model as Boolean functions using binary decision diagrams (BDDs). We use an extended version of computation tree logic (CTL) to provide more useful operators, and then apply it with symbolic model checking to prove the required properties or find counterexamples to them.
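As an added illustration (not the paper's tool or code), the following Python sketch builds the kind of state machine the abstract describes for a constructed configuration: a firewall, a NAT gateway and an RBAC-protected service, with explicit-state reachability standing in for the BDD-encoded symbolic fixpoint. It checks for the two cross-layer inconsistencies only a unified view exposes: flows the network delivers that the service then denies, and roles the service authorizes whose traffic the network drops. All addresses, rules, roles and requests are constructed sample data.

```python
from ipaddress import ip_address, ip_network
FIREWALL = [  # constructed: (src network, dst host, dst port, action); first match wins
    ("10.0.0.0/8", "203.0.113.10", 443, "allow"),
]                                                  # no match = implicit default deny
NAT = {"203.0.113.10": "192.168.1.20"}             # public address -> internal host
SERVICES = {("192.168.1.20", 443): "payroll"}      # (host, port) -> resource served
RBAC = {("hr", "payroll"), ("admin", "payroll")}   # (role, resource) pairs permitted
REQUESTS = [  # constructed requests: (location, src host, dst, port, requester's role)
    ("firewall", "10.2.3.4", "203.0.113.10", 443, "hr"),
    ("firewall", "10.2.3.4", "203.0.113.10", 443, "contractor"),
    ("firewall", "172.16.5.5", "203.0.113.10", 443, "admin"),
]

def step(state):
    """Successor states implied by the device at the current location; [] = dropped."""
    loc, src, dst, port, role = state
    if loc == "firewall":
        for net, fdst, fport, action in FIREWALL:
            if ip_address(src) in ip_network(net) and (dst, port) == (fdst, fport):
                return [("nat", src, dst, port, role)] if action == "allow" else []
        return []
    if loc == "nat":
        return [("service", src, NAT.get(dst, dst), port, role)]
    if loc == "service" and (dst, port) in SERVICES:
        ok = (role, SERVICES[dst, port]) in RBAC
        return [("granted" if ok else "denied", src, dst, port, role)]
    return []  # unknown service, or a terminal granted/denied state

def reachable(initial):
    """Forward reachability (explicit-state stand-in for the paper's BDD fixpoint)."""
    seen, todo = set(initial), list(initial)
    while todo:
        for t in step(todo.pop()):
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return seen

def cross_layer_findings(requests=REQUESTS):
    """Returns (exposed, unreachable): network delivers but service denies / role
    is authorized by the service but the network drops its traffic."""
    exposed, unreachable = [], []
    for r in requests:
        ends = {s[0] for s in reachable([r]) if s[0] in ("granted", "denied")}
        authorized = (r[4], SERVICES.get((NAT.get(r[2], r[2]), r[3]))) in RBAC
        if "denied" in ends:
            exposed.append(r)
        if authorized and not ends:
            unreachable.append(r)
    return exposed, unreachable
```

Each finding is a witness the way a model checker's counterexample would be: the contractor request shows a firewall opening the network path to a resource the service never grants that role, and the admin request from 172.16.5.5 shows an authorized role that the firewall silently cuts off.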
