Policy Based Security Analysis in Enterprise Networks: A Formal Approach
Presented by Jiajie Xu, Hyeon Cha, Daniel San Martin Lens

Overview
• Introduction
• Related work and formal approaches
• Motivating example
• Security Policy Specification Model
• Security Implementation Model
• SAT Based Verification Procedure
• Conclusion
Introduction
• Two major challenges:
  • To check whether the security policy specification contains any conflicting rules.
  • To verify whether the security implementations conform to the enterprise-wide security policy.
Related work
• The research work:
  • Firewall analysis algorithms and tools.
  • Security policy specification languages.
  • Network security analysis using formal approaches.
• Formal approaches:
  • The FIREMAN toolkit (e.g. the Network Policy Enforcement tool)
  • SAT based approach

Motivating example
• The distributed ACL implementation may not satisfy the policy for two reasons:
  • Unblocked hidden service access paths
  • Combined ACL rules may not conform to the policy
• Measures: a correct ACL implementation should restrict hidden access paths consistently to satisfy the security policy.

Motivating example
Figure: a typical enterprise network (from P. Bera, S. K. Ghosh, P. Dasgupta, "Policy Based Security Analysis in Enterprise Networks: A Formal Approach", IEEE Transactions on Network and Service Management, pp. 231-243).
Security Policy Specification Model
• Security Policy Specification Language (SPSL)
  • Proposed to model the network topology and the policy rules in an enterprise.
  • Its specifications fall into two parts:
    • Network Topology specification
    • Network Service and Policy rule specification
  • The specification generated in this phase defines the enterprise-wide security policy model, G_P.

Security Policy Specification Model
• Security Policy Specification Language (SPSL)
• Network Topology specification:
    Zone ZONE_11 [10.0.0.0-10.0.255.255];
    Interface int_R12 [172.16.0.13];
    Router R1 [int_R12, int_R13, int_R14];
• Network Service and Policy rule specification:
  Network Service
    service http = TCP [port = 80];
    service ssh = TCP [port>20 AND port<23];
  Static and Temporal Policy Rules
    deny ssh(ZONE_1, ZONE_2);
    permit telnet([ZONE_11,ZONE_2], ZONE_12);
    deny http(ZONE_1, PROXY)[const = week_day(0800-1700)];

Security Policy Specification Model
• Hidden Access Path Analysis
  • To resolve the hidden access paths from the security policy model, G_P, the formulas above need to be represented in terms of 'deny' rules.
  • This is done by taking the negation of each formula in the hidden access path model.
Security Implementation Model
• Translating ACL Rules into a Service Flow Rule Base
  • Rule header: holds the binding information of the rule to an ACL group and the associated network interface.
  • Functional clause: holds the functional components of each ACL rule.

Security Implementation Model
• Generating a Conflict-free, Topology-independent Implementation Model
  • The ACL rule base may have various inter-rule conflicts due to rule component dependencies.
• Rule subsuming conflict
  • P1 : permit TCP X1, Y1 eq ssh;
  • P2 : deny TCP X, Y eq ssh;
  • To make these rules conflict-free, two additional rules are required:
    P'2 : deny TCP (X-X1), Y eq ssh;
    P''2 : deny TCP X, (Y-Y1) eq ssh;

Security Implementation Model
• Generating a Conflict-free, Topology-independent Implementation Model
  • The ACL rule base may have various inter-rule conflicts due to rule component dependencies.
• Rule over-riding conflict
  • P3 : permit TCP X, Y eq http;
  • P4 : deny TCP X, Y eq http;
  • To make these rules conflict-free, P4 must be deleted from the rule base.
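The two rewrites on these slides (splitting a subsumed deny rule into P'2 and P''2, and dropping an over-ridden rule), as an added example that is not the paper's code. Rules are tuples (action, service, source zones, destination zones) and the zone sets X, X1, Y, Y1 are constructed names standing in for address ranges.

```python
# Added example: making an ACL rule base conflict-free for the two conflict
# types on the slides. A rule is (action, service, src_zones, dst_zones) and
# rules are processed in their original order.

def make_conflict_free(rules):
    """Return a rule base in which no later rule contradicts an earlier one.

    Over-riding conflict: a later rule with the same match space but the
    opposite action is deleted (P4 in the slide).
    Subsuming conflict: a later, wider rule with the opposite action is
    replaced by two rules that exclude the earlier rule's sources and
    destinations respectively (P'2 and P''2 in the slide).
    """
    result = []
    for rule in rules:
        pieces = [rule]
        for earlier in result:
            e_action, e_svc, e_srcs, e_dsts = earlier
            next_pieces = []
            for action, svc, srcs, dsts in pieces:
                if svc != e_svc or action == e_action:
                    next_pieces.append((action, svc, srcs, dsts))  # no conflict
                elif srcs == e_srcs and dsts == e_dsts:
                    pass  # over-riding conflict: drop the later rule
                elif e_srcs <= srcs and e_dsts <= dsts:
                    # subsuming conflict: carve the earlier rule's space out
                    if srcs - e_srcs:
                        next_pieces.append((action, svc, srcs - e_srcs, dsts))
                    if dsts - e_dsts:
                        next_pieces.append((action, svc, srcs, dsts - e_dsts))
                else:
                    next_pieces.append((action, svc, srcs, dsts))
            pieces = next_pieces
        result.extend(pieces)
    return result

# Constructed rule bases mirroring the slide's P1/P2 and P3/P4 pairs.
P1 = ("permit", "ssh", {"X1"}, {"Y1"})
P2 = ("deny", "ssh", {"X1", "X2"}, {"Y1", "Y2"})
P3 = ("permit", "http", {"X1"}, {"Y1"})
P4 = ("deny", "http", {"X1"}, {"Y1"})

if __name__ == "__main__":
    for r in make_conflict_free([P1, P2, P3, P4]):
        print(r)
```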
SAT Based Verification Procedure
• Reduces the verification problem to a Boolean function f and checks its satisfiability.
• Boolean Reduction of Models
  • The Boolean reduction of these models requires functionally mapping the rule components to Boolean variables.
  • The rule components include service (protocol, port number), source zone, destination zone, time constraints and action.
  • The policy and ACL implementation rule bases are separately reduced to corresponding Boolean models, M_P and M_I respectively.

SAT Based Verification Procedure
• SAT solver and SAT query formation
  • The zChaff SAT solver takes a Boolean formula in standard conjunctive normal form (CNF) as its query and checks the satisfiability of that formula.
  • It is sufficient to check the unsatisfiability of the expression M_I ⊕ M_P.

SAT Based Verification Procedure
• Implementation and Verification Results (table from P. Bera, S. K. Ghosh, P. Dasgupta, "Policy Based Security Analysis in Enterprise Networks: A Formal Approach", IEEE Transactions on Network and Service Management, pp. 231-243)
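The exact-match check M_I ⊕ M_P on this slide, as an added example that is not the paper's code: each rule base is reduced to its decision function over a small finite domain of (service, source zone, destination zone), and the verifier looks for any flow where the two functions differ. The domain is enumerated directly instead of being handed to zChaff; the zone names and rule bases are constructed for the example.

```python
# Added example: checking whether an ACL implementation model M_I matches the
# policy model M_P exactly. A satisfying assignment of M_I xor M_P is a flow
# that one model permits and the other denies; none means conformance.
from itertools import product

SERVICES = ("ssh", "http", "telnet")
ZONES = ("ZONE_11", "ZONE_12", "ZONE_2", "PROXY")

def evaluate(rule_base, flow):
    """First matching rule decides; an unmatched flow is denied by default."""
    service, src, dst = flow
    for action, svc, srcs, dsts in rule_base:
        if svc == service and src in srcs and dst in dsts:
            return action == "permit"
    return False

def model(rule_base):
    """Boolean reduction over the finite domain: the set of permitted flows."""
    return {flow for flow in product(SERVICES, ZONES, ZONES)
            if evaluate(rule_base, flow)}

def mismatches(policy, impl):
    """Satisfying assignments of M_I xor M_P, i.e. flows the models disagree on."""
    return sorted(model(policy) ^ model(impl))

def verify(policy, impl):
    """True when M_I xor M_P is unsatisfiable (implementation matches policy)."""
    return mismatches(policy, impl) == []

# Constructed policy rule base G_P, in the spirit of the SPSL rules shown earlier.
POLICY = [
    ("deny", "ssh", {"ZONE_11", "ZONE_12"}, {"ZONE_2"}),
    ("permit", "telnet", {"ZONE_11", "ZONE_2"}, {"ZONE_12"}),
    ("permit", "http", {"ZONE_11", "ZONE_12", "ZONE_2"}, {"PROXY"}),
]
# Constructed combined ACL implementation: the ssh deny was written per router
# and one router's ACL leaves a hidden ssh path from ZONE_12 to ZONE_2 open.
IMPL = [
    ("deny", "ssh", {"ZONE_11"}, {"ZONE_2"}),
    ("permit", "ssh", {"ZONE_12"}, {"ZONE_2"}),
    ("permit", "telnet", {"ZONE_11", "ZONE_2"}, {"ZONE_12"}),
    ("permit", "http", {"ZONE_11", "ZONE_12", "ZONE_2"}, {"PROXY"}),
]

if __name__ == "__main__":
    for flow in mismatches(POLICY, IMPL):
        print("implementation deviates from policy on flow:", flow)
```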
Conclusions
• High-level modeling of the enterprise-wide security policy (G_P) using a policy specification language, SPSL.
• Formalizing the hidden access rules and resolving such conflicts from G_P to generate a conflict-free policy model M_P.
• Formal modeling of the network topology and distributed ACL implementations, represented as M_I.
• Boolean reduction of the policy and implementation models, M_P and M_I; verifying their exact matching using a SAT solver.

Opinions
• Good research of previous related work.
• Simple, easy-to-follow example to explain key concepts of the approach.
• The time complexity of the algorithm scales to n^2, making it hard to replicate in bigger enterprise environments.
• The number of rules tested does not seem sufficient to be compared to an enterprise network.