Management of Exceptions in Access Control Policies, J. G. Alfaro, F. Cuppens, N. Cuppens (PowerPoint presentation)


SLIDE 1

Management of Exceptions in Access Control Policies

  • J. G. Alfaro, F. Cuppens, N. Cuppens

ENST Bretagne, Rennes RSM/SERES

SLIDE 2

Outline

  • Problem domain
  • Main strategies
  • Use of full expressiveness
  • Conclusions and Perspectives

SLIDE 3

Problem domain

  • When specifying an access control policy, how can we properly specify exceptions to those general rules that almost always apply?

  • Example: in a hospital

General rule:

All physicians are allowed to consult patient’s medical records

Exception 1 (exception to the general case):

Physicians on strike can’t access medical records

Exception 2 (exception to Exception 1):

For emergency purposes, even physicians going on strike can access patient’s medical records

SLIDE 4

[Diagram: Internet, Firewall, Private]

  • Management of exceptions on firewalls

Example:

Zone Private can access web resources of zone Internet

  • Format of a filtering rule:

Condition → accept

or

Condition → deny

Where condition is a conjunctive set of attributes in the form:

(s)ource ∧ (d)estination ∧ source-port (sport) ∧ destination-port (dport) ∧ (p)rotocol

  • Possible rule for the example:

R: s ∈ 111.222.1.0/24 ∧ d ∈ any ∧ p = tcp ∧ dport = 80 → accept

SLIDE 5

Management of exceptions on firewalls

Example (continuation):

  • Exception 1: The interfaces of Firewall (Interf-fw) are not allowed to access

web resources on the zone Internet

Exclusion of address 111.222.1.1 from zone Private

  • Exception 2: The hosts in Admin are not allowed to access web resources

Exclusion of zone Admin from zone Private

  • Exception 3: The hosts in Corporate (111.222.*.*) are not considered a part of zone Internet

Exclusion of zone Corporate from zone Internet

[Diagram: Internet, Firewall, Corporate, Private, Admin]

SLIDE 6

Management of exceptions on firewalls

[Diagram: Internet, Firewall, Corporate, Private, Admin]

  • Example (continuation):
  • Problem: How to express the following rule?

Zone (Private – Admin – Interf-fw) has the permission of accessing web resources in zone (Internet – Corporate)

SLIDE 7

Management of exceptions on firewalls

  • Three main strategies:

1. First/Last Matching Algorithms

  • Total ordering of rules

2. Segmentation of Rules

  • Exclusion of condition attributes

3. Partial Ordering of Rules

  • Use of Chains and Jumps

SLIDE 8

First Matching Strategy

  • Principle:
  • Ordering of permissions and prohibitions
  • The firewall parses the rules until one applies:

If the rule is a permission, traffic is accepted
Otherwise, traffic is refused

  • When no rule applies, the decision depends on the default policy:

In the case of an open policy, traffic is accepted
If the policy is closed, traffic is refused

  • Example:

R: s ∈ (A ∧ ¬B) → accept

R1: (s ∈ B) → deny
R2: (s ∈ A) → accept

SLIDE 9

First Matching Strategy

[Diagram: Internet, Firewall, Corporate, Private, Admin]

  • Motivation example: “Zone (Private – Admin – Interf-firewall) has the permission of accessing web resources from zone (Internet – Corporate)”

  • Possible set of rules:

R1: s ∈ 111.222.1.1 ∧ d ∈ any ∧ p = tcp ∧ dport = 80 → deny
R2: s ∈ [111.222.1.13, 111.222.1.25] ∧ d ∈ any ∧ p = tcp ∧ dport = 80 → deny
R3: s ∈ 111.222.1.0/24 ∧ d ∈ 111.222.0.0/16 ∧ p = tcp ∧ dport = 80 → deny
R4: s ∈ 111.222.1.0/24 ∧ d ∈ any ∧ p = tcp ∧ dport = 80 → accept

SLIDE 10

First Matching Strategy

Advantages

Solution implemented in most existing firewalls

Drawbacks

Necessity of defining a total order between rules
Transformation of local rule exceptions into global exceptions
Risk of interference between rules
Administration of setups becomes error prone

  • Adding/removing of general rules
  • Adding/removing of exceptions

Combinations of rules not always possible to implement by simple ordering of rules

SLIDE 11

Drawbacks of first matching strategies

Example – Expression of the following two rules

R1,1: (s ∈ B) → deny
R1,2: (s ∈ A) → accept

R2,1: (s ∈ A) → deny
R2,2: (s ∈ B) → accept

  • We must first compute A ∩ B and apply the following transformations:

R1,1: (s ∈ (A ∩ B)) → deny
R1,2: (s ∈ A) → accept

R2,1: (s ∈ (A ∩ B)) → deny
R2,2: (s ∈ B) → accept

  • We can finally deploy the following three rules:

R1: (s ∈ (A ∩ B)) → deny
R2: (s ∈ A) → accept
R3: (s ∈ B) → accept
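To make the interference concrete, here is an added example (not from the slides) that evaluates the two local rule sets above with first-match semantics over two constructed zones A and B of host names. Placing one local ordering before the other breaks the other set for the hosts outside A ∩ B, while the transformed three-rule set satisfies both. The host names, the `first_match` and `violations` helpers and the closed default policy are assumptions of this example.

```python
# Added example: interference between two locally correct first-match rule sets.
# Zones A and B are constructed sets of host names; h3 lies in A ∩ B.
A = {"h1", "h2", "h3"}
B = {"h3", "h4", "h5"}

# A rule is (source set, decision); the first applicable rule wins.
SET1 = [(B, "deny"), (A, "accept")]   # local meaning: accept exactly A - B
SET2 = [(A, "deny"), (B, "accept")]   # local meaning: accept exactly B - A

def first_match(rules, host, default="deny"):
    """First-matching strategy with a closed default policy."""
    for src, decision in rules:
        if host in src:
            return decision
    return default

def intended(host):
    """What the two local policies require together: accept (A - B) ∪ (B - A)."""
    return "accept" if host in (A ^ B) else "deny"

def violations(rules):
    """Hosts whose first-match decision differs from the intended one."""
    return sorted(h for h in A | B if first_match(rules, h) != intended(h))

# Naive deployments: one local ordering simply placed before the other.
NAIVE_1_THEN_2 = SET1 + SET2   # SET1's deny on B swallows all of B - A
NAIVE_2_THEN_1 = SET2 + SET1   # SET2's deny on A swallows all of A - B

# The slide's transformation: both exceptions rewritten on A ∩ B and made global.
MERGED = [(A & B, "deny"), (A, "accept"), (B, "accept")]

if __name__ == "__main__":
    for name, rules in [("1 then 2", NAIVE_1_THEN_2),
                        ("2 then 1", NAIVE_2_THEN_1),
                        ("merged", MERGED)]:
        print(name, "violations:", violations(rules))
```

The local exception "deny B" is only correct inside rule set 1; once the two sets share a single ordered list it has to be narrowed to A ∩ B, which is exactly the global exception the slide constructs.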

SLIDE 12

Drawbacks of first matching strategies

Example – insertion of the following rule:

The hosts of Private can access web resources in DMZ

[Diagram: Internet, Firewall, Corporate, Private, Admin, DMZ]

SLIDE 13

Drawbacks of first matching strategies

Ordering of rules:

R1: s ∈ 111.222.1.0/24 ∧ d ∈ 111.222.2.0/24 ∧ p = tcp ∧ dport = 80 → accept
R2: s ∈ 111.222.1.1 ∧ d ∈ any ∧ p = tcp ∧ dport = 80 → deny
R3: s ∈ [111.222.1.13, 111.222.1.25] ∧ d ∈ any ∧ p = tcp ∧ dport = 80 → deny
R4: s ∈ 111.222.1.0/24 ∧ d ∈ 111.222.0.0/16 ∧ p = tcp ∧ dport = 80 → deny
R5: s ∈ 111.222.1.0/24 ∧ d ∈ any ∧ p = tcp ∧ dport = 80 → accept

Only possibility!
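The following added example (not from the slides) implements the first-matching strategy in Python over the five rules above, encoding every address set as an inclusive integer range so that CIDR blocks, single hosts and intervals share one representation. It evaluates a few constructed probe flows in the slide's ordering and then in two other plausible total orders, `DMZ_RULE_LAST` and `GENERAL_RULE_FIRST`, to show how moving a single rule silently changes the policy. The probe addresses, the `Rule` class and the helper names are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass

def rng(spec):
    """Address set as an inclusive (low, high) pair of 32-bit integers.
    Accepts 'any', a CIDR block, a single host, or a 'first-last' interval."""
    if spec == "any":
        return (0, 2**32 - 1)
    if "-" in spec:
        first, last = spec.split("-")
        return (int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last)))
    net = ipaddress.ip_network(spec, strict=False)
    return (int(net.network_address), int(net.broadcast_address))

@dataclass
class Rule:
    name: str
    src: tuple
    dst: tuple
    proto: str
    dport: int
    decision: str          # "accept" or "deny"

def applies(rule, s, d, proto, dport):
    return (rule.src[0] <= s <= rule.src[1] and rule.dst[0] <= d <= rule.dst[1]
            and rule.proto == proto and rule.dport == dport)

def first_match(rules, src, dst, proto="tcp", dport=80, default="deny"):
    """First-matching strategy: the first applicable rule decides;
    when nothing matches the closed default policy refuses the traffic."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for rule in rules:
        if applies(rule, s, d, proto, dport):
            return rule.decision
    return default

# The five rules of the slide, in the only ordering that expresses both policies.
RULES = [
    Rule("R1", rng("111.222.1.0/24"), rng("111.222.2.0/24"), "tcp", 80, "accept"),  # Private -> DMZ
    Rule("R2", rng("111.222.1.1"), rng("any"), "tcp", 80, "deny"),                   # firewall interface
    Rule("R3", rng("111.222.1.13-111.222.1.25"), rng("any"), "tcp", 80, "deny"),    # Admin hosts
    Rule("R4", rng("111.222.1.0/24"), rng("111.222.0.0/16"), "tcp", 80, "deny"),    # Corporate destinations
    Rule("R5", rng("111.222.1.0/24"), rng("any"), "tcp", 80, "accept"),             # general rule
]

# Constructed probe flows (source, destination), all TCP to port 80.
PROBES = {
    "private_to_internet": ("111.222.1.50", "8.8.8.8"),
    "admin_to_internet": ("111.222.1.20", "8.8.8.8"),
    "fw_if_to_internet": ("111.222.1.1", "8.8.8.8"),
    "private_to_corporate": ("111.222.1.50", "111.222.7.9"),
    "private_to_dmz": ("111.222.1.50", "111.222.2.10"),
    "admin_to_dmz": ("111.222.1.20", "111.222.2.10"),
}

def check_policy(rules):
    """Decision of the ordered rule list for every probe flow."""
    return {name: first_match(rules, s, d) for name, (s, d) in PROBES.items()}

# Two alternative total orders that look plausible but change the policy.
DMZ_RULE_LAST = RULES[1:] + RULES[:1]       # R1 after R4: R4 now swallows Private -> DMZ
GENERAL_RULE_FIRST = RULES[4:] + RULES[:4]  # R5 first: every exception is shadowed

if __name__ == "__main__":
    for label, order in [("slide order", RULES), ("DMZ rule last", DMZ_RULE_LAST),
                         ("general rule first", GENERAL_RULE_FIRST)]:
        print(label, check_policy(order))
```

Running the probes against each ordering is the kind of regression check that makes the "total order" drawback visible: nothing in the rule syntax flags the misordered variants, only the decisions differ.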

SLIDE 14

Segmentation of condition attributes

Principle:

Expression of only permissions
– In case of an open policy

Expression of only prohibitions
– In case of a closed policy

Transformation of general rules taking into account the set of exceptions

Example: R: s ∈ (A ∧ ¬B) → accept

R: (s ∈ (A – B)) → accept

SLIDE 15

Segmentation of condition attributes

  • Expression of rule:

Zone (Private – Admin – Interf-firewall) has the permission of accessing web resources from zone (Internet – Corporate)

Private = 111.222.1.*
Admin = [111.222.1.13, 111.222.1.25]
Interf-firewall = { 111.222.1.1, 111.222.100.1 }
Private – Admin – Interf-firewall: [111.222.1.2, 111.222.1.12] ∪ [111.222.1.26, 111.222.1.255]

Internet = *.*.*.*
Corporate = 111.222.*.*
Internet – Corporate: [1.1.1.1, 111.221.255.255] ∪ [111.223.1.1, 255.255.255.255]

SLIDE 16

Segmentation of condition attributes

  • Expression of rule:

Zone (Private – Admin – Interf-firewall) has the permission of accessing web resources from zone (Internet – Corporate)

R1: s ∈ [111.222.1.2, 111.222.1.12] ∧ d ∈ [1.1.1.1, 111.221.255.255] ∧ p = tcp ∧ dport = 80 → accept
R2: s ∈ [111.222.1.26, 111.222.1.255] ∧ d ∈ [1.1.1.1, 111.221.255.255] ∧ p = tcp ∧ dport = 80 → accept
R3: s ∈ [111.222.1.2, 111.222.1.12] ∧ d ∈ [111.223.1.1, 255.255.255.255] ∧ p = tcp ∧ dport = 80 → accept
R4: s ∈ [111.222.1.26, 111.222.1.255] ∧ d ∈ [111.223.1.1, 255.255.255.255] ∧ p = tcp ∧ dport = 80 → accept

SLIDE 17

Segmentation of condition attributes

  • Advantages:

The ordering of rules is no longer relevant

  • Drawbacks:

It may lead to complex configurations

– Necessity of third party tools to manage intervals
– The number of rules may significantly increase
– Rule updates may require further segmentation processing

  • Remarks:

Some firewalls do not manage intervals
Necessity of network masks
Example: [111.222.1.2, 111.222.1.12]

111.222.1.2/31 ∪ 111.222.1.4/29 ∪ 111.222.1.12/32
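The segmentation step of slides 14 to 17 is pure interval arithmetic, so here is an added example (not the authors' tool) that performs it in Python: it subtracts the exception intervals from a zone, builds the cartesian product of the resulting source and destination intervals into one permission per pair, and converts an interval into the CIDR blocks a mask-only firewall needs using `ipaddress.summarize_address_range`. Private is taken as the whole 111.222.1.0/24 block (so the .0 address survives the subtraction, which the slide's interval list leaves out), and the zone definitions follow slide 15; the helper names are assumptions. Note that the standard library returns 111.222.1.2/31, 111.222.1.4/30, 111.222.1.8/30 and 111.222.1.12/32 for the slide's example interval: a /29 block has to start at a multiple of 8, so the .4/29 written on the slide would denote 111.222.1.0/29 on a real firewall.

```python
import ipaddress

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def to_str(value):
    return str(ipaddress.IPv4Address(value))

def subtract(intervals, cut):
    """Remove the inclusive integer interval `cut` from a list of inclusive intervals."""
    cut_lo, cut_hi = cut
    result = []
    for lo, hi in intervals:
        if cut_hi < lo or cut_lo > hi:        # disjoint: keep as is
            result.append((lo, hi))
            continue
        if lo < cut_lo:                        # piece left of the cut
            result.append((lo, cut_lo - 1))
        if hi > cut_hi:                        # piece right of the cut
            result.append((cut_hi + 1, hi))
    return result

def exclude(zone, *exceptions):
    """zone minus every exception; all arguments are lists of (first, last) dotted quads."""
    intervals = [(to_int(a), to_int(b)) for a, b in zone]
    for exc in exceptions:
        for a, b in exc:
            intervals = subtract(intervals, (to_int(a), to_int(b)))
    return [(to_str(lo), to_str(hi)) for lo, hi in sorted(intervals)]

def to_cidrs(first, last):
    """Minimal list of CIDR blocks covering [first, last], for firewalls without interval support."""
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))]

# Zones of slide 15 (Private taken as the whole /24, so the .0 address is kept).
PRIVATE   = [("111.222.1.0", "111.222.1.255")]
ADMIN     = [("111.222.1.13", "111.222.1.25")]
INTERF_FW = [("111.222.1.1", "111.222.1.1"), ("111.222.100.1", "111.222.100.1")]
INTERNET  = [("0.0.0.0", "255.255.255.255")]
CORPORATE = [("111.222.0.0", "111.222.255.255")]

def segmented_rules():
    """One permission per (source interval, destination interval) pair: the segmented rule set."""
    sources = exclude(PRIVATE, ADMIN, INTERF_FW)
    destinations = exclude(INTERNET, CORPORATE)
    return [(s, d, "tcp", 80, "accept") for s in sources for d in destinations]

if __name__ == "__main__":
    for rule in segmented_rules():
        print(rule)
    print(to_cidrs("111.222.1.2", "111.222.1.12"))
```

The growth the slide warns about is visible in `segmented_rules`: three source intervals times two destination intervals already give six rules for a single logical permission, and each further exception splits one more interval.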

SLIDE 18

Partial ordering of rules

Principle:

When a general rule applies, jump to verify its exceptions

If no exception applies, the traffic is accepted
Otherwise, the next general rule is tested

Example: R1: (s ∈ (A ∧ ¬(B ∨ C))) → accept

R1: (s ∈ A) → jump_to chain_A
R2: deny

Rchain_A,1: (s ∈ B) → return
Rchain_A,2: (s ∈ C) → return
Rchain_A,3: accept

SLIDE 19

Partial ordering of rules

  • Example:
  • Rule 1: Zone (Private – Admin – Interf-firewall) has the permission of accessing web resources from zone (Internet – Corporate)
  • Rule 2: Zone Private has the permission of accessing web resources from DMZ

Rmain,1: s ∈ 111.222.1.0/24 ∧ d ∈ any ∧ p = tcp ∧ dport = 80 → jump priv-to-int
Rmain,2: s ∈ 111.222.1.0/24 ∧ d ∈ 111.222.2.0/24 ∧ p = tcp ∧ dport = 80 → accept
Rmain,3: deny

Rpriv-to-int,1: s ∈ 111.222.1.1 → return
Rpriv-to-int,2: s ∈ [111.222.1.13, 111.222.1.25] → return
Rpriv-to-int,3: s ∈ 111.222.1.0/24 ∧ d ∈ 111.222.0.0/16 → return
Rpriv-to-int,4: accept

SLIDE 20

Partial ordering of rules

  • NetFilter rules:

iptables -N Priv_To_Internet
iptables -A FORWARD -s $PRIVATE -p tcp --dport 80 -j Priv_To_Internet
iptables -A FORWARD -s $PRIVATE -d $DMZ -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -j DROP
iptables -A Priv_To_Internet -s $ADMIN -j RETURN
# a shell variable name cannot contain '-': $FW_INT1 rather than $FW-INT1
iptables -A Priv_To_Internet -s $FW_INT1 -j RETURN
iptables -A Priv_To_Internet -d $CORPORATE -j RETURN
iptables -A Priv_To_Internet -j ACCEPT

  • Remarks:

NetFilter must be patched in order to manage ranges
Definition of variables such as $PRIVATE, $ADMIN, etc.
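The following added example (not the authors' code) simulates the NetFilter chain semantics the listing above relies on: a user-defined chain, `-j` jumps into it, `RETURN` resuming at the rule after the jump, and an implicit return when a chain ends without a verdict. It encodes the FORWARD and Priv_To_Internet rules with the zones of slide 19, taking $FW_INT1 as the Private-side interface 111.222.1.1, and checks that swapping the two general rules of FORWARD leaves every decision unchanged, which is the "ordering of general rules is no longer relevant" property. The probe flows, the tuple rule format and the `walk`/`decide` names are assumptions of this example.

```python
import ipaddress

def net(spec):
    return ipaddress.ip_network(spec)

# Zones of slide 19; $FW_INT1 is taken as the firewall's Private-side address.
PRIVATE   = net("111.222.1.0/24")
DMZ       = net("111.222.2.0/24")
CORPORATE = net("111.222.0.0/16")
FW_INT1   = net("111.222.1.1/32")
ADMIN     = (ipaddress.IPv4Address("111.222.1.13"), ipaddress.IPv4Address("111.222.1.25"))
ANY       = None

def in_set(addr, s):
    """Membership in a network, an inclusive (first, last) pair, or ANY."""
    if s is ANY:
        return True
    if isinstance(s, tuple):
        return s[0] <= addr <= s[1]
    return addr in s

# A rule is (src, dst, proto, dport, target); ANY/None matches everything.
# target: "ACCEPT", "DROP", "RETURN", or ("JUMP", chain) for -j <user chain>.
CHAINS = {
    "FORWARD": [
        (PRIVATE, ANY, "tcp", 80, ("JUMP", "Priv_To_Internet")),   # general rule 1
        (PRIVATE, DMZ, "tcp", 80, "ACCEPT"),                        # general rule 2
        (ANY, ANY, None, None, "DROP"),                             # closed policy
    ],
    "Priv_To_Internet": [                                           # exceptions of rule 1
        (ADMIN, ANY, None, None, "RETURN"),
        (FW_INT1, ANY, None, None, "RETURN"),
        (ANY, CORPORATE, None, None, "RETURN"),
        (ANY, ANY, None, None, "ACCEPT"),
    ],
}

def walk(chains, name, pkt, depth=0):
    """Evaluate one chain top to bottom. Returns a verdict, or None when the chain
    returns (explicit RETURN or falling off the end) so the caller continues."""
    if depth > 8:
        raise RuntimeError("jump depth exceeded")
    for src, dst, proto, dport, target in chains[name]:
        if not (in_set(pkt["src"], src) and in_set(pkt["dst"], dst)):
            continue
        if proto is not None and proto != pkt["proto"]:
            continue
        if dport is not None and dport != pkt["dport"]:
            continue
        if target == "RETURN":
            return None
        if isinstance(target, tuple):                  # ("JUMP", chain)
            verdict = walk(chains, target[1], pkt, depth + 1)
            if verdict is not None:
                return verdict
            continue                                   # an exception matched: next general rule
        return target                                  # ACCEPT or DROP
    return None

def decide(chains, src, dst, proto="tcp", dport=80):
    pkt = {"src": ipaddress.IPv4Address(src), "dst": ipaddress.IPv4Address(dst),
           "proto": proto, "dport": dport}
    verdict = walk(chains, "FORWARD", pkt)
    return verdict if verdict is not None else "DROP"  # built-in chain policy DROP

# Constructed probe flows (source, destination), all TCP to port 80.
PROBES = {
    "private_to_internet": ("111.222.1.50", "8.8.8.8"),
    "admin_to_internet": ("111.222.1.20", "8.8.8.8"),
    "fw_if_to_internet": ("111.222.1.1", "8.8.8.8"),
    "private_to_corporate": ("111.222.1.50", "111.222.7.9"),
    "private_to_dmz": ("111.222.1.50", "111.222.2.10"),
    "admin_to_dmz": ("111.222.1.20", "111.222.2.10"),
}

def decisions(chains):
    return {k: decide(chains, s, d) for k, (s, d) in PROBES.items()}

# Same policy with the two general rules of FORWARD swapped.
SWAPPED = {"FORWARD": [CHAINS["FORWARD"][1], CHAINS["FORWARD"][0], CHAINS["FORWARD"][2]],
           "Priv_To_Internet": CHAINS["Priv_To_Internet"]}

if __name__ == "__main__":
    print(decisions(CHAINS))
    print("order independent:", decisions(CHAINS) == decisions(SWAPPED))
```

Because DMZ lies inside Corporate, a Private-to-DMZ packet returns from Priv_To_Internet on the `-d $CORPORATE` rule and is then accepted by general rule 2; the exception chain never has to know about the DMZ rule, which is the separation the next slide lists as an advantage.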

SLIDE 21

Partial ordering of rules

Advantages

Complete separation between exceptions and general rules
The ordering of general rules is no longer relevant
The insertion and elimination of rules is much easier

Drawbacks

Number of rules may increase
Performance issues

SLIDE 22

Use of full expressiveness

Principle:

Combination of both positive and negative statements (e.g., A ∧ ¬B) for a single attribute at the same time

Example:

Use of a SQL-like language may allow us to express the rule R: (s ∈ (A ∧ ¬B)) → accept in the form

select decision from firewall where (s ∈ A) ∧ (s ∉ B)

SLIDE 23

Use of full expressiveness

  • Proposal:
  • Implementation of a NetFilter module to extend its matching algorithm to specify exceptions in the form R: (s ∈ (A ∧ ¬B)) → accept as follows:

iptables --s[+] $A --s[-] $B -j ACCEPT

  • Example – Expression of rules:

(1) All hosts in (Private – Admin) are allowed to access web resources on (Internet – Corporate);
(2) All the hosts in (Private – Admin) are allowed to access web resources on the zone DMZ.

iptables --s[+] $PRIV --s[-] $ADMIN --d[+] $INTERNET --d[-] $CORP -p tcp --dport 80 -j ACCEPT
iptables --s[+] $PRIV --s[-] $ADMIN --d[+] $DMZ -p tcp --dport 80 -j ACCEPT
iptables -j DROP
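Added example (not the authors' ipt_fex module) that models the matching semantics of the proposed --s[+]/--s[-] and --d[+]/--d[-] options in Python: each attribute carries a positive list of networks and a negative list of exclusions, and a rule applies only when the address lies in some positive block and in no negative block. It encodes the three rules above with the zone definitions of slide 15 and checks that the two ACCEPT rules can be written in either order, since each one carries its own exceptions. The probe flows, the dict-based rule format and the helper names are assumptions of this example.

```python
import ipaddress

def nets(*specs):
    return [ipaddress.ip_network(s) for s in specs]

def interval(first, last):
    """An address interval as the list of CIDR blocks covering it."""
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))

# Zones of slide 15; $ADMIN is the interval [111.222.1.13, 111.222.1.25].
PRIV     = nets("111.222.1.0/24")
ADMIN    = interval("111.222.1.13", "111.222.1.25")
INTERNET = nets("0.0.0.0/0")
CORP     = nets("111.222.0.0/16")
DMZ      = nets("111.222.2.0/24")

def attr_match(addr, positive, negative):
    """--x[+] / --x[-] semantics: addr in some positive block and in no negative block."""
    return any(addr in n for n in positive) and not any(addr in n for n in negative)

def rule(s_pos, s_neg, d_pos, d_neg, proto, dport, target):
    return dict(s_pos=s_pos, s_neg=s_neg, d_pos=d_pos, d_neg=d_neg,
                proto=proto, dport=dport, target=target)

RULES = [
    rule(PRIV, ADMIN, INTERNET, CORP, "tcp", 80, "ACCEPT"),   # (1) Private-Admin -> Internet-Corporate
    rule(PRIV, ADMIN, DMZ, [], "tcp", 80, "ACCEPT"),          # (2) Private-Admin -> DMZ
    rule(INTERNET, [], INTERNET, [], None, None, "DROP"),     # closed policy
]

def decide(rules, src, dst, proto="tcp", dport=80):
    """First applicable rule decides; exceptions live inside the rule, not in its position."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for r in rules:
        if not attr_match(s, r["s_pos"], r["s_neg"]):
            continue
        if not attr_match(d, r["d_pos"], r["d_neg"]):
            continue
        if r["proto"] is not None and r["proto"] != proto:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r["target"]
    return "DROP"

# Constructed probe flows (source, destination), all TCP to port 80.
PROBES = {
    "private_to_internet": ("111.222.1.50", "8.8.8.8"),
    "admin_to_internet": ("111.222.1.20", "8.8.8.8"),
    "fw_if_to_internet": ("111.222.1.1", "8.8.8.8"),   # rule (1) on this slide does not exclude the interface
    "private_to_corporate": ("111.222.1.50", "111.222.7.9"),
    "private_to_dmz": ("111.222.1.50", "111.222.2.10"),
    "admin_to_dmz": ("111.222.1.20", "111.222.2.10"),
}

def decisions(rules):
    return {k: decide(rules, s, d) for k, (s, d) in PROBES.items()}

SWAPPED = [RULES[1], RULES[0], RULES[2]]   # the two permissions in the other order

if __name__ == "__main__":
    print(decisions(RULES))
    print("order independent:", decisions(RULES) == decisions(SWAPPED))
```

Two rules express what the segmentation strategy needed four (or more) interval rules and the chain strategy needed a separate user chain for; the price, as the next slides measure, is a match that has to test a list of blocks per attribute instead of a single mask.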

SLIDE 24

Use of full expressiveness

  • Implementation of a first prototype:
  • New matching strategy implemented as a NetFilter extension
  • Extending NetFilter involved two parts:

Extension of the kernel code, by writing a new module (ipt_fex.ko)
Extension of the user-space program iptables, by writing a new shared library (iptables_fex.so)

  • Initial evaluation of our prototype:
  • Based on the use of NetPerf, to observe bandwidth overhead vs. number of iptables rules

SLIDE 25

Evaluation

[Chart: IPTables Performance (netperf --m 65535; MTU: 1500)]

SLIDE 26

Evaluation

[Figure: matching process of IPTables (pseudocode). For each rule the attributes are tested in sequence: protocol, source, destination, in-interface, out-interface, fragment, then extension matches such as --sport, --dport, --syn, -m limit, … Overhead!!]

SLIDE 27

Conclusions/Perspectives

  • Conclusions:
  • Survey of main strategies to manage and deploy filtering rule exceptions
  • Advantages and drawbacks of each strategy
  • Proposal of a new strategy based on the use of full expressiveness
  • Implementation and evaluation of a first prototype
  • Work in progress:
  • A more in-depth evaluation of our first prototype
  • Implementation of a new NetFilter prototype based on an improved matching process

SLIDE 28

Management of Exceptions in Access Control Policies

  • J. G. Alfaro, F. Cuppens, N. Cuppens

ENST Bretagne, Rennes RSM/SERES