Using Hierarchical Change Mining to Manage Network Security Policy Evolution - PowerPoint PPT Presentation


SLIDE 1

Using Hierarchical Change Mining to Manage Network Security Policy Evolution

Gabriel A. Weaver, Nick Foti, Sergey Bratus, Dan Rockmore, and Sean W. Smith

Presented by Gabriel A. Weaver Dartmouth College

SLIDE 2

Network services change and evolve. Therefore managing security requires us to manage security policy evolution.

SLIDE 3

Case 1: If practitioners don't change policies as services change, systems are vulnerable.

SLIDE 4

Case 2: If practitioners make changes to the policy as services change, then errors may be accidentally introduced.

SLIDE 5

Before this paper, little research had been done on the general problem of security policy evolution.

SLIDE 6

[Figure: timeline of prior work on security policy evolution, 2003 to 2011]

SLIDE 7

[Timeline, 2003 to 2011] McDaniel [20]; Lim et al. [19]; Tapiador et al. [30]

SLIDE 8

[Timeline, 2003 to 2011] McDaniel [20]; Lim et al. [19]; Tapiador et al. [30]; Benson et al. [1]; Plonka et al. [24]; Sun et al. [28]; Sung et al. [29]

SLIDE 9

We recognize that security policies are hierarchically-structured texts. We propose a general method to mine changes within these structures.

SLIDE 10

Outline

  • Two real-world examples, each covering: the security policy evolution problem; hierarchical policy structure; the current approach, our approach, and initial results
  • Conclude

SLIDE 11

Outline

  • Two real-world examples: Switch/Router Configuration; Identity Management
  • Conclude

SLIDE 12

Identity Management: Changelogs insufficient

SLIDES 13-15

The Security Policy Evolution Problem

[Figure, built up over three slides: successive versions of a policy across a year, marked Jan, Jun, Dec]

SLIDES 16-20

Hierarchical Policy Structure: RFC 3647

SDG version 1.5.1, built up section by section over the five slides:

3 Identification and Authentication
  3.1 Initial Registration
    3.1.1 Types of Names: "The subject name is..."
    3.1.2 Name Meanings: "The subject name..."
    3.1.3 Rules for Interpreting Name Forms

[Figure: the same sections drawn as a tree, with nodes labelled 3; 3.1; 3.1.1, 3.1.2, 3.1.3]

SLIDE 21

Current Solution: Changelogs

[Figure: a changelog taken from a certificate policy; the entries are not reproduced here]

SLIDE 22

Current Solution: Changelogs

[Figure: the same changelog with each entry labelled by its kind: Delete, Add, or Change]

SLIDE 23

Our Approach: Edit Distance

[Figure: two section trees; the second has one extra leaf under section 1.3]

Tree Edit Distance = 1, corresponding to the changelog entry "Added Section 1.3.3"

SLIDE 24

Our Approach: Edit Distance

[Figure: section trees with the same shape, differing only in the text under section 1.3.2]

Word Edit Distance > 0, corresponding to the changelog entry "Added description to Section 1.3.2"

SLIDE 25

Initial Results

Reference         Description                              wordED  treeED
SDG 1_5_1:6.1.1   In Sec 6.1.1, added more description
AIST 1_1:1.4.3    Added Section 1.4.3
IUCC 1_5:4.6.1    Changed 4.6.1 to add logging of ...

(edit-distance values as they appear on the slide: 12, 21, 1)

SLIDE 26

Initial Results: Changelogs are Insufficient

Reference         Description                              wordED  treeED
SDG 1_5_1:6.1.1   In Sec 6.1.1, added more description
AIST 1_1:1.4.3    Added Section 1.4.3
IUCC 1_5:4.6.1    Changed 4.6.1 to add logging of ...

(edit-distance values as they appear on the slide: 12, 21, 1)

Out of 178 reported changes, 9 never actually occurred!
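The section-tree model of slides 16-26, as an added worked example that is not the authors' tool or data: it parses two constructed versions of an RFC 3647-style policy fragment into a tree keyed by section number, computes the tree edit distance as sections added plus sections removed (the identity-keyed case, not general tree editing), computes a word-level Levenshtein distance within each section that survives in both versions, and then checks a constructed changelog against the two versions to flag entries the texts do not support, which is the kind of discrepancy slide 26 reports. The policy text, the changelog and every function name are assumptions made for this example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: two versions of a fragment of an RFC 3647-style
# certificate policy (not the text of any real CA's policy). Section
# numbers encode the hierarchy: "3.1.2" is a child of "3.1".
V1 = """\
3 Identification and Authentication
3.1 Initial Registration
3.1.1 Types of Names
The subject name is a distinguished name.
3.1.2 Name Meanings
The subject name identifies the subscriber.
"""

V2 = """\
3 Identification and Authentication
3.1 Initial Registration
3.1.1 Types of Names
The subject name is a distinguished name following RFC 5280.
3.1.2 Name Meanings
The subject name identifies the subscriber.
3.1.3 Rules for Interpreting Name Forms
Name forms are interpreted per X.500.
"""

# Constructed changelog in the Add/Change/Delete style of the slides.
# The last entry claims a change that the two texts do not contain.
CHANGELOG = [("3.1.3", "add"), ("3.1.1", "change"), ("3.1.2", "change")]

HEADING = re.compile(r"^(\d+(?:\.\d+)*)\s+(\S.*)$")

Section = Tuple[str, List[str]]  # (title, body words)


def parse_policy(text: str) -> Dict[str, Section]:
    """Map each section number to its title and the words of its body.
    Nested numbering (3 > 3.1 > 3.1.1) is the tree, so the dict keys are
    node identities and no separate parent pointer is needed."""
    tree: Dict[str, Section] = {}
    current = None
    for line in text.splitlines():
        m = HEADING.match(line)
        if m:
            current = m.group(1)
            tree[current] = (m.group(2).strip(), [])
        elif current is not None:
            tree[current][1].extend(re.findall(r"\w+", line))
    return tree


def word_edit_distance(a: List[str], b: List[str]) -> int:
    """Levenshtein distance over word tokens; unit cost per insert,
    delete or substitute. Captures rewording inside one section."""
    prev = list(range(len(b) + 1))
    for i, wa in enumerate(a, 1):
        cur = [i]
        for j, wb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete wa
                           cur[j - 1] + 1,              # insert wb
                           prev[j - 1] + (wa != wb)))   # match / substitute
        prev = cur
    return prev[-1]


def tree_edit_distance(t1: Dict[str, Section], t2: Dict[str, Section]) -> int:
    """With section numbers as node identities, tree edit distance reduces
    to the number of sections added plus removed (the identity-keyed
    special case, not general Zhang-Shasha tree editing)."""
    return len(set(t1) ^ set(t2))


def section_word_distances(t1: Dict[str, Section],
                           t2: Dict[str, Section]) -> Dict[str, int]:
    """wordED for every section present in both versions."""
    return {s: word_edit_distance(t1[s][1], t2[s][1]) for s in set(t1) & set(t2)}


def check_changelog(t1, t2, entries):
    """Return the changelog entries the two versions do not support: an
    'add' of a section already present or still absent, a 'delete' of a
    section that survives, or a 'change' to a section whose words are
    identical in both versions."""
    wd = section_word_distances(t1, t2)
    unsupported = []
    for section, kind in entries:
        if kind == "add":
            ok = section in t2 and section not in t1
        elif kind == "delete":
            ok = section in t1 and section not in t2
        else:  # "change"
            ok = wd.get(section, 0) > 0
        if not ok:
            unsupported.append((section, kind))
    return unsupported


if __name__ == "__main__":
    old, new = parse_policy(V1), parse_policy(V2)
    print("treeED:", tree_edit_distance(old, new))
    print("wordED by section:", section_word_distances(old, new))
    print("unsupported changelog entries:", check_changelog(old, new, CHANGELOG))
```

Run as a script it reports a tree edit distance of 1 (section 3.1.3 added), a word edit distance of 3 for section 3.1.1 and 0 elsewhere, and flags the claimed change to 3.1.2 as unsupported. The heading regex keys on a leading section number, so a body line that happens to start with a digit would be mis-read as a heading; a real policy parser would check the number against its parent's before accepting it.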

SLIDE 27

Identity Management: Changelogs insufficient

SLIDE 28

Switch/Router Configuration: Hierarchical Diffing, Change Querying

SLIDES 29-31

The Security Policy Evolution Problem

[Figure, built up over three slides: the network picture gains a VOIP label, then a 911 label]

SLIDES 32-34

Hierarchical Policy Structure: Cisco IOS

kappa-theta version 1.3, built up line by line over the three slides:

!
vlan 820
 name VOIP_Phones_FratRow
!
interface FastEthernet0/1
 switchport voice vlan 820
 auto qos voip cisco-phone
!

[Figure: the same configuration drawn as a tree]
vlan_820: name_VOIP_Phones_FratRow
interface FastEthernet0/1: switchport_voice_vlan_820, auto_qos_voip_cisco-phone

SLIDE 35

Current Practitioner Solution: Really Awesome New Cisco Config Differ (RANCID)

diff -u kappa-theta1.3 kappa-theta1.4 @@ -107,6 +109,13 @@ switchport voice vlan 820 + switchport port-security maximum 1 vlan voice + switchport port-security mac-address beef.feed.face vlan voice auto qos voip cisco-phone
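Review bot: the two added lines configure port-security parameters on the voice VLAN (a maximum of one secure address and a static MAC of beef.feed.face) but do not enable port security; on IOS the feature is inactive on an interface until a bare `switchport port-security` line is present, and neither that line nor a `switchport port-security violation` mode appears in the visible hunk. The header `@@ -107,6 +109,13 @@` accounts for seven added lines while only two `+` lines are shown, so most of the hunk has been elided on the slide; before reading this diff as a completed hardening of the voice port, confirm that the elided lines carry the enable command. Note also that a static secure MAC restricts which phone may use the port rather than authenticating it, since a MAC address can be cloned by an attached device.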

SLIDE 36

Current Solutions Don't Leverage the Hierarchical Structure of Cisco IOS

diff -u kappa-theta1.3 kappa-theta1.4 @@ -107,6 +109,13 @@

  • RANCID: line-oriented unified diff (above)
  • Plonka et al.: LOC, file counts, stanzas
  • Sung et al.: superblocks

SLIDE 37

Our Approach: Edit Distance

Tree Edit Distance = 2

[Figure: the interface FastEthernet0/1 subtree in kappa-theta 1.3 and 1.4]
Before: interface FastEthernet0/1: switchport_voice_vlan_820, auto_qos_voip_cisco-phone
After: interface FastEthernet0/1: switchport_voice_vlan_820, auto_qos_voip_cisco-phone, switchport_port_security_max..., switchport_port_security_mac...

SLIDE 38

Initial Results

Reference          Total treeED   Hits
(all)              1542           80
/root/interface*   304
global             278
/root/vlan*        28
/root/ip*          25
/root/logging*     18
/root/bridge*      18

SLIDE 39

Hierarchical Querying

Reference                                          Total treeED   Hits
(all)                                              1542/628       80/628
/root/interface*                                   247            247
/root/interface*/switchport*                       17             17
/root/interface_FastEthernet0_8/switchport*        2              2
/root/interface_FastEthernet0_8/switchport_voice*
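The Cisco IOS tree model and hierarchical querying of slides 32-39, as an added example in Python that is not the authors' tool: it parses two constructed configuration versions, modelled on the kappa-theta 1.3 to 1.4 change, into sets of node paths, using indentation for depth and the slides' underscore convention for node names; reports the nodes added and removed (the tree edit distance being the count of both); and evaluates /root/interface*/switchport*-style queries so that the edit distance can be restricted to one part of the hierarchy, as in the per-reference rows above. The second interface, the logging host and all function names are assumptions; the MAC address is the slides' own placeholder.

```python
import fnmatch
import re
from typing import List, Set, Tuple

# Constructed sample in the style of the kappa-theta 1.3 -> 1.4 change on
# the slides. Not a real device's configuration: the MAC address is the
# slides' placeholder and the second interface and logging host are
# invented so that changes outside the voice port also show up.
CONFIG_V13 = """\
!
vlan 820
 name VOIP_Phones_FratRow
!
interface FastEthernet0/1
 switchport voice vlan 820
 auto qos voip cisco-phone
!
interface FastEthernet0/2
 switchport access vlan 10
!
logging host 10.0.0.5
!
"""

CONFIG_V14 = """\
!
vlan 820
 name VOIP_Phones_FratRow
!
interface FastEthernet0/1
 switchport voice vlan 820
 switchport port-security maximum 1 vlan voice
 switchport port-security mac-address beef.feed.face vlan voice
 auto qos voip cisco-phone
!
interface FastEthernet0/2
 switchport access vlan 10
!
logging host 10.0.0.6
!
"""


def parse_ios(text: str) -> Set[str]:
    """Turn an IOS config into the set of paths of its tree. Indentation
    gives depth, top-level commands hang off /root, and a path component
    is the command text with spaces and slashes replaced by '_' (as in
    /root/interface_FastEthernet0_8 on the slides)."""
    paths: Set[str] = set()
    stack: List[Tuple[int, str]] = []  # (indent, path) of open ancestors
    for raw in text.splitlines():
        body = raw.strip()
        if not body or body.startswith("!"):  # blank lines and comments
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while stack and stack[-1][0] >= indent:  # close deeper/equal stanzas
            stack.pop()
        parent = stack[-1][1] if stack else "/root"
        path = parent + "/" + re.sub(r"[ /]", "_", body)
        paths.add(path)
        stack.append((indent, path))
    return paths


def matches(path: str, pattern: str) -> bool:
    """True if the pattern's components glob-match the leading components
    of the path, so '/root/interface*' also selects everything configured
    under each interface stanza. '*' never crosses a '/'."""
    p_parts, q_parts = path.split("/"), pattern.split("/")
    return len(p_parts) >= len(q_parts) and all(
        fnmatch.fnmatchcase(a, b) for a, b in zip(p_parts, q_parts))


def query(paths: Set[str], pattern: str) -> List[str]:
    """All nodes selected by a hierarchical query such as
    /root/interface*/switchport*."""
    return sorted(p for p in paths if matches(p, pattern))


def hierarchical_diff(old: Set[str], new: Set[str]) -> Tuple[List[str], List[str]]:
    """(added, removed) node paths between two versions. A node's identity
    is its full path, so the tree edit distance in this model is
    len(added) + len(removed); an edited command line counts as one
    removal plus one addition."""
    return sorted(new - old), sorted(old - new)


def tree_ed_under(old: Set[str], new: Set[str], pattern: str) -> int:
    """Tree edit distance restricted to the part of the hierarchy a query
    selects, i.e. a per-reference 'treeED' value as on the slides."""
    added, removed = hierarchical_diff(old, new)
    return len(query(set(added) | set(removed), pattern))


if __name__ == "__main__":
    v13, v14 = parse_ios(CONFIG_V13), parse_ios(CONFIG_V14)
    added, removed = hierarchical_diff(v13, v14)
    print("treeED total:", len(added) + len(removed))
    for pat in ("/root/interface*", "/root/interface*/switchport*",
                "/root/interface_FastEthernet0_1/switchport_voice*",
                "/root/logging*"):
        print(f"{pat}: treeED {tree_ed_under(v13, v14, pat)}, "
              f"nodes in v1.3 {len(query(v13, pat))}")
```

Run as a script it reports a total tree edit distance of 4: the two port-security lines added under FastEthernet0/1 (so /root/interface* gives 2, matching slide 37) and the logging host change, which appears as one removal plus one addition under /root/logging*. A query as narrow as /root/interface_FastEthernet0_1/switchport_voice* returns 0 because the voice-VLAN assignment itself did not change; that is the kind of question a line-oriented diff cannot answer without re-reading the surrounding stanza.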

SLIDE 40

Switch/Router Configuration: Hierarchical Diffing, Change Querying

SLIDE 41

Outline

  • Two real-world examples: Switch/Router Configuration; Identity Management
  • Conclude

SLIDE 42

1. We can model many policies as hierarchically-structured texts.
2. Security policies must be changed and synchronized in order to maintain security.
3. We propose a unified methodology to detect and manage change.

SLIDE 43

Gabriel A. Weaver gabriel.a.weaver@dartmouth.edu

Thank You! Questions?

IGTF Data: http://pkipolicy.appspot.com/