Directed Security Policies: A Stateful Network Implementation

IEEE Trans. Netw. Serv. Manage.

Naab

Korsten

et al. 2019

Self Cite

Linux Containers, such as those managed by Docker, are an increasingly popular way to package and deploy complex applications. However, the fundamental security primitive of network access control for a distributed microservice deployment is often ignored or left to the network operations team. High-level application-specific security requirements are not appropriately enforced by low-level network access control lists. Apart from coarse-grained separation of virtual networks, Docker neither supports the application developer to specify nor the network operators to enforce fine-grained network access control between containers.In a fictional story, we follow DevOp engineer Alice through the lifecycle of a web application. From the initial design and software engineering through network operations and automation, we show the task expected of Alice and propose tool-support to help. As a full-stack DevOp, Alice is involved in high-level design decisions as well as low-level network troubleshooting. Focusing on network access control, we demonstrate shortcomings in today's policy management and sketch a tool-supported solution. We survey related academic work and show that many existing tools fail to bridge between the different levels of abstractions a full-stack engineer is operating on.Our toolset is formally verified using Isabell/HOL and is available as Open Source.

Section: B Policy Construction With Toposmentioning

confidence: 99%

“…Their core functionality can also be reused as a library in further projects. In this article, we will not present the formal background [7], [12], [14], [15], [17], instead, we demonstrate applicability from an operator's point of view; not requiring a single formula.…”

Section: Introductionmentioning

confidence: 99%

Agile Network Access Control in the Container Age

IEEE Trans. Netw. Serv. Manage.

Naab

Korsten

et al. 2019

Self Cite

“…Unfolded Synology Firewall allows non-terminating rulesets; however, the only rulesets that are interesting for analysis are the ones actually accepted by the Linux kernel. 6 Since it rejects rulesets with loops, both our algorithm and the resulting ruleset are guaranteed to terminate. Corollary 1.…”

Section: Custom Chain Unfoldingmentioning

confidence: 99%

“…The ESTABLISHED rule essentially allows packet flows in the opposite direction of all subsequent rules [6]. Unless there are special security requirements (which is not the case in any of our analyzed scenarios), the ESTABLISHED rule can be excluded when analyzing the connection setup [6, Corollary 1].…”

Section: The Relatedestablished Rulementioning

confidence: 99%

Semantics-Preserving Simplification of Real-World Firewall Rule Sets

FM 2015: Formal Methods

Hupel

Carle

2015

Self Cite

The security provided by a firewall for a computer network almost completely depends on the rules it enforces. For over a decade, it has been a well-known and unsolved problem that the quality of many firewall rule sets is insufficient. Therefore, there are many tools to analyze them. However, we found that none of the available tools could handle typical, real-world iptables rulesets. This is due to the complex chain model used by iptables, but also to the vast amount of possible match conditions that occur in real-world firewalls, many of which are not understood by academic and open source tools. In this paper, we provide algorithms to transform firewall rulesets. We reduce the execution model to a simple list model and use ternary logic to abstract over all unknown match conditions. These transformations enable existing tools to understand real-world firewall rules, which we demonstrate on four decently-sized rulesets. Using the Isabelle theorem prover, we formally show that all our algorithms preserve the firewall's filtering behavior.

“…Note that a flow with the stateful attribute might allow packets in the opposite direction of the policy rule and thus potentially violate security invariants. Defining the following two consistency criteria, the stateful attributes can be computed automatically [9]: 1) No information flow violation must occur 2) No access control side effects must be introduced To compute the stateful policy, not only a single rule but a set S is to be upgraded to stateful rules. However, the interaction of the rules and answer paths of S must not introduce negative implications.…”

Section: Constructing the Stateful Policymentioning

confidence: 99%

Demonstrating topoS: Theorem-prover-based synthesis of secure network configurations

2015 11th International Conference on Network and Service Management (CNSM)

Korsten

Carle

2015

Self Cite

Abstract-In network management, when it comes to security breaches, human error constitutes a dominant factor. We present our tool topoS which automatically synthesizes low-level network configurations from high-level security goals. The automation and a feedback loop help to prevent human errors. Except for a last serialization step, topoS is formally verified with Isabelle/HOL, which prevents implementation errors. In a case study, we demonstrate topoS by example. For the first time, the complete transition from high-level security goals to both firewall and SDN configurations is presented.