Semantics-Preserving Simplification of Real-World Firewall Rule Sets

Diekmann, Cornelius; Hupel, Lars; Carle, Georg

doi:10.1007/978-3-319-19249-9_13

Cited by 6 publications

(11 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…NetKAT [43]; VeriFlow [49]; FML [50] Firmato [38]; FLIP [3]; NetKAT [43]; Mignis [51]; Or-BAC [52]; topoS step C+D HSA [53]; Anteater [54]; Config-Checker [55] Fireman [2]; HSA [53]; Anteater [54]; ConfigChecker [55]; VeriFlow [49] Fireman [2]; ITVal [56]; fffuu Iptables Semantics [19] translates maps verifies Fig. 17.…”

Section: Box Semanticsmentioning

confidence: 99%

“…Horizontal Enhancements: Most analysis tools make simplifying assumptions about the underlying network boxes. Diekmann et al [19] present simplification of iptables firewalls. This makes complex real-world firewalls available for tools which were built with simplifying assumptions about rulesets.…”

Section: Box Semanticsmentioning

confidence: 99%

“…In contrast, tools such as model checkers, automated theorem provers (atp), or smt solvers are not sufficient for this task. Traditional model checkers are unsuitable since one cannot simply exhaust all the state space of our model (for example, our model includes an arbitrary function to model an oracle for iptables match conditions, thus also supporting match conditions which are not even developed yet [19]). In addition, atps and smt solvers usually fail or time out on the complicated arXiv:1903.00720v1 [cs.NI] 2 Mar 2019 Security Requirements (e. g., Figure 3) Security Policies (e. g., Figure 4) iptables (e. g., Figure 8) topoS Policy Construction topoS Serialize fffuu Policy Inference topoS Verification Fig.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Agile Network Access Control in the Container Age

Diekmann

Naab

Korsten

et al. 2019

IEEE Trans. Netw. Serv. Manage.

Self Cite

View full text Add to dashboard Cite

Linux Containers, such as those managed by Docker, are an increasingly popular way to package and deploy complex applications. However, the fundamental security primitive of network access control for a distributed microservice deployment is often ignored or left to the network operations team. High-level application-specific security requirements are not appropriately enforced by low-level network access control lists. Apart from coarse-grained separation of virtual networks, Docker neither supports the application developer to specify nor the network operators to enforce fine-grained network access control between containers.In a fictional story, we follow DevOp engineer Alice through the lifecycle of a web application. From the initial design and software engineering through network operations and automation, we show the task expected of Alice and propose tool-support to help. As a full-stack DevOp, Alice is involved in high-level design decisions as well as low-level network troubleshooting. Focusing on network access control, we demonstrate shortcomings in today's policy management and sketch a tool-supported solution. We survey related academic work and show that many existing tools fail to bridge between the different levels of abstractions a full-stack engineer is operating on.Our toolset is formally verified using Isabell/HOL and is available as Open Source.

show abstract

Section: Box Semanticsmentioning

confidence: 99%

Section: Box Semanticsmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Agile Network Access Control in the Container Age

Diekmann

Naab

Korsten

et al. 2019

IEEE Trans. Netw. Serv. Manage.

Self Cite

View full text Add to dashboard Cite

show abstract

“…Those express the connectivity between Network Components. The latter can be represented as raw dumps (Firewall Raw ) or in a simplified format (Firewall Rule) to ease transformation between different firewall applications as proposed in [10]. As a simplification is not free of information loss, the raw information is stored additionally.…”

Section: Description Of the Information Modelmentioning

confidence: 99%

Achieving Reproducible Network Environments with INSALATA

Herold

Wachs

Dorfhuber

et al. 2017

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Abstract. Analyzing network environments for security flaws and assessing new service and infrastructure configurations in general are dangerous and error-prone when done in operational networks. Therefore, cloning such networks into a dedicated test environment is beneficial for comprehensive testing and analysis without impacting the operational network. To automate this reproduction of a network environment in a physical or virtualized testbed, several key features are required: (a) a suitable network model to describe network environments, (b) an automated acquisition process to instantiate this model for the respective network environment, and (c) an automated setup process to deploy the instance to the testbed.With this work, we present INSALATA, an automated and extensible framework to reproduce physical or virtualized network environments in network testbeds. INSALATA employs a modular approach for data acquisition and deployment, resolves interdependencies in the setup process, and supports just-in-time reproduction of network environments. INSALATA is open source and available on Github. To highlight its applicability, we present a real world case study utilizing INSALATA.

show abstract

“…Nor are the tools themselves formally verified, which limits confidence in their results. In addition, the tools only support a limited subset of real-world firewalls [19]. If the firewall under analysis exceeds this feature set, the tools either produce erroneous results or cannot continue [19].…”

Section: Related Workmentioning

confidence: 99%