Verified iptables firewall analysis

Diekmann, Cornelius; Michaelis, Julius; Haslbeck, Max W.; Carle, Georg

doi:10.1109/ifipnetworking.2016.7497196

Cited by 25 publications

(47 citation statements)

References 8 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…That is, 1 matches only non-UDP packet headers whose source and destination IP address match 0.0.0.4/30 and 0.0.0.0/28, respectively. However, the PEC-construction schemes in Veriflow and ddNF are not designed for multi-dimensional match conditions with arbitrary ranges, sets of values, or their complements (all of which can be found in iptables rule-sets [33]).…”

Section: B Challenge: Expressivenessmentioning

confidence: 99%

“…By construction, every child c in C x is a strict subset of x, i.e., c ⊂ x. We emphasize that, for efficiency reasons, we only consider the direct children of x, so DATASET SHORT DESCRIPTION REANNZ-IP [37], [38] 1,159 distinct IP prefixes REANNZ-Full [37], [38] 1,170 OpenFlow rules Azure-DC [25] 2,942 ternary 128-bit vectors Berkeley-IP [14], [39] 584,944 distinct IP prefixes Stanford-IP [11] 197,828 distinct IP prefixes Stanford-Full [11] 2,732 ternary 128-bit vectors Diekmann [33] Thousands of 8-tuples Fig. 9: Summary of datasets all children in C x are mutually incomparable, i.e., for any child c and c ′ in C x , neither c ⊂ c ′ nor c ′ ⊂ c. To implement the propositional logic PEC-emptiness solutions, we construct the following Boolean formula: x ∧ ¬ c∈Cx c -equivalently, x ∧ ¬c 1 ∧ ¬c 2 ∧ .…”

Section: A Implementationsmentioning

confidence: 99%

“…As a result, our Stanford-IP datasets are significantly larger than the datasets used in the evaluation of HSA [11] and ddNF [28]. e) Diekmann: The Diekmann datasets contains match conditions from real-world Linux iptables rule-sets [33]. We parse the following packet header matching fields: source and destination IP prefix, source and destination port, protocol, connection state, input and output interface.…”

Section: B Datasetsmentioning

confidence: 99%

See 2 more Smart Citations

A Precise and Expressive Lattice-theoretical Framework for Efficient Network Verification

Horn

Kheradmand

Prasad

2019

2019 IEEE 27th International Conference on Network Protocols (ICNP)

View full text Add to dashboard Cite

Network verification promises to detect errors, such as black holes and forwarding loops, by logically analyzing the control or data plane. To do so efficiently, the state-of-the-art (e.g., Veriflow) partitions packet headers with identical forwarding behavior into the same packet equivalence class (PEC).Recently, Yang and Lam showed how to construct the minimal set of PECs, called atomic predicates. Their construction uses Binary Decision Diagrams (BDDs). However, BDDs have been shown to incur significant overhead per packet header bit, performing poorly when analyzing large-scale data centers. The overhead of atomic predicates prompted ddNF to devise a specialized data structure of Ternary Bit Vectors (TBV) instead.However, TBVs are strictly less expressive than BDDs. Moreover, unlike atomic predicates, ddNF's set of PECs is not minimal. We show that ddNF's non-minimality is due to empty PECs. In addition, empty PECs are shown to trigger wrong analysis results. This reveals an inherent tension between precision, expressiveness and performance in formal network verification.Our paper resolves this tension through a new latticetheoretical PEC-construction algorithm, #PEC, that advances the field as follows: (i) #PEC can encode more kinds of forwarding rules (e.g., ip-tables) than ddNF and Veriflow, (ii) #PEC verifies a wider class of errors (e.g., shadowed rules) than ddNF, and (iii) on a broad range of real-world datasets, #PEC is 10× faster than atomic predicates. By achieving precision, expressiveness and performance, this paper answers a longstanding quest that has spanned three generations of formal network analysis techniques.

show abstract

Section: B Challenge: Expressivenessmentioning

confidence: 99%

Section: A Implementationsmentioning

confidence: 99%

Section: B Datasetsmentioning

confidence: 99%

See 1 more Smart Citation

A Precise and Expressive Lattice-theoretical Framework for Efficient Network Verification

Horn

Kheradmand

Prasad

2019

2019 IEEE 27th International Conference on Network Protocols (ICNP)

View full text Add to dashboard Cite

show abstract

“…For an deeper look into operating principles and implementation of fffuu we refer to the original publication [12].…”

Section: Operationsmentioning

confidence: 99%

“…Their core functionality can also be reused as a library in further projects. In this article, we will not present the formal background [7], [12], [14], [15], [17], instead, we demonstrate applicability from an operator's point of view; not requiring a single formula.…”

Section: Introductionmentioning

confidence: 99%

Agile Network Access Control in the Container Age

Diekmann

Naab

Korsten

et al. 2019

IEEE Trans. Netw. Serv. Manage.

Self Cite

View full text Add to dashboard Cite

Linux Containers, such as those managed by Docker, are an increasingly popular way to package and deploy complex applications. However, the fundamental security primitive of network access control for a distributed microservice deployment is often ignored or left to the network operations team. High-level application-specific security requirements are not appropriately enforced by low-level network access control lists. Apart from coarse-grained separation of virtual networks, Docker neither supports the application developer to specify nor the network operators to enforce fine-grained network access control between containers.In a fictional story, we follow DevOp engineer Alice through the lifecycle of a web application. From the initial design and software engineering through network operations and automation, we show the task expected of Alice and propose tool-support to help. As a full-stack DevOp, Alice is involved in high-level design decisions as well as low-level network troubleshooting. Focusing on network access control, we demonstrate shortcomings in today's policy management and sketch a tool-supported solution. We survey related academic work and show that many existing tools fail to bridge between the different levels of abstractions a full-stack engineer is operating on.Our toolset is formally verified using Isabell/HOL and is available as Open Source.

show abstract

A Bottom-Up Approach for Extracting Network Intents

Ribeiro

Jacobs

Parizotto

et al. 2020

Advanced Information Networking and Applications

View full text Add to dashboard Cite

Intent-Based Networking (IBN) is showing significant improvements in network management, especially by reducing the complexity by using intent-level languages. However, IBN is not yet integrated and widely deployed in most of the large-scale networks. Network operators may still encounter several issues deploying new intents, such as reasoning about complex configurations to understand previously deployed rules before writing an intent to update the network state. Large-scale networks may include several devices distributed in multiple hierarchical levels of its topology; each of these devices is configured using low-level, vendor-specific languages. Thus, inferring intents from these low-level configuration files can be an arduous and time-consuming task. Current solutions that derive high-level representations from bottom-up configuration analysis can not represent configurations in an intent-level. Moreover, they fail by not aggregating essential details to enhance the representation. In this work, we present a bottom-up process to extract intents from network configurations. To validate our approach, we develop a system called SCRIBE (SeCuRity Intent-Based Extractor), which decompiles security configurations from different network devices and translates them to an intent-level language called Nile. To demonstrate the feasibility of SCRIBE, we outline two case studies and evaluate our approach with dumps of real-world firewall configurations containing rules from various servers and institutions. Results show that our solution can represent configurations in intent-level and also maintain a high accuracy representing aspects of low-level configurations.

show abstract

Verified iptables firewall analysis

Cited by 25 publications

References 8 publications

A Precise and Expressive Lattice-theoretical Framework for Efficient Network Verification

A Precise and Expressive Lattice-theoretical Framework for Efficient Network Verification

Agile Network Access Control in the Container Age

A Bottom-Up Approach for Extracting Network Intents

Contact Info

Product

Resources

About