1 verification of global access control in large scale networks david m. nicol university of...

1

Verification of Global Access Control

in Large Scale Networks

David M. NicolUniversity of Illinois at Urbana-Champaign

CNLS 2010

Collaborators : Bill Sanders, Mouna Seri, Sankalp Singh, Ryan Kagin, Hamed Okhravi

2

Problem

Process Control networks are connected in enterprise systems

- Access controlled by configuring potentially many firewalls- Subtle errors are common- Best practices recommendations exist (e.g. NIST SP 800-82)

How can one express Best Practices as Global Access Policy in machine checkable form?

How can one detect violations of Global Access Policy?

3

Global Policy

Examples from NIST SP 800-82

Outbound packets from the control network or DMZ should be allowed only if those packets have a correct source IP address that’s assigned to the control network or DMZ devices.

Traffic should be prevented from transiting directly from the control network to the corporate network, and vice versa. All traffic should terminate in the DMZ.

Any protocol allowed between the control network and DMZ should explicitly not be allowed between the DMZ and corporate networks (and vice versa).

X

May be installation specific rules, e.g., availability of services

4

Global PolicyDefine global names for sets of hosts, sets of subnets, sets of

protocols, ports, etc. Define global policy like a system-wide firewall

Traffic should be prevented from transiting directly from the control network to the corporate network, and vice versa. All traffic should terminate in the DMZ.

DMZ2

example

PCS

Src(PCS) allow Dst(DMZ2)Src(PCS) allow Dst(PCS)

Corporate

Src(Corporate) allow Dst(Corporate)Src(Corporate) allow Dst(DMZ2)

5

Global Policy Conflict Resolution

DMZ2

Example : conflict resolution

PCS

Src(PCS) deny Dst(PCS)

Src(EMS) allow Dst(data historian)

Try to resolve conflicts using Rule of Greatest Specificity– Other conflicts reported to user

conflict

Corporate

Src(Corporate) allow Dst(Corporate)Src(Corporate) allow Dst(DMZ2)

6

History

The Network Access Policy Toolset (NetAPT) developed under I3P and DOE support

– Started with focus on compliance checking– Transitioning to industry…hence best practices question

NetAPTArchitecture

7

Topology Inference

Firewall configurations contain elements of connectivity info• CIDR descriptions of sub-networks facing FW interfaces• “route” statements• VPN descriptions

NetAPT topology inference engine based on SNL “Antfarm” tool

Database-based approach that “grows” knowledge of topology out from the elemental connectivity data

126.18.36.80/25 126.18.00.80/25

8

Topology Inference

Firewall configurations contain elements of connectivity info• CIDR descriptions of subnetworks facing FW interfaces• “route” statements• VPN descriptions



126.18.00.80/25

126.18.02.80/25

126.18.36.80/25 126.18.00.80/25

9

Topology Inference




126.18.02.80/25126.18.36.80/25 126.18.00.80/25

10

Topology Inference




126.2.48.80/25 126.18.02.80/25

VPN tunnel 126.2.48.95.0

11

Topology Inference

Firewall configurations contain elements of extant host IP addresses

– “name” statements– ACL, object group, and other statements that refer

directly to a host IP address

Discovered networks populated with discovered host IDs

1212

Network Architecture Possible Network Layer Rule Graph

Proxy server

Heart of Analysis : Rule Graph

Analysis based on identifying paths through “rule graph”• Each hop in path corresponds to “policy implementation”

13

At the core : connectivity map

NetAPT discovers every path possible between every pair of subnetworks (including every pair of devices in specific network of interest)

– Graph edge labeling problem, multi-dimensional labels identify flows admitted by a firewall rule (source), and have policy applied by another firewall rule (destination)

– Each execution of local policy at a FW checked against global policy

Knowledge of all flows that can reach a critical asset extremely useful

14

NetAPT - Prototype

15

NetAPT - Prototype

16

NetAPT - Prototype

17

Validation in industrial setting

We are working closely with an electric utility– Core network analyzed : 10 firewalls (thousands of rules

each), 500 devices– VPN tunnels, hot backups– NetAPT topology discovery validated– Execution time : 30 mins topology discovery, 20 minutes

connectivity map on ordinary PC

Used in NERC-CIP compliance assessment, spring 2010

Transitioning to daily network observation / maintenance / training role

“incremental” global policy development support

18

Network analysis is limited

Network connectivity analysis considers only direct connections

Attacks typically “hop” between compromised hosts

19




20




21




22




23




24

Refine the trust base

Access control framework in hosts may mitigate attacker’s ability to hop– Separation kernel, strong host-based policies

Example : SeLinux– Extensive control over processes’ abilities to

read/write files– Extensive control over processes’ ability to

connect to network

Challenge : integrate host-based access control with network connectivity map– Find only possible pathways for potential attacks

• Assuming OS access control is uncompromised

25

SeLinux

SeLinux – three layers of protection mechanisms– Type enforcement

• Objects have types (e.g., “port”), attributes, rules declared access rights as a function of these, e.g.

allow httpd_t port_type : tcp_socket recv_msg;Means http_t can receive messages on all TCP sockets

that have attribute port_type• Type transitions may be declared

– Role-based Access Control• Roles declared for processes, access declared as a

function of role and types• Role transitions may be declared

– Users• Mapped to roles

26

SELAC

SELAC model (Zanin and Mancini,2004) provides a formalism to define accessibility sets

Loosely, for every subject, what objects does it potentially have access to (and access type), allowing for all possible transitions

We can use this to answer the question “Does a subject that can read port p ultimately also allow for a write to port q?

host

p

27

SELAC




host

p

28

SELAC




host

p

29

SELAC




host

p

30

SELAC

host

p

q




31

SELAC

host

p

q




32

Integrated Host and Network Access Control

On each SeLinux host compute accessibility sets• Establishes connectivity between ports on the

same hostCompute network connectivity map

• Establishes connectivity between ports on different hosts

Imagine a graph with two types of nodes : subject, port

Edges : subject to port (on host), port to port (from above)

• Each subject has initial accessibility set

Transitive closure of graph identifies for every subject, other subjects and objects it can reach through network

33

I’m crazy, right?

Stock SeLinux configuration “out of the box” has 250,000 rules

But (with optimizations) on-host accessibility sets were computed in approximately 5 minutes

Network connectivity time depends on depth of network graph, for this example (10 switched hosts), 2 secs.

Convolution algorithm ran in under 1 sec.

Maybe I’m not crazy after all….

But I know my combinatorics, deep complex networks lead to very large run-times….intelligent sampling….

34

Summary

NetAPT helps to address the problem of verifying that PCS systems adhere to global policy encoding best practices

Being validated by, and is in transition for use by a major electric utility

1 verification of global access control in large scale networks david m. nicol university of...

Documents

dstdmz2 slide

global policy examples

knowledge of topology

global names

corporate networks

dstpcs corporate srccorporate

hamed okhravi slide

dmz devices