Post on 13-Dec-2015
LANCOM: LAnguage for Network COnfiguration and Management
Chitra S Agastya (csa2111@columbia.edu)
Nipun Arora (na2271@columbia.edu)
Sambuddho Chakravarty (sc2516@columbia.edu)
Milind Nimesh (mn2353@columbia.edu)
Ashish Singh Tomar (ast2124@columbia.edu)
Meet the System Administrator
Implements security / access policies on a variety of routers and firewalls
Is proficient in esoteric configuration languages
Configures complex security strategies using low-level firewall rules
The End Result…
Affects the scalability of the network
No reusability of code
Conflicts arise from the use of different router configuration languages in the same network
“Misconfigurations are source of most network vulnerabilities”
The Business Angle…
“Security managers need a single place to look for the corporate policies on who gets in and who doesn’t”
-Forrester report
The Solution: LANCOM
An out-of-the-box solution for configuring the routers in a network, even when they are manufactured by different vendors
Device Independent Configuration Language
Domain Specific
User Focus: Network Administrator
Translator Architecture of LANCOM (figure): the input source program passes through the LANCOM compiler, whose lexer, parser and syntax-directed translation stage (backed by a symbol table, command classes and configuration actions) produce an output configuration file containing routing/firewalling commands for Linux or for FreeBSD.
Program Structure
prog
Declarative Statements
Assignment Statements
Configuration Statements
endprog
policy_type_t pol;
pol = inbound deny tcp dst 1.1.1.1 netmask 255.255.255.0 8088;
apply policy pol;
Separation of Network Topology and Security Policy Description
prog
ipaddr_t ip1,ip2;
ip1=1.1.1.1;
ip2=4.4.4.4;
policy_type_t p1;
p1=inbound deny tcp src 2.2.2.2 netmask 255.255.255.0 all;
role_type_t r1;
r1=role { p1, outbound deny dst ip2 netmask 255.255.255.255 all};
host_type_t h1;
h1=ip_addr 6.6.6.6 netmask 255.255.255.0;
host_group_type_t hg1;
hg1=host_group {h1, ip_addr 5.5.5.5 netmask 255.255.255.0};
topology_type_t t1;
t1=hg1 r1;
apply topology t1;
endprog
Language building blocks (figure): POLICY, ROLE, HOST, HOST GROUP, TOPOLOGY
Test-Bed to Test Basic Firewall Policy Description Using LANCOM
Test-bed (figure): a FreeBSD (IPFW) router and a Linux (IPTABLES) router, each in front of a webserver
Test-Bed Designed and Implemented on DETERlab
Device Independent Configuration
prog
policy_type_t p;
p=inbound deny tcp dst 10.3.0.6 netmask 255.255.255.0 8088;
apply policy p;
endprog
Linux (iptables)
/sbin/iptables -I FORWARD -p tcp -d 10.3.0.6/255.255.255.0 -s 0.0.0.0/0.0.0.0 --destination-port 8088 -j DROP
FreeBSD(ipfw)
/sbin/ipfw add deny tcp from 0.0.0.0:0.0.0.0 to 10.3.0.6:255.255.255.0 8088
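The following is an added worked example, not code from the LANCOM project: a small Python translator for the program structure shown earlier (prog / declarations / assignments / apply policy / endprog) and the single-policy form of the device-independent configuration slide. It assumes a grammar reconstructed from the slides (direction, action, protocol, optional src/dst with netmask, then a port or "all"); the keywords permit, udp and ip, the OUTPUT chain for outbound rules and the ipfw "out" keyword are assumptions not shown on the page. Every address, mask and port token is validated before it is placed in a command string, so a malformed policy statement is rejected rather than passed to the firewall.

```python
"""Added example: translate a LANCOM-style policy program to iptables or ipfw commands."""
import ipaddress
from dataclasses import dataclass

# Keyword tables (assumed; the slides only show inbound/outbound, deny and tcp).
DIRECTIONS = {"inbound", "outbound"}
ACTIONS = {"deny": ("DROP", "deny"), "permit": ("ACCEPT", "allow")}   # (iptables target, ipfw action)
PROTOS = {"tcp": ("tcp", "tcp"), "udp": ("udp", "udp"), "ip": ("all", "ip")}  # (iptables -p, ipfw proto)
ANY = ("0.0.0.0", "0.0.0.0")   # "any host" endpoint, written as address:mask like the slide output


@dataclass
class Policy:
    direction: str
    action: str
    proto: str
    src: tuple = ANY
    dst: tuple = ANY
    port: str = "all"


def _endpoint(addr, mask):
    """Accept only a literal IPv4 address and a well-formed netmask (both raise ValueError otherwise)."""
    ipaddress.IPv4Address(addr)
    ipaddress.IPv4Network(f"0.0.0.0/{mask}")
    return (addr, mask)


def parse_policy(text):
    """Parse 'direction action proto [src A netmask M] [dst A netmask M] (port|all)'."""
    toks = text.strip().rstrip(";").split()
    if len(toks) < 4 or toks[0] not in DIRECTIONS or toks[1] not in ACTIONS or toks[2] not in PROTOS:
        raise ValueError(f"bad policy header: {text!r}")
    pol = Policy(toks[0], toks[1], toks[2])
    i = 3
    while i + 3 < len(toks) and toks[i] in ("src", "dst"):
        if toks[i + 2] != "netmask":
            raise ValueError("expected 'netmask' after the address")
        setattr(pol, toks[i], _endpoint(toks[i + 1], toks[i + 3]))
        i += 4
    if i != len(toks) - 1:
        raise ValueError(f"unexpected tokens in policy: {text!r}")
    port = toks[i]
    if port != "all" and (pol.proto not in ("tcp", "udp") or not 0 < int(port) < 65536):
        raise ValueError(f"bad port {port!r} for protocol {pol.proto!r}")
    pol.port = port
    return pol


def to_iptables(p):
    """Linux back end; reproduces the FORWARD-chain rule shown on the slide for an inbound policy."""
    chain = "FORWARD" if p.direction == "inbound" else "OUTPUT"   # OUTPUT for outbound is an assumption
    argv = ["/sbin/iptables", "-I", chain, "-p", PROTOS[p.proto][0],
            "-d", f"{p.dst[0]}/{p.dst[1]}", "-s", f"{p.src[0]}/{p.src[1]}"]
    if p.port != "all":
        argv += ["--destination-port", p.port]
    argv += ["-j", ACTIONS[p.action][0]]
    return " ".join(argv)


def to_ipfw(p):
    """FreeBSD back end; reproduces the ipfw rule shown on the slide for an inbound policy."""
    argv = ["/sbin/ipfw", "add", ACTIONS[p.action][1], PROTOS[p.proto][1],
            "from", f"{p.src[0]}:{p.src[1]}", "to", f"{p.dst[0]}:{p.dst[1]}"]
    if p.port != "all":
        argv.append(p.port)
    if p.direction == "outbound":
        argv.append("out")   # ipfw direction keyword (assumed mapping; the slide omits it for inbound)
    return " ".join(argv)


def compile_program(src, target):
    """Translate a prog ... endprog unit with policy declarations, assignments and apply statements."""
    emit = {"linux": to_iptables, "freebsd": to_ipfw}[target]
    lines = [ln.strip() for ln in src.strip().splitlines() if ln.strip()]
    if lines[0] != "prog" or lines[-1] != "endprog":
        raise ValueError("program must be enclosed in prog ... endprog")
    declared, policies, out = set(), {}, []
    for stmt in lines[1:-1]:
        stmt = stmt.rstrip(";")
        if stmt.startswith("policy_type_t "):                     # declarative statement
            declared.update(n.strip() for n in stmt[len("policy_type_t "):].split(","))
        elif stmt.startswith("apply policy "):                    # configuration statement
            name = stmt[len("apply policy "):].strip()
            if name not in policies:
                raise ValueError(f"apply of unassigned policy {name!r}")
            out.append(emit(policies[name]))
        elif "=" in stmt:                                         # assignment statement
            name, rhs = (s.strip() for s in stmt.split("=", 1))
            if name not in declared:
                raise ValueError(f"assignment to undeclared policy {name!r}")
            policies[name] = parse_policy(rhs)
        else:
            raise ValueError(f"unsupported statement: {stmt!r}")
    return out


# The program from the device-independent configuration slide, embedded as sample input.
SLIDE_PROGRAM = """
prog
policy_type_t p;
p=inbound deny tcp dst 10.3.0.6 netmask 255.255.255.0 8088;
apply policy p;
endprog
"""

if __name__ == "__main__":
    for target in ("linux", "freebsd"):
        print(target, "->", *compile_program(SLIDE_PROGRAM, target))
```

Running the block prints the same two commands the slide shows for Linux and FreeBSD. Because the back ends build an argument list from validated tokens instead of interpolating raw statement text, a policy such as `dst 10.3.0.999` or a non-numeric port is rejected at translation time, which is where a device-independent layer should catch configuration errors rather than letting each router report them differently.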
What we learned
AntlrWorks – an easy-to-use GUI for writing your own language
Networking Concepts
Team Work
Not all team members were conversant with networking