design and implementation of a flow-level network security system
TRANSCRIPT
Network Policy Examples
“Every wireless guest user must send HTTP requests through an HTTP proxy.”
“No phone can communicate with any private computer.”
“Superusers have no communication restrictions.”
“Laptops cannot receive incoming connections.”
Traditional Network Management
Today networks are managed by low-level configuration of independent components, e.g. firewalls, proxies, routers. Management is dependent on the underlying network.
Examples
– Block user access by adding an ACL entry. Requires knowing the user's IP address.
– Force guests' port 80 traffic through a proxy. Requires knowing the network topology and the location of each guest.
Management by Component Configuration
Benefits
• Efficiency of operation.
• Administrative fiefdoms enjoy autonomy.
Drawbacks
• Inefficiencies of maintenance.
• Inconsistencies are likely.
Network Operating Systems
Provide a programmatic interface to observe and control the entire network.
Applications perform the actual management by making system calls.
Two paradigm shifts
– Logical Centralization: Applications are written as if the network were present on a single machine.
– Abstraction: Applications are written in terms of abstract entities, e.g. users and hosts.
Example
(Figure: host 10.0.0.1 sends port 80 traffic; the switch holds a flow table entry that forwards it to the proxy at 10.0.0.25.)
Src IP     Port   Forward
10.0.0.1   80     10.0.0.25
Application:
if (packet p originated from guest user && port is 80)
then m := findproxy(); forward p to m on port 80
Management by Network Operating System
Potential Benefits
• Efficiency of maintenance.
• Inconsistencies are less likely.
Potential Drawbacks
• Inefficiencies of operation.
• Loss of autonomy.
Network Security
An authorization policy is implemented as an application in a network operating system.
The same is true for an authentication policy.
Focus for today: a language for expressing authorization policies over networks.
NOX: A Network Operating System
Natasha Gude (Nicira Networks), Teemu Koponen (HIIT), Justin Pettit (Nicira Networks), Ben Pfaff (Nicira Networks), Martín Casado (Nicira Networks), Nick McKeown (Stanford University), Scott Shenker (UC Berkeley)
NOX Architecture
(Figure: the NOX Controller maintains a Network View on which App 1, App 2 and App 3 run; OpenFlow switches, including a wireless OF switch, connect off-the-shelf hosts such as PCs to the controller.)
Switch Abstraction
OpenFlow switch abstraction is a flow table.
Each flow table entry takes the form <header : counters, actions>.
Switch executes the actions corresponding to the highest-priority matching header in table.
Operation
Switch
1. Packet p reaches the switch.
2. If p matches a flow entry, then apply the corresponding actions; else forward p to the controller.
Controller
• Packet p reaches the controller.
• Update the view of network state.
• Decide the route for the packet and inform the relevant switches of that route.
Application I/O
Observation granularity:
– Switch-level topology
– Locations of users, hosts, middleboxes
– Services offered, e.g. HTTP or NFS
– Bindings between names and addresses
– NOT the entire packet/flow state
Control granularity: flows. Decisions about one packet are applied to all subsequent packets in the flow.
Programmatic Interface: Events
NOX exposes network events to applications
– Switch join
– Switch leave
– User authenticated
– Flow initiated
– …
Applications consist of code fragments that respond to these events.
Example: Access Control
    function handle_flow_initialize(packet)
        usersrc = nox.resolve_user_src(packet)
        hostsrc = nox.resolve_host_src(packet)
        usertgt = nox.resolve_user_tgt(packet)
        hosttgt = nox.resolve_host_tgt(packet)
        prot    = nox.resolve_ap_prot(packet)
        if deny(usersrc, hostsrc, usertgt, hosttgt, prot)
        then nox.drop(packet)
        else nox.installpath(packet, nox.computepath(packet))

    function deny(usersrc, hostsrc, usertgt, hosttgt, prot) …
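The switch/controller split and the access-control handler above, as an added example (my code, not NOX's): a toy OpenFlow-style switch with a flow table of <header : counters, actions> entries, and a controller that resolves the first packet of a flow to abstract entities, evaluates the phone/private deny() policy from the earlier slide, and installs a drop or forwarding entry so the rest of the flow never reaches the controller. The Packet/FlowEntry/Switch/Controller classes, the view dictionaries, the host names and the addresses are all constructed for the example and are not NOX's API.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass
class FlowEntry:
    priority: int
    match: dict        # header fields a packet must equal, e.g. {"src_ip": "10.0.0.1"}
    actions: list      # e.g. ["forward:sw2/7"] or ["drop"]
    packets: int = 0   # the "counters" part of <header : counters, actions>


class Switch:
    """Flow-table switch: run the highest-priority matching entry, else punt to the controller."""
    def __init__(self, name, controller):
        self.name, self.controller, self.table = name, controller, []

    def install(self, entry):
        self.table.append(entry)
        self.table.sort(key=lambda e: -e.priority)    # stable sort: earlier entries win ties

    def receive(self, pkt):
        for e in self.table:
            if all(getattr(pkt, k) == v for k, v in e.match.items()):
                e.packets += 1
                return e.actions
        return self.controller.packet_in(self, pkt)


class Controller:
    """Holds the network view and the policy; sees only the first packet of each flow."""
    def __init__(self, view):
        self.view = view          # constructed bindings, see demo()
        self.packet_ins = 0

    # Name resolution over the view (stands in for the nox.resolve_* calls in the slide).
    def host(self, ip):       return self.view["host_of_ip"][ip]
    def user(self, host):     return self.view["user_of_host"].get(host)
    def is_phone(self, h):    return self.view["host_class"][h] == "phone"
    def is_private(self, h):  return self.view["host_class"][h] in ("laptop", "desktop")

    def deny(self, usersrc, hostsrc, usertgt, hosttgt, prot):
        # Policy: "No phone can communicate with any private computer."
        return ((self.is_phone(hostsrc) and self.is_private(hosttgt)) or
                (self.is_private(hostsrc) and self.is_phone(hosttgt)))

    def compute_path(self, hosttgt):
        sw, port = self.view["location"][hosttgt]
        return [f"forward:{sw}/{port}"]

    def packet_in(self, switch, pkt):
        self.packet_ins += 1
        hostsrc, hosttgt = self.host(pkt.src_ip), self.host(pkt.dst_ip)
        prot = {80: "http", 22: "ssh"}.get(pkt.dst_port, "other")
        if self.deny(self.user(hostsrc), hostsrc, self.user(hosttgt), hosttgt, prot):
            actions = ["drop"]
        else:
            actions = self.compute_path(hosttgt)
        # Flow-level control: one decision is cached in the switch for the rest of the flow.
        match = {"src_ip": pkt.src_ip, "dst_ip": pkt.dst_ip, "dst_port": pkt.dst_port}
        switch.install(FlowEntry(priority=10, match=match, actions=actions))
        return actions


def demo():
    view = {   # constructed sample bindings
        "host_of_ip":   {"10.0.0.1": "bobs-phone", "10.0.0.2": "alices-laptop", "10.0.0.25": "proxy"},
        "user_of_host": {"bobs-phone": "bob", "alices-laptop": "alice"},
        "host_class":   {"bobs-phone": "phone", "alices-laptop": "laptop", "proxy": "server"},
        "location":     {"bobs-phone": ("sw1", 1), "alices-laptop": ("sw1", 2), "proxy": ("sw2", 7)},
    }
    ctl = Controller(view)
    sw1 = Switch("sw1", ctl)
    phone_to_laptop = Packet("10.0.0.1", "10.0.0.2", 22)
    phone_to_proxy = Packet("10.0.0.1", "10.0.0.25", 80)
    actions = [sw1.receive(phone_to_laptop),   # miss -> controller -> drop entry installed
               sw1.receive(phone_to_laptop),   # hit in the switch, controller not consulted
               sw1.receive(phone_to_proxy)]    # new flow -> controller -> forwarding entry
    return actions, ctl.packet_ins, [e.packets for e in sw1.table]


if __name__ == "__main__":
    print(demo())
```

The point to notice is the counter: three packets arrive but the controller is consulted twice, once per flow, which is why the scalability slide can afford a controller that sees flow initiations rather than every packet.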
Scalability
Events (per second)
– Packet arrivals (10^6): handled by switches
– Flow initiations (10^5): handled by controller
– View changes (10): handled by controller
Controller
– Can be replicated.
– Only global data structure: view.
– One controller currently handles 10^5 flow initiations per second.
Related Work
4D project (2005): provide global view of network via centralized controller.
SANE/Ethane (2007): extends 4D by adding users/nodes to the namespace and captures flow initiation.
NOX (2008): extends SANE/Ethane
– Scaling for large networks.
– General programmatic control of network.
Maestro (2008): “network OS” focused on controlling interactions between applications.
Industry: deep-packet inspection, firewalls, etc. are appliances that can be leveraged by NOX. Also, functionality similar to Ethane.
For citations, see [Gude2008].
FSL:A Flow-based Security Language
Tim Hinrichs (University of Chicago), Natasha Gude (Nicira Networks), Martín Casado (Nicira Networks), John Mitchell (Stanford University), Scott Shenker (UC Berkeley)
FSL
FSL: Flow-based Security Language [Hinrichs2009]. Balances the desires to make expressing policies natural and implementing policies efficient.
A flow is described by seven attributes:
• User source
• Host source
• Access point source
• User target
• Host target
• Access point target
• Protocol
Features
• Distributed policy authorship
• External references
• Conflicts, conflict detection, conflict resolution
• Incremental policy authorship via priorities
• Analyzability
• High performance: 10^4 queries/second
Layered language (figure): Prioritization on top of Conflict Resolution, on top of Keywords, on top of Logic and Data.
Datalog with Attachments
Syntax
h :- b1, …, bn, c1, …, cm
• h must exist.
• Every variable in the body must appear in h.
• No external reference occurs in h.
• Nonrecursive sentence sets.
Semantics
– Statement order is irrelevant.
– Every sentence set is satisfied by exactly one model.
Keyword: allow
“Superusers have no communication restrictions.”
allow(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) :- superuser(Usrc)
superuser(bob)
superuser(alice)
Keyword: deny
“No phone can communicate with any private computer.”
deny(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) :- phone(Hsrc), private(Htgt)
deny(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) :- private(Hsrc), phone(Htgt)
private(X) :- laptop(X)
private(X) :- desktop(X)
Keyword: visit
“Every wireless guest user must send HTTP requests through a proxy.”
visit(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot,httpproxy) :- guest(Usrc), wireless(Asrc), Prot=http
Current Keyword List
• allow: allow the flow
• deny: deny the flow
• visit: force the flow to pass through an intermediary
• avoid: forbid the flow from passing through an intermediary
• ratelimit: limit on Mb/second
Negation
“Every user except a guest can ssh into any server.”
allow(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,ssh) :- not guest(Usrc), server(Htgt)
Traditional Security Mechanisms
NAT: disable incoming connections for laptops
deny(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) :- laptop(Htgt)
VLAN: isolate machines a, b, c
vlan(a)
vlan(b)
vlan(c)
deny(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) :- vlan(Hsrc), not vlan(Htgt)
deny(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) :- not vlan(Hsrc), vlan(Htgt)
Conflicts
Conflicts are vital in collaborative settings because they allow administrators to express their true intentions.
Authorization systems cannot enforce conflicting security policies.
(Figure: conflict matrix with rows and columns deny, avoid, visit, allow, ratelimit, marking which pairs of keywords can conflict.)
Conflict Resolution
• No conflicts: conflicts are errors.
• Most restrictive: choose instructions that give users the least rights.
• Most permissive: choose policy instructions that give users the most rights.
• Cancellation: a flow with conflicting constraints has no constraints.
Conflict Resolution as a Tool
Fixing the conflict resolution mechanism allows certain policies to be expressed very simply.
Example (Open Policy): allow everything not explicitly denied.
allow(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot)
deny(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) :- phone(Hsrc), private(Htgt)
deny(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) :- private(Hsrc), phone(Htgt)
Under most-restrictive resolution the unconditional allow yields only where an explicit deny also applies.
Incremental Policy Authoring
To tighten an FSL policy, one needs only to add statements to it.
The conflict resolution strategy ensures that the most restrictive constraints are used.
To relax an FSL policy, it is therefore insufficient to simply add statements.
Prioritized Policies
Borrow a mechanism from Cascading Style Sheets (CSS).
To relax security incrementally, FSL allows one policy to be overridden by another policy.
P1 < P2
A request constrained by P2 is only constrained by P2.
Example
P1 (base policy):
allow(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) :- superuser(Usrc)
superuser(bob)
superuser(alice)
deny(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) :- phone(Hsrc), private(Htgt)
deny(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) :- private(Hsrc), phone(Htgt)
private(X) :- laptop(X)
private(X) :- desktop(X)
visit(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot,httpproxy) :- guest(Usrc), wireless(Asrc), Prot=http
allow(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,ssh) :- not guest(Usrc), server(Htgt)
P2 (P1 < P2, so a request constrained by P2 is constrained only by P2):
allow(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) :- Usrc=ceo
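An added example (my code, not the FSL implementation from the paper) that makes the keywords, the four conflict-resolution schemes and the P1 < P2 cascade concrete: each rule body is compiled to a Python test over the seven flow attributes, external references such as superuser and phone are plain functions over constructed sample data, and evaluate_cascade() applies the highest-priority policy that constrains a flow, falling back to the lower one otherwise. Rule, flow(), constraints(), conflicts(), resolve(), evaluate_cascade() and all user, host and access point names are assumptions; the guest ssh rule is read with its negation, as the English statement requires.

```python
from dataclasses import dataclass
from typing import Callable, Optional

FLOW_ATTRS = ("Usrc", "Hsrc", "Asrc", "Utgt", "Htgt", "Atgt", "Prot")

# External references ("attachments"), backed by constructed sample data.
SUPERUSERS, GUESTS = {"bob", "alice"}, {"visitor"}
PHONES, LAPTOPS, DESKTOPS, SERVERS = {"bobs-phone"}, {"carol-laptop"}, {"dev-desktop"}, {"fileserver"}
WIRELESS_APS = {"ap-lobby"}

def superuser(u): return u in SUPERUSERS
def guest(u):     return u in GUESTS
def phone(h):     return h in PHONES
def laptop(h):    return h in LAPTOPS
def desktop(h):   return h in DESKTOPS
def server(h):    return h in SERVERS
def wireless(a):  return a in WIRELESS_APS
def private(h):   return laptop(h) or desktop(h)   # private(X) :- laptop(X).  private(X) :- desktop(X).


@dataclass(frozen=True)
class Rule:
    keyword: str                       # allow | deny | visit | avoid | ratelimit
    body: Callable[[dict], bool]       # rule body compiled to a test over the flow attributes
    arg: Optional[object] = None       # intermediary for visit/avoid, Mb/s for ratelimit


def flow(Usrc, Hsrc, Asrc, Utgt, Htgt, Atgt, Prot):
    return dict(zip(FLOW_ATTRS, (Usrc, Hsrc, Asrc, Utgt, Htgt, Atgt, Prot)))


def constraints(policy, f):
    """The instructions whose bodies hold for flow f; statement order is irrelevant."""
    return {(r.keyword, r.arg) for r in policy if r.body(f)}


def conflicts(cs):
    found = ["allow/deny"] if ("allow", None) in cs and ("deny", None) in cs else []
    found += [f"visit/avoid {a}" for k, a in cs if k == "visit" and ("avoid", a) in cs]
    return found


def resolve(cs, strategy="restrictive"):
    """Turn a constraint set into one decision under the named conflict-resolution scheme."""
    if not cs:
        return {"decision": "unconstrained"}
    cf = conflicts(cs)
    if cf and strategy == "none":
        raise ValueError(f"policy conflict: {cf}")
    if cf and strategy == "cancel":                 # a conflicting flow has no constraints
        return {"decision": "unconstrained"}
    if ("deny", None) in cs and not (cf and strategy == "permissive"):
        return {"decision": "deny"}
    if strategy == "restrictive" and any(c.startswith("visit/avoid") for c in cf):
        return {"decision": "deny"}                 # cannot both visit and avoid the same box
    rates = [a for k, a in cs if k == "ratelimit"]
    return {"decision": "allow",
            "visit": {a for k, a in cs if k == "visit"},
            "avoid": {a for k, a in cs if k == "avoid"},
            "ratelimit": min(rates) if rates else None}


def evaluate_cascade(cascade, f, strategy="restrictive"):
    """cascade = [P1, P2, ...] with P1 < P2 < ...: a flow constrained by a
    higher-priority policy is constrained only by that policy."""
    for policy in reversed(cascade):
        cs = constraints(policy, f)
        if cs:
            return resolve(cs, strategy)
    return {"decision": "unconstrained"}


# P1: the combined example policy from the slides.
P1 = [
    Rule("allow", lambda f: superuser(f["Usrc"])),
    Rule("deny",  lambda f: phone(f["Hsrc"]) and private(f["Htgt"])),
    Rule("deny",  lambda f: private(f["Hsrc"]) and phone(f["Htgt"])),
    Rule("visit", lambda f: guest(f["Usrc"]) and wireless(f["Asrc"]) and f["Prot"] == "http",
         arg="httpproxy"),
    Rule("allow", lambda f: not guest(f["Usrc"]) and server(f["Htgt"]) and f["Prot"] == "ssh"),
]
# P2: the relaxation for the CEO, with P1 < P2.
P2 = [Rule("allow", lambda f: f["Usrc"] == "ceo")]

if __name__ == "__main__":
    ceo_phone = flow("ceo", "bobs-phone", "ap-1", "carol", "carol-laptop", "ap-2", "ssh")
    print(evaluate_cascade([P1], ceo_phone), evaluate_cascade([P1, P2], ceo_phone))
```

Two behaviours are worth checking by hand: a superuser on a phone talking to a laptop triggers both allow and deny, and only the resolution scheme decides the outcome; and the CEO rule in P2 relaxes P1 only because the cascade consults P2 first, which is exactly what adding the same rule to P1 could not achieve under most-restrictive resolution.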
Cascaded Policy Combination
(Figure: the combined policy is built from n cascades, Policy1,1 < Policy1,2 < … < Policy1,m1 through Policyn,1 < Policyn,2 < … < Policyn,mn.)
1. Flatten cascades: each cascade becomes one flat policy, Policy1 … Policyn.
2. Combine results: the flat policies are combined into the Combined Policy.
Analysis Algorithms
Flattened Cascade: a policy cascade expressed as a flat policy.
Group Normal Form: every rule body consists only of external references (and =).
Conflict Conditions: conditions on external references under which there will be a conflict.
Conflict-free Normal Form: equivalent policy (under conflict resolution) without conflicts.
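An added example (my code, not the paper's analysis implementation) of two of the analysis steps above on a symbolic representation of rules: group_normal_form() inlines the locally defined private predicate until a body contains only external references and =, and conflict_conditions() returns the satisfiable conjunctions of an allow body with a deny body, which are the conditions on external references under which the policy conflicts. The representation (lit tuples, LOCAL, POLICY) is mine; the policy is the phone/private/superuser/guest-ssh policy from the slides, plus one constructed deny rule so that an unsatisfiable candidate condition is visibly discarded.

```python
from itertools import product


# A literal is (negated, predicate, argument).  For "=" the argument is a
# (Variable, constant) pair, so Prot=http is (False, "=", ("Prot", "http")).
def lit(pred, arg, neg=False):
    return (neg, pred, arg)


# Locally defined (non-external) predicates: name -> alternative bodies over parameter X.
LOCAL = {
    "private": [[lit("laptop", "X")], [lit("desktop", "X")]],   # private(X) :- laptop(X). private(X) :- desktop(X).
}


def substitute(body, param, actual):
    return [(n, p, actual if a == param else a) for n, p, a in body]


def group_normal_form(body):
    """Inline local predicates until the body mentions only external references and =.
    Returns a list of conjunctions, i.e. a disjunction of alternatives."""
    for i, (neg, pred, arg) in enumerate(body):
        if pred in LOCAL:
            if neg:   # the slides' policy never negates a local predicate
                raise ValueError("negated local predicate not handled in this example")
            out = []
            for alt in LOCAL[pred]:
                expanded = body[:i] + substitute(alt, "X", arg) + body[i + 1:]
                out.extend(group_normal_form(expanded))   # terminates: sentence sets are nonrecursive
            return out
    return [list(body)]


def satisfiable(conj):
    """Reject a conjunction containing p and not p, or two different values for one variable."""
    lits = set(conj)
    for neg, pred, arg in lits:
        if (not neg, pred, arg) in lits:
            return False
    bound = {}
    for neg, pred, arg in lits:
        if pred == "=" and not neg:
            var, const = arg
            if bound.setdefault(var, const) != const:
                return False
    return True


def conflict_conditions(policy):
    """Conditions on external references under which an allow and a deny both fire."""
    allows = [c for kw, body in policy if kw == "allow" for c in group_normal_form(body)]
    denies = [c for kw, body in policy if kw == "deny" for c in group_normal_form(body)]
    conds = []
    for a, d in product(allows, denies):
        both = a + [l for l in d if l not in a]
        if satisfiable(both):
            conds.append(both)
    return conds


def show(conj):
    """Render a conjunction in Datalog-body style."""
    parts = []
    for neg, pred, arg in conj:
        s = f"{arg[0]}={arg[1]}" if pred == "=" else f"{pred}({arg})"
        parts.append(("not " if neg else "") + s)
    return ", ".join(parts)


POLICY = [
    ("allow", [lit("superuser", "Usrc")]),
    ("deny",  [lit("phone", "Hsrc"), lit("private", "Htgt")]),
    ("deny",  [lit("private", "Hsrc"), lit("phone", "Htgt")]),
    ("allow", [lit("guest", "Usrc", neg=True), lit("server", "Htgt"), lit("=", ("Prot", "ssh"))]),
    ("deny",  [lit("guest", "Usrc"), lit("=", ("Prot", "ssh"))]),   # constructed, not from the slides
]

if __name__ == "__main__":
    for cond in conflict_conditions(POLICY):
        print(show(cond))
```

The output lists nine conditions; the tenth candidate, pairing the guest-ssh allow with the constructed guest-ssh deny, contains both guest(Usrc) and not guest(Usrc) and is dropped. Each surviving condition is a query over external references only, which is what lets an administrator check whether any real user, host or protocol can satisfy it.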
Performance Example
“No phone can communicate with any private computer.”
deny(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) :- phone(Hsrc), private(Htgt)
deny(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) :- private(Hsrc), phone(Htgt)
private(X) :- laptop(X)
private(X) :- desktop(X)
Performance Example Compiled
    bool deny(Usrc, Hsrc, Asrc, Utgt, Htgt, Atgt, Prot) {
        return (phone(Hsrc) && private(Htgt)) || (private(Hsrc) && phone(Htgt));
    }

    bool private(X) {
        return laptop(X) || desktop(X);
    }
Assume the existence of functions for phone, laptop, desktop.
FSL Complexity
Query processing is PSPACE-complete in the size of the policy.
If the number of arguments is bounded by a constant, query processing takes polynomial time in the size of the policy.
If the tallest possible call stack is 1 (ignoring external references), then query processing takes linear time in the size of the policy.
Implementation Tests
Rules         Flows/s    Mem (MB)   Rule Matches
0 rules       103,699    0          0
100 rules     100,942    1          2
500 rules     85,373     1          4
1,000 rules   76,336     2          10
5,000 rules   54,416     9          30
10,000 rules  46,956     38         52
Deployment Experiences
• On a small internal network (about 50 hosts), NOX has been in use for over a year, and FSL has been in use for 10 months.
• We are preparing for two larger deployments (of hundreds and thousands of hosts).
• So far, policies are expressed over just a few classes of objects. Thus, we expect policies to grow slowly with the number of principals.
Ongoing Work
Currently, each flow initiation requires contacting a central controller.
The route for that flow is cached at the router.
Working to generalize this caching scheme so that each trip to the central controller caches more than just the route for one flow.
Related Work Comparison
Limitations
• Not using FOL, modal logic, linear logic
• No existential variables
• No recursion
• Fixed conflict resolution scheme
• No delegation
• No history/future-dependent policies
• Centralized enforcement
• Limited metalevel operations
Novel language features
• Access control decisions are constraints.
• Conflict resolution produces a constraint set.
For citations, see [Hinrichs2009].
References
[Gude2008] N. Gude et al. NOX: Towards an Operating System for Networks. ACM SIGCOMM Computer Communication Review, 2008.
[Hinrichs2009] T. Hinrichs et al. Design and Implementation of a Flow-based Security Language. Under review. Available upon request.
Questions
NOX Security Issues
• Switch communication with Controller. Preconfigure switches with Controller credentials.
• Hosts, users must authenticate.
• Spoofing Ethernet addresses. Options: (1) Physically connect one switch port to one host. (2) Use link-level encryption.
Examples Combined
allow(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) :- superuser(Usrc)
superuser(bob)
superuser(alice)
deny(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) :- phone(Hsrc), private(Htgt)
deny(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) :- private(Hsrc), phone(Htgt)
private(X) :- laptop(X)
private(X) :- desktop(X)
visit(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot,httpproxy) :- guest(Usrc), wireless(Asrc), Prot=http
allow(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,ssh) :- not guest(Usrc), server(Htgt)
Statement order is irrelevant.