design and implementation of a flow-level network security system


Towards a Flow-level Network Security System

Tim Hinrichs, University of Chicago

Local Area Networks

Network Policy Examples

“Every wireless guest user must send HTTP requests through an HTTP proxy.”

“No phone can communicate with any private computer.”

“Superusers have no communication restrictions.”

“Laptops cannot receive incoming connections.”

Traditional Network Management

Today networks are managed by low-level configuration of independent components, e.g. firewalls, proxies, routers. This management is dependent on the underlying network.

Examples
  – Block user access by adding an ACL entry. Requires knowing the user's IP address.
  – Force guests' port 80 traffic through a proxy. Requires knowing the network topology and the location of each guest.

Example

Hosts 10.0.0.1 and 10.0.0.25; the forwarding entry installed on the switch:

  Src IP     Port   Forward
  10.0.0.1   80     10.0.0.25

Management by Component Configuration

Benefits

• Efficiency of operation.

• Administrative fiefdoms enjoy autonomy.

Drawbacks

• Inefficiencies of maintenance.

• Inconsistencies are likely.

Network Operating Systems

Provide a programmatic interface to observe and control the entire network.

Applications perform the actual management by making system calls.

Two paradigm shifts
  – Logical Centralization: Applications are written as if the network were present on a single machine.
  – Abstraction: Applications are written in terms of abstract entities, e.g. users and hosts.

Example

Hosts 10.0.0.1 and 10.0.0.25; the same forwarding entry, now produced by an application:

  Src IP     Port   Forward
  10.0.0.1   80     10.0.0.25

Application:
  if (packet p originated from guest user && port is 80)
  then m := findproxy(); forward p to m on port 80

Management by Network Operating System

Potential Benefits

• Efficiency of maintenance.

• Inconsistencies are less likely.

Potential Drawbacks

• Inefficiencies of operation.

• Loss of autonomy.

Network Security

An authorization policy is implemented as an application in a network operating system.

The same is true for an authentication policy.

Focus for today: a language for expressing authorization policies over networks.

NOX: A Network Operating System

Natasha Gude (Nicira Networks), Teemu Koponen (HIIT), Justin Pettit (Nicira Networks), Ben Pfaff (Nicira Networks), Martín Casado (Nicira Networks), Nick McKeown (Stanford University), Scott Shenker (UC Berkeley)

NOX Architecture

[Figure: the NOX Controller hosts the Network View and the applications App 1, App 2 and App 3; it controls OpenFlow (OF) switches, one of them wireless, to which off-the-shelf hosts (e.g. a PC) attach.]

Switch Abstraction

OpenFlow switch abstraction is a flow table.

Each flow table entry takes the form <header : counters, actions>.

Switch executes the actions corresponding to the highest-priority matching header in table.

Operation

Switch
  1. Packet p reaches the switch.
  2. If p matches a flow entry, then apply the corresponding actions; else forward p to the controller.

Controller
  • Packet p reaches the controller.
  • Update the view of network state.
  • Decide the route for the packet and inform the relevant switches of that route.

Application I/O

Observation granularity:
  – Switch-level topology
  – Locations of users, hosts, middleboxes
  – Services offered, e.g. HTTP or NFS
  – Bindings between names and addresses
  – NOT the entire packet/flow state

Control granularity: flows. Decisions about one packet are applied to all subsequent packets in the flow.

Programmatic Interface: Events

NOX exposes network events to applications
  – Switch join
  – Switch leave
  – User authenticated
  – Flow initiated
  – …

Applications consist of code fragments that respond to these events.

Example: Access Control

  function handle_flow_initialize(packet)
    usersrc = nox.resolve_user_src(packet)
    hostsrc = nox.resolve_host_src(packet)
    usertgt = nox.resolve_user_tgt(packet)
    hosttgt = nox.resolve_host_tgt(packet)
    prot    = nox.resolve_ap_prot(packet)
    if deny(usersrc, hostsrc, usertgt, hosttgt, prot)
    then nox.drop(packet)
    else nox.installpath(packet, nox.computepath(packet))

  function deny(usersrc, hostsrc, usertgt, hosttgt, prot)
    …

Scalability

Events (per second)
  – Packet arrivals (10^6): handled by switches
  – Flow initiations (10^5): handled by the controller
  – View changes (10): handled by the controller

Controller
  – Can be replicated.
  – Only global data structure: the view.
  – One controller currently handles 10^5 flow initiations per second.

Related Work

4D project (2005): provide a global view of the network via a centralized controller.

SANE/Ethane (2007): extends 4D by adding users/nodes to the namespace and capturing flow initiation.

NOX (2008): extends SANE/Ethane
  – Scaling for large networks.
  – General programmatic control of the network.

Maestro (2008): a "network OS" focused on controlling interactions between applications.

Industry: deep-packet inspection, firewalls, etc. are appliances that can be leveraged by NOX. Also, functionality similar to Ethane.

For citations, see [Gude2008].

FSL: A Flow-based Security Language

Tim Hinrichs (University of Chicago), Natasha Gude (Nicira Networks), Martín Casado (Nicira Networks), John Mitchell (Stanford University), Scott Shenker (UC Berkeley)

NOX Operation

[Figure: NOX operation, with the security policy the controller consults written in FSL.]

FSL: Flow Security Language [Hinrichs2009]

Balances the desires to make expressing policies natural and implementing policies efficient.

Policies are expressed over flows, described by:
  • User source          • User target
  • Host source          • Host target
  • Access point source  • Access point target
  • Protocol

Features
  • Distributed policy authorship
  • External references
  • Conflicts, conflict detection, conflict resolution
  • Incremental policy authorship via priorities
  • Analyzability
  • High performance: 10^4 queries/second

Layered language: Logic, Data, Keywords, Conflict Resolution, Prioritization.

Datalog with Attachments

Syntax
  h :- b1, …, bn, c1, …, cm
  • h must exist.
  • Every variable in the body must appear in h.
  • No external reference occurs in h.
  • Nonrecursive sentence sets.

Semantics
  – Statement order is irrelevant.
  – Every sentence set is satisfied by exactly one model.

Keyword: allow

“Superusers have no communication restrictions.”

  allow(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) :- superuser(Usrc)

  superuser(bob)
  superuser(alice)

Keyword: deny

“No phone can communicate with any private computer.”

  deny(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) :- phone(Hsrc) , private(Htgt)
  deny(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) :- private(Hsrc) , phone(Htgt)

  private(X) :- laptop(X)
  private(X) :- desktop(X)

Keyword: visit

“Every wireless guest user must send HTTP requests through a proxy.”

  visit(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot,httpproxy) :- guest(Usrc) , wireless(Asrc) , Prot=http

Current Keyword List

• allow: allow the flow

• deny: deny the flow

• visit: force the flow to pass through an intermediary

• avoid: forbid the flow from passing through an intermediary

• ratelimit: limit on Mb/second

Negation

“Every user except a guest can ssh into any server.”

  allow(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,ssh) :- ¬guest(Usrc) , server(Htgt)

Traditional Security Mechanisms

NAT: disable incoming connections for laptops
  deny(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) :- laptop(Htgt)

VLAN: isolate machines a, b, c
  vlan(a)
  vlan(b)
  vlan(c)
  deny(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) :- vlan(Hsrc) , ¬vlan(Htgt)
  deny(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) :- ¬vlan(Hsrc) , vlan(Htgt)

Conflicts

Conflicts are vital in collaborative settings because they allow administrators to express their true intentions.

Authorization systems cannot enforce conflicting security policies.

[Figure: which of the keywords deny, avoid, visit, allow and ratelimit conflict with one another.]

FSL Usage Overview

[Figure: Policy 1 … Policy n are merged into a Combined Policy, which feeds the Analysis Engine and the Authorization System.]

Conflict Resolution

• No conflicts: conflicts are errors.

• Most restrictive: choose instructions that give users the least rights.

• Most permissive: choose policy instructions that give users the most rights.

• Cancellation: a flow with conflicting constraints has no constraints.

Conflict Resolution as a Tool

Fixing the conflict resolution mechanism allows certain policies to be expressed very simply.

Example (Open Policy): allow everything not explicitly denied.

  allow(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot)
  deny(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) :- phone(Hsrc) , private(Htgt)
  deny(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) :- private(Hsrc) , phone(Htgt)
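As an added example (not code from the slides or from the NOX/FSL implementation), the keyword rules above evaluated over a constructed network view in Python, with the four conflict-resolution strategies just listed applied to the resulting constraint set; the sample users and hosts, the open_policy switch and the assumed conflict relation (deny against allow and visit) are assumptions of this example.

```python
from collections import namedtuple

# A flow is the 7-tuple every FSL keyword ranges over.
Flow = namedtuple("Flow", "usrc hsrc asrc utgt htgt atgt prot")

# Constructed sample data standing in for the external references NOX's view would answer.
PHONES, LAPTOPS, DESKTOPS = {"bob-phone", "carol-phone"}, {"alice-laptop"}, {"bob-desktop"}
SERVERS, GUESTS, WIRELESS = {"srv1"}, {"carol"}, {"ap-wifi"}
SUPERUSERS = {"bob", "alice"}

def phone(h):     return h in PHONES
def private(h):   return h in LAPTOPS or h in DESKTOPS   # private(X) :- laptop(X) ; private(X) :- desktop(X)
def guest(u):     return u in GUESTS
def wireless(a):  return a in WIRELESS
def superuser(u): return u in SUPERUSERS

# The slides' rules as (body over the flow, constraint produced by the head).
RULES = [
    (lambda f: superuser(f.usrc),                                           ("allow",)),
    (lambda f: phone(f.hsrc) and private(f.htgt),                           ("deny",)),
    (lambda f: private(f.hsrc) and phone(f.htgt),                           ("deny",)),
    (lambda f: guest(f.usrc) and wireless(f.asrc) and f.prot == "http",     ("visit", "httpproxy")),
    (lambda f: not guest(f.usrc) and f.htgt in SERVERS and f.prot == "ssh", ("allow",)),
]

def constraints(flow, open_policy=False):
    """Every keyword instance derivable for the flow; statement order is irrelevant.
    open_policy adds the unconditional allow(...) of the open policy above."""
    found = {head for body, head in RULES if body(flow)}
    return found | {("allow",)} if open_policy else found

def conflicting(cs):
    # Assumption for this example: deny conflicts with allow and with visit
    # (a dropped flow cannot also be routed through an intermediary).
    return ("deny",) in cs and any(c[0] in ("allow", "visit") for c in cs)

def resolve(cs, strategy):
    """Apply one of the four conflict-resolution strategies to a constraint set."""
    if not conflicting(cs):
        return set(cs)
    if strategy == "no_conflicts":
        raise ValueError("conflicting constraints: %s" % sorted(cs))
    if strategy == "most_restrictive":
        return {("deny",)}                         # the least rights
    if strategy == "most_permissive":
        return {c for c in cs if c != ("deny",)}   # the most rights
    if strategy == "cancellation":
        return set()                               # conflicting constraints cancel out
    raise ValueError("unknown strategy " + strategy)

if __name__ == "__main__":
    f = Flow("carol", "carol-phone", "ap-wifi", "web", "alice-laptop", "ap-wired", "http")
    for s in ("most_restrictive", "most_permissive", "cancellation"):
        print(s, resolve(constraints(f), s))
```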

Incremental Policy Authoring

To tighten an FSL policy, one needs only to add statements to it.

The conflict resolution strategy ensures that the most restrictive constraints are used.

To relax an FSL policy, it is therefore insufficient to simply add statements.

Prioritized Policies

Borrow a mechanism from Cascading Style Sheets (CSS).

To relax security incrementally, FSL allows one policy to be overridden by another policy.

P1 < P2

A request constrained by P2 is only constrained by P2.

Example (P1 < P2)

P2 (overrides P1):
  allow(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) :- Usrc=ceo

P1:
  allow(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) :- superuser(Usrc)
  superuser(bob)
  superuser(alice)
  deny(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) :- phone(Hsrc) , private(Htgt)
  deny(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) :- private(Hsrc) , phone(Htgt)
  private(X) :- laptop(X)
  private(X) :- desktop(X)
  visit(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot,httpproxy) :- guest(Usrc) , wireless(Asrc) , Prot=http
  allow(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,ssh) :- ¬guest(Usrc) , server(Htgt)

Cascaded Policy Combination

[Figure: the cascades Policy 1,1 < Policy 1,2 < … < Policy 1,m1 through Policy n,1 < Policy n,2 < … < Policy n,mn are merged into one Combined Policy.]

[Figure: after flattening, Policy 1 … Policy n are merged into the Combined Policy.]

1. Flatten cascades.
2. Combine results.

Features
  • Distributed policy authorship
  • External references
  • Conflict detection/resolution
  • Incremental policy authorship via priorities
  • Analyzability
  • High performance: 10^4 queries/second

Layered language: Logic, Data, Keywords, Conflict Resolution, Prioritization.

Analysis Algorithms

Flattened Cascade: a policy cascade expressed as a flat policy.

Group Normal Form: every rule body consists only of external references (and =).

Conflict Conditions: conditions on external references under which there will be a conflict.

Conflict-free Normal Form: equivalent policy (under conflict resolution) without conflicts.

Performance Example

"No phone can communicate with any private computer."

  deny(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) :- phone(Hsrc) , private(Htgt)
  deny(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) :- private(Hsrc) , phone(Htgt)

  private(X) :- laptop(X)
  private(X) :- desktop(X)

Performance Example Compiled

  bool deny(Usrc, Hsrc, Asrc, Utgt, Htgt, Atgt, Prot) {
    return (phone(Hsrc) && private(Htgt)) || (private(Hsrc) && phone(Htgt));
  }

  bool private(X) {
    return laptop(X) || desktop(X);
  }

Assume the existence of functions for phone, laptop, desktop.

FSL Complexity

Query processing is PSPACE-complete in the size of the policy.

If the number of arguments is bounded by a constant, query processing takes polynomial time in the size of the policy.

If the tallest possible call stack is 1 (ignoring external references), then query processing takes linear time in the size of the policy.

Implementation Tests

  Rules          Flows/s    Mem (MB)   Rule Matches
  0 rules        103,699    0          0
  100 rules      100,942    1          2
  500 rules       85,373    1          4
  1,000 rules     76,336    2          10
  5,000 rules     54,416    9          30
  10,000 rules    46,956    38         52

Deployment Experiences

• On a small internal network (about 50 hosts), NOX has been in use for over a year, and FSL has been in use for 10 months.

• We are preparing for two larger deployments (of hundreds and thousands of hosts).

• So far, policies are expressed over just a few classes of objects. Thus, we expect policies to grow slowly with the number of principals.

Ongoing Work

Currently, each flow initiation requires contacting a central controller.

The route for that flow is then cached at the switch.

Working to generalize this caching scheme so that each trip to the central controller caches more than just the route for one flow.

Related Work Comparison

Limitations
  • Not using FOL, modal logic, linear logic
  • No existential variables
  • No recursion
  • Fixed conflict resolution scheme
  • No delegation
  • No history/future-dependent policies
  • Centralized enforcement
  • Limited metalevel operations

Novel language features
  • Access control decisions are constraints.
  • Conflict resolution produces a constraint set.

For citations, see [Hinrichs2009].

References

[Gude2008] N. Gude et al. NOX: Towards an Operating System for Networks. Computer Communications Review, 2008.

[Hinrichs2009] T. Hinrichs et al. Design and Implementation of a Flow-based Security Language. Under review. Available upon request.

Questions


Backup

NOX Security Issues

• Switch communication with Controller. Preconfigure switches with Controller credentials.

• Hosts, users must authenticate.

• Spoofing Ethernet addresses. Options: (1) Physically connect one switch port to one host. (2) Use link-level encryption.

Examples Combined

  allow(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) :- superuser(Usrc)
  superuser(bob)
  superuser(alice)
  deny(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) :- phone(Hsrc) , private(Htgt)
  deny(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) :- private(Hsrc) , phone(Htgt)
  private(X) :- laptop(X)
  private(X) :- desktop(X)
  visit(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot,httpproxy) :- guest(Usrc) , wireless(Asrc) , Prot=http
  allow(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,ssh) :- ¬guest(Usrc) , server(Htgt)

Statement order is irrelevant.

Cascade Properties

• Every cascade can be expressed as a non-cascaded policy.
    P1:  A :- B
    P2:  C :- D
    P1 < P2:
      A :- B , ¬D
      C :- D

• Flattening a cascade requires time linear in the size of the cascade: O(|P1 < … < Pn|).
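An added example, not from the slides or the FSL implementation, that carries out the flattening above in Python for the P1 < P2 case from the prioritized-policies slide (the phone/private deny rules overridden by the CEO allow) and chains it for longer cascades; the constructed external-reference data and the auxiliary p2_fires predicate used when the overriding policy has more than one rule are assumptions of this example.

```python
from collections import namedtuple
from functools import reduce

# Every FSL head shares the same 7 variables, so a rule body is simply a
# conjunction of (possibly negated) tests on the flow.
Flow = namedtuple("Flow", "usrc hsrc asrc utgt htgt atgt prot")
Lit = namedtuple("Lit", "name test neg")   # named predicate over a Flow, negated if neg
Rule = namedtuple("Rule", "head body")      # head keyword plus a tuple of Lits

# Constructed external references standing in for the NOX view.
PHONES, PRIVATE = {"carol-phone", "ceo-phone"}, {"alice-laptop"}

def holds(body, f):
    """A body is satisfied when every literal's test agrees with its sign."""
    return all(lit.test(f) != lit.neg for lit in body)

def flatten(p1, p2):
    """Flatten P1 < P2 into one policy: a request constrained by P2 is only
    constrained by P2, so each P1 rule is guarded by 'no P2 rule body holds'."""
    if len(p2) == 1 and len(p2[0].body) == 1:      # slide case: A :- B becomes A :- B , ¬D
        d = p2[0].body[0]
        guard = Lit(d.name, d.test, not d.neg)
    else:                                          # general case: auxiliary predicate (assumed name)
        guard = Lit("p2_fires", lambda f: any(holds(r.body, f) for r in p2), True)
    return [Rule(r.head, r.body + (guard,)) for r in p1] + list(p2)

def flatten_cascade(*policies):
    """P1 < P2 < ... < Pn in one left-to-right pass over the cascade."""
    return reduce(flatten, policies)

def show(rules):
    """Render flat rules in the slides' notation."""
    return [r.head + " :- " + " , ".join(("¬" if l.neg else "") + l.name for l in r.body) for r in rules]

def evaluate(rules, f):
    """Constraint keywords derived for a flow under a flat policy."""
    return {r.head for r in rules if holds(r.body, f)}

# P1: the phone/private-computer rules; P2: the CEO override.
P1 = [Rule("deny", (Lit("phone(Hsrc)", lambda f: f.hsrc in PHONES, False),
                    Lit("private(Htgt)", lambda f: f.htgt in PRIVATE, False))),
      Rule("deny", (Lit("private(Hsrc)", lambda f: f.hsrc in PRIVATE, False),
                    Lit("phone(Htgt)", lambda f: f.htgt in PHONES, False)))]
P2 = [Rule("allow", (Lit("Usrc=ceo", lambda f: f.usrc == "ceo", False),))]

if __name__ == "__main__":
    for line in show(flatten_cascade(P1, P2)):
        print(line)
```

Without the cascade, P1 + P2 would yield both allow and deny for the CEO's phone; the flattened policy yields only the overriding allow.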