
Semantics-Preserving Simplification of Real-World Firewall Rule Sets

Lars Hupel
June 25, 2015


Cornelius Diekmann, Lars Hupel, Georg Carle: Semantics-Preserving Simplification of Real-World Firewall Rule Sets
Paper: https://lars.hupel.info/pub/iptables-simp.pdf
Presented at Formal Methods 2015, Oslo, Norway

The security provided by a firewall for a computer network almost completely depends on the rules it enforces. For over a decade, it has been a well-known and unsolved problem that the quality of many firewall rule sets is insufficient. Therefore, there are many tools to analyze them. However, we found that none of the available tools could handle typical, real-world iptables rulesets. This is due to the complex chain model used by iptables, but also to the vast amount of possible match conditions that occur in real-world firewalls, many of which are not understood by academic and open source tools.

In this paper, we provide algorithms to transform firewall rulesets. We reduce the execution model to a simple list model and use ternary logic to abstract over all unknown match conditions. These transformations enable existing tools to understand real-world firewall rules, which we demonstrate on four decently-sized rulesets. Using the Isabelle theorem prover, we formally show that all our algorithms preserve the firewall's filtering behavior.

Transcript

  1. Fakultät für Informatik, Technische Universität München
    Semantics-Preserving Simplification of Real-World Firewall Rule Sets
    Formal Methods 2015
    Cornelius Diekmann*, Lars Hupel‡, Georg Carle*
    *Chair for Network Architectures and Services, ‡Chair for Logic and Verification
    Technische Universität München, Munich, Germany
    With contributions by Lars Noschinski‡, Julius Michaelis*, Andreas Korsten*, Manuel Eberl‡,
    Lukas Schwaighofer*, and Fabian Immler‡.
    FM15, Semantics-Preserving Simplification of Real-World Firewall Rule Sets 1

  2. Introduction to Firewalls
    Chain INPUT (policy ACCEPT)
    target       prot  source          destination
    DOS_PROTECT  all   0.0.0.0/0       0.0.0.0/0
    ACCEPT       all   0.0.0.0/0       0.0.0.0/0       state RELATED,ESTABLISHED
    DROP         tcp   0.0.0.0/0       0.0.0.0/0       tcp dpt:22
    DROP         tcp   0.0.0.0/0       0.0.0.0/0       multiport dports 21,873,5005,...
    DROP         udp   0.0.0.0/0       0.0.0.0/0       multiport dports 123,111,2049,...
    ACCEPT       all   192.168.0.0/16  0.0.0.0/0
    DROP         all   0.0.0.0/0       0.0.0.0/0
    Chain DOS_PROTECT (1 references)
    target       prot  source          destination
    RETURN       icmp  0.0.0.0/0       0.0.0.0/0       icmptype 8 limit: avg 1/sec ...
    DROP         icmp  0.0.0.0/0       0.0.0.0/0       icmptype 8
    RETURN       tcp   0.0.0.0/0       0.0.0.0/0       tcp flags:0x17/0x04 limit: ...
    DROP         tcp   0.0.0.0/0       0.0.0.0/0       tcp flags:0x17/0x04
    ...



  18. Introduction to Firewalls
    Firewalls are usually managed manually
    ... which is extremely error-prone
    There are tools to analyze rulesets and discover errors:
      Margrave
      ITVal
      FIREMAN
      Firewall Builder
      Firewall Policy Advisor
      ConfigChecker
      ...


  20. Example: IPSpace Partition
    Ruleset from the introduction
    ... treats all packets equally
    ... except for the last two rules
    Expected output
      192.168.0.0/16 is accepted
      Everything else is dropped
    ITVal output
      There is 1 class: The Universe

  21. Problems in Firewall Analysis Tools
    This talk is not about ITVal
    Many tools have similar problems
    1 Complex chain model
      Calling to and returning from user-defined chains
      May lead to errors in tools

  22. Problems in Firewall Analysis Tools
    This talk is not about ITVal
    Many tools have similar problems
    2 Vast number of primitive matches
      Check man iptables
      Now check man iptables-extensions
      Now check if you have custom extensions running
      Now think about future features
      Supporting everything is infeasible
      Certain features cannot be supported by some tools' algorithms

  23. Summary
    Problem
      Tools cannot "understand" complex real-world rulesets
    Our Solution
      Semantics-preserving simplification
      (diagram)

  24. Agenda
    1 Semantics
    2 Simplification
    3 Evaluation



  28. Syntax
    Rule: (mexpr, action)
      Example: (icmp ∧ icmptype 8 ∧ limit: avg 1/sec ..., Return)
    Ruleset: rule list
    Firewall state: ✓ (accept), ✗ (drop), ? (undecided)
    Primitive matcher: γ : Primitive → Packet → Bool
    Semantics:
      ⟨γ, p⟩ ⊢ ⟨rs, s⟩ ⇒ t
      γ: primitive matcher, p: packet, rs: ruleset, s: start state, t: final state

  29. Determinism
    If ⟨γ, p⟩ ⊢ ⟨rs, s⟩ ⇒ t and ⟨γ, p⟩ ⊢ ⟨rs, s⟩ ⇒ t′ then t = t′

  30. Agenda
    1 Semantics
    2 Simplification
    3 Evaluation

  31. Rewriting simple actions
    Remove Log actions
    Unfolding custom chains
      Eliminates Call/Return
      Linux kernel only accepts acyclic call graphs, so unfolding terminates

  32. Rewriting simple actions – Unfolding custom chains
    Example
      Chain INPUT
        X       a
      Chain X
        Return  b
        Accept  c
    Result
      (a ∧ (¬b) ∧ c, Accept)
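The unfolding step shown on the slide, as an added Python example that is not code from the slides or from the Iptables_Semantics project. Match expressions are nested tuples, chains are a dict from name to rule list, and unfold_chain replaces every Call and Return by plain Accept/Drop rules: a (m, Return) rule disappears and ¬m is conjoined onto every later rule of that chain, a (m, Call X) rule is replaced by the unfolded rules of X prefixed with m. The chain names, primitive names and the second DOS_PROTECT-style chain are constructed for this example; the cycle check is an assumption about how to treat input the kernel would have rejected.

```python
# Added example, not code from the slides or from the Iptables_Semantics project:
# unfolding user-defined chains into one flat list of Accept/Drop rules.
#
# Match expressions are nested tuples:
#   ("prim", "a")        a primitive match such as "tcp" or "src 10.0.0.0/8"
#   ("not", e)           negation
#   ("and", e1, e2)      conjunction
#   ("true",)            matches every packet
# A rule is a pair (mexpr, action); actions are "Accept", "Drop", "Return"
# or ("Call", "CHAIN").  Chain bodies live in a dict: name -> list of rules.

TRUE = ("true",)

def prim(name):
    return ("prim", name)

def conj(parts):
    """Right-nested conjunction of the given expressions, dropping `true`."""
    parts = [p for p in parts if p != TRUE]
    if not parts:
        return TRUE
    out = parts[-1]
    for p in reversed(parts[:-1]):
        out = ("and", p, out)
    return out

def show(e):
    """Render a match expression as on the slides, e.g. 'a ∧ ¬b ∧ c'."""
    kind = e[0]
    if kind == "true":
        return "true"
    if kind == "prim":
        return e[1]
    if kind == "not":
        inner = show(e[1])
        return "¬" + inner if e[1][0] in ("prim", "true") else "¬(" + inner + ")"
    return show(e[1]) + " ∧ " + show(e[2])

def unfold_chain(body, chains, stack=()):
    """Replace every Call/Return in `body` by plain Accept/Drop rules.

    The kernel only accepts acyclic call graphs, so the recursion terminates
    on real rulesets; a cycle in hand-written input is reported instead of
    looped on (constructed behaviour for this example).
    """
    flat = []
    negated_returns = []          # ¬m for every (m, Return) seen so far
    for m, action in body:
        if action == "Return":
            negated_returns.append(("not", m))
        elif isinstance(action, tuple) and action[0] == "Call":
            target = action[1]
            if target in stack:
                raise ValueError("cyclic call graph via chain " + target)
            inner = unfold_chain(chains[target], chains, stack + (target,))
            for m_inner, a_inner in inner:
                flat.append((conj(negated_returns + [m, m_inner]), a_inner))
        else:
            flat.append((conj(negated_returns + [m]), action))
    return flat

def unfold_builtin(name, chains, policy):
    """Unfold a built-in chain and make its policy an explicit final rule."""
    rules = unfold_chain(chains[name], chains, (name,))
    return rules + [(TRUE, policy)]

# The example from the slide: INPUT calls X under a; X returns under b, accepts under c.
SLIDE_CHAINS = {
    "INPUT": [(prim("a"), ("Call", "X"))],
    "X": [(prim("b"), "Return"), (prim("c"), "Accept")],
}

# Constructed chains shaped like the INPUT/DOS_PROTECT listing from the introduction.
DEMO_CHAINS = {
    "INPUT": [
        (TRUE, ("Call", "DOS_PROTECT")),
        (prim("state RELATED,ESTABLISHED"), "Accept"),
        (prim("src 192.168.0.0/16"), "Accept"),
        (TRUE, "Drop"),
    ],
    "DOS_PROTECT": [
        (conj([prim("icmp"), prim("icmptype 8"), prim("limit 1/sec")]), "Return"),
        (conj([prim("icmp"), prim("icmptype 8")]), "Drop"),
    ],
}

if __name__ == "__main__":
    for m, a in unfold_chain(SLIDE_CHAINS["INPUT"], SLIDE_CHAINS):
        print(show(m) + ", " + a)          # a ∧ ¬b ∧ c, Accept
    for m, a in unfold_builtin("INPUT", DEMO_CHAINS, "Accept"):
        print(show(m) + ", " + a)
```

The policy of a built-in chain becomes an unconditional last rule rather than being folded into the Return handling: a packet that hits a top-level Return skips the remaining rules (they all carry ¬m) and falls through to that policy rule, which is what RETURN in a built-in chain means.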


  34. Simplification – Summary
    Actions left: Accept, Drop
    Semantics are preserved:
      ⟨γ, p⟩ ⊢ ⟨simplify rs, s⟩ ⇒ t  iff  ⟨γ, p⟩ ⊢ ⟨rs, s⟩ ⇒ t
    Remaining problems
      1 Unknown primitive matches
      2 Complex nested match expressions after unfolding, unsupported by iptables

  35. Unknown primitives
    Lifting to ternary logic
      Kleene's 3-valued logic
      Primitive matcher may now return unknown
    Default decision strategy: in-doubt-allow or in-doubt-deny
      ⟨γ, p⟩ ⊢ ⟨rs, s⟩ ⇒_allow t
      ⟨γ, p⟩ ⊢ ⟨rs, s⟩ ⇒_deny t

  36. Unknown primitives
    Let m_u be an unknown match.
    in-doubt-allow
      (m_u, Accept) → (True, Accept)
      (m_u, Drop) → (False, Drop)
      more permissive ruleset
    Example
      (icmp ∧ icmptype 8 ∧ limit: avg 1/sec ..., Drop) → (icmp ∧ icmptype 8 ∧ False, Drop)

  37. Closure Property
    {p | ⟨γ, p⟩ ⊢ ⟨rs, ?⟩ ⇒_deny ✓}  ⊆  {p | ⟨γ, p⟩ ⊢ ⟨rs, ?⟩ ⇒ ✓}  ⊆  {p | ⟨γ, p⟩ ⊢ ⟨rs, ?⟩ ⇒_allow ✓}
    We continue with one of the approximations
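The list model, the ternary lifting and the two decision strategies of the preceding slides, together with a check of the closure property, as an added Python example that is not code from the slides or from the Iptables_Semantics project. Everything here is constructed: the already-unfolded rule list is shaped like the INPUT chain from the introduction, the packets are dicts, and there are two primitive matchers. packet_matcher(True) does what the backup slide recommends, it answers only for the primitives it was told about (protocol, source, port, ICMP type) and returns unknown (None) for conntrack state and rate limits; packet_matcher(False) is a ground truth that also knows those, so the Boolean semantics can be run against it. Unknowns are resolved per rule exactly as the slide states: in-doubt-allow turns an unknown Accept rule into a match and an unknown Drop rule into a non-match, in-doubt-deny does the mirror image.

```python
# Added example, not code from the slides or from the Iptables_Semantics project:
# the list model in Kleene's 3-valued logic, the in-doubt-allow / in-doubt-deny
# strategies, and a check of the closure property on constructed packets.
import ipaddress

# Match expressions: ("prim", name) | ("not", e) | ("and", e1, e2) | ("true",)
# Rules: (mexpr, "Accept" | "Drop").  Ternary truth values: True, False, None.

def k_not(a):
    return None if a is None else (not a)

def k_and(a, b):
    if a is False or b is False:
        return False
    return None if (a is None or b is None) else True

def evaluate(e, gamma, packet):
    """Kleene evaluation of a match expression under primitive matcher gamma."""
    kind = e[0]
    if kind == "true":
        return True
    if kind == "prim":
        return gamma(e[1], packet)
    if kind == "not":
        return k_not(evaluate(e[1], gamma, packet))
    return k_and(evaluate(e[1], gamma, packet), evaluate(e[2], gamma, packet))

def decide(rules, gamma, packet, strategy=None):
    """Walk the rule list from start state ? and return "Accept" or "Drop".
    strategy None = Boolean semantics (gamma must never answer unknown);
    "allow" resolves an unknown rule as matched iff its action is Accept,
    "deny" as matched iff its action is Drop."""
    for m, action in rules:
        matched = evaluate(m, gamma, packet)
        if matched is None:
            if strategy is None:
                raise ValueError("unknown match in Boolean semantics")
            matched = (action == "Accept") if strategy == "allow" else (action == "Drop")
        if matched:
            return action
    raise ValueError("no catch-all rule; unfold the chain policy first")

def packet_matcher(known_only):
    """known_only=True: specify what you know, answer unknown (None) for the rest."""
    def gamma(name, p):
        if name in ("tcp", "udp", "icmp"):
            return p["proto"] == name
        if name.startswith("src "):
            return ipaddress.ip_address(p["src"]) in ipaddress.ip_network(name[4:])
        if name.startswith("dport "):
            return p.get("dport") == int(name[6:])
        if name == "icmptype 8":
            return p.get("icmptype") == 8
        if known_only:
            return None
        if name.startswith("limit"):            # ground truth only the full matcher has
            return p["under_limit"]
        if name.startswith("state "):
            return p["state"] in name[6:].split(",")
        raise KeyError(name)
    return gamma

def P(name):
    return ("prim", name)

def AND(*es):
    out = es[-1]
    for e in reversed(es[:-1]):
        out = ("and", e, out)
    return out

# Constructed INPUT chain after unfolding, shaped like the introduction slide.
RULES = [
    (AND(P("icmp"), P("icmptype 8"), ("not", P("limit 1/sec"))), "Drop"),
    (P("state RELATED,ESTABLISHED"), "Accept"),
    (AND(P("tcp"), P("dport 22")), "Drop"),
    (P("src 192.168.0.0/16"), "Accept"),
    (("true",), "Drop"),
]

# Constructed packets; "state" and "under_limit" are known to the full matcher only.
PACKETS = [
    {"proto": "tcp", "src": "192.168.1.7", "dport": 80, "state": "NEW", "under_limit": True},
    {"proto": "tcp", "src": "192.168.1.7", "dport": 22, "state": "NEW", "under_limit": True},
    {"proto": "tcp", "src": "10.9.8.7", "dport": 443, "state": "ESTABLISHED", "under_limit": True},
    {"proto": "tcp", "src": "10.9.8.7", "dport": 443, "state": "NEW", "under_limit": True},
    {"proto": "icmp", "src": "192.168.1.7", "icmptype": 8, "state": "NEW", "under_limit": False},
    {"proto": "icmp", "src": "192.168.1.7", "icmptype": 8, "state": "NEW", "under_limit": True},
]

def accepted(rules, gamma, packets, strategy=None):
    """Indices of the packets the ruleset accepts."""
    return {i for i, p in enumerate(packets) if decide(rules, gamma, p, strategy) == "Accept"}

def closures(rules, packets):
    """(lower, exact, upper) accepted sets; closure property: lower <= exact <= upper."""
    lower = accepted(rules, packet_matcher(True), packets, "deny")
    exact = accepted(rules, packet_matcher(False), packets)
    upper = accepted(rules, packet_matcher(True), packets, "allow")
    return lower, exact, upper
```

On these packets the lower closure accepts only the plain TCP packet from 192.168.0.0/16, which is the partition the IPSpace example slide expects, while the upper closure accepts everything: the RELATED,ESTABLISHED rule is unknown to the partial matcher and therefore becomes an accept-all under in-doubt-allow. The Boolean result sits between the two, as the closure property promises.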

  38. Normalization
    Impossible: # iptables (tcp ∨ udp) -j ACCEPT
    Impossible: # iptables ¬(src ip ∧ tcp) -j ACCEPT

  39. Normalization
    Problem
      iptables supports only negation-normal form with the ∧ connective
    Solution
      normalize: rule → rule list
      where all rules share the same action
    Example (exclude ip from accessing an HTTP server)
      (src ip ∧ ¬(tcp ∧ port 80), Accept) ≡
      (src ip ∧ (¬tcp ∨ ¬port 80), Accept) ≡
      [(src ip ∧ ¬tcp, Accept), (src ip ∧ ¬port 80, Accept)]
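The normalize function of this slide, as an added Python example that is not code from the slides or from the Iptables_Semantics project. Negation is pushed down to the primitives with De Morgan's laws, the result is split into a disjunction of conjunctions, and every conjunction becomes one rule with the shared action, so each produced rule is something iptables can express (primitives and negated primitives joined by ∧). The equivalence check enumerates all truth assignments of the primitives and compares the single original rule with the produced list; this check and the example rules are constructed here. The worst case is exponential, as for any disjunctive normal form, which is why the produced list can be much longer than the input.

```python
# Added example, not code from the slides or from the Iptables_Semantics project:
# normalize one rule with ∨ and nested ¬ into iptables-expressible rules.
from itertools import product

# Match expressions: ("prim", n) | ("not", e) | ("and", a, b) | ("or", a, b)

def nnf(e):
    """Push negation down to the primitives (negation normal form)."""
    kind = e[0]
    if kind == "prim":
        return e
    if kind in ("and", "or"):
        return (kind, nnf(e[1]), nnf(e[2]))
    inner = e[1]                                   # kind == "not"
    if inner[0] == "prim":
        return e
    if inner[0] == "not":
        return nnf(inner[1])                       # ¬¬x = x
    dual = "or" if inner[0] == "and" else "and"    # De Morgan
    return (dual, nnf(("not", inner[1])), nnf(("not", inner[2])))

def dnf(e):
    """NNF expression -> list of conjunctions, each a list of literals."""
    kind = e[0]
    if kind in ("prim", "not"):
        return [[e]]
    if kind == "or":
        return dnf(e[1]) + dnf(e[2])
    return [left + right for left in dnf(e[1]) for right in dnf(e[2])]

def normalize(rule):
    """rule -> rule list sharing the action; each match is a ∧ of literals."""
    m, action = rule
    return [(literals, action) for literals in dnf(nnf(m))]

def show_rule(rule):
    literals, action = rule
    text = " ∧ ".join(("¬" + l[1][1]) if l[0] == "not" else l[1] for l in literals)
    return "(" + text + ", " + action + ")"

def holds(e, env):
    """Boolean evaluation under a truth assignment for the primitives."""
    kind = e[0]
    if kind == "prim":
        return env[e[1]]
    if kind == "not":
        return not holds(e[1], env)
    if kind == "and":
        return holds(e[1], env) and holds(e[2], env)
    return holds(e[1], env) or holds(e[2], env)

def primitives(e):
    if e[0] == "prim":
        return {e[1]}
    return set().union(*(primitives(sub) for sub in e[1:]))

def equivalent(rule, rules):
    """The original rule and the normalized list give every packet (every
    assignment to the primitives) the same result: the action, or no match."""
    m, action = rule
    names = sorted(primitives(m))
    for values in product([False, True], repeat=len(names)):
        env = dict(zip(names, values))
        before = action if holds(m, env) else None
        after = next((a for lits, a in rules if all(holds(l, env) for l in lits)), None)
        if before != after:
            return False
    return True

# The slide's example: exclude ip from accessing an HTTP server.
SLIDE_RULE = (("and", ("prim", "src ip"),
               ("not", ("and", ("prim", "tcp"), ("prim", "port 80")))), "Accept")

if __name__ == "__main__":
    for r in normalize(SLIDE_RULE):
        print(show_rule(r))          # (src ip ∧ ¬tcp, Accept), (src ip ∧ ¬port 80, Accept)
    print("equivalent:", equivalent(SLIDE_RULE, normalize(SLIDE_RULE)))
```

Splitting one rule into several consecutive rules with the same action is semantics-preserving only because the action is shared: the first matching rule decides, and the list matches exactly when the original disjunction does.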

  40. Agenda
    1 Semantics
    2 Simplification
    3 Evaluation


  43. Evaluation
    Ruleset 1
      Shorewall firewall on a home router; ∼500 rules.
      Unfolding: firewall does not unconditionally drop packets from private IP ranges
    Ruleset 2
      Small firewall script found online (networking.ringofsaturn.com)
      Most rules are dead; contrary to documented behavior
      Author probably confused -I (insert at top) and -A (append at tail)
    Rulesets 3, 4 & 5
      Main firewall of our lab
      Snapshot 2013: ∼2800 rules
        Firewall Builder: import errors
        ITVal: erroneous results
        After simplification: success
        Upper closure: ∼1000 rules
        Lower closure: ∼500 rules
      Snapshot 2014: ∼4000 rules
      Snapshot 2015: almost 5000 rules

  44. Future Work

  45. Q & A
    Firewall Rulesets: https://github.com/diekmann/net-network
    Isabelle Theories: https://github.com/diekmann/Iptables_Semantics

  46. Backup Slides

  47. Specifying Primitive Matchers in Ternary Logic
    Very easy: specify what you know/want, the rest is unknown

  48. Semantics (1)
    SKIP      ⟨γ, p⟩ ⊢ ⟨[], t⟩ ⇒ t

    ACCEPT    match m p
              ───────────────────────────────
              ⟨γ, p⟩ ⊢ ⟨[(m, Accept)], ?⟩ ⇒ ✓

    DROP      match m p
              ───────────────────────────────
              ⟨γ, p⟩ ⊢ ⟨[(m, Drop)], ?⟩ ⇒ ✗

    REJECT    match m p
              ───────────────────────────────
              ⟨γ, p⟩ ⊢ ⟨[(m, Reject)], ?⟩ ⇒ ✗

    NOMATCH   ¬ match m p
              ───────────────────────────────
              ⟨γ, p⟩ ⊢ ⟨[(m, a)], ?⟩ ⇒ ?

    DECISION  t ≠ ?

  49. Semantics (2)
    SEQ       ⟨γ, p⟩ ⊢ ⟨rs1, ?⟩ ⇒ t     ⟨γ, p⟩ ⊢ ⟨rs2, t⟩ ⇒ t′
              ─────────────────────────────────────────────────
              ⟨γ, p⟩ ⊢ ⟨rs1 ::: rs2, ?⟩ ⇒ t′

    LOG       match m p
              ───────────────────────────────
              ⟨γ, p⟩ ⊢ ⟨[(m, Log)], ?⟩ ⇒ ?

    EMPTY     match m p
              ───────────────────────────────
              ⟨γ, p⟩ ⊢ ⟨[(m, Empty)], ?⟩ ⇒ ?

  50. Semantics (3)
    Background ruleset Γ : chain name → rule list

    CALLRESULT  match m p     ⟨γ, p⟩ ⊢ ⟨Γ c, ?⟩ ⇒ t
                ──────────────────────────────────
                ⟨γ, p⟩ ⊢ ⟨[(m, Call c)], ?⟩ ⇒ t

    CALLRETURN  match m p     Γ c = rs1 ::: (m′, Return) :: rs2
                match m′ p    ⟨γ, p⟩ ⊢ ⟨rs1, ?⟩ ⇒ ?
                ────────────────────────────────────────────────
                ⟨γ, p⟩ ⊢ ⟨[(m, Call c)], ?⟩ ⇒ ?

  51. Ruleset 3 (excerpt, 22 of 2800 rules displayed)
    Chain FORWARD (policy ACCEPT)
    target    prot  opt  source              destination
    LOG_DROP  all   --   127.0.0.0/8         0.0.0.0/0
    ACCEPT    tcp   --   131.159.14.206      0.0.0.0/0           multiport sports 389,636
    ACCEPT    tcp   --   131.159.14.208      0.0.0.0/0           multiport sports 389,636
    ACCEPT    udp   --   131.159.14.206      0.0.0.0/0           udp spt:88
    ACCEPT    udp   --   131.159.14.208      0.0.0.0/0           udp spt:88
    ACCEPT    tcp   --   131.159.14.192/27   0.0.0.0/0           tcp spt:3260
    ACCEPT    tcp   --   131.159.14.0/23     131.159.14.192/27   tcp dpt:3260
    ACCEPT    tcp   --   131.159.20.0/24     131.159.14.192/27   tcp dpt:3260
    ACCEPT    udp   --   131.159.15.252      0.0.0.0/0
    ACCEPT    udp   --   0.0.0.0/0           131.159.15.252      multiport dports 4569,5000:65535
    ACCEPT    all   --   131.159.15.247      0.0.0.0/0
    ACCEPT    all   --   0.0.0.0/0           131.159.15.247
    ACCEPT    all   --   131.159.15.248      0.0.0.0/0
    ACCEPT    all   --   0.0.0.0/0           131.159.15.248
              tcp   --   0.0.0.0/0           131.159.14.0/23     state NEW tcp dpt:22 flags: 0x17/0x02 recent: SET name: ratessh side: source
              tcp   --   0.0.0.0/0           131.159.20.0/23     state NEW tcp dpt:22 flags: 0x17/0x02 recent: SET name: ratessh side: source
    mac_96    all   --   131.159.14.0/25     0.0.0.0/0
    LOG_DROP  all   --   !131.159.14.0/25    0.0.0.0/0

    Chain LOG_DROP (21 references)
    target    prot  opt  source              destination
    LOG       all   --   0.0.0.0/0           0.0.0.0/0           limit: avg 100/min burst 5 LOG flags 0 level 4 prefix "[IPT_DROP]:"
    DROP      all   --   0.0.0.0/0           0.0.0.0/0

    Chain mac_96 (1 references)
    target    prot  opt  source              destination
    RETURN    all   --   131.159.14.92       0.0.0.0/0           MAC XX:XX:XX:XX:XX:XX
    DROP      all   --   131.159.14.92       0.0.0.0/0

  52. Ruleset 3 – Upper Closure (excerpt)
    Chain FORWARD (policy ACCEPT)
    target  prot  source              destination
    DROP    all   127.0.0.0/8         0.0.0.0/0
    ACCEPT  tcp   131.159.14.206/32   0.0.0.0/0
    ACCEPT  tcp   131.159.14.208/32   0.0.0.0/0
    ACCEPT  udp   131.159.14.206/32   0.0.0.0/0
    ACCEPT  udp   131.159.14.208/32   0.0.0.0/0
    ACCEPT  tcp   131.159.14.192/27   0.0.0.0/0
    ACCEPT  tcp   131.159.14.0/23     131.159.14.192/27
    ACCEPT  tcp   131.159.20.0/24     131.159.14.192/27
    ACCEPT  udp   131.159.15.252/32   0.0.0.0/0
    ACCEPT  udp   0.0.0.0/0           131.159.15.252/32
    ACCEPT  all   131.159.15.247/32   0.0.0.0/0
    ACCEPT  all   0.0.0.0/0           131.159.15.247/32
    ACCEPT  all   131.159.15.248/32   0.0.0.0/0
    ACCEPT  all   0.0.0.0/0           131.159.15.248/32
    DROP    all   !131.159.14.0/25    0.0.0.0/0

  53. Ruleset 3 – Lower Closure (excerpt)
    Chain FORWARD (policy ACCEPT)
    target  prot  source              destination
    DROP    all   127.0.0.0/8         0.0.0.0/0
    ACCEPT  udp   131.159.15.252/32   0.0.0.0/0
    ACCEPT  all   131.159.15.247/32   0.0.0.0/0
    ACCEPT  all   0.0.0.0/0           131.159.15.247/32
    ACCEPT  all   131.159.15.248/32   0.0.0.0/0
    ACCEPT  all   0.0.0.0/0           131.159.15.248/32
    DROP    all   131.159.14.92/32    0.0.0.0/0
    DROP    all   131.159.14.65/32    0.0.0.0/0
    ... (unfolded DROPs from chain mac_96)
    DROP    all   !131.159.14.0/25    0.0.0.0/0