Paper Title: The Margrave Tool for Firewall Analysis
Authors: Timothy Nelson, Christopher Barratt, Daniel J. Dougherty, Kathi Fisler, Shriram Krishnamurthi
Date: In USENIX Large Installation System Administration Conference, 2010
Novel Idea: Margrave offers powerful features for firewall analysis: It supports queries at multiple levels (rules, filters, firewalls, and networks of firewalls), compares separate firewalls in a single query, supports reflexive Access Control Lists, and produces a set of scenarios that witness the queried behavior. All this is done in order to detect behavior inconsistencies within a firewall.
Margrave consists of a frontend read-eval-print loop and a backend written in Java. The frontend handles parsing and output presentation. The analysis and scenario generation occur in the backend.
Main Results: Margrave works. Its backend produces sets of solutions to first order logic formulas. The evaluation confirms that the query language used and its results support debugging real firewall configuration problems. Furthermore, Margrave achieves reasonable performance on large policies. Finally, individual queries uniformly execute in seconds.
Performance-wise there are three types of queries Margrave supports:
- Computing over a single policy or network with just the default relations.
- Computing over a single policy or network while including additional relations.
- Computing over multiple, independent policies or networks.
Furthermore, it has the ability to detect superfluous rules very effectively, and uniformly capture information about policies at various levels of granularity.
Criticism: It would be very difficult to change the structure of a network to support new internal flow of packets within routers after network deployment. Nevertheless, Margrave can reason about interactions between policies from multiple languages for different configuration concerns.
Also, the authors expect Margrave will scale poorly to large networks of firewalls due to a linear increase of formulas with increasing number of firewalls.
A difficulty arises when reusing queries due to policy edits. The compiler names rules by line-numbers, so edits may invalidate existing queries.
Question: What is the reason that so many rules were superfluous in the queries tested under the Enterprise firewall configuration?
Future work: To learn how effectively to model and reason about state without sacrificing performance, and to identify the sweet spot in IP addressing handling.
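The review above describes Margrave's multi-level queries (rule, filter, firewall, comparison across policies) and its ability to detect superfluous rules. The following is an added example, not code from the paper or the Margrave project: it stands in for Margrave's model finder with brute-force enumeration over a small constructed packet domain, and the rule format, field names and the sample policy are my own assumptions.

```python
# Added example (not Margrave's code): brute-force scenario finding over a tiny
# packet domain, standing in for Margrave's first-order model finder.
from itertools import product

# Constructed abstract packet domain; small enumerations keep exhaustive search cheap.
SRC = ["inside", "dmz", "outside"]
DST = ["inside", "dmz", "outside"]
PORT = [22, 80, 443, 8080]
PACKETS = [dict(src=s, dst=d, port=p) for s, d, p in product(SRC, DST, PORT)]

def rule(name, decision, **conds):
    """A rule matches a packet when every given field equals the condition."""
    return dict(name=name, decision=decision, conds=conds)

def first_match(policy, pkt):
    """First-match semantics: return (decision, responsible rule name)."""
    for r in policy:
        if all(pkt[f] == v for f, v in r["conds"].items()):
            return r["decision"], r["name"]
    return "deny", "<default>"

def scenarios(policy, decision):
    """Packets witnessing a decision (a 'which packets satisfy ...' query)."""
    return [p for p in PACKETS if first_match(policy, p)[0] == decision]

def superfluous_rules(policy):
    """Rules that no packet in the domain ever reaches (shadowed by earlier rules)."""
    hit = {first_match(policy, p)[1] for p in PACKETS}
    return [r["name"] for r in policy if r["name"] not in hit]

def change_impact(old, new):
    """Packets whose decision differs between two policies (comparison query)."""
    return [p for p in PACKETS if first_match(old, p)[0] != first_match(new, p)[0]]

# Constructed sample policy: r3 repeats r1's conditions, so r3 is never reached.
POLICY_V1 = [
    rule("r1", "permit", src="outside", dst="dmz", port=80),
    rule("r2", "permit", src="inside", dst="outside"),
    rule("r3", "deny",   src="outside", dst="dmz", port=80),
    rule("r4", "permit", src="outside", dst="dmz", port=443),
]
# Edited policy: additionally allow SSH from inside to the DMZ.
POLICY_V2 = POLICY_V1 + [rule("r5", "permit", src="inside", dst="dmz", port=22)]

if __name__ == "__main__":
    print("superfluous:", superfluous_rules(POLICY_V1))
    print("permitted into dmz:", [p for p in scenarios(POLICY_V1, "permit") if p["dst"] == "dmz"])
    print("change impact:", change_impact(POLICY_V1, POLICY_V2))
```

Exhaustive enumeration only works because the domain is tiny; the point is the query shape (witness packets, responsible rule, unreachable rules, differing decisions), which a real model finder answers without enumerating every packet.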
Title: The Margrave Tool for Firewall Analysis
Authors: Timothy Nelson, Christopher Barratt, Daniel J. Dougherty, Kathi Fisler, Shriram Krishnamurthi
Novel Idea: This paper proposes Margrave, a tool with powerful features for firewall analysis, that is different from existing tools in that it supports queries at multiple levels, it supports reflexive ACLs, it compares separate firewalls in one query and generally, it offers more functionality than other firewall tools. Margrave's unique features lie in the fact that it uses scenario-finding over first-order models and is based on multi-level policy-reasoning.
Main Result: The main result of the paper is Margrave, a general purpose policy analyzer. The evaluation process of the tool showed that its performance is reasonable but it is slower than other firewall analyzers.
Evidence: The authors begin with a description of Margrave, and point out its distinct features compared to other firewall analysis tools. Through specific query examples, they describe its query language and its output on different scenarios. Then they talk about how Margrave sees policies, how it maps policies and queries into first order logic formulas and how it computes solutions. They discuss how firewall questions map into Margrave and then describe Margrave's implementation. The evaluation process aims at two things: First, to confirm that the query language supports debugging real firewall configuration problems and second, to ensure that Margrave has reasonable performance on large policies. To achieve the first goal, they applied Margrave to problems that were posted on help-forums for network configuration and checked if the suggested solutions fixed the problems without affecting traffic. They reported two examples of help-forum posts and reported reasonable performance (2751ms and 8725ms respectively, to run the full suite of queries) and the memory footprint of the Java engine (50MB and 74MB respectively). To achieve the second goal, they applied Margrave on an enterprise firewall configuration, in use, that contained 1000 total rules, belonging to several rule sets. They reported runtime performance for various types of queries.
Prior Work: Margrave is an extension over a previous tool that had the same name [12] but targeted simple policies, encoding them as propositional formulas. In the current paper's tool version, first-order models are used, in order to model enterprise access-control policies.
Competitive Work: Plenty of related/competitive work is mentioned in the paper. Several surveys on firewall-configuration errors show the need for analysis tools [31, 35]. A firewall analyzer tool named Fang was proposed in [26, 27, 34], that later evolved into a commercial product, AlgoSec Firewall Analyzer [3]. Unlike Margrave though, Fang doesn't support first-order queries or integration with a programming language. The ITVal tool, proposed in [23, 24], uses MMDs to execute SQL-like queries on firewall policies, but again Margrave offers more functionality, as it supports first-order queries. ConfigChecker [1, 2], a BDD-based tool that analyses networks of firewalls using CTL queries, operates at the level of policies, while Margrave can also handle individual rules. Other tools proposed in [5, 9, 10] don't support NAT. Moreover, [36] as well as the FACE tool [33] also don't consider NAT or internal routing. Compared to Prometheus [30], Margrave offers a richer query language. Unlike NetPiler [18, 19], Margrave doesn't support BGP configurations but its core engine could support them. Other works such as [16], [11] and [7] also don't address NAT.
Criticism: This paper has both some positive and negative aspects. Margrave offers more functionality than existing firewall tools. Its ability to support queries at multiple levels, real-world firewall configuration languages and NAT, its rich query language, as well as the fact that it benefits from first-order logic without excessive cost, are some of its strengths. On the other hand, although its performance is reasonable, it is slower than other firewall analyzers. Furthermore, it is expected to scale poorly to large networks of firewalls, as its formulas will grow linearly with the number of firewalls. However, the tool is still under development, with potential for further improvement, and the authors have clearly stated how they plan on enhancing it further. Overall, it seems a promising approach. Another comment is that it would be good to see a broader variety of results on Margrave in the future.
Paper Title: The Margrave Tool for Firewall Analysis
Authors: Timothy Nelson, Christopher Barratt, Daniel J. Dougherty, Kathi Fisler, Shriram Krishnamurthi
Date: 24th International Conference on Large Installation System Administration, 2010
Novel Idea:
Margrave is a tool for analyzing firewalls which includes utilities like enumerating consequences of configuration edits, detecting overlaps and conflicts among rules, tracing firewall behavior to specific rules, and verification against security goals.
Main Results:
Margrave provides an interface for querying firewall configurations and testing new configuration settings. Margrave can map both policies and queries into first order logic formulas. Margrave can be used to answer questions like which packets satisfy a condition, verify whether a configuration is possible, rule responsibility, rule relationships, and change impact.
Impact:
Firewalls will be easier to configure and analyze. Bugs could be faster to be located and eliminated.
Prior work: Fang, AlgoSec Firewall Analyzer, ITVal, ConfigChecker, Vantage tool, Firewall Decision Diagrams (FDD), Fireman tool, FACE tool, NetPiler tool, etc.