Reviews for Margrave


Rodrigo Fonseca

Apr 17, 2013, 9:40:46 PM
to csci2950u-...@googlegroups.com
Hi, 

Please post your reviews to Margrave as a group response to this message.

Thanks,
Rodrigo

Jeff Rasley

Apr 17, 2013, 10:54:37 PM
to csci2950u-...@googlegroups.com
Title: The Margrave Tool for Firewall Analysis
Authors: Timothy Nelson (WPI), Christopher Barratt (Brown), Daniel J. Dougherty (WPI), Kathi Fisler (WPI), Shriram Krishnamurthi (Brown)
Context: LISA '10

Novel Idea: Created the tool Margrave, which is used to analyze firewall configurations and generate scenarios for a user's queries. Margrave appears to support more features and is more rigorous than other existing tools.

Main Results: The authors created a tool to analyze firewall configurations. The tool, called Margrave, is able to load a configuration file and the user is then able to ask questions about whether a packet will be able to enter/exit the network, ACLs, what changes in behavior occur when adding/removing rules, etc. They built this tool (Racket front-end, Java back-end) to help sysadmins administer and debug their Cisco IOS switch configurations.

Impact/Evidence/Reproducibility: It appears the tool has real use from sysadmins and is available on their site.

Competitive work: Existing firewall analyzers: ITVal, Fireman, Prometheus, ConfigChecker, Fang/AlgoSec, Vantage.

Future work: The authors would like to collapse potential outcome scenarios by commonality, such as the behavior may be the same for the same incoming IPs but with different ports.

Question/Comment: Someone in the video had a great comment about work from Google called Caprica. In their system they collect firewall logs and then when they make a firewall change they replay some recent logs to see what the changes would be. This way you only potentially see a subset of changes that you may care about. Of course since this isn't as exhaustive as what Margrave could do (I think?) you may miss something that would only appear rarely.

Christopher Picardo

Apr 18, 2013, 2:56:38 AM
to csci2950u-...@googlegroups.com

Paper Title: The Margrave Tool for Firewall Analysis

Authors: Timothy Nelson, Christopher Barratt, Daniel J. Dougherty, Kathi Fisler, Shriram Krishnamurthi

Date: In USENIX Large Installation System Administration Conference, 2010

Novel Idea: Margrave offers powerful features for firewall analysis: It supports queries at multiple levels (rules, filters, firewalls, and networks of firewalls), compares separate firewalls in a single query, supports reflexive Access Control Lists, and produces a set of scenarios that witness the queried behavior. All this is done in order to detect behavior inconsistencies within a firewall.

Margrave consists of a frontend read-eval-print loop and a backend written in Java. The frontend handles parsing and output presentation. The analysis and scenario generation occurs in the backend.

Main Results: Margrave works. Its backend produces sets of solutions to first-order logic formulas. It confirms that the query language used and its results support debugging real firewall configuration problems. Furthermore, Margrave achieves reasonable performance on large policies. Finally, individual queries uniformly execute in seconds.

Performance-wise there are three types of queries Margrave supports:

- Computing over a single policy or network with just the default relations.
- Computing over a single policy or network while including additional relations.
- Computing over multiple, independent policies or networks.

Furthermore, it has the ability to detect superfluous rules very effectively, and uniformly capture information about policies at various levels of granularity.

Criticism: It would be very difficult to change the structure of a network to support new internal flow of packets within routers after network deployment. Nevertheless, Margrave can reason about interactions between policies from multiple languages for different configuration concerns.

Also, the authors expect Margrave will scale poorly to large networks of firewalls due to a linear increase of formulas with increasing number of firewalls.

A difficulty arises when reusing queries due to policy edits. The compiler names rules by line-numbers, so edits may invalidate existing queries.

Question: What is the reason that so many rules were superfluous in the queries tested under the Enterprise firewall configuration?

Future work: To learn how to effectively model and reason about state without sacrificing performance, and to identify the sweet spot in IP address handling.

Papagiannopoulou, Dimitra

Apr 18, 2013, 2:19:20 AM
to Rodrigo Fonseca, csci2950u-...@googlegroups.com

Title: The Margrave Tool for Firewall Analysis

Authors: Timothy Nelson, Christopher Barratt, Daniel J. Dougherty, Kathi Fisler, Shriram Krishnamurthi

Novel Idea: This paper proposes Margrave, a tool with powerful features for firewall analysis, that is different from existing tools in that it supports queries at multiple levels, supports reflexive ACLs, compares separate firewalls in one query and, generally, offers more functionality than other firewall tools. Margrave's unique features lie in the fact that it uses scenario-finding over first-order models and is based on multi-level policy reasoning.

Main Result: The main result of the paper is Margrave, a general purpose policy analyzer. The evaluation process of the tool showed that its performance is reasonable but it is slower than other firewall analyzers.

Evidence: The authors begin with a description of Margrave, and point out its distinct features compared to other firewall analysis tools. Through specific query examples, they describe its query language and its output on different scenarios. Then they talk about how Margrave sees policies, how it maps policies and queries into first order logic formulas and how it computes solutions. They discuss how firewall questions map into Margrave and then describe Margrave's implementation. The evaluation process aims at two things: First, to confirm that the query language supports debugging real firewall configuration problems and second, to ensure that Margrave has reasonable performance on large policies. To achieve the first goal, they applied Margrave to problems that were posted on help-forums for network configuration and checked if the suggested solutions fixed the problems without affecting traffic. They reported two examples of help-forum posts and reported reasonable performance (2751ms and 8725ms respectively, to run the full suite of queries) and the memory footprint of the Java engine (50MB and 74MB respectively). To achieve the second goal, they applied Margrave on an enterprise firewall configuration, in use, that contained 1000 total rules, belonging to several rule sets. They reported runtime performance for various types of queries.

Prior Work: Margrave is an extension over a previous tool that had the same name [12] but targeted simple policies, encoding them as propositional formulas. In the current paper's tool version, first-order models are used, in order to model enterprise access-control policies.


Competitive Work: Plenty of related/competitive work is mentioned in the paper. Several surveys on firewall-configuration errors show the need for analysis tools [31, 35]. A firewall analyzer tool named Fang was proposed in [26, 27, 34], which later evolved into a commercial product, AlgoSec Firewall Analyzer [3]. Unlike Margrave though, Fang doesn't support first-order queries or integration with a programming language. The ITVal tool, proposed in [23, 24], uses MMDs to execute SQL-like queries on firewall policies, but again Margrave offers more functionality, as it supports first-order queries. ConfigChecker [1, 2], a BDD-based tool that analyses networks of firewalls using CTL queries, operates at the level of policies, while Margrave can also handle individual rules. Other tools proposed in [5, 9, 10] don't support NAT. Moreover, [36] as well as the FACE tool [33] also don't consider NAT or internal routing. Compared to Prometheus [30], Margrave offers a richer query language. Unlike NetPiler [18, 19], Margrave doesn't support BGP configurations but its core engine could support them. Other works such as [16], [11] and [7] also don't address NAT.

Criticism: This paper has both some positive and negative aspects. Margrave offers more functionality than existing firewall tools. Its ability to support queries at multiple levels, real-world firewall configuration languages and NAT, its rich query language, as well as the fact that it benefits from first-order logic without excessive cost, are some of its strengths. On the other hand, although its performance is reasonable, it is slower than other firewall analyzers. Furthermore, it is expected to scale poorly to large networks of firewalls, as its formulas will grow linearly with the number of firewalls. However, the tool is still under development, with potential for further improvement, and the authors have clearly stated how they plan on enhancing it further. Overall, it seems a promising approach. Another comment is that it would be good to see a broader variety of results on Margrave in the future.

--
You received this message because you are subscribed to the Google Groups "CSCI2950-u Spring 13 - Brown" group.
Charles Zhang

Apr 18, 2013, 1:34:52 AM
to Rodrigo Fonseca, csci2950u-...@googlegroups.com

Paper Title: The Margrave Tool for Firewall Analysis


Authors: Timothy Nelson, Christopher Barratt, Daniel J. Dougherty, Kathi Fisler, Shriram Krishnamurthi


Date: 24th International Conference on Large Installation System Administration, 2010


Novel Idea:

Margrave is a tool for analyzing firewalls which includes utilities like enumerating consequences of configuration edits, detecting overlaps and conflicts among rules, tracing firewall behavior to specific rules, and verification against security goals.


Main Results:

Margrave provides an interface for querying firewall configurations and testing new configuration settings. Margrave can map both policies and queries into first order logic formulas. Margrave can be used to answer questions like which packets satisfy a condition, verify whether a configuration is possible, rule responsibility, rule relationships, and change impact.


Impact:

Firewalls will be easier to configure and analyze. Bugs could be faster to be located and eliminated.


Prior work: Fang, AlgoSec Firewall Analyzer, ITVal, ConfigChecker, Vantage tool, Firewall Decision Diagrams (FDD), Fireman tool, FACE tool, NetPiler tool, etc.
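To make the query types named in the reviews above concrete (witness packets for a condition, rule responsibility, superfluous-rule detection, change impact), here is a miniature scenario finder over first-match ACLs. It is an added illustration, not Margrave's code: Margrave works over first-order models with a solver, whereas this toy enumerates a constructed finite packet universe; the rules, hosts and ports are all made up.

```python
from itertools import product
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    name: str
    action: str           # "permit" or "deny"
    src: Optional[str]    # None matches any source; otherwise an exact host label
    dst: Optional[str]
    dport: Optional[int]

# Constructed packet universe: a handful of hosts and ports, small enough to enumerate.
HOSTS = ["10.0.0.1", "10.0.0.2", "192.168.1.5", "8.8.8.8"]
PORTS = [22, 80, 443]

def packets():
    """Every (src, dst, dport) triple in the toy universe."""
    return product(HOSTS, HOSTS, PORTS)

def matches(rule, pkt):
    fields = zip((rule.src, rule.dst, rule.dport), pkt)
    return all(want is None or want == have for want, have in fields)

def decide(policy, pkt):
    """First-match with an implicit deny at the end; returns (action, responsible rule)."""
    for rule in policy:
        if matches(rule, pkt):
            return rule.action, rule.name
    return "deny", "implicit-deny"

def scenarios(policy, action, dst=None):
    """Witness packets that receive `action`, optionally restricted to one destination."""
    return [p for p in packets() if decide(policy, p)[0] == action and dst in (None, p[1])]

def superfluous(policy):
    """Rules that never decide any packet: shadowed by earlier rules, so they can be dropped."""
    firing = {decide(policy, p)[1] for p in packets()}
    return [r.name for r in policy if r.name not in firing]

def change_impact(old, new):
    """Packets whose verdict differs between two versions of the policy."""
    return [p for p in packets() if decide(old, p)[0] != decide(new, p)[0]]

# Constructed policies: r3 is shadowed by r1, and NEW narrows r2's broad permit.
OLD = [Rule("r1", "deny", None, None, 22),
       Rule("r2", "permit", "10.0.0.1", None, None),
       Rule("r3", "permit", "10.0.0.1", None, 22)]
NEW = [OLD[0], Rule("r2", "permit", None, "192.168.1.5", 443)]

if __name__ == "__main__":
    print("superfluous in OLD:", superfluous(OLD))                          # ['r3']
    print("OLD permits to 192.168.1.5:", scenarios(OLD, "permit", "192.168.1.5"))
    print("verdicts changed by the edit:", len(change_impact(OLD, NEW)))    # 10
```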



Shao, Tuo

Apr 17, 2013, 10:35:13 PM
to csci2950u-...@googlegroups.com
Paper Title
The Margrave Tool for Firewall Analysis

Authors
Timothy Nelson, Christopher Barratt, Daniel J. Dougherty, Kathi Fisler, Shriram Krishnamurthi

Novel Ideas
The paper proposes a firewall-analysis tool which enables users to analyse various scenarios and reason about multi-level policies.

Main Results
The main contribution of this paper is providing a way to convert IOS configurations to first-order policies. The paper also describes how this logic could identify and analyse various scenarios.

Impact
Compared to other existing tools, the paper claims that it provides more powerful features.

Evidence
The paper first describes the basic features of Margrave. Then it describes the first-order logic model used to define scenarios and how Margrave maps IOS to these first-order policies. Finally, the paper gives the implementation and the evaluation of Margrave to test its capacity to resolve real-world problems and its performance.

Prior Work and Competitive Work
Margrave uses Kodkod to produce solutions to first-order formulas. The paper also compares Margrave to many other existing firewall-analysis tools and, according to the paper, Margrave outperforms them in the number of features it provides.

Reproducibility
I think the result of this paper could be reproduced by following the steps in section 4 showing how the configurations are decomposed, which is the paper's main takeaway.


Rodrigo Fonseca

Apr 18, 2013, 7:26:01 AM
to csci2950u-...@googlegroups.com
On behalf of David Trejo:
[Review attached as an inline image: IMG_20130417_235557.jpg]