Analysis Service user manual, version 0.2.0, 13 December 2013
D-ANALYSISSERVICE, PoSecCo, http://www.posecco.eu

Contents

1 Introduction
2 Graphical User Interface
  Main View
  Configuration View
    Filtering Configuration
    Data Protection Configuration
  Filtering Zone Landscape View
  Result View Single Analyser
  Result View Distributed Analyser
References

1 Introduction

The role of this document is to provide an overview of how to use the Analysis Service implementation. The Analysis Service allows the user to perform intra-policy and inter-policy analysis of filtering and data protection configurations. Filtering and data protection configurations are defined in D3.3 (Configuration Meta-Model).

Intra-Policy

Intra-policy analysis is performed on one single filtering or data protection configuration. The Analysis Service implementation handles intra-policy analysis of filtering and data protection configurations separately and also presents them in that way. The Analysis Service implementation can identify the following intra-policy anomalies: shadowing anomaly, correlation anomaly, generalization anomaly, redundancy anomaly and irrelevance anomaly. Given two rules r1 and r2, where r1 is the highest priority rule, the rule-pair anomalies are:

- shadowing anomaly: r2 is shadowed when r1 matches all the packets that r2 matches, so that r2 will never be activated;
- correlation anomaly: r1 and r2 are correlated if they enforce different actions and there exists some packet matching both r1 and r2, and there exists some packet matching r1 but not r2 and vice versa;
- generalization anomaly: r2 is a generalization of r1 if they enforce different actions and all the packets matching r1 also match r2, but not the contrary;
- redundancy anomaly: r2 is redundant if r1 matches the same packets and enforces the same action as r2, so the removal of r2 will not change the policy behaviour;
- irrelevance anomaly: a rule is irrelevant if it does not match any packet that could pass through the firewall. It does not concern relations between rules, but rather between a rule and the enforcing device.

Inter-Policy

Inter-policy analysis, called "distributed" by the Analysis Service implementation, is performed on all filtering and data protection policies between two filtering zones. The analysis also takes into consideration potential address translations introduced by NAT/NAPT and IPsec tunnels. The distributed analysis serves to verify what happens to packets exchanged between these zones, that is, whether packets are allowed or denied. The analyser searches for serial and parallel anomalies: serial anomalies are found on one single path between two security devices, whereas parallel anomalies are found by comparing the applied actions on multiple paths. Moreover, the distributed model supports IPsec policies using transport mode actions and classifies all the types of IPsec anomalies identified in the literature [1, 2].

Serial conflicts include the shadowing anomaly, the spuriousness anomaly, the redundancy anomaly and the correlation anomaly. A shadowing anomaly occurs if an upstream firewall blocks the network traffic accepted by a downstream firewall. A spuriousness anomaly occurs if an upstream firewall permits the network traffic denied by a downstream firewall. A redundancy anomaly occurs if a downstream firewall denies the network traffic already blocked by an upstream firewall. A correlation anomaly occurs as a result of having two correlated rules in the upstream and downstream firewalls. There exists only one parallel anomaly, which occurs when the applied filtering action is not the same on all paths between two policies.

IPsec anomalies include the overlapping conflict and the weak protection conflict; this kind of anomaly can be found between rules of one single policy or of a distributed policy. An overlapping conflict exists if two tunnel mode tunnels overlap, or the first is a transport mode tunnel and the second is a tunnel mode tunnel, and the rule which sends the packet to the nearer device takes priority over the rule which sends the packet to the farther device. A weak protection conflict exists if ESP transport mode applies over AH transport mode, or AH transport mode applies over ESP tunnel mode.

2 Graphical User Interface

The main GUI of the Analysis Service is divided into three views: the Main View, the Configuration View and the Result View.

Main View

The main view is used by the user to select the type of analysis he wants to perform. It contains three tabs: Filtering, Data protection and Distributed.

Filtering

[Figure 1: Main View, Filtering tab. The screenshot shows the tabs Filtering, Data protection and Distributed, the buttons Go and View, the Configurations list (entries such as filteringConfiguration_fw4_confNo2, filteringConfiguration_fw1_confNo3 and filteringConfiguration_fw3_confNo1) and the Analysers list.]

The filtering tab (Fig. 1) gives the user the possibility to analyse filtering configurations. The tab contains two buttons and two lists. With the button Go the user can execute the analysis of the selected configuration using the selected analyser; the result of the analysis is shown in the result view (Fig. 7). The button View allows the user to visualize the selected configuration in the filtering configuration view (Fig. 4). The first list, Configurations, contains all filtering configurations available to be analysed, and the second list, Analysers, contains all analysers that can be used.

Data Protection

[Figure 2: Main View, Data protection tab. Same layout as Fig. 1; the Configurations list holds data protection configurations such as dataProtectionConfiguration_s3_wssec, dataProtectionConfiguration_s2_wssec, dataProtectionConfiguration_s2_ipsec, dataProtectionConfiguration_s1_wssec and dataProtectionConfiguration_s3_ipsec.]

The data protection tab (Fig. 2) gives the user the possibility to analyse data protection configurations. The tab contains two buttons and two lists. With the button Go the user can execute the analysis of the selected configuration using the selected analyser; the result of the analysis is shown in the result view (Fig. 7). The button View allows the user to visualize the selected configuration in the filtering configuration view (Fig. 4). The first list, Configurations, contains all data protection configurations available to be analysed, and the second list, Analysers, contains all analysers that can be used.

Distributed

[Figure 3: Main View, Distributed tab. The screenshot shows the button Go, the lists Source FilteringZone and Destination FilteringZone (entries such as filteringZone2 and filteringZone3) and the Analysers list.]

The distributed tab (Fig. 3) gives the user the possibility to analyse distributed configurations. A distributed configuration is identified by the source filtering zone and the destination filtering zone. The tab contains one button and three lists. With the button Go the user can execute the analysis of the selected distributed configuration using the selected analyser; the result of the analysis is shown in the result view (Fig. 7). The first two lists contain all available filtering zones: the first list, Source FilteringZone, identifies the source filtering zone, and the second list, Destination FilteringZone, identifies the destination filtering zone. By selecting one filtering zone from the first list and one from the second, the user can specify the distributed configuration he wants to analyse. The last list, Analysers, contains all analysers that can be used.

Configuration View

The configuration view displays the filtering and data protection configuration selected in the main view.

Filtering Configuration

[Figure 4: Filtering Configuration View. A table with the columns Name, Source IP, Destination IP, Source Port, Destination Port, L4Protocol, Url and Action; the screenshot lists rules filtering_conf_rule_9 to filtering_conf_rule_12 between 172.17.8.x hosts, L4Protocol TCP, URLs of the form https://172.17.8.203:8080, action ALLOW.]

This view displays the selected configuration containing filtering rules (Fig. 4). The view is organized in tabular form: every row contains one rule and its attributes.

Data Protection Configuration

[Figure 5: Data Protection Configuration View]

| Name | Source IP | Destination IP | AuthenticationAl… | AuthenticationT… | EncryptionAlgo… | ExchangeMode | HashAlgorithm |
|---|---|---|---|---|---|---|---|
| dataProt_conf_rule_14 | 172.17.8.131 | 172.17.8.133 | hmac-sha256 | HMAC | AES | main | SHA256 |
| dataProt_conf_rule_13 | 172.17.8.131 | 172.17.8.132 | hmac-sha256 | HMAC | AES | main | SHA256 |
| dataProt_conf_rule_12 | 172.17.8.131 | 172.17.8.131 | hmac-sha256 | HMAC | AES | main | SHA256 |

This view displays the selected configuration containing data protection rules (Fig. 5). The view is organized in tabular form: every row contains one rule and its attributes.

Filtering Zone Landscape View

[Figure 6: Filtering Zone Landscape (Landscape Explorer View, Network Graph)]

This view displays the landscape (Fig. 6) with the different filtering zones highlighted in different colors.

Result View Single Analyser

[Figure 7: Result View, Single Analyser. A table with the columns Rule 1, Rule 2 and Conflict; the screenshot lists pairs of rules of filteringConfiguration_edge1_confNo1_1 (IPsec allow rules and TCP rules for SSH, FTP and RTMP between 85.17.x.x, 46.165.247.x and 192.168.102.x hosts) with the conflict type MAKES REDUNDANT.]

The result view of the single analyser displays the result of the last analysis executed by the user (Fig. 7). The view shows only the conflicts found in the configuration. The result view is organized in three columns: the first two columns contain the rules which are in conflict and the third column contains the type of the conflict. By moving the mouse over a rule name, a tool tip appears which shows details of the rule.

Result View Distributed Analyser

[Figure 8: Result View, Distributed Analyser. A tree with the conflict types (REDUNDANT, SPURIOUS) at the first level, configurations such as filteringConfiguration_r2_confNo6 and filteringConfiguration_r4_confNo8, each split into IN and OUT parts, at the second level, and the involved rules (including NAT rules and DefaultAction entries) at the third level.]

The result view of the distributed analyser displays the result of the last analysis executed by the user (Fig. 8). The view shows only the conflicts found in the path from one filtering zone to another. The view is structured as a tree where the first level specifies the type of the conflict, the second level specifies the involved configuration and the third level specifies the involved rule. Every configuration is divided into two parts: IN contains all rules applied to a packet before an IPsec action is applied, and OUT contains all rules applied to a packet after an IPsec action is applied. In case no rule is applied at a certain point and the default action of the configuration is activated, the third level of the tree contains the string DefaultAction.

References

[1] E. Al-Shaer, H. Hamed, "Taxonomy of conflicts in network security policies", IEEE Communications Magazine, Vol. 44, No. 3, March 2006, pp. 134-141.
[2] E. Al-Shaer, H. Hamed, "Modeling and verification of IPSec and VPN security policies", 13th IEEE International Conference on Network Protocols (ICNP 2005), Boston, MA, November 6-9, 2005, pp. 259-278.
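As an added example, not code from the PoSecCo Analysis Service, the following script classifies the intra-policy rule-pair anomalies defined in the Introduction (shadowing, correlation, generalization, redundancy) over a constructed filtering policy; a higher-priority rule that covers a later rule with the same action is reported as redundancy, which is assumed here to be the intended reading of "matches the same packets". The irrelevance anomaly is left out because it needs the enforcing device's topology rather than a rule pair.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# Added example (not PoSecCo code): classify intra-policy rule-pair anomalies as
# defined in the Introduction. Each field is an inclusive integer interval (lo, hi);
# a rule matches the product of its five intervals.
ANY_PORT, TCP = (0, 65535), (6, 6)

def cidr(text):  # CIDR block -> (first, last) address as integers
    net = ip_network(text)
    return (int(net.network_address), int(net.broadcast_address))

@dataclass(frozen=True)
class Rule:
    name: str
    src: tuple; dst: tuple; sport: tuple; dport: tuple; proto: tuple
    action: str
    def fields(self):
        return (self.src, self.dst, self.sport, self.dport, self.proto)

def subset(a, b):  # every packet matched by rule a is also matched by rule b
    return all(bl <= al and ah <= bh for (al, ah), (bl, bh) in zip(a.fields(), b.fields()))

def intersects(a, b):  # at least one packet is matched by both rules
    return all(max(al, bl) <= min(ah, bh) for (al, ah), (bl, bh) in zip(a.fields(), b.fields()))

def classify(r1, r2):
    """r1 has the higher priority. Returns the anomaly name for the pair, or None."""
    if subset(r2, r1):  # r2 can never be activated
        return "redundancy" if r1.action == r2.action else "shadowing"
    if subset(r1, r2) and r1.action != r2.action:
        return "generalization"  # r2 is a generalization of r1
    if intersects(r1, r2) and r1.action != r2.action:
        return "correlation"  # partial overlap with conflicting actions
    return None

def analyse(policy):  # check every ordered pair of a policy listed in priority order
    return [(r1.name, r2.name, a) for i, r1 in enumerate(policy)
            for r2 in policy[i + 1:] if (a := classify(r1, r2))]
# Constructed sample policy in the style of the filtering configuration view (Fig. 4)
POLICY = [
    Rule("rule_1", cidr("172.17.8.0/24"), cidr("172.17.8.203/32"), ANY_PORT, (8080, 8080), TCP, "ALLOW"),
    Rule("rule_2", cidr("172.17.8.147/32"), cidr("172.17.8.203/32"), ANY_PORT, (8080, 8080), TCP, "DENY"),
    Rule("rule_3", cidr("172.17.8.131/32"), cidr("172.17.8.203/32"), ANY_PORT, (8080, 8080), TCP, "ALLOW"),
    Rule("rule_4", cidr("172.17.8.128/25"), cidr("172.17.8.0/24"), ANY_PORT, (8000, 9000), TCP, "DENY"),
]
if __name__ == "__main__":
    for r1, r2, anomaly in analyse(POLICY):
        print(f"{r1} / {r2}: {anomaly}")
```

Running it reports rule_2 shadowed by rule_1, rule_3 redundant to rule_1, rule_1 and rule_4 correlated, and rule_4 as a generalization of rule_3, the four pair relations the Result View would list as conflicts.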
