
Management of Exceptions in Access Control Policies - J. G. Alfaro, F. Cuppens, N. Cuppens (ENST Bretagne, Rennes, RSM/SERES) - PowerPoint PPT Presentation



  1. Management of Exceptions in Access Control Policies
  J. G. Alfaro, F. Cuppens, N. Cuppens
  ENST Bretagne, Rennes, RSM/SERES

  2. Outline
  - Problem domain
  - Main strategies
  - Use of full expressiveness
  - Conclusions and Perspectives

  3. Problem domain
  - When specifying an access control policy, how can we properly specify exceptions to those general rules that almost always apply?
  - Example: in a hospital
    - General rule: all physicians are allowed to consult patients' medical records
    - Exception 1 (exception to the general case): physicians on strike can't access medical records
    - Exception 2 (exception to Exception 1): for emergency purposes, even physicians on strike can access patients' medical records

  4. Management of exceptions on firewalls
  - Example: zone Private can access web resources of zone Internet
    [Figure: zones Private and Internet, connected through the Firewall]
  - Format of a filtering rule: Condition → accept or Condition → deny, where Condition is a conjunctive set of attributes of the form:
    (s)ource ∧ (d)estination ∧ source-port (sport) ∧ destination-port (dport) ∧ (p)rotocol
  - Possible rule for the example:
    R: s ∈ 111.222.1.0/24 ∧ d ∈ any ∧ p = tcp ∧ dport = 80 → accept

  5. Management of exceptions on firewalls
  - Example (continuation):
    [Figure: zones Admin, Corporate, Internet and Private, connected through the Firewall]
  - Exception 1: the interfaces of Firewall (Interf-fw) are not allowed to access web resources on the zone Internet
    - Exclusion of address 111.222.1.1 from zone Private
  - Exception 2: the hosts in Admin are not allowed to access web resources
    - Exclusion of zone Admin from zone Private
  - Exception 3: the hosts in Corporate (111.222.*.*) are not considered a part of zone Internet
    - Exclusion of zone Corporate from zone Internet

  6. Management of exceptions on firewalls
  - Example (continuation):
    [Figure: zones Admin, Corporate, Internet and Private, connected through the Firewall]
  - Problem: how to express the following rule? Zone (Private — Admin — Interf-fw) has the permission of accessing web resources in zone (Internet — Corporate)

  7. Management of exceptions on firewalls
  - Three main strategies:
    1. First/Last Matching Algorithms: total ordering of rules
    2. Segmentation of Rules: exclusion of condition attributes
    3. Partial Ordering of Rules: use of chains and jumps

  8. First Matching Strategy
  - Principle:
    - Ordering of permissions and prohibitions
    - The firewall parses the rules until one applies: if that rule is a permission, traffic is accepted; otherwise, traffic is refused
    - When no rule applies, the decision depends on the default policy: in the case of an open policy, traffic is accepted; if the policy is closed, traffic is refused
  - Example: R: s ∈ (A ∧ ¬B) → accept
    R1: (s ∈ B) → deny
    R2: (s ∈ A) → accept

  9. First Matching Strategy
  - Motivation example:
    [Figure: zones Admin, Corporate, Internet and Private, connected through the Firewall]
    "Zone (Private — Admin — Interf-firewall) has the permission of accessing web resources from zone (Internet — Corporate)"
  - Possible set of rules:
    R1: s ∈ 111.222.1.1 ∧ d ∈ any ∧ p = tcp ∧ dport = 80 → deny
    R2: s ∈ [111.222.1.13, 111.222.1.25] ∧ d ∈ any ∧ p = tcp ∧ dport = 80 → deny
    R3: s ∈ 111.222.1.0/24 ∧ d ∈ 111.222.0.0/16 ∧ p = tcp ∧ dport = 80 → deny
    R4: s ∈ 111.222.1.0/24 ∧ d ∈ any ∧ p = tcp ∧ dport = 80 → accept

  10. First Matching Strategy
  - Advantages
    - Solution implemented in most existing firewalls
  - Drawbacks
    - Necessity of defining a total order between rules
    - Transformation of local rule exceptions into global exceptions
    - Risk of interference between rules
    - Administration of setups becomes error prone
      o Adding/removing general rules
      o Adding/removing exceptions
    - Combinations of rules not always possible to implement by simple ordering of rules
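A first-matching evaluator for the rule set of slide 9, added here as an example (it is not code from the slides or their authors). The rule table, the packet fields and the shadowing check are my construction; the default argument models the open/closed default policy of slide 8, and shadowed() makes the "interference between rules" drawback of slide 10 checkable by reporting rules that an earlier rule already covers.

```python
import ipaddress

def ip(addr):
    return int(ipaddress.IPv4Address(addr))

def cidr(net):
    n = ipaddress.IPv4Network(net)
    return (int(n[0]), int(n[-1]))

ANY = (0, 2**32 - 1)  # "d ∈ any"

# Rule set of slide 9: (source range, destination range, protocol, dport, decision),
# listed in evaluation order, with the deny exceptions before the general permission R4.
RULES = [
    ((ip("111.222.1.1"), ip("111.222.1.1")), ANY, "tcp", 80, "deny"),      # R1: Interf-fw
    ((ip("111.222.1.13"), ip("111.222.1.25")), ANY, "tcp", 80, "deny"),    # R2: Admin
    (cidr("111.222.1.0/24"), cidr("111.222.0.0/16"), "tcp", 80, "deny"),   # R3: Corporate as destination
    (cidr("111.222.1.0/24"), ANY, "tcp", 80, "accept"),                    # R4: Private -> web
]

def first_match(rules, src, dst, proto, dport, default="deny"):
    """Decision of the first rule whose condition holds; `default` is the policy
    applied when no rule matches ("deny" = closed policy, "accept" = open policy)."""
    s, d = ip(src), ip(dst)
    for (slo, shi), (dlo, dhi), p, port, decision in rules:
        if slo <= s <= shi and dlo <= d <= dhi and p == proto and port == dport:
            return decision
    return default

def covers(outer, inner):
    return outer[0] <= inner[0] and inner[1] <= outer[1]

def shadowed(rules):
    """Indices of rules that can never fire because an earlier rule already
    matches every packet they match: the rule interference the slides warn about."""
    out = []
    for j, (sj, dj, pj, portj, _) in enumerate(rules):
        if any(pi == pj and porti == portj and covers(si, sj) and covers(di, dj)
               for si, di, pi, porti, _ in rules[:j]):
            out.append(j)
    return out
```

Moving R4 to the front of the list shadows all three exceptions, which is exactly the ordering error an administrator can make when adding a general rule.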

  11. Drawbacks of first matching strategies
  - Example: expression of the following two rules
    R1,1: (s ∈ B) → deny
    R1,2: (s ∈ A) → accept
    R2,1: (s ∈ A) → deny
    R2,2: (s ∈ B) → accept
  - We must first compute A ∩ B and apply the following transformations:
    R1,1: (s ∈ (A ∩ B)) → deny
    R1,2: (s ∈ A) → accept
    R2,1: (s ∈ (A ∩ B)) → deny
    R2,2: (s ∈ B) → accept
  - We can finally deploy the following three rules:
    R1: (s ∈ (A ∩ B)) → deny
    R2: (s ∈ A) → accept
    R3: (s ∈ B) → accept

  12. Drawbacks of first matching strategies
  - Example: insertion of the following rule: the hosts of Private can access web resources in DMZ
    [Figure: zones DMZ, Admin, Corporate, Internet and Private, connected through the Firewall]
    Rule to insert: s ∈ Private ∧ d ∈ DMZ ∧ p = tcp ∧ dport = 80 → accept

  13. Drawbacks of first matching strategies
  - Ordering of rules: the only possibility!
    R1: s ∈ 111.222.1.0/24 ∧ d ∈ 111.222.2.0/24 ∧ p = tcp ∧ dport = 80 → accept
    R2: s ∈ 111.222.1.1 ∧ d ∈ any ∧ p = tcp ∧ dport = 80 → deny
    R3: s ∈ [111.222.1.13, 111.222.1.25] ∧ d ∈ any ∧ p = tcp ∧ dport = 80 → deny
    R4: s ∈ 111.222.1.0/24 ∧ d ∈ 111.222.0.0/16 ∧ p = tcp ∧ dport = 80 → deny
    R5: s ∈ 111.222.1.0/24 ∧ d ∈ any ∧ p = tcp ∧ dport = 80 → accept

  14. Segmentation of condition attributes
  - Principle:
    - Expression of only permissions, in case of an open policy
    - Expression of only prohibitions, in case of a closed policy
    - Transformation of general rules taking into account the set of exceptions
  - Example: R: s ∈ (A ∧ ¬B) → accept becomes R: (s ∈ (A — B)) → accept

  15. Segmentation of condition attributes
  - Expression of rule: Zone (Private — Admin — Interf-firewall) has the permission of accessing web resources from zone (Internet — Corporate)
    Private = 111.222.1.*
    Admin = [111.222.1.13 , 111.222.1.25]
    Interf-firewall = { 111.222.1.1 , 111.222.100.1 }
    Private – Admin – Interf-firewall = [111.222.1.2 , 111.222.1.12] ∪ [111.222.1.26 , 111.222.1.255]
    Internet = *.*.*.*
    Corporate = 111.222.*.*
    Internet – Corporate = [1.1.1.1 , 111.221.255.255] ∪ [111.223.1.1 , 255.255.255.255]

  16. Segmentation of condition attributes
  - Expression of rule: Zone (Private — Admin — Interf-firewall) has the permission of accessing web resources from zone (Internet — Corporate)
    R1: s ∈ [111.222.1.2 , 111.222.1.12] ∧ d ∈ [1.1.1.1 , 111.221.255.255] ∧ p = tcp ∧ dport = 80 → accept
    R2: s ∈ [111.222.1.26 , 111.222.1.255] ∧ d ∈ [1.1.1.1 , 111.221.255.255] ∧ p = tcp ∧ dport = 80 → accept
    R3: s ∈ [111.222.1.2 , 111.222.1.12] ∧ d ∈ [111.223.1.1 , 255.255.255.255] ∧ p = tcp ∧ dport = 80 → accept
    R4: s ∈ [111.222.1.26 , 111.222.1.255] ∧ d ∈ [111.223.1.1 , 255.255.255.255] ∧ p = tcp ∧ dport = 80 → accept
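The segmentation of slides 14 to 16 carried out in code, added here as an example (not code from the slides or their authors): each zone is a list of IPv4 address intervals, subtract() is the interval set-difference that turns Private − Admin − Interf-firewall and Internet − Corporate into the slide 15 ranges, and segmented_rules() emits one permission-only rule per source/destination interval pair. The zone tables are my construction from slide 15 (Private taken as hosts 111.222.1.1 to .255); note that the exact complement of 111.222.*.* starts at 111.223.0.0, where the slide writes 111.223.1.1.

```python
import ipaddress
from itertools import product

def ip(addr):
    return int(ipaddress.IPv4Address(addr))

def rng(lo, hi):
    return (ip(lo), ip(hi))

def subtract(intervals, holes):
    """Set difference on lists of (lo, hi) IPv4 intervals: carve every hole out of
    every interval, splitting an interval in two when the hole lies inside it."""
    result = list(intervals)
    for hlo, hhi in holes:
        nxt = []
        for lo, hi in result:
            if hhi < lo or hlo > hi:          # hole and interval are disjoint
                nxt.append((lo, hi))
                continue
            if lo < hlo:                      # part of the interval before the hole
                nxt.append((lo, hlo - 1))
            if hhi < hi:                      # part of the interval after the hole
                nxt.append((hhi + 1, hi))
        result = nxt
    return result

# Zones of slide 15 as host address ranges (constructed; .0 network addresses are not hosts).
PRIVATE   = [rng("111.222.1.1", "111.222.1.255")]
ADMIN     = [rng("111.222.1.13", "111.222.1.25")]
INTERF_FW = [rng("111.222.1.1", "111.222.1.1"), rng("111.222.100.1", "111.222.100.1")]
INTERNET  = [rng("1.1.1.1", "255.255.255.255")]
CORPORATE = [rng("111.222.0.0", "111.222.255.255")]

def segmented_rules(src_zone, src_excl, dst_zone, dst_excl, proto="tcp", dport=80):
    """Permission-only rules for (src_zone - src_excl) -> (dst_zone - dst_excl):
    one accept rule per (source interval, destination interval) pair, so their
    order no longer matters and no deny rule has to be placed in front of them."""
    srcs = subtract(src_zone, src_excl)
    dsts = subtract(dst_zone, dst_excl)
    return [(s, d, proto, dport, "accept") for s, d in product(srcs, dsts)]

def render(rule):
    """Write a rule in the slides' notation."""
    (slo, shi), (dlo, dhi), proto, dport, decision = rule
    fmt = lambda lo, hi: "[%s , %s]" % (ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi))
    return "s ∈ %s ∧ d ∈ %s ∧ p = %s ∧ dport = %d → %s" % (fmt(slo, shi), fmt(dlo, dhi), proto, dport, decision)
```

Under a closed default policy, any packet matching none of the four emitted rules (for example one from an Admin host) is refused without a deny rule ever being written.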
