The Margrave Tool for Firewall Analysis · The Margrave Tool for Firewall Analysis Tim Nelson...

Preview:

Click to see full reader

Citation preview

The Margrave Tool for Firewall Analysis

Tim Nelson (WPI), Christopher Barratt (Brown),

Daniel J. Dougherty (WPI), Kathi Fisler (WPI)

and Shriram Krishnamurthi (Brown)

1

…and other dens of iniquity

2

“I don’t really know what’s wrong.”

“I’m having this strange issue with

Cisco IOS…”

“I need your advice…”

3

4

Policy-based routing

Static routing,NAT

ACLs, reflexive access-lists

5

6

Try this!

7

Try this!No! Try

this!

8

Try this!No! Try

this!

No, no, try this.

Suggestions do not always agree.

9

Try this!No! Try

this!

No, no, try this.

Debugging Questions:

10

Debugging Questions:

11

Q: Which hop will SMTP packets take next?

Debugging Questions:

12

Q: Which hop will SMTP packets take next?

192.168.100.4

192.168.200.5

A:

Debugging Questions:

13

Q: Which configuration rules caused the incorrect routing?

Q: Which hop will SMTP packets take next?

192.168.100.4

192.168.200.5

A:

Debugging Questions:

14

Q: Which configuration rules caused the incorrect routing?

Q: Which hop will SMTP packets take next?

192.168.100.4

192.168.200.5

A: Line 14 applied to…

Line 15 applied to…

A:

Debugging Questions:

15

Q: What packets will pass the firewall?

Q: Which configuration rules caused the incorrect routing?

Q: Which hop will SMTP packets take next?

192.168.100.4

192.168.200.5

A: Line 14 applied to…

Line 15 applied to…

A:

Debugging Questions:

16

Q: What packets will pass the firewall?

Q: Which configuration rules caused the incorrect routing?

Q: Which hop will SMTP packets take next?

192.168.100.4

192.168.200.5

A: Line 14 applied to…

Line 15 applied to…

A:

TCP From X to YA:

Debugging Questions:

17

Q: What packets will pass the firewall?

Q: Which configuration rules caused the incorrect routing?

Q: Which hop will SMTP packets take next?

Q: How do a pair of configurationsbehave differently?

192.168.100.4

192.168.200.5

A: Line 14 applied to…

Line 15 applied to…

A:

TCP From X to YA:

Debugging Questions:

18

Q: What packets will pass the firewall?

Q: Which configuration rules caused the incorrect routing?

Q: Which hop will SMTP packets take next?

Q: How do a pair of configurationsbehave differently?

192.168.100.4

192.168.200.5

A: Line 14 applied to…

Line 15 applied to…

A:

TCP From X to YA:

Time Connection State

A:

Debugging Questions:

19

Q: What packets will pass the firewall?

Q: Which configuration rules caused the incorrect routing?

Q: Which hop will SMTP packets take next?

Q: How do a pair of configurationsbehave differently?

192.168.100.4

192.168.200.5

A: Line 14 applied to…

Line 15 applied to…

A:

TCP From X to YA:

Time Connection State

A:

Scenarios

Debugging Questions:

20

Q: What packets will pass the firewall?

Q: Which configuration rules caused the incorrect routing?

Q: Which hop will SMTP packets take next?

Q: How do a pair of configurationsbehave differently?

192.168.100.4

192.168.200.5

A: Line 14 applied to…

Line 15 applied to…

A:

TCP From X to YA:

Time Connection State

A:Margrave

Scenarios

21

22

23

24

25

26

27

1. interface FastEthernet02. ip address 209.172.108.16 255.255.255.2243. ip access-group 102 in4. ip nat outside5. speed auto6. full-duplex7. !8. interface Vlan19. ip address 192.168.2.1 255.255.255.010. ip nat inside11. !12. ip route 0.0.0.0 0.0.0.0 209.172.108.113. !14. ip nat pool localnet 209.172.108.16 prefix-length 2415. ip nat inside source list 1 pool localnet overload16. ip nat inside source list 1 interface FastEthernet017. ip nat inside source static tcp 192.168.2.6 80 209.172.108.16 8018. ip nat inside source static tcp 192.168.2.6 21 209.172.108.16 2119. ip nat inside source static tcp 192.168.2.6 3389 209.172.108.16 338920. !21. access-list 1 permit 192.168.2.0 0.0.0.25522. access-list 102 permit tcp any host 209.172.108.16 eq 8023. access-list 102 permit tcp any host 209.172.108.16 eq 2124. access-list 102 permit tcp any host 209.172.108.16 eq 2025. access-list 102 permit tcp any host 209.172.108.16 eq 2326. access-list 102 deny tcp any host 209.172.108.16

Firewall

Server: 192.168.2.6

Fe0 209.172.108.16

Vlan1 192.168.2.1/24

28

“The web can access my server, but my server can’t access the web.”

1. interface FastEthernet02. ip address 209.172.108.16 255.255.255.2243. ip access-group 102 in4. ip nat outside5. speed auto6. full-duplex7. !8. interface Vlan19. ip address 192.168.2.1 255.255.255.010. ip nat inside11. !12. ip route 0.0.0.0 0.0.0.0 209.172.108.113. !14. ip nat pool localnet 209.172.108.16 prefix-length 2415. ip nat inside source list 1 pool localnet overload16. ip nat inside source list 1 interface FastEthernet017. ip nat inside source static tcp 192.168.2.6 80 209.172.108.16 8018. ip nat inside source static tcp 192.168.2.6 21 209.172.108.16 2119. ip nat inside source static tcp 192.168.2.6 3389 209.172.108.16 338920. !21. access-list 1 permit 192.168.2.0 0.0.0.25522. access-list 102 permit tcp any host 209.172.108.16 eq 8023. access-list 102 permit tcp any host 209.172.108.16 eq 2124. access-list 102 permit tcp any host 209.172.108.16 eq 2025. access-list 102 permit tcp any host 209.172.108.16 eq 2326. access-list 102 deny tcp any host 209.172.108.16

Firewall

Server: 192.168.2.6

29

“The web can access my server, but my server can’t access the web.”

Fe0 209.172.108.16

Vlan1 192.168.2.1/24

interface FastEthernet0ip address 209.172.108.16 255.255.255.224

interface Vlan1ip address 192.168.2.1 255.255.255.0

1. interface FastEthernet02. ip address 209.172.108.16 255.255.255.2243. ip access-group 102 in4. ip nat outside5. speed auto6. full-duplex7. !8. interface Vlan19. ip address 192.168.2.1 255.255.255.010. ip nat inside11. !12. ip route 0.0.0.0 0.0.0.0 209.172.108.113. !14. ip nat pool localnet 209.172.108.16 prefix-length 2415. ip nat inside source list 1 pool localnet overload16. ip nat inside source list 1 interface FastEthernet017. ip nat inside source static tcp 192.168.2.6 80 209.172.108.16 8018. ip nat inside source static tcp 192.168.2.6 21 209.172.108.16 2119. ip nat inside source static tcp 192.168.2.6 3389 209.172.108.16 338920. !21. access-list 1 permit 192.168.2.0 0.0.0.25522. access-list 102 permit tcp any host 209.172.108.16 eq 8023. access-list 102 permit tcp any host 209.172.108.16 eq 2124. access-list 102 permit tcp any host 209.172.108.16 eq 2025. access-list 102 permit tcp any host 209.172.108.16 eq 2326. access-list 102 deny tcp any host 209.172.108.16

Firewall

Server: 192.168.2.6

Fe0 209.172.108.16

Vlan1 192.168.2.1/24

30

“The web can access my server, but my server can’t access the web.”

access-list 102 permit tcp any host 209.172.108.16 eq 80access-list 102 permit tcp any host 209.172.108.16 eq 21access-list 102 permit tcp any host 209.172.108.16 eq 20access-list 102 permit tcp any host 209.172.108.16 eq 23access-list 102 deny tcp any host 209.172.108.16

ip access-group 102 in

1. interface FastEthernet02. ip address 209.172.108.16 255.255.255.2243. ip access-group 102 in4. ip nat outside5. speed auto6. full-duplex7. !8. interface Vlan19. ip address 192.168.2.1 255.255.255.010. ip nat inside11. !12. ip route 0.0.0.0 0.0.0.0 209.172.108.113. !14. ip nat pool localnet 209.172.108.16 prefix-length 2415. ip nat inside source list 1 pool localnet overload16. ip nat inside source list 1 interface FastEthernet017. ip nat inside source static tcp 192.168.2.6 80 209.172.108.16 8018. ip nat inside source static tcp 192.168.2.6 21 209.172.108.16 2119. ip nat inside source static tcp 192.168.2.6 3389 209.172.108.16 338920. !21. access-list 1 permit 192.168.2.0 0.0.0.25522. access-list 102 permit tcp any host 209.172.108.16 eq 8023. access-list 102 permit tcp any host 209.172.108.16 eq 2124. access-list 102 permit tcp any host 209.172.108.16 eq 2025. access-list 102 permit tcp any host 209.172.108.16 eq 2326. access-list 102 deny tcp any host 209.172.108.16

Firewall

Server: 192.168.2.6

Fe0 209.172.108.16

Vlan1 192.168.2.1/24

31

“The web can access my server, but my server can’t access the web.”

ip route 0.0.0.0 0.0.0.0 209.172.108.1

1. interface FastEthernet02. ip address 209.172.108.16 255.255.255.2243. ip access-group 102 in4. ip nat outside5. speed auto6. full-duplex7. !8. interface Vlan19. ip address 192.168.2.1 255.255.255.010. ip nat inside11. !12. ip route 0.0.0.0 0.0.0.0 209.172.108.113. !14. ip nat pool localnet 209.172.108.16 prefix-length 2415. ip nat inside source list 1 pool localnet overload16. ip nat inside source list 1 interface FastEthernet017. ip nat inside source static tcp 192.168.2.6 80 209.172.108.16 8018. ip nat inside source static tcp 192.168.2.6 21 209.172.108.16 2119. ip nat inside source static tcp 192.168.2.6 3389 209.172.108.16 338920. !21. access-list 1 permit 192.168.2.0 0.0.0.25522. access-list 102 permit tcp any host 209.172.108.16 eq 8023. access-list 102 permit tcp any host 209.172.108.16 eq 2124. access-list 102 permit tcp any host 209.172.108.16 eq 2025. access-list 102 permit tcp any host 209.172.108.16 eq 2326. access-list 102 deny tcp any host 209.172.108.16

Firewall

Server: 192.168.2.6

Fe0 209.172.108.16

Vlan1 192.168.2.1/24

32

“The web can access my server, but my server can’t access the web.”

ip nat outside

access-list 1 permit 192.168.2.0 0.0.0.255

ip nat inside

ip nat pool localnet 209.172.108.16 prefix-length 24ip nat inside source list 1 pool localnet overloadip nat inside source list 1 interface FastEthernet0ip nat inside source static tcp 192.168.2.6 80 209.172.108.16 80ip nat inside source static tcp 192.168.2.6 21 209.172.108.16 21ip nat inside source static tcp 192.168.2.6 3389 209.172.108.16

3389

1. interface FastEthernet02. ip address 209.172.108.16 255.255.255.2243. ip access-group 102 in4. ip nat outside5. speed auto6. full-duplex7. !8. interface Vlan19. ip address 192.168.2.1 255.255.255.010. ip nat inside11. !12. ip route 0.0.0.0 0.0.0.0 209.172.108.113. !14. ip nat pool localnet 209.172.108.16 prefix-length 2415. ip nat inside source list 1 pool localnet overload16. ip nat inside source list 1 interface FastEthernet017. ip nat inside source static tcp 192.168.2.6 80 209.172.108.16 8018. ip nat inside source static tcp 192.168.2.6 21 209.172.108.16 2119. ip nat inside source static tcp 192.168.2.6 3389 209.172.108.16 338920. !21. access-list 1 permit 192.168.2.0 0.0.0.25522. access-list 102 permit tcp any host 209.172.108.16 eq 8023. access-list 102 permit tcp any host 209.172.108.16 eq 2124. access-list 102 permit tcp any host 209.172.108.16 eq 2025. access-list 102 permit tcp any host 209.172.108.16 eq 2326. access-list 102 deny tcp any host 209.172.108.16

Firewall

Server: 192.168.2.6

Fe0 209.172.108.16

Vlan1 192.168.2.1/24

33

“The web can access my server, but my server can’t access the web.”

access-list 102 permit tcp any host 209.172.108.16 eq 80access-list 102 permit tcp any host 209.172.108.16 eq 21access-list 102 permit tcp any host 209.172.108.16 eq 20access-list 102 permit tcp any host 209.172.108.16 eq 23access-list 102 deny tcp any host 209.172.108.16

1. interface FastEthernet02. ip address 209.172.108.16 255.255.255.2243. ip access-group 102 in4. ip nat outside5. speed auto6. full-duplex7. !8. interface Vlan19. ip address 192.168.2.1 255.255.255.010. ip nat inside11. !12. ip route 0.0.0.0 0.0.0.0 209.172.108.113. !14. ip nat pool localnet 209.172.108.16 prefix-length 2415. ip nat inside source list 1 pool localnet overload16. ip nat inside source list 1 interface FastEthernet017. ip nat inside source static tcp 192.168.2.6 80 209.172.108.16 8018. ip nat inside source static tcp 192.168.2.6 21 209.172.108.16 2119. ip nat inside source static tcp 192.168.2.6 3389 209.172.108.16 338920. !21. access-list 1 permit 192.168.2.0 0.0.0.25522. access-list 102 permit tcp any host 209.172.108.16 eq 8023. access-list 102 permit tcp any host 209.172.108.16 eq 2124. access-list 102 permit tcp any host 209.172.108.16 eq 2025. access-list 102 permit tcp any host 209.172.108.16 eq 2326. access-list 102 deny tcp any host 209.172.108.16

Firewall

Server: 192.168.2.6

Fe0 209.172.108.16

Vlan1 192.168.2.1/24

34

“The web can access my server, but my server can’t access the web.”

access-list 102 permit tcp any host 209.172.108.16 eq 80access-list 102 permit tcp any host 209.172.108.16 eq 21access-list 102 permit tcp any host 209.172.108.16 eq 20access-list 102 permit tcp any host 209.172.108.16 eq 23access-list 102 deny tcp any host 209.172.108.16

1. interface FastEthernet02. ip address 209.172.108.16 255.255.255.2243. ip access-group 102 in4. ip nat outside5. speed auto6. full-duplex7. !8. interface Vlan19. ip address 192.168.2.1 255.255.255.010. ip nat inside11. !12. ip route 0.0.0.0 0.0.0.0 209.172.108.113. !14. ip nat pool localnet 209.172.108.16 prefix-length 2415. ip nat inside source list 1 pool localnet overload16. ip nat inside source list 1 interface FastEthernet017. ip nat inside source static tcp 192.168.2.6 80 209.172.108.16 8018. ip nat inside source static tcp 192.168.2.6 21 209.172.108.16 2119. ip nat inside source static tcp 192.168.2.6 3389 209.172.108.16 338920. !21. access-list 1 permit 192.168.2.0 0.0.0.25522. access-list 102 permit tcp any host 209.172.108.16 eq 8023. access-list 102 permit tcp any host 209.172.108.16 eq 2124. access-list 102 permit tcp any host 209.172.108.16 eq 2025. access-list 102 permit tcp any host 209.172.108.16 eq 2326. access-list 102 deny tcp any host 209.172.108.16

Firewall

Server: 192.168.2.6

Fe0 209.172.108.16

Vlan1 192.168.2.1/24

35

“The web can access my server, but my server can’t access the web.”

access-list 102 permit tcp any host 209.172.108.16 eq 80access-list 102 permit tcp any host 209.172.108.16 eq 21access-list 102 permit tcp any host 209.172.108.16 eq 20access-list 102 permit tcp any host 209.172.108.16 eq 23access-list 102 deny tcp any host 209.172.108.16

36

“The web can access my server, but my server can’t access the web.”

Passes fe0’sInbound ACL?

Can it be routed?

Passes vlan1’sOutbound

ACL?

Returning packets

37

“The web can access my server, but my server can’t access the web.”

Passes fe0’sInbound ACL?

Can it be routed?

Passes vlan1’sOutbound

ACL?

Returning packets

Passes fe0’sOutbound

ACL?

Can it be routed?

Passes vlan1’sInbound ACL?

Outgoing packets

38

“The web can access my server, but my server can’t access the web.”

“Can returning packets be lost?”

39

1. interface FastEthernet02. ip address 209.172.108.16 255.255.255.2243. ip access-group 102 in4. ip nat outside5. speed auto6. full-duplex7. !8. interface Vlan19. ip address 192.168.2.1 255.255.255.010. ip nat inside11. !12. ip route 0.0.0.0 0.0.0.0 209.172.108.113. !14. ip nat pool localnet 209.172.108.16 prefix-length 2415. ip nat inside source list 1 pool localnet overload16. ip nat inside source list 1 interface FastEthernet017. ip nat inside source static tcp 192.168.2.6 80 209.172.108.16 8018. ip nat inside source static tcp 192.168.2.6 21 209.172.108.16 2119. ip nat inside source static tcp 192.168.2.6 3389 209.172.108.16 338920. !21. access-list 1 permit 192.168.2.0 0.0.0.25522. access-list 102 permit tcp any host 209.172.108.16 eq 8023. access-list 102 permit tcp any host 209.172.108.16 eq 2124. access-list 102 permit tcp any host 209.172.108.16 eq 2025. access-list 102 permit tcp any host 209.172.108.16 eq 2326. access-list 102 deny tcp any host 209.172.108.16

“Can returning packets be lost?”

40

1. interface FastEthernet02. ip address 209.172.108.16 255.255.255.2243. ip access-group 102 in4. ip nat outside5. speed auto6. full-duplex7. !8. interface Vlan19. ip address 192.168.2.1 255.255.255.010. ip nat inside11. !12. ip route 0.0.0.0 0.0.0.0 209.172.108.113. !14. ip nat pool localnet 209.172.108.16 prefix-length 2415. ip nat inside source list 1 pool localnet overload16. ip nat inside source list 1 interface FastEthernet017. ip nat inside source static tcp 192.168.2.6 80 209.172.108.16 8018. ip nat inside source static tcp 192.168.2.6 21 209.172.108.16 2119. ip nat inside source static tcp 192.168.2.6 3389 209.172.108.16 338920. !21. access-list 1 permit 192.168.2.0 0.0.0.25522. access-list 102 permit tcp any host 209.172.108.16 eq 8023. access-list 102 permit tcp any host 209.172.108.16 eq 2124. access-list 102 permit tcp any host 209.172.108.16 eq 2025. access-list 102 permit tcp any host 209.172.108.16 eq 2326. access-list 102 deny tcp any host 209.172.108.16

EXPLORE

“Find me scenarios where…”

“Can returning packets be lost?”

41

1. interface FastEthernet02. ip address 209.172.108.16 255.255.255.2243. ip access-group 102 in4. ip nat outside5. speed auto6. full-duplex7. !8. interface Vlan19. ip address 192.168.2.1 255.255.255.010. ip nat inside11. !12. ip route 0.0.0.0 0.0.0.0 209.172.108.113. !14. ip nat pool localnet 209.172.108.16 prefix-length 2415. ip nat inside source list 1 pool localnet overload16. ip nat inside source list 1 interface FastEthernet017. ip nat inside source static tcp 192.168.2.6 80 209.172.108.16 8018. ip nat inside source static tcp 192.168.2.6 21 209.172.108.16 2119. ip nat inside source static tcp 192.168.2.6 3389 209.172.108.16 338920. !21. access-list 1 permit 192.168.2.0 0.0.0.25522. access-list 102 permit tcp any host 209.172.108.16 eq 8023. access-list 102 permit tcp any host 209.172.108.16 eq 2124. access-list 102 permit tcp any host 209.172.108.16 eq 2025. access-list 102 permit tcp any host 209.172.108.16 eq 2326. access-list 102 deny tcp any host 209.172.108.16

EXPLORENOT passes-firewall(<pkt>);

“Dropped or rejected”

<pkt> =entry-interface

src-addr-inprotocol

“Can returning packets be lost?”

42

1. interface FastEthernet02. ip address 209.172.108.16 255.255.255.2243. ip access-group 102 in4. ip nat outside5. speed auto6. full-duplex7. !8. interface Vlan19. ip address 192.168.2.1 255.255.255.010. ip nat inside11. !12. ip route 0.0.0.0 0.0.0.0 209.172.108.113. !14. ip nat pool localnet 209.172.108.16 prefix-length 2415. ip nat inside source list 1 pool localnet overload16. ip nat inside source list 1 interface FastEthernet017. ip nat inside source static tcp 192.168.2.6 80 209.172.108.16 8018. ip nat inside source static tcp 192.168.2.6 21 209.172.108.16 2119. ip nat inside source static tcp 192.168.2.6 3389 209.172.108.16 338920. !21. access-list 1 permit 192.168.2.0 0.0.0.25522. access-list 102 permit tcp any host 209.172.108.16 eq 8023. access-list 102 permit tcp any host 209.172.108.16 eq 2124. access-list 102 permit tcp any host 209.172.108.16 eq 2025. access-list 102 permit tcp any host 209.172.108.16 eq 2326. access-list 102 deny tcp any host 209.172.108.16

EXPLORENOT passes-firewall(<pkt>)AND internal-result(<pktplus>) ;

“Compute next hop and NAT”

<pktplus> =<pkt>

+temporary variables

“Can returning packets be lost?”

43

1. interface FastEthernet02. ip address 209.172.108.16 255.255.255.2243. ip access-group 102 in4. ip nat outside5. speed auto6. full-duplex7. !8. interface Vlan19. ip address 192.168.2.1 255.255.255.010. ip nat inside11. !12. ip route 0.0.0.0 0.0.0.0 209.172.108.113. !14. ip nat pool localnet 209.172.108.16 prefix-length 2415. ip nat inside source list 1 pool localnet overload16. ip nat inside source list 1 interface FastEthernet017. ip nat inside source static tcp 192.168.2.6 80 209.172.108.16 8018. ip nat inside source static tcp 192.168.2.6 21 209.172.108.16 2119. ip nat inside source static tcp 192.168.2.6 3389 209.172.108.16 338920. !21. access-list 1 permit 192.168.2.0 0.0.0.25522. access-list 102 permit tcp any host 209.172.108.16 eq 8023. access-list 102 permit tcp any host 209.172.108.16 eq 2124. access-list 102 permit tcp any host 209.172.108.16 eq 2025. access-list 102 permit tcp any host 209.172.108.16 eq 2326. access-list 102 deny tcp any host 209.172.108.16

EXPLORENOT passes-firewall(<pkt>)AND internal-result(<pktplus>) AND FastEthernet0 = entry-interface;

“Arriving at FastEthernet0”

“Can returning packets be lost?”

44

1. interface FastEthernet02. ip address 209.172.108.16 255.255.255.2243. ip access-group 102 in4. ip nat outside5. speed auto6. full-duplex7. !8. interface Vlan19. ip address 192.168.2.1 255.255.255.010. ip nat inside11. !12. ip route 0.0.0.0 0.0.0.0 209.172.108.113. !14. ip nat pool localnet 209.172.108.16 prefix-length 2415. ip nat inside source list 1 pool localnet overload16. ip nat inside source list 1 interface FastEthernet017. ip nat inside source static tcp 192.168.2.6 80 209.172.108.16 8018. ip nat inside source static tcp 192.168.2.6 21 209.172.108.16 2119. ip nat inside source static tcp 192.168.2.6 3389 209.172.108.16 338920. !21. access-list 1 permit 192.168.2.0 0.0.0.25522. access-list 102 permit tcp any host 209.172.108.16 eq 8023. access-list 102 permit tcp any host 209.172.108.16 eq 2124. access-list 102 permit tcp any host 209.172.108.16 eq 2025. access-list 102 permit tcp any host 209.172.108.16 eq 2326. access-list 102 deny tcp any host 209.172.108.16

EXPLORENOT passes-firewall(<pkt>)AND internal-result(<pktplus>) AND FastEthernet0 = entry-interfaceAND NOT src-addr-in IN 192.168.2.0/255.255.255.0;

“Reasonable source”

“Can returning packets be lost?”

45

1. interface FastEthernet02. ip address 209.172.108.16 255.255.255.2243. ip access-group 102 in4. ip nat outside5. speed auto6. full-duplex7. !8. interface Vlan19. ip address 192.168.2.1 255.255.255.010. ip nat inside11. !12. ip route 0.0.0.0 0.0.0.0 209.172.108.113. !14. ip nat pool localnet 209.172.108.16 prefix-length 2415. ip nat inside source list 1 pool localnet overload16. ip nat inside source list 1 interface FastEthernet017. ip nat inside source static tcp 192.168.2.6 80 209.172.108.16 8018. ip nat inside source static tcp 192.168.2.6 21 209.172.108.16 2119. ip nat inside source static tcp 192.168.2.6 3389 209.172.108.16 338920. !21. access-list 1 permit 192.168.2.0 0.0.0.25522. access-list 102 permit tcp any host 209.172.108.16 eq 8023. access-list 102 permit tcp any host 209.172.108.16 eq 2124. access-list 102 permit tcp any host 209.172.108.16 eq 2025. access-list 102 permit tcp any host 209.172.108.16 eq 2326. access-list 102 deny tcp any host 209.172.108.16

EXPLORENOT passes-firewall(<pkt>)AND internal-result(<pktplus>) AND FastEthernet0 = entry-interfaceAND NOT src-addr-in IN 192.168.2.0/255.255.255.0

AND prot-TCP = protocolAND port-80 = src-port-in;

“TCP from port 80”

“Can returning packets be lost?”

46

1. interface FastEthernet02. ip address 209.172.108.16 255.255.255.2243. ip access-group 102 in4. ip nat outside5. speed auto6. full-duplex7. !8. interface Vlan19. ip address 192.168.2.1 255.255.255.010. ip nat inside11. !12. ip route 0.0.0.0 0.0.0.0 209.172.108.113. !14. ip nat pool localnet 209.172.108.16 prefix-length 2415. ip nat inside source list 1 pool localnet overload16. ip nat inside source list 1 interface FastEthernet017. ip nat inside source static tcp 192.168.2.6 80 209.172.108.16 8018. ip nat inside source static tcp 192.168.2.6 21 209.172.108.16 2119. ip nat inside source static tcp 192.168.2.6 3389 209.172.108.16 338920. !21. access-list 1 permit 192.168.2.0 0.0.0.25522. access-list 102 permit tcp any host 209.172.108.16 eq 8023. access-list 102 permit tcp any host 209.172.108.16 eq 2124. access-list 102 permit tcp any host 209.172.108.16 eq 2025. access-list 102 permit tcp any host 209.172.108.16 eq 2326. access-list 102 deny tcp any host 209.172.108.16

EXPLORENOT passes-firewall(<pkt>)AND internal-result(<pktplus>) AND FastEthernet0 = entry-interfaceAND NOT src-addr-in IN 192.168.2.0/255.255.255.0

AND prot-TCP = protocolAND port-80 = src-port-in;AND dest-addr-in = 209.172.108.16;

“To public address”

“Can returning packets be lost?”

47

1. interface FastEthernet02. ip address 209.172.108.16 255.255.255.2243. ip access-group 102 in4. ip nat outside5. speed auto6. full-duplex7. !8. interface Vlan19. ip address 192.168.2.1 255.255.255.010. ip nat inside11. !12. ip route 0.0.0.0 0.0.0.0 209.172.108.113. !14. ip nat pool localnet 209.172.108.16 prefix-length 2415. ip nat inside source list 1 pool localnet overload16. ip nat inside source list 1 interface FastEthernet017. ip nat inside source static tcp 192.168.2.6 80 209.172.108.16 8018. ip nat inside source static tcp 192.168.2.6 21 209.172.108.16 2119. ip nat inside source static tcp 192.168.2.6 3389 209.172.108.16 338920. !21. access-list 1 permit 192.168.2.0 0.0.0.25522. access-list 102 permit tcp any host 209.172.108.16 eq 8023. access-list 102 permit tcp any host 209.172.108.16 eq 2124. access-list 102 permit tcp any host 209.172.108.16 eq 2025. access-list 102 permit tcp any host 209.172.108.16 eq 2326. access-list 102 deny tcp any host 209.172.108.16

EXPLORENOT passes-firewall(<pkt>)AND internal-result(<pktplus>) AND FastEthernet0 = entry-interfaceAND NOT src-addr-in IN 192.168.2.0/255.255.255.0

AND prot-TCP = protocolAND port-80 = src-port-in;AND dest-addr-in = 209.172.108.16;

“To public address”Here, a scenario is:

Data about a packet’scontents & handling

“Can returning packets be lost?”

48

Check for denied return packets:

Result:

> EXPLORENOT src-addr-in IN 192.168.2.0/255.255.255.0 AND FastEthernet0 = entry-interfaceAND prot-TCP = protocolAND port-80 = src-port-inAND dest-addr-in = 209.172.108.16AND internal-result(<pktplus>) AND NOT passes-firewall(<pkt>);

> IS POSSIBLE?;

“Can returning packets be lost?”

49

Check for denied return packets:

Result:

> EXPLORENOT src-addr-in IN 192.168.2.0/255.255.255.0 AND FastEthernet0 = entry-interfaceAND prot-TCP = protocolAND port-80 = src-port-inAND dest-addr-in = 209.172.108.16AND internal-result(<pktplus>) AND NOT passes-firewall(<pkt>);

> IS POSSIBLE?;true>

Some return packets will be

dropped.

“Can returning packets be lost?”

50

Check for denied return packets:

Result:

Similar query: outgoing packets all pass the firewall.

> EXPLORENOT src-addr-in IN 192.168.2.0/255.255.255.0 AND FastEthernet0 = entry-interfaceAND prot-TCP = protocolAND port-80 = src-port-inAND dest-addr-in = 209.172.108.16AND internal-result(<pktplus>) AND NOT passes-firewall(<pkt>);

> IS POSSIBLE?;true>

Some return packets will be

dropped.

“Which rule(s) were responsible?”

51

> EXPLORENOT src-addr-in IN 192.168.2.0/255.255.255.0 AND FastEthernet0 = entry-interfaceAND prot-TCP = protocolAND port-80 = src-port-inAND dest-addr-in = 209.172.108.16AND internal-result(<pktplus>) AND NOT passes-firewall(<pkt>);

> SHOW REALIZED InboundACL:router-FastEthernet0-line22_applies(<pkt>),InboundACL:router-FastEthernet0-line23_applies(<pkt>),InboundACL:router-FastEthernet0-line24_applies(<pkt>),InboundACL:router-FastEthernet0-line25_applies(<pkt>),InboundACL:router-FastEthernet0-line26_applies(<pkt>);

“Which rule(s) were responsible?”

52

> EXPLORENOT src-addr-in IN 192.168.2.0/255.255.255.0 AND FastEthernet0 = entry-interfaceAND prot-TCP = protocolAND port-80 = src-port-inAND dest-addr-in = 209.172.108.16AND internal-result(<pktplus>) AND NOT passes-firewall(<pkt>);

> SHOW REALIZED InboundACL:router-FastEthernet0-line22_applies(<pkt>),InboundACL:router-FastEthernet0-line23_applies(<pkt>),InboundACL:router-FastEthernet0-line24_applies(<pkt>),InboundACL:router-FastEthernet0-line25_applies(<pkt>),InboundACL:router-FastEthernet0-line26_applies(<pkt>);

The ACL rules tied to FastEthernet0

“Which rule(s) were responsible?”

53

> EXPLORENOT src-addr-in IN 192.168.2.0/255.255.255.0 AND FastEthernet0 = entry-interfaceAND prot-TCP = protocolAND port-80 = src-port-inAND dest-addr-in = 209.172.108.16AND internal-result(<pktplus>) AND NOT passes-firewall(<pkt>);

> SHOW REALIZED InboundACL:router-FastEthernet0-line22_applies(<pkt>),InboundACL:router-FastEthernet0-line23_applies(<pkt>),InboundACL:router-FastEthernet0-line24_applies(<pkt>),InboundACL:router-FastEthernet0-line25_applies(<pkt>),InboundACL:router-FastEthernet0-line26_applies(<pkt>);

> EXPLORENOT src-addr-in IN 192.168.2.0/255.255.255.0 AND FastEthernet0 = entry-interfaceAND prot-TCP = protocolAND port-80 = src-port-inAND dest-addr-in = 209.172.108.16AND internal-result(<pktplus>) AND NOT passes-firewall(<pkt>);

> SHOW REALIZED InboundACL:router-FastEthernet0-line22_applies(<pkt>),InboundACL:router-FastEthernet0-line23_applies(<pkt>),InboundACL:router-FastEthernet0-line24_applies(<pkt>),InboundACL:router-FastEthernet0-line25_applies(<pkt>),InboundACL:router-FastEthernet0-line26_applies(<pkt>);

{ InboundACL:router-FastEthernet0-line26_applies( … ) }>

54

{ InboundACL:router-FastEthernet0-line26_applies( … ) }

The ACL rule…

Can apply.

Appearing on line 26

Tied to the router’s

FastEthernet0interface

55

{ InboundACL:router-FastEthernet0-line26_applies( … ) }

The ACL rule…

Can apply.

Appearing on line 26

Tied to the router’s

FastEthernet0interface

EXPLORE InboundACL:router-FastEthernet0-line26_applies(<pkt>);

Use these in queries too:

56

{ InboundACL:router-FastEthernet0-line26_applies( … ) }

The ACL rule…

Can apply.

Appearing on line 26

Tied to the router’s

FastEthernet0interface

EXPLORE InboundACL:router-FastEthernet0-line26_applies(<pkt>);

EXPLORE InboundACL:router-FastEthernet0-line26_matches (<pkt>);

Use these in queries too:

“Add a rule allowing all returning traffic from

port 80…”

57

Will this change fix my problem?

“Add a rule allowing all returning traffic from

port 80…”

58

Will it introduce new problems?

Will this change fix my problem?

“Add a rule allowing all returning traffic from

port 80…”

59

60

22. access-list 102 permit tcp any host 209.172.108.16 eq 8023. access-list 102 permit tcp any host 209.172.108.16 eq 2124. access-list 102 permit tcp any host 209.172.108.16 eq 2025. access-list 102 permit tcp any host 209.172.108.16 eq 2326. access-list 102 permit tcp any eq 80 any27. access-list 102 deny tcp any host 209.172.108.16

22. access-list 102 permit tcp any host 209.172.108.16 eq 8023. access-list 102 permit tcp any host 209.172.108.16 eq 2124. access-list 102 permit tcp any host 209.172.108.16 eq 2025. access-list 102 permit tcp any host 209.172.108.16 eq 2326. access-list 102 deny tcp any host 209.172.108.16

diff says:

25a26> access-list 102 permit tcp any eq 80 any

61

22. access-list 102 permit tcp any host 209.172.108.16 eq 8023. access-list 102 permit tcp any host 209.172.108.16 eq 2124. access-list 102 permit tcp any host 209.172.108.16 eq 2025. access-list 102 permit tcp any host 209.172.108.16 eq 2326. access-list 102 permit tcp any eq 80 any27. access-list 102 deny tcp any host 209.172.108.16

22. access-list 102 permit tcp any host 209.172.108.16 eq 8023. access-list 102 permit tcp any host 209.172.108.16 eq 2124. access-list 102 permit tcp any host 209.172.108.16 eq 2025. access-list 102 permit tcp any host 209.172.108.16 eq 2326. access-list 102 deny tcp any host 209.172.108.16

62

22. access-list 102 permit tcp any host 209.172.108.16 eq 8023. access-list 102 permit tcp any host 209.172.108.16 eq 2124. access-list 102 permit tcp any host 209.172.108.16 eq 2025. access-list 102 permit tcp any host 209.172.108.16 eq 2326. access-list 102 deny tcp any host 209.172.108.16

22. access-list 102 permit tcp any host 209.172.108.16 eq 8023. access-list 102 permit tcp any host 209.172.108.16 eq 2124. access-list 102 permit tcp any host 209.172.108.16 eq 2025. access-list 102 permit tcp any host 209.172.108.16 eq 2326. access-list 102 permit tcp any eq 80 any27. access-list 102 deny tcp any host 209.172.108.16

EXPLORENOT src-addr-in IN 192.168.2.0/255.255.255.0 ANDFastEthernet0 = entry-interface AND

internal-result1(<pktplus>) AND

(passes-firewall1(<pkt>) AND NOT passes-firewall2(<pkt>)ORpasses-firewall2(<pkt>) AND NOT passes-firewall1(<pkt>) );

63

22. access-list 102 permit tcp any host 209.172.108.16 eq 8023. access-list 102 permit tcp any host 209.172.108.16 eq 2124. access-list 102 permit tcp any host 209.172.108.16 eq 2025. access-list 102 permit tcp any host 209.172.108.16 eq 2326. access-list 102 deny tcp any host 209.172.108.16

22. access-list 102 permit tcp any host 209.172.108.16 eq 8023. access-list 102 permit tcp any host 209.172.108.16 eq 2124. access-list 102 permit tcp any host 209.172.108.16 eq 2025. access-list 102 permit tcp any host 209.172.108.16 eq 2326. access-list 102 permit tcp any eq 80 any27. access-list 102 deny tcp any host 209.172.108.16

EXPLORENOT src-addr-in IN 192.168.2.0/255.255.255.0 ANDFastEthernet0 = entry-interface AND

internal-result1(<pktplus>) AND

(passes-firewall1(<pkt>) AND NOT passes-firewall2(<pkt>)ORpasses-firewall2(<pkt>) AND NOT passes-firewall1(<pkt>) );

64

EXPLORENOT src-addr-in IN 192.168.2.0/255.255.255.0 ANDFastEthernet0 = entry-interface AND

internal-result1(<pktplus>) AND

(passes-firewall1(<pkt>) AND NOT passes-firewall2(<pkt>)ORpasses-firewall2(<pkt>) AND NOT passes-firewall1(<pkt>) );

22. access-list 102 permit tcp any host 209.172.108.16 eq 8023. access-list 102 permit tcp any host 209.172.108.16 eq 2124. access-list 102 permit tcp any host 209.172.108.16 eq 2025. access-list 102 permit tcp any host 209.172.108.16 eq 2326. access-list 102 deny tcp any host 209.172.108.16

22. access-list 102 permit tcp any host 209.172.108.16 eq 8023. access-list 102 permit tcp any host 209.172.108.16 eq 2124. access-list 102 permit tcp any host 209.172.108.16 eq 2025. access-list 102 permit tcp any host 209.172.108.16 eq 2326. access-list 102 permit tcp any eq 80 any27. access-list 102 deny tcp any host 209.172.108.16

EXPLORENOT src-addr-in IN 192.168.2.0/255.255.255.0 ANDFastEthernet0 = entry-interface AND

internal-result1(<pktplus>) AND

(passes-firewall1(<pkt>) AND NOT passes-firewall2(<pkt>)ORpasses-firewall2(<pkt>) AND NOT passes-firewall1(<pkt>) );

65

EXPLORENOT src-addr-in IN 192.168.2.0/255.255.255.0 ANDFastEthernet0 = entry-interface AND

internal-result1(<pktplus>) AND

(passes-firewall1(<pkt>) AND NOT passes-firewall2(<pkt>)ORpasses-firewall2(<pkt>) AND NOT passes-firewall1(<pkt>) );

22. access-list 102 permit tcp any host 209.172.108.16 eq 8023. access-list 102 permit tcp any host 209.172.108.16 eq 2124. access-list 102 permit tcp any host 209.172.108.16 eq 2025. access-list 102 permit tcp any host 209.172.108.16 eq 2326. access-list 102 deny tcp any host 209.172.108.16

22. access-list 102 permit tcp any host 209.172.108.16 eq 8023. access-list 102 permit tcp any host 209.172.108.16 eq 2124. access-list 102 permit tcp any host 209.172.108.16 eq 2025. access-list 102 permit tcp any host 209.172.108.16 eq 2326. access-list 102 permit tcp any eq 80 any27. access-list 102 deny tcp any host 209.172.108.16

Change-impact analysis

> EXPLORENOT src-addr-in IN 192.168.2.0/255.255.255.0 ANDfastethernet0 = entry-interface ANDinternal-result1(<pktplus>) AND(passes-firewall1(<pkt>) AND NOT passes-firewall2(<pkt>)ORpasses-firewall2(<pkt>) AND NOT passes-firewall1(<pkt>) );

> SHOW ALL;

66

> EXPLORENOT src-addr-in IN 192.168.2.0/255.255.255.0 ANDfastethernet0 = entry-interface ANDinternal-result1(<pktplus>) AND(passes-firewall1(<pkt>) AND NOT passes-firewall2(<pkt>)ORpasses-firewall2(<pkt>) AND NOT passes-firewall1(<pkt>) );

> SHOW ALL;

protocol: prot-tcpentry-interface: fastethernet0 dest-addr-in: 209.172.108.16

src-addr-in: ipaddressdest-port-in: port

src-port-in: port-80 exit-interface: vlan1

67

> EXPLORENOT src-addr-in IN 192.168.2.0/255.255.255.0 ANDfastethernet0 = entry-interface ANDinternal-result1(<pktplus>) AND(passes-firewall1(<pkt>) AND NOT passes-firewall2(<pkt>)ORpasses-firewall2(<pkt>) AND NOT passes-firewall1(<pkt>) );

> SHOW ALL;

protocol: prot-tcpentry-interface: fastethernet0 dest-addr-in: 209.172.108.16

src-addr-in: ipaddressdest-port-in: port

src-port-in: port-80 exit-interface: vlan1

68

Public address of server

> EXPLORENOT src-addr-in IN 192.168.2.0/255.255.255.0 ANDfastethernet0 = entry-interface ANDinternal-result1(<pktplus>) AND(passes-firewall1(<pkt>) AND NOT passes-firewall2(<pkt>)ORpasses-firewall2(<pkt>) AND NOT passes-firewall1(<pkt>) );

> SHOW ALL;

protocol: prot-tcpentry-interface: fastethernet0 dest-addr-in: 209.172.108.16

src-addr-in: ipaddressdest-port-in: port

src-port-in: port-80 exit-interface: vlan1

“Some other address”

“Some other port”

69

> EXPLORENOT src-addr-in IN 192.168.2.0/255.255.255.0 ANDfastethernet0 = entry-interface ANDinternal-result1(<pktplus>) AND(passes-firewall1(<pkt>) AND NOT passes-firewall2(<pkt>)ORpasses-firewall2(<pkt>) AND NOT passes-firewall1(<pkt>) );

> SHOW ALL;

protocol: prot-tcpentry-interface: fastethernet0 dest-addr-in: 209.172.108.16

src-addr-in: ipaddressdest-port-in: port

src-port-in: port-80 exit-interface: vlan1

70

Packet is routed successfully

> EXPLORENOT src-addr-in IN 192.168.2.0/255.255.255.0 ANDfastethernet0 = entry-interface ANDinternal-result1(<pktplus>) AND(passes-firewall1(<pkt>) AND NOT passes-firewall2(<pkt>)ORpasses-firewall2(<pkt>) AND NOT passes-firewall1(<pkt>) );

> SHOW ALL;

protocol: prot-tcpentry-interface: fastethernet0 dest-addr-in: 209.172.108.16

src-addr-in: ipaddressdest-port-in: port

src-port-in: port-80 exit-interface: vlan1

71

protocol: prot-tcpentry-interface: fastethernet0

dest-addr-in: ipaddresssrc-addr-in: ipaddress

dest-port-in: port src-port-in: port-80 exit-interface: vlan1

> EXPLORENOT src-addr-in IN 192.168.2.0/255.255.255.0 ANDfastethernet0 = entry-interface ANDinternal-result1(<pktplus>) AND(passes-firewall1(<pkt>) AND NOT passes-firewall2(<pkt>)ORpasses-firewall2(<pkt>) AND NOT passes-firewall1(<pkt>) );

> SHOW ALL;

protocol: prot-tcpentry-interface: fastethernet0 dest-addr-in: 209.172.108.16

src-addr-in: ipaddressdest-port-in: port

src-port-in: port-80 exit-interface: vlan1

72

protocol: prot-tcpentry-interface: fastethernet0

dest-addr-in: ipaddresssrc-addr-in: ipaddress

dest-port-in: port src-port-in: port-80 exit-interface: vlan1

More than we intended?

> EXPLORENOT src-addr-in IN 192.168.2.0/255.255.255.0 ANDfastethernet0 = entry-interface ANDinternal-result1(<pktplus>) AND(passes-firewall1(<pkt>) AND NOT passes-firewall2(<pkt>)ORpasses-firewall2(<pkt>) AND NOT passes-firewall1(<pkt>) );

> SHOW ALL;

…protocol: prot-tcp

entry-interface: fastethernet0 dest-addr-in: 209.172.108.16

src-addr-in: ipaddressdest-port-in: port

src-port-in: port-80 exit-interface: vlan1

73

protocol: prot-tcpentry-interface: fastethernet0

dest-addr-in: ipaddresssrc-addr-in: ipaddress

dest-port-in: port src-port-in: port-80 exit-interface: vlan1

More than we intended?

> EXPLORENOT src-addr-in IN 192.168.2.0/255.255.255.0 ANDfastethernet0 = entry-interface ANDinternal-result1(<pktplus>) AND(passes-firewall1(<pkt>) AND NOT passes-firewall2(<pkt>)ORpasses-firewall2(<pkt>) AND NOT passes-firewall1(<pkt>) );

> SHOW ALL;

…protocol: prot-tcp

entry-interface: fastethernet0 dest-addr-in: 209.172.108.16

src-addr-in: ipaddressdest-port-in: port

src-port-in: port-80 exit-interface: vlan1

74

protocol: prot-tcpentry-interface: fastethernet0

dest-addr-in: ipaddresssrc-addr-in: ipaddress

dest-port-in: port src-port-in: port-80 exit-interface: vlan1

More than we intended?

75

Query:

76

EXPLOREpasses-firewall(<pkt>)

Query:

77

EXPLOREpasses-firewall(<pkt>)

Query:

Variables for packet contents & handling

78

EXPLOREpasses-firewall(<pkt>)

Query:

entry-interface,next-hop,

dest-addr-in,…

79

entry-interface: fe0 next-hop: 192.168.2.6

dest-addr-in: 209.172.108.16…

EXPLOREpasses-firewall(<pkt>)

Query: Scenario:

entry-interface,next-hop,

dest-addr-in,…

80

entry-interface: fe0 next-hop: 192.168.2.6

dest-addr-in: 209.172.108.16…

EXPLOREpasses-firewall(<pkt>)

Query: Scenario:

192.168.2.6

209.172.108.16

fe0

81

entry-interface: fe0 next-hop: 192.168.2.6

dest-addr-in: 209.172.108.16…

EXPLOREpasses-firewall(<pkt>)

Query: Scenario:

192.168.2.6

209.172.108.16

fe0

How large a scenario do we need to check?

82

entry-interface: fe0 next-hop: 192.168.2.6

dest-addr-in: 209.172.108.16…

EXPLOREpasses-firewall(<pkt>)

Query: Scenario:

192.168.2.6

209.172.108.16

fe0

How large a scenario do we need to check?

Margrave computes a bound automatically, most of the time.

Let’s Recap:

83

Let’s Recap:

84

Do scenarios exist?

True/false

Let’s Recap:

85

Do scenarios exist?

True/false

Which scenarios exist?

protocol: prot-tcpentry-interface: fastethernet0 dest-addr-in: 209.172.108.16

src-addr-in: ipaddressdest-port-in: port

src-port-in: port-80 exit-interface: vlan1

Let’s Recap:

86

Do scenarios exist?

True/false

Which scenarios exist? Which rules can

take effect?

“InboundACL forFastEthernet0 onLine26”

protocol: prot-tcpentry-interface: fastethernet0 dest-addr-in: 209.172.108.16

src-addr-in: ipaddressdest-port-in: port

src-port-in: port-80 exit-interface: vlan1

Let’s Recap:

87

Do scenarios exist?

True/false

Which scenarios exist? Which rules can

take effect?

“InboundACL forFastEthernet0 onLine26”

Single-configuration

and

multi-configuration queries

(Change-impact analysis)

protocol: prot-tcpentry-interface: fastethernet0 dest-addr-in: 209.172.108.16

src-addr-in: ipaddressdest-port-in: port

src-port-in: port-80 exit-interface: vlan1

Passes fe0’sInbound ACL?

Can it be routed?

Passes vlan1’sOutbound

ACL?

Returning packets

88

interface GigabitEthernet0/0ip address 10.232.0.1 255.255.252.0ip access-group 101 inip policy route-map internet!ip route 10.232.100.0 255.255.252.0 10.254.1.130ip route 10.232.104.0 255.255.252.0 10.254.1.130!access-list 101 deny ip 10.232.0.0 0.0.3.255 10.232.4.0 0.0.3.255access-list 101 deny ip 10.232.4.0 0.0.3.255 10.232.0.0 0.0.3.255access-list 101 permit ip any any!access-list 10 permit 10.232.0.0 0.0.3.255access-list 10 permit 10.232.100.0 0.0.3.255!route-map internet permit 10match ip address 10set ip next-hop 10.232.0.15

89

Can it be routed?

interface GigabitEthernet0/0ip address 10.232.0.1 255.255.252.0ip access-group 101 inip policy route-map internet!ip route 10.232.100.0 255.255.252.0 10.254.1.130ip route 10.232.104.0 255.255.252.0 10.254.1.130!access-list 101 deny ip 10.232.0.0 0.0.3.255 10.232.4.0 0.0.3.255access-list 101 deny ip 10.232.4.0 0.0.3.255 10.232.0.0 0.0.3.255access-list 101 permit ip any any!access-list 10 permit 10.232.0.0 0.0.3.255access-list 10 permit 10.232.100.0 0.0.3.255!route-map internet permit 10match ip address 10set ip next-hop 10.232.0.15

90

How is it routed?

91

92

InboundACL:PermitInboundACL:Deny

ip access-group 102 in

Provides these query terms:

interface GigabitEthernet0/0ip address 10.232.0.1 255.255.252.0

93

LocalSwitching:ForwardLocalSwitching:Pass

ip access-group 102 in

Provides these query terms:

interface GigabitEthernet0/0ip address 10.232.0.1 255.255.252.0

94

ip policy route-map internet

route-map internet permit 10match ip address 10set ip next-hop 10.232.0.15 PolicyRouting:Forward

PolicyRouting:RoutePolicyRouting:Pass

ip access-group 102 in

Provides these query terms:

interface GigabitEthernet0/0ip address 10.232.0.1 255.255.252.0

95

ip policy route-map internet

route-map internet permit 10match ip address 10set ip next-hop 10.232.0.15 StaticRouting:Forward

StaticRouting:RouteStaticRouting:Pass

ip access-group 102 in

ip route 10.232.100.0 255.255.252.0 10.254.1.130ip route 10.232.104.0 255.255.252.0 10.254.1.130

Provides these query terms:

interface GigabitEthernet0/0ip address 10.232.0.1 255.255.252.0

96

DefaultPolicyRouting:ForwardDefaultPolicyRouting:RouteDefaultPolicyRouting:Pass

ip access-group 102 in

ip policy route-map internet

route-map internet permit 10match ip address 10set ip [default] next-hop 10.232.0.15

ip route 10.232.100.0 255.255.252.0 10.254.1.130ip route 10.232.104.0 255.255.252.0 10.254.1.130

Provides these query terms:

interface GigabitEthernet0/0ip address 10.232.0.1 255.255.252.0

97

NetworkSwitching:ForwardNetworkSwitching:Pass

ip access-group 102 in

ip policy route-map internet

route-map internet permit 10match ip address 10set ip [default] next-hop 10.232.0.15

ip route 10.232.100.0 255.255.252.0 10.254.1.130ip route 10.232.104.0 255.255.252.0 10.254.1.130

Provides these query terms:

interface GigabitEthernet0/0ip address 10.232.0.1 255.255.252.0

98

OutboundACL:PermitOutboundACL:Deny

ip access-group 102 in ip access-group 102 out

ip policy route-map internet

route-map internet permit 10match ip address 10set ip [default] next-hop 10.232.0.15

ip route 10.232.100.0 255.255.252.0 10.254.1.130ip route 10.232.104.0 255.255.252.0 10.254.1.130

Provides these query terms:

EXPLORE

entry-interface = fastethernet0

AND NOT LocalSwitching:Forward(<pkt>)

I only want packets that don’t have a local

destination.

99

EXPLORE

entry-interface = fastethernet0

AND NOT LocalSwitching:Forward(<pkt>)

I only want packets that don’t have a local

destination.

Which permitted packets are

handled by policy routing?

Does the static route ever apply

to WWW packets?

100

Scenario-finding logic engine

101

Scenario-finding logic engine

102

Kodkod& SAT Solving

Scenario-finding logic engine

General Policy Language

103

Kodkod& SAT Solving

Scenario-finding logic engine

Query Language

General Policy Language

104

Kodkod& SAT Solving

Scenario-finding logic engine

Query Language

General Policy Language

105

Kodkod& SAT Solving

Scenario-finding logic engine

Query Language

General Policy Language

Supported subset of Cisco IOS

106

Kodkod& SAT Solving

Scenario-finding logic engine

Query Language

General Policy Language

Supported subset of Cisco IOS

107

Kodkod& SAT Solving

XACML

Amazon SQSIptables

(in progress)

108

Future Work

109

Future Work

110

192.168.1.5

Port 25

192.168.1.5

Port 80

Future Work

111

192.168.1.5

Port 25

192.168.1.5

Port 80

192.168.1.5

Ports 25, 80

Future Work

112

192.168.1.5

Port 25

192.168.1.5

Port 80

192.168.1.5

Ports 25, 80

Future Work

113

EXPLOREFastEthernet0 = entry-interface AND prot-TCP = protocol AND port-80 = src-port-in

192.168.1.5

Port 25

192.168.1.5

Port 80

192.168.1.5

Ports 25, 80

Future Work

114

EXPLOREFastEthernet0 = entry-interface AND prot-TCP = protocol AND port-80 = src-port-in

“Try stateful inspection.”

192.168.1.5

Port 25

192.168.1.5

Port 80

192.168.1.5

Ports 25, 80

What configuration problems do you face?

Come talk to me! (I’m here until Friday.)

Text me: (774) 314-1128

Email me: tn@cs.wpi.edu

Download the tool:

www.margrave-tool.org

Thank you to:

Varun Singh (Brown), Morgan Quirk (WPI), Emina Torlak (IBM Watson)

115

mailto:tn@cs.wpi.edu
http://www.margrave-tool.org/
http://www.margrave-tool.org/
http://www.margrave-tool.org/

Recommended

wpi Agustus 011
Documents
Solar Salvation at WPI - Worcester Polytechnic Institute (WPI)
Documents
The Margrave Mini History website: Home Mini British...met een Griekse eigenaar, die over een werkelijk schitterende Wood and Pickett Inno Cooper beschikt. Geen Margrave dus, maar
Documents
WPI International Brochure
Documents
Windows 7 Firewall. Windows 7 Firewall Topics What is a firewall? What is a firewall? Firewall types Firewall types How a firewall works How a firewall
Documents
WPI Aula 04
Design
WPI Research · 2017-02-10 · WPI Research Discovery and Innovation with Purpose > wpi.edu/+research 2017 KEEP UP WITH RESEARCH AT WPI > Read the latest WPI research news, watch
Documents
The Margrave Tool for Firewall Analysis › legacy › event › lisa10 › tech › ... · 14. ip nat pool localnet 209.172.108.16 prefix-length 24 15. ip nat inside source list
Documents
Margrave: An Improved Analyzer for Access-Control and Con ...€¦ · Margrave: An Improved Analyzer for Access-Control and Con guration Policies by Tim Nelson A Thesis Submitted
Documents
WPI London Centre Paul Davis Director, WPI London Centre
Documents
WPI London Centre
Documents
WPI Aula 05
Design
Margrave: XACML Verification and Change-Impact Analysis Kathi Fisler, WPI Shriram Krishnamurthi, Brown Leo Meyerovich, Brown Michael Carl Tschantz, Brown
Documents
WPI Monthly
Documents
WPI Aula 03
Design
Policy Analysis Using Margrave
Documents
Gary F. Margrave, Samantha Taylor, and Joanna K. Cooper · 2021. 3. 30. · Gary F. Margrave, Samantha Taylor and Joanna K. Cooper Subject: CREWES Research Report Volume 20 (2008)
Documents
Tianci Cui and Gary F. Margrave - CREWES...Tianci Cui and Gary F. Margrave ABSTRACT In this paper, four methods of seismic wavelet estimation are investigated:the statistical method,
Documents
Elisa Negrini (WPI) Advisors: Professors Luca Capogna (WPI ... · Elisa Negrini (WPI) Advisors: Professors Luca Capogna (WPI) and Giovanna Citti (UNIBO) In this work we reconstruct
Documents
WPI 2010 Baccalaureate
Documents