Scalable configuration management for secure web services infrastructure
Download
1 / 25

Scalable Configuration Management For Secure Web Services Infrastructure - PowerPoint PPT Presentation


  • 193 Views
  • Uploaded on

Scalable Configuration Management For Secure Web Services Infrastructure . Sanjai Narain Senior Research Scientist Telcordia Technologies [email protected] (732) 699 2806. Prepared For DIMACS Workshop on Security of Web Services and E-Commerce, May 5-6, 2005. Outline.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Scalable Configuration Management For Secure Web Services Infrastructure' - erna


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Scalable configuration management for secure web services infrastructure l.jpg

Scalable Configuration Management For Secure Web Services Infrastructure

Sanjai Narain

Senior Research Scientist

Telcordia Technologies

[email protected]

(732) 699 2806

Prepared For

DIMACS Workshop on Security of Web Services and E-Commerce,

May 5-6, 2005


Outline l.jpg
Outline Infrastructure

  • Focus on architectural aspect of web-services security. Components can be robust, but architecture into which they are integrated can be fragile and vulnerable.

  • How do we answer questions such as “is there a single point of failure?”, “is there sufficient defense-in-depth?”

  • Show an approach based on model-finding

  • Show how to scale this approach to realistic size and complexity


Deploying web services security infrastructure component configuration is central operation l.jpg
Deploying Web Services Security Infrastructure Infrastructure Component Configuration Is Central Operation

Defense-in-depth via DMZ

Gateway

Router

F

W

XML

Gateway

Cluster

F

W

Application

Servers

Bulk encryption via

fault-tolerant network of

IPSec Tunnels

Credit card

encryption

Authentication

Authorization

WAN

Gateway

Router

Gateway

Router

F

W

XML

Gateway

Cluster

F

W

Application

Servers

Gateway

Router

F

W

XML

Gateway

Cluster

F

W

Application

Servers


Yet there is no theory of configuration l.jpg
Yet, there is no theory of configuration Infrastructure

System requirements on security, functionality, fault-tolerance

Requirement

Strengthening

Component Adds &

Deletes

Configuration Error

Diagnosis

Configuration Error

Fixing

RequirementVerification

Configuration

Synthesis

Configuration Sequencing

Operations on requirements

Components


Quotes l.jpg
Quotes Infrastructure

  • Although setup (of the trusted computing base) is much simpler than code, it is still complicated, it is usually done by less skilled people, and while code is written once, setup is different for every installation. So we should expect that it’s usually wrong, and many studies confirm this expectation. – Butler Lampson, Computer Security In the Real World. Proceedings of Annual Computer Security Applications Conference, 2000.

    • http://research.microsoft.com/lampson/64-SecurityInRealWorld/Acrobat.pdf

  • 65% of attacks exploit configuration errors. – British Telecom/Gartner Group. http://www.btglobalservices.com/business/global/en/products/docs/28154_219475secur_bro_single.pdf

  • ...operator error is the largest cause of failures...and largest contributor to time to repair ... in two of the three (surveyed) ISPs.......configuration errors are the largest category of operator errors. – David Oppenheimer, Archana Ganapathi, David A. Patterson. Why Internet Services Fail and What Can Be Done About These? Proceedings of 4th Usenix Symposium on Internet Technologies and Systems (USITS ‘03), 2003.

    • http://roc.cs.berkeley.edu/papers/usits03.pdf

  • Consider this: ….the complexity [of computer systems] is growing beyond human ability to manage it….the overlapping connections, dependencies, and interacting applications call for administrative decision-making and responses faster than any human can deliver. Pinpointing root causes of failures becomes more difficult. –Paul Horn, Senior VP, IBM Research. Autonomic Computing: IBM’s Perspective on the State of Information Technology.

    • http://www.research.ibm.com/autonomic/manifesto/autonomic_computing.pdf


New concept requirement solver l.jpg

System Requirements in FOL Infrastructure

System Components

Requirement

Solver

Alloy (MIT)

FOL  Boolean logic

compiler

SAT Solvers

(Very fast)

Configurations

Transformations

FOL formula model

New Concept: Requirement Solver

With policy-based networking, this work has to be done by system designer.

System components, e.g., hosts, servers, routers, firewalls


Formalizing configuration management problems l.jpg
Formalizing Infrastructure ConfigurationManagement Problems

Verification:

  • Where R is a requirement, to show that S R is valid show S R is unsatisfiable

Component adds/deletes:

  • Solve S for new set of components

Configuration synthesis:

  • Find system configuration C:S is satisfiable

S = System

Requirement

Configuration Sequencing:

  • SAT for planning

  • Also Quantified Boolean Formulas

Requirement Strengthening:

  • Solve S  NewReq

Configuration error diagnosis:

  • Where C is current system configuration, is SC satisfiable?

Configuration error fixing:

  • Find new configuration C: S is satisfiable and cost of migration to C is acceptable


Fully configured fault tolerant vpn l.jpg
Fully Configured Fault-Tolerant VPN Infrastructure

Hub Router

IPSec

Tunnel

GRE Tunnel

XML

GW

Cluster

XML

GW

Cluster

Spoke

Spoke

WAN

Router

Router

Router

Hub Router

Full mesh of IPSec tunnels does not scale


Network components l.jpg

Component Attributes Infrastructure

interface

chassis: router

network: subnet

routing: routingDomain

ipsecTunnel

local: externalInterface,

remote: externalInterface,

protocolToSecure: protocol

greTunnel

localPhysical: externalInterface

remotePhysical:externalInterface

routing:routingDomain

firewallPolicy

prot: protocol

action: permission

protectedInterface: physicalInterface

ipPacket

source:interface,

destination:interface,

prot:protocol

Network Components

  • Interface

  • Physical Interface

    • Internal Interface

    • External Interface

      • hubExternalInterface

      • spokeExternalInterface

  • Protocols

  • ike

  • esp

  • gre

  • Subnet

  • Internal Subnet

  • External Subnet

  • Permissions

  • permit

  • deny

OSPF Routing

Domain

RIP Routing

Domain

ipPacket

Spoke

Router

IPSec Tunnel

GRE Tunnel

firewallPolicy

Access Server

(router subtype)

Legacy

Router

WAN

Router

Hub Router


Fault tolerant vpn requirements l.jpg
Fault-Tolerant VPN Requirements Infrastructure

GRERequirements

  • There is a GRE tunnel between each hub and spoke router

  • RIP is enabled on all GRE interfaces

RouterInterfaceRequirements

  • Each spoke router has internal and external interfaces

  • Each access server has internal and external interfaces

  • Each hub router has only external interfaces

  • Each WAN router has only external interfaces

SecureGRERequirements

  • For every GRE tunnel there is an IPSec tunnel between associated physical interfaces that secures all GRE traffic

SubnettingRequirements

  • A router does not have more than one interface on a subnet

  • All internal interfaces are on internal subnets

  • All external interfaces are on external subnets

  • Every hub and spoke router is connected to a WAN router

  • No two non-WAN routers share a subnet

FirewallPolicyRequirements

  • Each hub and spoke external interface permits esp and ike packets

RoutingRequirements

  • RIP is enabled on all internal interfaces

  • OSPF is enabled on all external interfaces

Human administrators reason with these in different ways to synthesize initial network, then reconfigure it as operating conditions change.

Can we automate this reasoning?


Current vpn configuration process l.jpg
Current VPN Configuration Process Infrastructure

hostname AI-RTR

!

crypto isakmp policy 1

authentication pre-share

crypto isakmp key SN1BS-RTR_key_with_AI-RTR address 128.128.128.2

crypto isakmp key PN1BS-RTR_key_with_AI-RTR address 148.148.148.2

crypto isakmp key SN2-RTR_key_with_AI-RTR address 138.138.138.2

!

crypto ipsec transform-set IPSecProposal esp-des esp-sha-hmac

!

crypto map vpn-map-Ethernet0/0 33 ipsec-isakmp

set peer 128.128.128.2

set transform-set IPSecProposal

match address 142

crypto map vpn-map-Ethernet0/0 34 ipsec-isakmp

set peer 148.148.148.2

set transform-set IPSecProposal

match address 143

crypto map vpn-map-Ethernet0/0 35 ipsec-isakmp

set peer 138.138.138.2

set transform-set IPSecProposal

match address 144

!

interface Tunnel0

ip address 35.35.35.2 255.255.255.0

tunnel source 158.158.158.2

tunnel destination 128.128.128.2

crypto map vpn-map-Ethernet0/0

!

interface Tunnel1

ip address 33.33.33.2 255.255.255.0

tunnel source 158.158.158.2

tunnel destination 148.148.148.2

crypto map vpn-map-Ethernet0/0

hostname SN2-RTR

!

crypto isakmp policy 1

authentication pre-share

crypto isakmp key PN1BS-RTR_key_with_SN2-RTR address 148.148.148.2

crypto isakmp key AI-RTR_key_with_SN2-RTR address 158.158.158.2

crypto isakmp key SN1BS-RTR_key_with_SN2-RTR address 128.128.128.2

!

crypto ipsec transform-set IPSecProposal esp-des esp-sha-hmac

!

crypto map vpn-map-Ethernet0/0 33 ipsec-isakmp

set peer 148.148.148.2

set transform-set IPSecProposal

match address 142

crypto map vpn-map-Ethernet0/0 34 ipsec-isakmp

set peer 158.158.158.2

set transform-set IPSecProposal

match address 143

crypto map vpn-map-Ethernet0/0 35 ipsec-isakmp

set peer 128.128.128.2

set transform-set IPSecProposal

match address 144

!

interface Tunnel0

ip address 32.32.32.1 255.255.255.0

tunnel source 138.138.138.2

tunnel destination 148.148.148.2

crypto map vpn-map-Ethernet0/0

!

interface Tunnel1

ip address 36.36.36.1 255.255.255.0

tunnel source 138.138.138.2

tunnel destination 158.158.158.2

crypto map vpn-map-Ethernet0/0

!

interface Tunnel2

ip address 36.36.36.2 255.255.255.0

tunnel source 158.158.158.2

tunnel destination 138.138.138.2

crypto map vpn-map-Ethernet0/0

!

interface Ethernet0/0

ip address 158.158.158.2 255.255.255.0

crypto map vpn-map-Ethernet0/0

!

interface Ethernet0/1

ip address 80.80.80.1 255.255.255.0

!

router rip

version 2

network 80.0.0.0

network 35.0.0.0

network 33.0.0.0

network 36.0.0.0

!

ip classless

ip route 0.0.0.0 0.0.0.0 158.158.158.1

no ip http server

!

access-list 142 permit gre host 158.158.158.2 host 128.128.128.2

access-list 143 permit gre host 158.158.158.2 host 148.148.148.2

access-list 144 permit gre host 158.158.158.2 host 138.138.138.2

!

end

interface Tunnel2

ip address 34.34.34.2 255.255.255.0

tunnel source 148.148.148.2

tunnel destination 138.138.138.2

crypto map vpn-map-Ethernet0/0

!

interface Ethernet0/0

ip address 128.128.128.2 255.255.255.0

crypto map vpn-map-Ethernet0/0

!

interface Ethernet0/1

ip address 50.50.50.1 255.255.255.0

!

router rip

version 2

network 50.0.0.0

network 31.0.0.0

network 34.0.0.0

network 35.0.0.0

!

ip classless

ip route 0.0.0.0 0.0.0.0 128.128.128.1

no ip http server

!

access-list 142 permit gre host 128.128.128.2 host 148.148.148.2

access-list 143 permit gre host 128.128.128.2 host 158.158.158.2

access-list 144 permit gre host 128.128.128.2 host 138.138.138.2

!

end

hostname PN1BS-RTR

!

crypto isakmp policy 1

authentication pre-share

crypto isakmp key SN1BS-RTR_key_with_PN1BS-RTR address 128.128.128.2

crypto isakmp key A1-RTR_key_with_PN1BS-RTR address 158.158.158.2

crypto isakmp key SN2-RTR_key_with_PN1BS-RTR address 138.138.138.2

!

crypto ipsec transform-set IPSecProposal esp-des esp-sha-hmac

!

crypto map vpn-map-Ethernet0/0 33 ipsec-isakmp

set peer 128.128.128.2

set transform-set IPSecProposal

match address 142

crypto map vpn-map-Ethernet0/0 34 ipsec-isakmp

set peer 158.158.158.2

set transform-set IPSecProposal

match address 143

crypto map vpn-map-Ethernet0/0 35 ipsec-isakmp

set peer 138.138.138.2

set transform-set IPSecProposal

match address 144

!

interface Tunnel0

ip address 31.31.31.2 255.255.255.0

tunnel source 148.148.148.2

tunnel destination 128.128.128.2

crypto map vpn-map-Ethernet0/0

!

interface Tunnel1

ip address 33.33.33.1 255.255.255.0

tunnel source 148.148.148.2

tunnel destination 158.158.158.2

crypto map vpn-map-Ethernet0/0

hostname SN1BS-RTR

!

crypto isakmp policy 1

authentication pre-share

crypto isakmp key PN1BS-RTR_key_with_SN1BS-RTR address 148.148.148.2

crypto isakmp key AI-RTR_key_with_SN1BS-RTR address 158.158.158.2

crypto isakmp key SN2-RTR_key_with_SN1BS-RTR address 138.138.138.2

!

crypto ipsec transform-set IPSecProposal esp-des esp-sha-hmac

!

crypto map vpn-map-Ethernet0/0 33 ipsec-isakmp

set peer 148.148.148.2

set transform-set IPSecProposal

match address 142

crypto map vpn-map-Ethernet0/0 34 ipsec-isakmp

set peer 158.158.158.2

set transform-set IPSecProposal

match address 143

crypto map vpn-map-Ethernet0/0 35 ipsec-isakmp

set peer 138.138.138.2

set transform-set IPSecProposal

match address 144

!

interface Tunnel0

ip address 31.31.31.1 255.255.255.0

tunnel source 128.128.128.2

tunnel destination 148.148.148.2

crypto map vpn-map-Ethernet0/0

!

interface Tunnel1

ip address 35.35.35.1 255.255.255.0

tunnel source 128.128.128.2

tunnel destination 158.158.158.2

crypto map vpn-map-Ethernet0/0

ip classless

!

interface Tunnel2

ip address 32.32.32.2 255.255.255.0

tunnel source 148.148.148.2

tunnel destination 138.138.138.2

crypto map vpn-map-Ethernet0/0

!

interface Ethernet0/0

ip address 148.148.148.2 255.255.255.0

crypto map vpn-map-Ethernet0/0

!

interface Ethernet0/1

ip address 192.110.175.1 255.255.255.0

!

router rip

version 2

network 192.110.175.0

network 31.0.0.0

network 33.0.0.0

network 32.0.0.0

!

ip classless

ip route 0.0.0.0 0.0.0.0 148.148.148.1

no ip http server

!

access-list 142 permit gre host 148.148.148.2 host 128.128.128.2

access-list 143 permit gre host 148.148.148.2 host 158.158.158.2

access-list 144 permit gre host 148.148.148.2 host 138.138.138.2

!

end

!

interface Tunnel2

ip address 34.34.34.1 255.255.255.0

tunnel source 138.138.138.2

tunnel destination 128.128.128.2

crypto map vpn-map-Ethernet0/0

!

interface Ethernet0/0

ip address 138.138.138.2 255.255.255.0

crypto map vpn-map-Ethernet0/0

!

interface Ethernet0/1

ip address 60.60.60.1 255.255.255.0

!

router rip

version 2

network 60.0.0.0

network 32.0.0.0

network 34.0.0.0

network 36.0.0.0

!

ip classless

ip route 0.0.0.0 0.0.0.0 138.138.138.1

no ip http server

!

access-list 142 permit gre host 138.138.138.2 host 148.148.148.2

access-list 143 permit gre host 138.138.138.2 host 158.158.158.2

access-list 144 permit gre host 138.138.138.2 host 128.128.128.2

!

end

New Cisco IOS configuration needs to be implemented at all VPN peer routers! For 4 node VPN that is more than 240 command lines


Requirements in alloy l.jpg

pred RouterInterfaceRequirements () Infrastructure

{

(all x:spokeRouter | some y:internalInterface | y.chassis = x) &&

(all x:spokeRouter | some y:spokeExternalInterface | y.chassis = x) &&

(all x:accessServer | some y:internalInterface | y.chassis = x) &&

(all x:accessServer | some y:externalInterface | y.chassis = x) &&

(all x:hubRouter | some y:hubExternalInterface | y.chassis = x)&&

(all x:wanRouter | some y:externalInterface | y.chassis = x)

}

pred SecureGRERequirements ()

{all g:greTunnel |

some p:ipsecTunnel | p.protocolToSecure=gre &&

((p.local = g.localPhysical && p.remote = g.remotePhysical) or

(p.local = g.localPhysical && p.remote = g.remotePhysical))}

Requirements In Alloy


Sample output from requirement solver l.jpg

routing : samples/router/routingDomain = Infrastructure

{externalInterface_0 -> ospfDomain_0,

externalInterface_1 -> ospfDomain_0,

externalInterface_2 -> ospfDomain_0,

externalInterface_3 -> ospfDomain_0,

externalInterface_4 -> ospfDomain_0,

hubExternalInterface_0 -> ospfDomain_0,

hubExternalInterface_1 -> ospfDomain_0,

internalInterface_0 -> ripDomain_0,

internalInterface_1 -> ripDomain_0,

internalInterface_2 -> ripDomain_0,

spokeExternalInterface_0 -> ospfDomain_0,

spokeExternalInterface_1 -> ospfDomain_0}

chassis : samples/router/router =

{externalInterface_0 -> accessServer_0,

externalInterface_1 -> wanRouter_0,

externalInterface_2 -> wanRouter_0,

externalInterface_3 -> wanRouter_0,

externalInterface_4 -> wanRouter_0,

hubExternalInterface_0 -> hubRouter_0,

hubExternalInterface_1 -> hubRouter_1,

internalInterface_0 -> spokeRouter_0,

internalInterface_1 -> accessServer_0,

internalInterface_2 -> spokeRouter_1,

spokeExternalInterface_0 -> spokeRouter_1,

spokeExternalInterface_1 -> spokeRouter_0}

network : samples/router/subnet =

{externalInterface_0 -> externalSubnet_0,

externalInterface_1 -> externalSubnet_0,

externalInterface_2 -> externalSubnet_1,

externalInterface_3 -> externalSubnet_2,

externalInterface_4 -> externalSubnet_3,

hubExternalInterface_0 -> externalSubnet_2,

hubExternalInterface_1 -> externalSubnet_3,

internalInterface_0 -> internalSubnet_0,

internalInterface_1 -> internalSubnet_0,

internalInterface_2 -> internalSubnet_1,

spokeExternalInterface_0 -> externalSubnet_0,

spokeExternalInterface_1 -> externalSubnet_1}

Sample Output From Requirement Solver


Configuration synthesis physical connectivity and routing l.jpg

To synthesize network, satisfy R1-R11 for Infrastructure

1 hub router,

1 WAN router,

1 spoke router,

1 internal subnet,

2 external subnets

1 internal interface,

4 external interfaces,

RIP domain,

1 OSPF domain

RouterInterfaceRequirements

  • Each spoke router has internal and external interfaces

  • Each access server has internal and external interfaces

  • Each hub router has only external interfaces

  • Each WAN router has only external interfaces

Configuration Synthesis:Physical Connectivity and Routing

Hub

Router

SubnettingRequirements

  • A router does not have more than one interface on a subnet

  • All internal interfaces are on internal subnets

  • All external interfaces are on external subnets

  • Every hub and spoke router is connected to a WAN router

  • No two non-WAN routers share a subnet

RIP Domain

OSPF Domain

Spoke

Router

WAN

Router

RoutingRequirements

  • RIP is enabled on all internal interfaces

  • OSPF is enabled on all external interfaces

Requirement Solver generates

solution. Note that Hub and Spoke routers

are not directly connected, due to Requirement 9


Strengthening requirement adding overlay network l.jpg

To synthesize network, satisfy R1-R13 for Infrastructure

previous list of components &

1 GRE tunnel

NOTE: GRE tunnel set up and RIP domain extended to include GRE interfaces automatically!

RouterInterfaceRequirements

  • Each spoke router has internal and external interfaces

  • Each access server has internal and external interfaces

  • Each hub router has only external interfaces

  • Each WAN router has only external interfaces

Strengthening Requirement:Adding Overlay Network

Hub

Router

GRE Tunnel

SubnettingRequirements

  • A router does not have more than one interface on a subnet

  • All internal interfaces are on internal subnets

  • All external interfaces are on external subnets

  • Every hub and spoke router is connected to a WAN router

  • No two non-WAN routers share a subnet

RIP Domain

OSPF Domain

Spoke

Router

WAN

Router

RoutingRequirements

  • RIP is enabled on all internal interfaces

  • OSPF is enabled on all external interfaces

GRERequirements

  • There is a GRE tunnel between each hub and spoke router

  • RIP is enabled on all GRE interfaces


Strengthening requirement adding security for overlay network l.jpg

RouterInterfaceRequirements Infrastructure

  • Each spoke router has internal and external interfaces

  • Each access server has internal and external interfaces

  • Each hub router has only external interfaces

  • Each WAN router has only external interfaces

Strengthening Requirement:Adding Security For Overlay Network

Hub

Router

SubnettingRequirements

  • A router does not have more than one interface on a subnet

  • All internal interfaces are on internal subnets

  • All external interfaces are on external subnets

  • Every hub and spoke router is connected to a WAN router

  • No two non-WAN routers share a subnet

IPSec Tunnel

OSPF Domain

Spoke

Router

WAN

Router

RoutingRequirements

  • RIP is enabled on all internal interfaces

  • OSPF is enabled on all external interfaces

GRERequirements

  • There is a GRE tunnel between each hub and spoke router

  • RIP is enabled on all GRE interfaces

SecureGRERequirements

  • For every GRE tunnel there is an IPSec tunnel between associated physical interfaces that secures all GRE traffic

To synthesize network, satisfy R1-R14 for

  • previous list of components &

  • 1 IPSec tunnel

    NOTE: IPSec tunnel securing GRE tunnel set up automatically


Component addition adding new spoke router l.jpg
Component Addition: Adding New Spoke Router Infrastructure

Hub Router

Spoke

Router

Spoke

Router

WAN

Router

  • To add another spoke router satisfy requirements R1-R15 for previous components and one additional spoke router and related components

  • Note: New subnets, GRE and IPSec tunnels set up, and routing domains extended automatically


Component addition adding new hub router l.jpg
Component Addition: Adding New Hub Router Infrastructure

Hub Router

OSPF Domain

Spoke

Router

Spoke

Router

WAN

Router

Access Server

Hub Router

  • To add another hub router satisfy requirements R1-R15 for previous components and one additional hub router (and related com[ponents)

  • New subnets, GRE and IPSec tunnels set up, and routing domains extended automatically


Verification adding firewall requirements discovering design flaw l.jpg
Verification: Adding Firewall Requirements & Discovering Design Flaw

Hub Router

OSPF Domain

Spoke

Router

Spoke

Router

WAN

Router

Hub Router

  • Symptom: Cannot ping from one internal interface to another

  • Define Bad = ip packet is blocked

  • Check if R1-R16 & Bad is satisfiable

  • Answer: WAN router firewalls block ike/ipsec traffic

  • Action: Create new policy that allows WAN router firewalls to pass esp/ike packets


Scalability approaches l.jpg
Scalability Approaches Design Flaw

  • Can we write specifications in such a way that they are “efficient”?

  • Two heuristics:

    • Small number of quantifiers in formulas

    • Scope splitting

  • Even with these, Alloy crashes for 10 sites (200 object instances)

  • New approach is required


Divide conquer verify l.jpg
Divide, Conquer, Verify Design Flaw

  • Heuristic: Instead of creating VPN for all sites all at once, create it incrementally by adding sites one at a time

  • Goal: Solve R for component set C

  • If C is large, Alloy will take a long time or crash

  • Split C into C1,..,Ck and solve R for C1,..,Ck generating solutions M1,..,Mk. Then take union of M1,..,Mk = M

  • Verify that M is a solution for R.

  • Using Alloy for verification will restore inefficiency

  • However, one can use Prolog


Any fol formula can be expressed in full prolog l.jpg
Any FOL formula can be expressed in full Prolog. Design Flaw

pred greTunnelEveryHubSpoke ()

{all x:hubExternalInterface, y:spokeExternalInterface | some g:greTunnel |

(g.localPhysical=x && g.remotePhysical=y) or (g.localPhysical=y && g.remotePhysical=x)}

-----------------------------------------------------------------------------------------------------------------------------------

greTunnelEveryHubSpoke if not counterExampleGreTunnelEveryHubSpoke.

counterExampleGreTunnelEveryHubSpoke if type(X,hub),type(Y,spoke), not existsGRE(X,Y).

existsGRE(X,Y) if localPhysical(GT, P1),remotePhysical(GT,P2), chassis(P1, X), chassis(P2, Y)

existsGRE(X,Y) if localPhysical(GT, P1),remotePhysical(GT,P2), chassis(P2, X), chassis(P1, Y)

------------------------------------------------------------------------------------------------------------------------------------

  • Represent model as a collection of Prolog ground facts. Now, evaluate Prolog requirement. This is a database integrity checking problem


Summary future directions l.jpg
Summary & Future Directions Design Flaw

  • Problem: Focus on architectural aspects of security

  • Configuration plays central role in web services infrastructure synthesis & management

  • We need a theory of configuration to solve following fundamental problems:

    • Specification languages

    • Configuration synthesis

    • Incremental configuration (requirement strengthening, component addition)

    • Configuration error diagnosis

    • Configuration error troubleshooting

    • Verification

    • Configuration sequencing

    • Distributed configuration

  • Proposed formalization of 1-6 via Alloy and SAT solvers

  • Proposed scalability approach by complementary use of Prolog

  • Future directions:

    • Scalable algorithms to solve above problems.

    • Combine FOL reasoning systems, Linear Programming systems, relational databases, graph algorithms into single programming model


Slide24 l.jpg

Thank You Design Flaw


Slide25 l.jpg

  • There is no theory of configuration. There is a deep logic that governs infrastructure.

  • Security and routing interfere

  • Move from coding to configuration

  • Why is diagnosis hard: work in isolation but not together

  • Policies across components, and across layers……! GUIs don’t even have expressive power of Boolean logic

  • Self-healing architecture VG

  • Emphasize Language (syntax/semantics). Semantics: services at each layer

  • Integrate fault-tolerant protocols

  • Scalability

  • LP


ad