![Page 1: The Margrave Tool for Firewall Analysis · The Margrave Tool for Firewall Analysis Tim Nelson (WPI), Christopher Barratt (Brown), Daniel J. Dougherty (WPI), Kathi Fisler (WPI) and](https://reader034.vdocuments.us/reader034/viewer/2022052012/6028d88096ba8c53f40660ad/html5/thumbnails/1.jpg)
The Margrave Tool for Firewall Analysis
Tim Nelson (WPI), Christopher Barratt (Brown),
Daniel J. Dougherty (WPI), Kathi Fisler (WPI)
and Shriram Krishnamurthi (Brown)
…and other dens of iniquity
“I don’t really know what’s wrong.”
“I’m having this strange issue with Cisco IOS…”
“I need your advice…”
Policy-based routing
Static routing, NAT
ACLs, reflexive access-lists
Try this!
No! Try this!
No, no, try this.
Suggestions do not always agree.
Debugging Questions:
Q: Which hop will SMTP packets take next?
A: 192.168.100.4, 192.168.200.5, …
Q: Which configuration rules caused the incorrect routing?
A: Line 14 applied to…, Line 15 applied to…, …
Q: What packets will pass the firewall?
A: TCP from X to Y, …
Q: How do a pair of configurations behave differently?
A: Time, Connection State, …
A: Margrave answers each of these with scenarios.
“The web can access my server, but my server can’t access the web.”

Topology: Firewall; Fe0 209.172.108.16 (outside); Vlan1 192.168.2.1/24 (inside); Server: 192.168.2.6

```
1.  interface FastEthernet0
2.   ip address 209.172.108.16 255.255.255.224
3.   ip access-group 102 in
4.   ip nat outside
5.   speed auto
6.   full-duplex
7.  !
8.  interface Vlan1
9.   ip address 192.168.2.1 255.255.255.0
10.  ip nat inside
11. !
12. ip route 0.0.0.0 0.0.0.0 209.172.108.1
13. !
14. ip nat pool localnet 209.172.108.16 prefix-length 24
15. ip nat inside source list 1 pool localnet overload
16. ip nat inside source list 1 interface FastEthernet0
17. ip nat inside source static tcp 192.168.2.6 80 209.172.108.16 80
18. ip nat inside source static tcp 192.168.2.6 21 209.172.108.16 21
19. ip nat inside source static tcp 192.168.2.6 3389 209.172.108.16 3389
20. !
21. access-list 1 permit 192.168.2.0 0.0.0.255
22. access-list 102 permit tcp any host 209.172.108.16 eq 80
23. access-list 102 permit tcp any host 209.172.108.16 eq 21
24. access-list 102 permit tcp any host 209.172.108.16 eq 20
25. access-list 102 permit tcp any host 209.172.108.16 eq 23
26. access-list 102 deny tcp any host 209.172.108.16
```

The slides highlight, in turn:
The interface addresses (lines 1-2 and 8-9): interface FastEthernet0 with ip address 209.172.108.16 255.255.255.224, and interface Vlan1 with ip address 192.168.2.1 255.255.255.0.
Access-list 102 and its inbound binding on FastEthernet0 (lines 3 and 22-26): permits for TCP to host 209.172.108.16 on ports 80, 21, 20 and 23, then a deny for all other TCP to that host.
The default route (line 12): ip route 0.0.0.0 0.0.0.0 209.172.108.1.
NAT (lines 4, 10, 14-19 and 21): ip nat outside on FastEthernet0, ip nat inside on Vlan1, access-list 1 selecting 192.168.2.0/24, the overloaded pool and interface translations, and the static TCP translations of ports 80, 21 and 3389 to 192.168.2.6.
Access-list 102 once more (lines 22-26).
Checks along each packet path:
Returning packets (in at fe0, out at vlan1): Passes fe0’s inbound ACL? → Can it be routed? → Passes vlan1’s outbound ACL?
Outgoing packets (in at vlan1, out at fe0): Passes vlan1’s inbound ACL? → Can it be routed? → Passes fe0’s outbound ACL?
“Can returning packets be lost?”

EXPLORE: “Find me scenarios where…”

```
EXPLORE
  NOT passes-firewall(<pkt>)
  AND internal-result(<pktplus>)
  AND FastEthernet0 = entry-interface
  AND NOT src-addr-in IN 192.168.2.0/255.255.255.0;
```

Read line by line:
NOT passes-firewall(<pkt>): “Dropped or rejected”
internal-result(<pktplus>): “Compute next hop and NAT”
FastEthernet0 = entry-interface: “Arriving at FastEthernet0”
NOT src-addr-in IN 192.168.2.0/255.255.255.0: “Reasonable source”

where <pkt> = entry-interface, src-addr-in, protocol, … and <pktplus> = <pkt> + temporary variables.
EXPLORENOT passes-firewall(<pkt>)AND internal-result(<pktplus>) AND FastEthernet0 = entry-interfaceAND NOT src-addr-in IN 192.168.2.0/255.255.255.0
AND prot-TCP = protocolAND port-80 = src-port-in;
“TCP from port 80”
![Page 46: The Margrave Tool for Firewall Analysis · The Margrave Tool for Firewall Analysis Tim Nelson (WPI), Christopher Barratt (Brown), Daniel J. Dougherty (WPI), Kathi Fisler (WPI) and](https://reader034.vdocuments.us/reader034/viewer/2022052012/6028d88096ba8c53f40660ad/html5/thumbnails/46.jpg)
“Can returning packets be lost?”
46
1. interface FastEthernet02. ip address 209.172.108.16 255.255.255.2243. ip access-group 102 in4. ip nat outside5. speed auto6. full-duplex7. !8. interface Vlan19. ip address 192.168.2.1 255.255.255.010. ip nat inside11. !12. ip route 0.0.0.0 0.0.0.0 209.172.108.113. !14. ip nat pool localnet 209.172.108.16 prefix-length 2415. ip nat inside source list 1 pool localnet overload16. ip nat inside source list 1 interface FastEthernet017. ip nat inside source static tcp 192.168.2.6 80 209.172.108.16 8018. ip nat inside source static tcp 192.168.2.6 21 209.172.108.16 2119. ip nat inside source static tcp 192.168.2.6 3389 209.172.108.16 338920. !21. access-list 1 permit 192.168.2.0 0.0.0.25522. access-list 102 permit tcp any host 209.172.108.16 eq 8023. access-list 102 permit tcp any host 209.172.108.16 eq 2124. access-list 102 permit tcp any host 209.172.108.16 eq 2025. access-list 102 permit tcp any host 209.172.108.16 eq 2326. access-list 102 deny tcp any host 209.172.108.16
EXPLORENOT passes-firewall(<pkt>)AND internal-result(<pktplus>) AND FastEthernet0 = entry-interfaceAND NOT src-addr-in IN 192.168.2.0/255.255.255.0
AND prot-TCP = protocolAND port-80 = src-port-in;AND dest-addr-in = 209.172.108.16;
“To public address”
![Page 47: The Margrave Tool for Firewall Analysis · The Margrave Tool for Firewall Analysis Tim Nelson (WPI), Christopher Barratt (Brown), Daniel J. Dougherty (WPI), Kathi Fisler (WPI) and](https://reader034.vdocuments.us/reader034/viewer/2022052012/6028d88096ba8c53f40660ad/html5/thumbnails/47.jpg)
“Can returning packets be lost?”
47
1. interface FastEthernet02. ip address 209.172.108.16 255.255.255.2243. ip access-group 102 in4. ip nat outside5. speed auto6. full-duplex7. !8. interface Vlan19. ip address 192.168.2.1 255.255.255.010. ip nat inside11. !12. ip route 0.0.0.0 0.0.0.0 209.172.108.113. !14. ip nat pool localnet 209.172.108.16 prefix-length 2415. ip nat inside source list 1 pool localnet overload16. ip nat inside source list 1 interface FastEthernet017. ip nat inside source static tcp 192.168.2.6 80 209.172.108.16 8018. ip nat inside source static tcp 192.168.2.6 21 209.172.108.16 2119. ip nat inside source static tcp 192.168.2.6 3389 209.172.108.16 338920. !21. access-list 1 permit 192.168.2.0 0.0.0.25522. access-list 102 permit tcp any host 209.172.108.16 eq 8023. access-list 102 permit tcp any host 209.172.108.16 eq 2124. access-list 102 permit tcp any host 209.172.108.16 eq 2025. access-list 102 permit tcp any host 209.172.108.16 eq 2326. access-list 102 deny tcp any host 209.172.108.16
EXPLORENOT passes-firewall(<pkt>)AND internal-result(<pktplus>) AND FastEthernet0 = entry-interfaceAND NOT src-addr-in IN 192.168.2.0/255.255.255.0
AND prot-TCP = protocolAND port-80 = src-port-in;AND dest-addr-in = 209.172.108.16;
“To public address”Here, a scenario is:
Data about a packet’scontents & handling
![Page 48: The Margrave Tool for Firewall Analysis · The Margrave Tool for Firewall Analysis Tim Nelson (WPI), Christopher Barratt (Brown), Daniel J. Dougherty (WPI), Kathi Fisler (WPI) and](https://reader034.vdocuments.us/reader034/viewer/2022052012/6028d88096ba8c53f40660ad/html5/thumbnails/48.jpg)
“Can returning packets be lost?”
48
Check for denied return packets:

```
> EXPLORE NOT src-addr-in IN 192.168.2.0/255.255.255.0
      AND FastEthernet0 = entry-interface
      AND prot-TCP = protocol
      AND port-80 = src-port-in
      AND dest-addr-in = 209.172.108.16
      AND internal-result(<pktplus>)
      AND NOT passes-firewall(<pkt>);
> IS POSSIBLE?;
true
```

Result: some return packets will be dropped.
Similar query: outgoing packets all pass the firewall.
![Page 51: The Margrave Tool for Firewall Analysis · The Margrave Tool for Firewall Analysis Tim Nelson (WPI), Christopher Barratt (Brown), Daniel J. Dougherty (WPI), Kathi Fisler (WPI) and](https://reader034.vdocuments.us/reader034/viewer/2022052012/6028d88096ba8c53f40660ad/html5/thumbnails/51.jpg)
“Which rule(s) were responsible?”
51

```
> EXPLORE NOT src-addr-in IN 192.168.2.0/255.255.255.0
      AND FastEthernet0 = entry-interface
      AND prot-TCP = protocol
      AND port-80 = src-port-in
      AND dest-addr-in = 209.172.108.16
      AND internal-result(<pktplus>)
      AND NOT passes-firewall(<pkt>);
> SHOW REALIZED InboundACL:router-FastEthernet0-line22_applies(<pkt>),
                InboundACL:router-FastEthernet0-line23_applies(<pkt>),
                InboundACL:router-FastEthernet0-line24_applies(<pkt>),
                InboundACL:router-FastEthernet0-line25_applies(<pkt>),
                InboundACL:router-FastEthernet0-line26_applies(<pkt>);
{ InboundACL:router-FastEthernet0-line26_applies( … ) }
```

The candidates listed under SHOW REALIZED are the ACL rules tied to FastEthernet0.
![Page 54: The Margrave Tool for Firewall Analysis · The Margrave Tool for Firewall Analysis Tim Nelson (WPI), Christopher Barratt (Brown), Daniel J. Dougherty (WPI), Kathi Fisler (WPI) and](https://reader034.vdocuments.us/reader034/viewer/2022052012/6028d88096ba8c53f40660ad/html5/thumbnails/54.jpg)
54

```
{ InboundACL:router-FastEthernet0-line26_applies( … ) }
```

Reading the realized identifier:
InboundACL: the ACL rule…
router-FastEthernet0: …tied to the router’s FastEthernet0 interface…
line26: …appearing on line 26…
_applies: …can apply.

Use these in queries too:

```
EXPLORE InboundACL:router-FastEthernet0-line26_applies(<pkt>);
EXPLORE InboundACL:router-FastEthernet0-line26_matches(<pkt>);
```
![Page 57: The Margrave Tool for Firewall Analysis · The Margrave Tool for Firewall Analysis Tim Nelson (WPI), Christopher Barratt (Brown), Daniel J. Dougherty (WPI), Kathi Fisler (WPI) and](https://reader034.vdocuments.us/reader034/viewer/2022052012/6028d88096ba8c53f40660ad/html5/thumbnails/57.jpg)
“Add a rule allowing all returning traffic from port 80…”
57
Will this change fix my problem?
Will it introduce new problems?
![Page 60: The Margrave Tool for Firewall Analysis · The Margrave Tool for Firewall Analysis Tim Nelson (WPI), Christopher Barratt (Brown), Daniel J. Dougherty (WPI), Kathi Fisler (WPI) and](https://reader034.vdocuments.us/reader034/viewer/2022052012/6028d88096ba8c53f40660ad/html5/thumbnails/60.jpg)
60

Original ACL 102 (config lines 22 to 26):

```
22. access-list 102 permit tcp any host 209.172.108.16 eq 80
23. access-list 102 permit tcp any host 209.172.108.16 eq 21
24. access-list 102 permit tcp any host 209.172.108.16 eq 20
25. access-list 102 permit tcp any host 209.172.108.16 eq 23
26. access-list 102 deny tcp any host 209.172.108.16
```

After the change (config lines 22 to 27):

```
22. access-list 102 permit tcp any host 209.172.108.16 eq 80
23. access-list 102 permit tcp any host 209.172.108.16 eq 21
24. access-list 102 permit tcp any host 209.172.108.16 eq 20
25. access-list 102 permit tcp any host 209.172.108.16 eq 23
26. access-list 102 permit tcp any eq 80 any
27. access-list 102 deny tcp any host 209.172.108.16
```

diff says:

```
25a26
> access-list 102 permit tcp any eq 80 any
```
![Page 63: The Margrave Tool for Firewall Analysis · The Margrave Tool for Firewall Analysis Tim Nelson (WPI), Christopher Barratt (Brown), Daniel J. Dougherty (WPI), Kathi Fisler (WPI) and](https://reader034.vdocuments.us/reader034/viewer/2022052012/6028d88096ba8c53f40660ad/html5/thumbnails/63.jpg)
```
EXPLORE NOT src-addr-in IN 192.168.2.0/255.255.255.0
    AND FastEthernet0 = entry-interface
    AND internal-result1(<pktplus>)
    AND (   passes-firewall1(<pkt>) AND NOT passes-firewall2(<pkt>)
         OR passes-firewall2(<pkt>) AND NOT passes-firewall1(<pkt>) );
```
63
Change-impact analysis: the query asks for packets that one configuration passes and the other does not.
![Page 66: The Margrave Tool for Firewall Analysis · The Margrave Tool for Firewall Analysis Tim Nelson (WPI), Christopher Barratt (Brown), Daniel J. Dougherty (WPI), Kathi Fisler (WPI) and](https://reader034.vdocuments.us/reader034/viewer/2022052012/6028d88096ba8c53f40660ad/html5/thumbnails/66.jpg)
```
> EXPLORE NOT src-addr-in IN 192.168.2.0/255.255.255.0
      AND fastethernet0 = entry-interface
      AND internal-result1(<pktplus>)
      AND (   passes-firewall1(<pkt>) AND NOT passes-firewall2(<pkt>)
           OR passes-firewall2(<pkt>) AND NOT passes-firewall1(<pkt>) );
> SHOW ALL;
…
protocol: prot-tcp
entry-interface: fastethernet0
dest-addr-in: 209.172.108.16
src-addr-in: ipaddress
dest-port-in: port
src-port-in: port-80
exit-interface: vlan1

protocol: prot-tcp
entry-interface: fastethernet0
dest-addr-in: ipaddress
src-addr-in: ipaddress
dest-port-in: port
src-port-in: port-80
exit-interface: vlan1
```
66
First scenario: dest-addr-in: 209.172.108.16 is the public address of the server; src-addr-in: ipaddress is “some other address”; dest-port-in: port is “some other port”; exit-interface: vlan1 means the packet is routed successfully.
Second scenario, with dest-addr-in: ipaddress (some other address): More than we intended?
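The two questions above, the denied return packet and the change-impact of the proposed rule, reproduced with a small first-match model of ACL 102. This is an added Python example, not Margrave's code or the slide authors' material; the sample addresses 198.51.100.7, 209.172.108.20 and 192.168.2.9 and the ports 44321, 3389 and 51515 are constructed, and only the TCP addresses and ports the slides use are modelled (no NAT, routing or interface semantics).

```python
"""Added example (not Margrave's code): a first-match model of extended
ACL 102 from the slides.  It answers the deck's two questions offline:
are returning packets from port 80 denied, and which packets change
verdict when 'permit tcp any eq 80 any' is inserted as line 26?
Only TCP addresses and ports are modelled; NAT, routing and interfaces
are not (assumption)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional, Tuple

INSIDE = ip_network("192.168.2.0/24")      # access-list 1, 'Reasonable source'
PUBLIC = ip_address("209.172.108.16")     # the router's public address


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    """One 'access-list 102 ... tcp' line; None means 'any' / no 'eq'."""
    line: int
    action: str                  # 'permit' or 'deny'
    src: Optional[str] = None    # 'host A' on the source side
    sport: Optional[int] = None  # 'eq N' on the source side
    dst: Optional[str] = None    # 'host A' on the destination side
    dport: Optional[int] = None  # 'eq N' on the destination side

    def matches(self, p: Packet) -> bool:
        return (self.src in (None, p.src) and self.sport in (None, p.sport)
                and self.dst in (None, p.dst) and self.dport in (None, p.dport))


def evaluate(acl: Iterable[Rule], p: Packet) -> Tuple[str, Optional[int]]:
    """IOS semantics: the first matching line wins; an unmatched packet
    hits the implicit deny at the end of the list (reported as line None)."""
    for rule in acl:
        if rule.matches(p):
            return rule.action, rule.line
    return "deny", None


# ACL 102 as written in the original configuration (config lines 22-26).
ACL_ORIGINAL = [
    Rule(22, "permit", dst="209.172.108.16", dport=80),
    Rule(23, "permit", dst="209.172.108.16", dport=21),
    Rule(24, "permit", dst="209.172.108.16", dport=20),
    Rule(25, "permit", dst="209.172.108.16", dport=23),
    Rule(26, "deny", dst="209.172.108.16"),
]

# ACL 102 after the proposed change shown by the slides' diff ('25a26').
ACL_CHANGED = ACL_ORIGINAL[:4] + [
    Rule(26, "permit", sport=80),             # permit tcp any eq 80 any
    Rule(27, "deny", dst="209.172.108.16"),
]


def is_return_packet(p: Packet) -> bool:
    """The slides' scenario: TCP from source port 80, from a source that
    is not on the inside network, addressed to the public address."""
    return (ip_address(p.src) not in INSIDE and p.sport == 80
            and ip_address(p.dst) == PUBLIC)


def return_packets_denied(acl: List[Rule], universe: Iterable[Packet]) -> List[Packet]:
    """Counterpart of the 'IS POSSIBLE?' query: return packets the ACL denies."""
    return [p for p in universe
            if is_return_packet(p) and evaluate(acl, p)[0] == "deny"]


def change_impact(before: List[Rule], after: List[Rule],
                  universe: Iterable[Packet]) -> List[Packet]:
    """Packets whose verdict differs between the two ACLs, i.e. the
    (passes-firewall1 XOR passes-firewall2) part of the change query."""
    return [p for p in universe
            if evaluate(before, p)[0] != evaluate(after, p)[0]]


def unintended_changes(before: List[Rule], after: List[Rule],
                       universe: Iterable[Packet]) -> List[Packet]:
    """Verdict changes that are not the return traffic we meant to allow."""
    return [p for p in change_impact(before, after, universe)
            if not is_return_packet(p)]


# Constructed sample universe (addresses and ports chosen for this example):
# an outside host and a host carrying an inside address that arrives from
# outside, the public address and one other destination, two ports each side.
SAMPLE = [
    Packet(src, dst, sport, dport)
    for src in ("198.51.100.7", "192.168.2.9")
    for dst in ("209.172.108.16", "209.172.108.20")
    for sport in (80, 44321)
    for dport in (80, 3389, 51515)
]
```

Over this universe the original ACL denies the return packets whose destination port is not one of the four listed services, and every verdict the new line 26 flips is a packet with source port 80, most of them to destinations or ports that are not return traffic at all.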
![Page 75: The Margrave Tool for Firewall Analysis · The Margrave Tool for Firewall Analysis Tim Nelson (WPI), Christopher Barratt (Brown), Daniel J. Dougherty (WPI), Kathi Fisler (WPI) and](https://reader034.vdocuments.us/reader034/viewer/2022052012/6028d88096ba8c53f40660ad/html5/thumbnails/75.jpg)
75
Query:

```
EXPLORE passes-firewall(<pkt>)
```

<pkt>: variables for packet contents & handling (entry-interface, next-hop, dest-addr-in, …)

Scenario:

```
entry-interface: fe0
next-hop: 192.168.2.6
dest-addr-in: 209.172.108.16
…
```

Elements appearing in the scenario: 192.168.2.6, 209.172.108.16, fe0, …

How large a scenario do we need to check?
Margrave computes a bound automatically, most of the time.
![Page 87: The Margrave Tool for Firewall Analysis · The Margrave Tool for Firewall Analysis Tim Nelson (WPI), Christopher Barratt (Brown), Daniel J. Dougherty (WPI), Kathi Fisler (WPI) and](https://reader034.vdocuments.us/reader034/viewer/2022052012/6028d88096ba8c53f40660ad/html5/thumbnails/87.jpg)
87
Let’s Recap:
Do scenarios exist? True/false
Which scenarios exist? For example: protocol: prot-tcp, entry-interface: fastethernet0, dest-addr-in: 209.172.108.16, src-addr-in: ipaddress, dest-port-in: port, src-port-in: port-80, exit-interface: vlan1
Which rules can take effect? “InboundACL for FastEthernet0 on Line 26”
Single-configuration and multi-configuration queries (change-impact analysis)
![Page 88: The Margrave Tool for Firewall Analysis · The Margrave Tool for Firewall Analysis Tim Nelson (WPI), Christopher Barratt (Brown), Daniel J. Dougherty (WPI), Kathi Fisler (WPI) and](https://reader034.vdocuments.us/reader034/viewer/2022052012/6028d88096ba8c53f40660ad/html5/thumbnails/88.jpg)
88
Passes fe0’s Inbound ACL?
Can it be routed?
Passes vlan1’s Outbound ACL?
Returning packets
![Page 90: The Margrave Tool for Firewall Analysis · The Margrave Tool for Firewall Analysis Tim Nelson (WPI), Christopher Barratt (Brown), Daniel J. Dougherty (WPI), Kathi Fisler (WPI) and](https://reader034.vdocuments.us/reader034/viewer/2022052012/6028d88096ba8c53f40660ad/html5/thumbnails/90.jpg)
90
Can it be routed? How is it routed?

```
interface GigabitEthernet0/0
 ip address 10.232.0.1 255.255.252.0
 ip access-group 101 in
 ip policy route-map internet
!
ip route 10.232.100.0 255.255.252.0 10.254.1.130
ip route 10.232.104.0 255.255.252.0 10.254.1.130
!
access-list 101 deny ip 10.232.0.0 0.0.3.255 10.232.4.0 0.0.3.255
access-list 101 deny ip 10.232.4.0 0.0.3.255 10.232.0.0 0.0.3.255
access-list 101 permit ip any any
!
access-list 10 permit 10.232.0.0 0.0.3.255
access-list 10 permit 10.232.100.0 0.0.3.255
!
route-map internet permit 10
 match ip address 10
 set ip next-hop 10.232.0.15
```
![Page 98: The Margrave Tool for Firewall Analysis · The Margrave Tool for Firewall Analysis Tim Nelson (WPI), Christopher Barratt (Brown), Daniel J. Dougherty (WPI), Kathi Fisler (WPI) and](https://reader034.vdocuments.us/reader034/viewer/2022052012/6028d88096ba8c53f40660ad/html5/thumbnails/98.jpg)
98
Provides these query terms:
ip access-group 102 in → InboundACL:Permit, InboundACL:Deny
interface GigabitEthernet0/0 / ip address 10.232.0.1 255.255.252.0 → LocalSwitching:Forward, LocalSwitching:Pass
ip policy route-map internet / route-map internet permit 10 / match ip address 10 / set ip next-hop 10.232.0.15 → PolicyRouting:Forward, PolicyRouting:Route, PolicyRouting:Pass
ip route 10.232.100.0 255.255.252.0 10.254.1.130 / ip route 10.232.104.0 255.255.252.0 10.254.1.130 → StaticRouting:Forward, StaticRouting:Route, StaticRouting:Pass
set ip default next-hop 10.232.0.15 (in route-map internet) → DefaultPolicyRouting:Forward, DefaultPolicyRouting:Route, DefaultPolicyRouting:Pass
(no additional configuration line on the slide) → NetworkSwitching:Forward, NetworkSwitching:Pass
ip access-group 102 out → OutboundACL:Permit, OutboundACL:Deny
![Page 100: The Margrave Tool for Firewall Analysis · The Margrave Tool for Firewall Analysis Tim Nelson (WPI), Christopher Barratt (Brown), Daniel J. Dougherty (WPI), Kathi Fisler (WPI) and](https://reader034.vdocuments.us/reader034/viewer/2022052012/6028d88096ba8c53f40660ad/html5/thumbnails/100.jpg)
100
EXPLORE
entry-interface = fastethernet0
AND NOT LocalSwitching:Forward(<pkt>)
I only want packets that don’t have a local destination.
Which permitted packets are handled by policy routing?
Does the static route ever apply to WWW packets?
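A toy scenario finder over the slide 89 configuration, written for this page as an added example (not Margrave's own code): each query term from slides 92 to 98 becomes a predicate, and the EXPLORE queries from slide 100 are answered by enumerating a constructed finite universe of source/destination pairs. It assumes textbook IOS semantics with decisions taken in the order the slides list them, and the hand-chosen universe stands in for the bound Margrave computes automatically.

```python
from ipaddress import ip_address, ip_network
from itertools import product

# Config from slide 89. Assumed semantics: textbook IOS, decisions taken in the order the
# slides list the query terms (InboundACL, LocalSwitching, PolicyRouting, StaticRouting).
# Hand-written toy model; not Margrave's compiler or its Kodkod/SAT back end.
IFACE_ADDR = ip_address("10.232.0.1")                       # GigabitEthernet0/0
ACL_101 = [("deny",   "10.232.0.0/22", "10.232.4.0/22"),    # (action, src net, dst net)
           ("deny",   "10.232.4.0/22", "10.232.0.0/22"),
           ("permit", "0.0.0.0/0",     "0.0.0.0/0")]
ACL_10 = ["10.232.0.0/22", "10.232.100.0/22"]               # standard ACL: source only
STATIC_ROUTES = {"10.232.100.0/22": "10.254.1.130", "10.232.104.0/22": "10.254.1.130"}
PBR_NEXT_HOP = "10.232.0.15"                                # route-map internet

def pkt(src, dst):                                          # a scenario: the packet's fields
    return {"src": ip_address(src), "dst": ip_address(dst)}
# One predicate per query term the slides derive from the config.
def inbound_acl_permit(p):
    for action, src, dst in ACL_101:
        if p["src"] in ip_network(src) and p["dst"] in ip_network(dst):
            return action == "permit"
    return False                                            # implicit deny

def local_switching_forward(p):                             # addressed to the router itself
    return p["dst"] == IFACE_ADDR

def policy_routing_route(p):                                # route-map "internet" matches ACL 10
    return any(p["src"] in ip_network(n) for n in ACL_10)

def static_routing_route(p):
    return any(p["dst"] in ip_network(n) for n in STATIC_ROUTES)
def next_hop(p):   # outcome in processing order: a next hop, 'local', or None (dropped/unrouted)
    if not inbound_acl_permit(p):
        return None
    if local_switching_forward(p):
        return "local"
    if policy_routing_route(p):                             # PBR wins over the routing table
        return PBR_NEXT_HOP
    return next((h for n, h in STATIC_ROUTES.items() if p["dst"] in ip_network(n)), None)

# Constructed finite universe; it stands in for the bound Margrave computes automatically.
SRCS = ["10.232.0.9", "10.232.4.9", "10.232.100.9", "10.99.0.9"]
DSTS = ["10.232.0.1", "10.232.4.9", "10.232.100.9", "10.232.104.9", "209.172.108.16"]

def explore(query):  # EXPLORE-style scenario finding: every (src, dst) pair the query admits
    return sorted({(s, d) for s, d in product(SRCS, DSTS) if query(pkt(s, d))})

def permitted_and_policy_routed(p):                         # slide 100's first question
    return (inbound_acl_permit(p) and not local_switching_forward(p)
            and policy_routing_route(p))

def static_route_decides(p):                                # when does a static route apply?
    return (inbound_acl_permit(p) and not local_switching_forward(p)
            and not policy_routing_route(p) and static_routing_route(p))
```

Running `explore(static_route_decides)` returns only scenarios whose source lies outside ACL 10: in this configuration the static routes to 10.232.100.0/22 and 10.232.104.0/22 never decide a packet that policy routing already claimed.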
![Page 107: The Margrave Tool for Firewall Analysis · The Margrave Tool for Firewall Analysis Tim Nelson (WPI), Christopher Barratt (Brown), Daniel J. Dougherty (WPI), Kathi Fisler (WPI) and](https://reader034.vdocuments.us/reader034/viewer/2022052012/6028d88096ba8c53f40660ad/html5/thumbnails/107.jpg)
107
Scenario-finding logic engine
Kodkod & SAT Solving
General Policy Language
Query Language
Supported subset of Cisco IOS
XACML
Amazon SQS, Iptables
(in progress)
![Page 114: The Margrave Tool for Firewall Analysis · The Margrave Tool for Firewall Analysis Tim Nelson (WPI), Christopher Barratt (Brown), Daniel J. Dougherty (WPI), Kathi Fisler (WPI) and](https://reader034.vdocuments.us/reader034/viewer/2022052012/6028d88096ba8c53f40660ad/html5/thumbnails/114.jpg)
114
Future Work
192.168.1.5, Port 25
192.168.1.5, Port 80
192.168.1.5, Ports 25, 80
EXPLORE FastEthernet0 = entry-interface AND prot-TCP = protocol AND port-80 = src-port-in
“Try stateful inspection.”
![Page 115: The Margrave Tool for Firewall Analysis · The Margrave Tool for Firewall Analysis Tim Nelson (WPI), Christopher Barratt (Brown), Daniel J. Dougherty (WPI), Kathi Fisler (WPI) and](https://reader034.vdocuments.us/reader034/viewer/2022052012/6028d88096ba8c53f40660ad/html5/thumbnails/115.jpg)
What configuration problems do you face?
Come talk to me! (I’m here until Friday.)
Text me: (774) 314-1128
Email me: [email protected]
Download the tool:
www.margrave-tool.org
Thank you to:
Varun Singh (Brown), Morgan Quirk (WPI), Emina Torlak (IBM Watson)
115