LANCOM: LAnguage for Network COnfiguration and Management

Chitra S Agastya ([email protected])
Nipun Arora ([email protected])
Sambuddho Chakravarty ([email protected])
Milind Nimesh ([email protected])
Ashish Singh Tomar ([email protected])


Meet the System Administrator

Implements security / access policies on various routers and firewalls

Proficient in esoteric configuration languages

Configure complex security strategies using low level firewall rules

The End Result….

Affects scalability of the network

No reusability of code

Conflicts arise due to use of different router configuration languages in the same network

“Misconfigurations are the source of most network vulnerabilities”

The Business Angle…

“Security managers need a single place to look for the corporate policies on who gets in and who doesn’t”

- Forrester report

The Solution: LANCOM

An out-of-the-box solution for configuring the routers in a network, even when they are manufactured by different vendors

Device Independent Configuration Language

Domain Specific

User Focus: Network Administrator

Translator Architecture of LANCOM (diagram): the LANCOM compiler reads the input source program through a lexer, a parser and syntax-directed translation; the configuration actions use a symbol table and command classes to emit routing/firewalling commands for Linux or for FreeBSD into the output configuration file.

Programming Constructs

Host

Host Group

Topology

Route

Program Structure

prog

Declarative Statements

Assignment Statements

Configuration Statements

endprog

policy_type_t pol;

pol = inbound deny tcp dst 1.1.1.1 netmask 255.255.255.0 8088;

apply policy pol;

Separation of Network Topology and Security Policy Description

prog

ipaddr_t ip1,ip2;

ip1=1.1.1.1;

ip2=4.4.4.4;

policy_type_t p1;

p1= inbound deny tcp src 2.2.2.2 netmask 255.255.255.0 all;

role_type_t r1;

r1=role { p1, outbound deny dst ip2 netmask 255.255.255.255 all};

host_type_t h1;

h1=ip_addr 6.6.6.6 netmask 255.255.255.0;

host_group_type_t hg1;

hg1=host_group {h1, ip_addr 5.5.5.5 netmask 255.255.255.0};

topology_type_t t1;

t1=hg1 r1;

apply topology t1;

endprog

Construct hierarchy (diagram): Policy, Role, Host, Host Group, Topology

Test-Bed to Test Basic Firewall Policy Description Using LANCOM

Test-bed diagram: a FreeBSD (IPFW) gateway and a Linux (IPTABLES) gateway, each with a webserver behind it

Test-Bed Designed and Implemented on DeterLab

Device Independent Configuration

prog

policy_type_t p;

p=inbound deny tcp dst 10.3.0.6 netmask 255.255.255.0 8088;

apply policy p;

endprog

Linux (iptables)

/sbin/iptables -I FORWARD -p tcp -d 10.3.0.6/255.255.255.0 -s 0.0.0.0/0.0.0.0 --destination-port 8088 -j DROP

FreeBSD(ipfw)

/sbin/ipfw add deny tcp from 0.0.0.0:0.0.0.0 to 10.3.0.6:255.255.255.0 8088
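The translation shown on this slide, and the prog / endprog program structure from the earlier slides, as an added worked example. This is not the project's ANTLR-based compiler; it is a small Python reconstruction of the policy subset visible on the slides (policy_type_t declarations, policy assignments, apply policy statements), with the policy grammar, the allow action, the udp protocol and the outbound-to-OUTPUT mapping being this example's own assumptions. Roles, hosts, host groups and topologies are not handled. The point it makes for a defender is that the front end validates addresses, netmasks and ports and checks the symbol table before any command is emitted, so a typo in the policy fails in the compiler rather than silently producing a rule that does not match what the administrator meant.

```python
"""Translate the LANCOM policy subset shown on the slides into iptables / ipfw commands."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Shape of a policy expression, reconstructed from the slide examples; this regex
# is this example's assumption, not the project's ANTLR grammar:
#   <inbound|outbound> <deny|allow> <tcp|udp> <src|dst> <ip> netmask <mask> <port|all>
POLICY_RE = re.compile(
    r"^(?P<direction>inbound|outbound)\s+(?P<action>deny|allow)\s+"
    r"(?P<proto>tcp|udp)\s+(?P<side>src|dst)\s+(?P<ip>[\d.]+)\s+"
    r"netmask\s+(?P<mask>[\d.]+)\s+(?P<port>\d+|all)\s*;?$"
)
ANY = "0.0.0.0"  # wildcard address/mask the slides use for the unconstrained side


@dataclass(frozen=True)
class Policy:
    direction: str
    action: str
    proto: str
    side: str             # which endpoint the address constrains: "src" or "dst"
    ip: str
    mask: str
    port: Optional[int]   # None stands for "all"


def parse_policy(text: str) -> Policy:
    """Parse one policy expression; reject malformed addresses, masks and ports."""
    m = POLICY_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a LANCOM policy expression: {text!r}")
    ipaddress.IPv4Address(m["ip"])
    # A non-contiguous or garbled netmask raises here instead of on the router.
    ipaddress.IPv4Network(f"{m['ip']}/{m['mask']}", strict=False)
    port = None if m["port"] == "all" else int(m["port"])
    if port is not None and not 0 < port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return Policy(m["direction"], m["action"], m["proto"], m["side"],
                  m["ip"], m["mask"], port)


def to_iptables(p: Policy) -> str:
    """Linux back end, mirroring the command form on the slide."""
    # inbound -> FORWARD follows the slide; outbound -> OUTPUT is an assumption.
    chain = "FORWARD" if p.direction == "inbound" else "OUTPUT"
    target = "DROP" if p.action == "deny" else "ACCEPT"
    src = f"{p.ip}/{p.mask}" if p.side == "src" else f"{ANY}/{ANY}"
    dst = f"{p.ip}/{p.mask}" if p.side == "dst" else f"{ANY}/{ANY}"
    cmd = f"/sbin/iptables -I {chain} -p {p.proto} -d {dst} -s {src}"
    if p.port is not None:
        flag = "--destination-port" if p.side == "dst" else "--source-port"
        cmd += f" {flag} {p.port}"
    return cmd + f" -j {target}"


def to_ipfw(p: Policy) -> str:
    """FreeBSD back end; like the slide's command it carries no in/out keyword."""
    src = f"{p.ip}:{p.mask}" if p.side == "src" else f"{ANY}:{ANY}"
    dst = f"{p.ip}:{p.mask}" if p.side == "dst" else f"{ANY}:{ANY}"
    port = "" if p.port is None else f" {p.port}"
    return (f"/sbin/ipfw add {p.action} {p.proto} from {src}"
            f"{port if p.side == 'src' else ''} to {dst}"
            f"{port if p.side == 'dst' else ''}")


BACKENDS = {"linux": to_iptables, "freebsd": to_ipfw}


def compile_program(source: str, target: str) -> List[str]:
    """Walk a prog ... endprog block: declarations fill the symbol table,
    assignments bind policy values, 'apply policy' emits a command."""
    emit = BACKENDS[target]
    symbols: dict = {}          # name -> Policy (None while declared but unassigned)
    commands: List[str] = []
    lines = [ln.strip() for ln in source.strip().splitlines() if ln.strip()]
    if not lines or lines[0] != "prog" or lines[-1] != "endprog":
        raise ValueError("program must be enclosed in prog ... endprog")
    for stmt in lines[1:-1]:
        stmt = stmt.rstrip(";").strip()
        if stmt.startswith("policy_type_t "):
            for name in stmt[len("policy_type_t "):].split(","):
                symbols[name.strip()] = None
        elif stmt.startswith("apply policy "):
            name = stmt[len("apply policy "):].strip()
            if symbols.get(name) is None:
                raise ValueError(f"{name} is undeclared or has no value")
            commands.append(emit(symbols[name]))
        elif "=" in stmt:
            name, expr = (s.strip() for s in stmt.split("=", 1))
            if name not in symbols:
                raise ValueError(f"assignment to undeclared variable {name}")
            symbols[name] = parse_policy(expr)
        else:
            raise ValueError(f"unsupported statement: {stmt}")
    return commands


# Constructed input: the program from the "Device Independent Configuration" slide.
SAMPLE = """prog
policy_type_t p;
p=inbound deny tcp dst 10.3.0.6 netmask 255.255.255.0 8088;
apply policy p;
endprog"""

if __name__ == "__main__":
    for target in BACKENDS:
        print(target, compile_program(SAMPLE, target))
```

Running the script prints, for the linux target, exactly the iptables line on the slide and, for the freebsd target, exactly the ipfw line. A policy with a netmask such as 255.255.0.255 or an apply statement naming an undeclared variable is rejected by the compiler and never reaches the firewall.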

Tools Used

What we learned

ANTLRWorks – an easy-to-use GUI for writing your own language

Networking Concepts

Team Work

Not all team members were conversant with networking

THANK YOU!!