Distributed Firewall Policy Validation by Kyle Wheeler.

Slides:



Advertisements
Similar presentations
The Role of Trust Management in Distributed Systems Authors Matt Blaze, John Feigenbaum, John Ioannidis, Angelos D. Keromytis Presented By Akshay Gupte.
Advertisements

Chapter 1: Introduction to Scaling Networks
Introducing Campus Networks
Firewall Query Engine and Firewall Comparison Engine Mohamed Gouda Alex X. Liu Computer Science Department The University of Texas at Austin.
Chapter One The Essence of UNIX.
A Java Architecture for the Internet of Things Noel Poore, Architect Pete St. Pierre, Product Manager Java Platform Group, Internet of Things September.
Scalable Flow-Based Networking with DIFANE 1 Minlan Yu Princeton University Joint work with Mike Freedman, Jennifer Rexford and Jia Wang.
Highly Available Central Services An Intelligent Router Approach Thomas Finnern Thorsten Witt DESY/IT.
8.
Zhang Fu, Marina Papatriantafilou, Philippas Tsigas Chalmers University of Technology, Sweden 1 ACM SAC 2010 ACM SAC 2011.
Chapter 12 Distributed Database Management Systems
Improving Data Access in P2P Systems Karl Aberer and Magdalena Punceva Swiss Federal Institute of Technology Manfred Hauswirth and Roman Schmidt Technical.
1 The Spread of the Sapphire/Slammer Worm D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, N. Weaver Presented by Stefan Birrer.
Enterprise Network Security Accessing the WAN Lecture week 4.
WAN Technologies.
–Streamline / organize Improve readability of code Decrease code volume/line count Simplify mechanisms Improve maintainability & clarity Decrease development.
A centralized system.  Active Directory is Microsoft's trademarked directory service, an integral part of the Windows architecture. Like other directory.
1 MASTERING (VIRTUAL) NETWORKS A Case Study of Virtualizing Internet Lab Avin Chen Borokhovich Michael Goldfeld Arik.
CISCO CONFIDENTIAL – DO NOT DUPLICATE OR COPY Protecting the Business Network and Resources with CiscoWorks VMS Security Management Software Girish Patel,
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
MiVoice Office v MiVoice Office v6.0 is mainly a service enhancement release, rather than a user feature rich enhancement release.
© 2012 Cisco and/or its affiliates. All rights reserved. 1 CCNA Security 1.1 Instructional Resource Chapter 10 – Implementing the Cisco Adaptive Security.
Course 6421A Module 7: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service Presentation: 60 minutes Lab: 60 minutes Module.
Directory and File Transfer Services Chapter 7. Learning Objectives Explain benefits offered by centralized enterprise directory services such as LDAP.
INTRODUCTION TO WEB DATABASE PROGRAMMING
BMC Software confidential. BMC Performance Manager Will Brown.
Figure 1-2: Simple peer-to-peer network
Central Online Grading System COGS Dec15-21 dec1521.sd.ece.iastate.edu.
Introduction to Information Technology, 2 nd Edition Turban, Rainer & Potter © 2003 John Wiley & Sons, Inc. 7-1 Introduction to Information Technology.
Speaker:Chiang Hong-Ren Botnet Detection by Monitoring Group Activities in DNS Traffic.
Introduction and Overview Questions answered in this lecture: What is an operating system? How have operating systems evolved? Why study operating systems?
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.
VeriFlow: Verifying Network-Wide Invariants in Real Time
Objectives Configure routing in Windows Server 2008 Configure Routing and Remote Access Services in Windows Server 2008 Network Address Translation 1.
Honeypot and Intrusion Detection System
Computer Measurement Group, India Optimal Design Principles for better Performance of Next generation Systems Balachandar Gurusamy,
U.S. Department of Agriculture eGovernment Program August 14, 2003 eAuthentication Agency Application Pre-Design Meeting eGovernment Program.
CS 474 Database Design and Application Terminology Jan 11, 2000.
Software Security Testing Vinay Srinivasan cell:
COMP1321 Digital Infrastructure Richard Henson February 2014.
© 2006 Cisco Systems, Inc. All rights reserved. Optimizing Converged Cisco Networks (ONT) Module 6: Implement Wireless Scalability.
Week 5 Lecture Distributed Database Management Systems Samuel ConnSamuel Conn, Asst Professor Suggestions for using the Lecture Slides.
CS 390 Unix Programming Summer Unix Programming - CS 3902 Course Details Online Information Please check.
Computer Emergency Notification System (CENS)
Assorted Topics Introduction AJAX What is it? Why is it important? Examples of live applications Cloud Computing What is it? Why.
An application architecture specifies the technologies to be used to implement one or more (and possibly all) information systems in terms of DATA, PROCESS,
4 - 1 Copyright © 2006, The McGraw-Hill Companies, Inc. All rights reserved. Computer Software Chapter 4.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 1: Introduction to Scaling Networks Scaling Networks.
A Certifying Compiler and Pointer Logic Zhaopeng Li Software Security Lab. Department of Computer Science and Technology, University of Science and Technology.
Institute of Technology Sligo - Dept of Computing Sem 2 Chapter 12 Routing Protocols.
INTRODUCTION TO WEB APPLICATION Chapter 1. In this chapter, you will learn about:  The evolution of the Internet  The beginning of the World Wide Web,
ISA Server 2004 Introduction Владимир Александров MCT, MCSE, MCSD, MCDBA Корус, Управител
Experiment Management System CSE 423 Aaron Kloc Jordan Harstad Robert Sorensen Robert Trevino Nicolas Tjioe Status Report Presentation Industry Mentor:
CS 127 Introduction to Computer Science. What is a computer?  “A machine that stores and manipulates information under the control of a changeable program”
Advanced Programming in the UNIX Environment Hop Lee.
This is an introduction to Soft Assess – an assessment software solution for FET colleges, and schools.
ASHRAY PATEL Protection Mechanisms. Roadmap Access Control Four access control processes Managing access control Firewalls Scanning and Analysis tools.
SMOOTHWALL FIREWALL By Nitheish Kumarr. INTRODUCTION  Smooth wall Express is a Linux based firewall produced by the Smooth wall Open Source Project Team.
Cisco Routers Routers collectively provide the main feature of the network layer—the capability to forward packets end-to-end through a network. routers.
Sem 2 v2 Chapter 12: Routing. Routers can be configured to use one or more IP routing protocols. Two of these IP routing protocols are RIP and IGRP. After.
1 © 2004, Cisco Systems, Inc. All rights reserved. CCNA 2 v3.1 Module 2 Introduction to Routers.
Overview – SOE PatchTT November 2015.
Secure Software Confidentiality Integrity Data Security Authentication
Overview – SOE PatchTT December 2013.
HARDENING CLIENT COMPUTERS
Chapter 4: Routing Concepts
Design Unit 26 Design a small or home office network
11/17/2018 9:32 PM © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN.
An Introduction to Computer Networking
Chapter 10: Advanced Cisco Adaptive Security Appliance
Presentation transcript:

Distributed Firewall Policy Validation by Kyle Wheeler

Outline 1. Introduction Justification Requirements 2. Design Approaches Architecture 3. Implementation Requirements Graphing Example Policy Example 4. Conclusions

Security is IMPORTANT Computer-based attacks are increasing Code Red: 2000 hosts/minute (2001) Slammer: 55 million scans/second (2003) Attacks are becoming more damaging CISCO’s IOS code stolen Valve’s HalfLife 2 code stolen Trend Micro says: $13 billion in 2001 $20 billion in 2002 $55 billion in 2003 (source)source

Security is HARD Firewalls Most popular security method Rules can and do become very complex Not only method, however Large networks have: Many different administrators Diverse software Security of large networks requires: Centralized control Uniform software No unified method of verifying security policy implementation For example, The University of Notre Dame network

Rules for the Solution Few Requirements Network-connectivity independent Mostly system-setup independent Cannot require root access Independent of firewall implementations Flexible Testing Out-of-order data collection (some support) Non-uniform distribution of testing nodes Define a testable security policy language

Analysis Approaches Static Vulnerability Analysis Splint Threat Modeling Regression Testing

Static Vulnerability Analysis The Good Avoids logical ambiguity Avoids common loopholes and mistakes Easy to understand The Bad Requires detailed knowledge of the implementation Implementation- specific Does not address system interactions

Threat Modeling The Good Models entire system Views system as an attacker would Determines vulnerability “surface” The Bad Requires full knowledge of all system details

Regression Testing The Good Does not need implementation- specific details Easy to understand The Bad Effectiveness is tied to the completeness of the policy Can miss some vulnerabilities

Data Collection Framework Hierarchical organization Handles complex networks Allows asynchronous operation Wizard Big picture management, handles policy testing setup Manager Organization, Coordination, Retrieval Prober Low-level testing, yes/no answers

Managers & Probers Good Features Subordinate Managers Commands can be any length Key Features Hierarchical Naming Maildir-like communication

Hierarchical Naming Names contain routing information Names are given or assigned Network must be laid out intelligently No auto-discovery Manually connectable Must be a root to the tree (base) Three kinds of sub-names base.m1.m1.p2.t1.t Example, slide 17, 12

Maildir-like Algorithm Benefits No locks: NFS safe No partial-files No new communication server to secure Two-step file creation Create in tmp, then move to new Need unique new name Use pid and random Could use more (inode#, for example) Waiting For Results Requires Polling

Given a complex network… Administrator’s Console Firewall Prober Manager Prober Manager Prober Manager Prober

… Handled Nicely Prober Manager Prober Manager Prober Manager Administrator’s Console Firewall

Or, More Realistically… internet

... Which Can be Organized Wizard & Manager base Prober base.p Prober base.p Prober base.m1.p Prober base.m1.m1.p Prober base.m1.m1.p Manager - base.m1 Prober - base.p Manager - base.m1.m1 Prober - base.m1.p Prober base.p4

The Implementation Requirements: ttcp installed in PATH Binary connection testing bash available, in PATH Written in bash SSH access, without password Security issue Impact can be reduced with careful administration Graphing with Graphviz

Raw Manager Capability Hosts, fully connected: wopr.memoryhole.net iss.cse.nd.edu salinan.cse.nd.edu itisfast.cse.nd.edu Legend: Black line = confirmed connection Dotted line = one side reported connection Red line = one side reported, one side denied

The Wizard Interchangeable element Interprets policy language Generates and spawns tests At least three per assertion Otherwise 50% of all possible Interprets results of tests Must have control of “base” Manager

Example Policy network iss network nd network brk brk -> nd brk -> iss via nd -> brk via nd -> iss via iss -X nd iss -X brk 16

Conclusions Design is feasible Implementation works as expected Being generic is hard Future Work Investigate long-running “continuous” testing Policy language needs further flexibility Speed of testing

Any Questions?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.