AlgoSec Inc.1 Firewall Configuration Errors Revisited Avishai Wool CTO & Co-Founder, AlgoSec and Prof., Tel Aviv University.

Slides:



Advertisements
Similar presentations
EIDE System Requirements and Specification Documents
Advertisements

Outpost Office Firewall Product presentation. What is Outpost Office Firewall? Software firewall solution designed especially to meet small and medium.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 9: Access Control Lists Routing & Switching.
Chapter 9: Access Control Lists
How to Improve your Firewall Performance
© Vendor Safe Technologies 2008 B REACHES BY M ERCHANT T YPE 70% 1% 9% 20% Data provided by Visa Approved QIRA November 2008 from 475 Forensic Audits.
The Regulation Zoo: Dealing With Compliance Within The Firewall World
Network Security In Education A Balancing Act Doug Klein CTO Vernier Networks, Inc.
Presented by: Luke Speed Computer Security. Why is computer security important! Intruders hack into computers to steal personal information that the user.
Chapter 10 Firewalls. Introduction seen evolution of information systems now everyone want to be on the Internet and to interconnect networks has persistent.
WXES2106 Network Technology Semester /2005 Chapter 10 Access Control Lists CCNA2: Module 11.
Lesson 14-Desktop Protection. Overview Protect against malicious code. Use the Internet. Protect against physical tampering.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Lesson 19: Configuring Windows Firewall
Implementing Standard and Extended Access Control List (ACL) in Cisco Routers.
Computer Networks IGCSE ICT Section 4.
1 Enabling Secure Internet Access with ISA Server.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Skybox® Security Solutions for Symantec CCS Comprehensive IT Governance Risk and Access Compliance Management Skybox Security's.
Interior Gateway Routing Protocol (IGRP) is a distance vector interior routing protocol (IGP) invented by Cisco. It is used by routers to exchange routing.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.
CECS 5460 – Assignment 3 Stacey VanderHeiden Güney.
Using Windows Firewall and Windows Defender
Microsoft Internet Security and Acceleration (ISA) Server 2004 is an advanced packet checking and application-layer firewall, virtual private network.
Cisco PIX firewall Set up 3 security zones ***CS580*** John Trafecanty Jules R. Nya Baweu August 23, 2005.
Agenda Review route summarization Cisco acquire Sourcefire Review Final Exam.
Honeypot and Intrusion Detection System
Web Application Firewall (WAF) RSA ® Conference 2013.
PCI Compliance Technical Overview. RM PCI Calendar Dec 2005: Began PCI 15.1 development Feb 2006: Initial PCI Audit Sept 2006: Official 15.1 PCI Release.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 9: Access Control Lists Routing & Switching.
Access Control List ACL. Access Control List ACL.
Windows 7 Firewall.
1 Chapter 20: Firewalls Fourth Edition by William Stallings Lecture slides by Lawrie Brown(modified by Prof. M. Singhal, U of Kentucky)
Introduction to Firewalls TEC 236. What is a Firewall? A firewall is hardware, software, or a combination of both that is used to prevent unauthorized.
Access Control List (ACL) W.lilakiatsakun. ACL Fundamental ► Introduction to ACLs ► How ACLs work ► Creating ACLs ► The function of a wildcard mask.
INSTALLATION HANDS-ON. Page 2 About the Hands-On This hands-on section is structured in a way, that it allows you to work independently, but still giving.
Thoughts on Firewalls: Topologies, Application Impact, Network Management, Tech Support and more Deke Kassabian, April 2007.
The Changing World of Endpoint Protection
Access Control List ACL’s 5/26/ What Is an ACL? An ACL is a sequential collection of permit or deny statements that apply to addresses or upper-layer.
22 Irwin/Mcgraw-Hill © The McGraw-Hill Companies, Inc., 2000 Information Technology for Human Resources.
Rick Segal CEO Fixmo, Inc.. The Starting Point The Mobile Device is the most personal computer you will ever own.The Mobile Device is the most personal.
1 HoneyNets. 2 Introduction Definition of a Honeynet Concept of Data Capture and Data Control Generation I vs. Generation II Honeynets Description of.
Lesson 11: Configuring and Maintaining Network Security
Making r11 Agent Technology talk through a Firewall Last Updated 12/19/2005.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 9: Access Control Lists Routing & Switching.
AQA A2 COMP 3: Internet Security. Lesson Aim By the end of the lesson: By the end of the lesson: Describe different security issues and recommend tools/techniques.
Access Control Lists Mark Clements. 17 March 2009ITCN 2 This Week – Access Control Lists What are ACLs? What are they for? How do they work? Standard.
What's a Firewall? A security system that acts as a protective boundary between a network and the outside world Isolates computer from the internet using.
1 Pertemuan 24 Access Control List Fundamentals. Discussion Topics Introduction ACLs How ACLs work Creating ACLs The function of a wildcard mask Verifying.
Cryptography and Network Security
Cisco Exam Questions IMPLEMENTING CISCO IOS NETWORK SECURITY (IINS V2.0) VERSION: Presents: 1.
SemiCorp Inc. Presented by Danu Hunskunatai GGU ID #
IT Audit for non-IT auditors Cornell Dover Assistant Auditor General 31 March 2013.
FIREWALLS By k.shivakumar 08k81f0025. CONTENTS Introduction. What is firewall? Hardware vs. software firewalls. Working of a software firewalls. Firewall.
25/09/ Firewall, IDS & IPS basics. Summary Firewalls Intrusion detection system Intrusion prevention system.
Central Management of 300 Firewalls and Access-Lists Fabian Mauchle TNC 2012 Reykjavík, 21-May-2012.
Microsoft OS Vulnerabilities April 1, 2010 MIS 4600 – MBA © Abdou Illia.
Chapter 7. Identifying Assets and Activities to Be Protected
Working at a Small-to-Medium Business or ISP – Chapter 8
Security+ All-In-One Edition Chapter 1 – General Security Concepts
Configuring Windows Firewall with Advanced Security
Breaches by Merchant Type
PROJECT PRESENTATION ON INTERNET FIREWALLS PRESENTED BY THE GUARDS
Introduction to Networking
Firewalls.
Present By:- Company Name: Global Market Forecastes Tel: / Web:
EIDE System Requirements and Specification Documents
Windows Firewall Adem Enes POLAT
Presentation transcript:

AlgoSec Inc.1 Firewall Configuration Errors Revisited Avishai Wool CTO & Co-Founder, AlgoSec and Prof., Tel Aviv University

AlgoSec Inc.2 Agenda  Introduction  Data sources and procedures  Configuration errors  Highlights of 2004 study  Results and discussion

AlgoSec Inc.3 Firewalls seem to be badly configured:  45% of companies worldwide suffered attacks from viruses and worms in the last 12 months (this is a made up statistic, true in every year …)  A properly configured firewall could easily block attacks such as: Sasser worm: attacked port 445 (Netbios) Saphire SQL worm: attacked port 1431 Blaster worm: attacked ports 135/137 (Netbios)  Firewall configs are deemed sensitive – why? Admins know they have holes… Security by obscurity?

AlgoSec Inc.4 Can we quantify the problem? 1.Need firewall configuration data Not available publicly 2.Need to understand the configurations Complex vendor-dependent configuration languages 3.What is an error? Subjective, organization-dependent

AlgoSec Inc.5 #1 : We have the data  AlgoSec performed firewall analysis for hundreds of customers since 2000  Data is under non-disclosure agreements – but we can publish statistics

AlgoSec Inc.6 #2 : We have the technology  Firewall Analyzer software can parse configuration languages (Check Point, Cisco PIX, Cisco Router Access-lists)

AlgoSec Inc.7 #3 : What is an error?  Idea: only count “obvious” errors  Rely on “best practices”: SANS Top 20 CERT PCI DSS (Payment Card Industry) NIST …

AlgoSec Inc.8 Plan of action First study (2004): Check Point Firewall-1 configurations Select 12 severe errors Analyze available configurations Count number of errors Statistical analysis to identify causes and trends Current study: Both Check Point and Cisco PIX Larger - 2x number of configurations More in-depth: 36 severe errors, Check whether 2004 findings are still valid

AlgoSec Inc.9 Timeline of data collection  Configuration files were collected between  Check Point Firewall-1 versions: 3.0, 4.0 – “end-of-life” 4.1 – was still supported NG – released in 2001, minor versions FP3, R54, R55  Cisco PIX PIX versions 4.x, 5.x, 6.x, 7.0

AlgoSec Inc.10 Highlights of the 2004 study

AlgoSec Inc.11 54%

AlgoSec Inc.12 Firewall-1 version helps On average, 2 risks less

AlgoSec Inc.13 Why did the version matter?  Some risks are the result of Check Point “implicit rules”  Changed default values in v4.1  New policy wizard to create a reasonable initial configuration

AlgoSec Inc.14 How to measure complexity  RC (Rule Complexity) = #Rules + #Network Objects + (#interfaces choose 2)  2 interfaces  1 data path  3 interfaces  3 data paths  4 interfaces  6 data paths, etc

AlgoSec Inc.15 Small is Beautiful

AlgoSec Inc.16 Current Results

AlgoSec Inc.17 Why should anything change?  Regulation and Compliance: Sarbanes-Oxley / Basel-II / CobiT / ISO Payment Card Industry (PCI DSS) NIST …  Different vendors – different issues?  New software versions – continue the trend?

AlgoSec Inc.18 Differences from 2004 report  Both Check Point and PIX  2x configurations tested  Newer software versions  Vendor-neutral risk items 8 of 12 properties in 2004 study were specific to Check Point  Pick a new set of 36 risk items  Inbound / Outbound / Internal traffic

AlgoSec Inc.19 Firewalls still badly configured 42%

AlgoSec Inc.20 Version does not matter … (Check Point)

AlgoSec Inc.21 Version does not matter … (PIX)

AlgoSec Inc.22 Why?  Vendor-neutral risks are controlled by basic filtering functionality  Basic filtering controlled by explicit user-defined rules, rather than “check boxes” with vendor “know-how” (??)  Neither vendor has changed the basic filtering capabilities in years (and it’s unlikely that they will)

AlgoSec Inc.23 How to measure complexity of a PIX?  Check Point: Single rule-base Separate object database  Cisco PIX: Separate rule-base per interface No object database (almost)  Old RC metric not very suitable for PIX!

AlgoSec Inc.24 Issues with old RC metric (even on Check Point)  Not enough weight to #interfaces: #rules: 100s – 1000s #objects: 1000s #interfaces: 2-20 – dwarfed (even when quadratic)  Example: A firewall with 12 interfaces should be much more complex than with 3 … RC contribution by interfaces is only 66

AlgoSec Inc.25 A New Firewall Complexity Measure  Idea: pretend to “compile” Check Point configuration into a PIX configuration Duplicate the rule-base, once per interface Add the object database once Count the resulting “number of lines” Compare with PIX config “number of lines” (minus some PIX boilerplate) Check Point: FC = (#rules * #interfaces) + #objects PIX: FC = #lines - 50

AlgoSec Inc.26 Complexity distributions The range of complexity is comparable

AlgoSec Inc.27 Small is Still Beautiful Confidential

AlgoSec Inc.28 Check Point vs PIX

AlgoSec Inc.29 Questions?   Published in: IEEE Internet Computing, 14(4):58-65, 2010  2004 study: IEEE Computer, 37(6):62-67, 2004

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.