Firewall Fingerprinting Amir R. Khakpour 1, Joshua W. Hulst 1, Zhihui Ge 2, Alex X. Liu 1, Dan Pei 2, Jia Wang 2 1 Michigan State University 2 AT&T Labs.

Firewall Fingerprinting. Amir R. Khakpour 1, Joshua W. Hulst 1, Zhihui Ge 2, Alex X. Liu 1, Dan Pei 2, Jia Wang 2. 1 Michigan State University, 2 AT&T Labs - Research. IEEE INFOCOM 2012. Presented by 左昌國, ADLab, NCU.

Outline (slide 2)
- Introduction
- Related Work
- Background
- Overview
- Firewall Characteristics
- Firewall Inference
- Conclusion and Future Work

Introduction (slide 3)
Motivation:
- Firewalls are the first line of defense for network traffic.
- Firewalls also have vulnerabilities.
- The first step of an attack is firewall fingerprinting.
Limitations of previous work:
- Mostly OS fingerprinting.
- Bridge mode makes firewalls not directly accessible.
- Packet header analysis is useless for firewall fingerprinting.
Challenges:
- Closed source.
- Parameters and configuration details.
- Not remotely accessible.
- Difficult to infer firewall types.

Introduction (slide 4)
This paper:
- Proposes a set of techniques that can collect information about firewalls.
- Identifies characteristics: packet classification algorithms, and performance under different traffic loads.
- Identifies firewalls.

Related Work (slide 5)
- OS fingerprinting tools: NMAP, xprobe2++, p0f.
- OS fingerprinting research: Medeiros et al., Snacktime.
- Firewall performance: Lyu and Lau, Funke et al.

Background (slide 6)
- Firewall policies.
- Caching:
  - Rule caching uses a 4-tuple: source IP, destination IP, destination port, and protocol type.
  - Flow caching uses a 5-tuple: the same four fields plus the source port.

Background (slide 7)
- Statefulness: a stateful firewall tracks TCP sessions in a state table by examining the TCP flags of incoming TCP packets.
- Packet classification solutions:
  - Software-based solutions: sequential search, or complex data structures.
  - Ternary Content Addressable Memory (TCAM).

Overview (slide 8)
- Measurements are based on probe packet processing time (PPT).

Firewall Characteristics (slide 9)
Probe packets:
- TCP Fix: a sequence of TCP packets with the same packet header.
- TCP Vary: a sequence of TCP packets with the same packet header except the source port, which is chosen randomly for each packet.
- UDP Fix: a sequence of UDP packets with the same packet header.
- UDP Vary: a sequence of UDP packets with the same packet header except the source port, which is chosen randomly for each probe packet.

Firewall Characteristics (slide 10)
- Background traffic load.
- Measuring PPT: local measurement, or remote measurement.
- Packet classification algorithm:
  - Whether a firewall adopts a sequential-search-based algorithm.
  - Whether the performance of a firewall is sensitive to traffic load.
  - How a firewall performs in terms of PPT.

Firewall Characteristics – Sequential Search (slide 11)
- Generate a sequence of probe packets where each packet matches exactly one of the rules in the policy.
- PPT measurement:
  - Linear growth with the rule position: probably sequential search.
  - A different pattern (or no change): not sequential search.
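The slide above leaves the "linear" test informal. As an added example (not code from the paper or the presenter), the following fits a line to per-rule median PPTs and treats a positive slope with a good linear fit as the sequential-search signature; the PPT values are constructed, not measured on any real firewall.

```python
# Added example, not from the paper: decide whether per-rule packet processing
# times (PPT) grow linearly with the rule's position in the policy.
from statistics import mean


def linear_fit(xs, ys):
    """Least-squares slope, intercept and R^2 of ys regressed on xs."""
    mx, my = mean(xs), mean(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    slope = sxy / sxx
    intercept = my - slope * mx
    ss_res = sum((y - (intercept + slope * x)) ** 2 for x, y in zip(xs, ys))
    ss_tot = sum((y - my) ** 2 for y in ys)
    r2 = 1.0 - ss_res / ss_tot if ss_tot else 1.0
    return slope, intercept, r2


def infer_sequential_search(ppt_by_rule, min_r2=0.9):
    """ppt_by_rule[i] is the median PPT (microseconds) of probes that match
    rule i+1 of the policy.  Returns (is_sequential, slope, r2): a positive
    slope with R^2 >= min_r2 means PPT grows with rule position, which is the
    pattern slide 11 attributes to a sequential-search classifier.  The
    min_r2 threshold is an assumption of this example, not a value from the
    paper."""
    xs = list(range(1, len(ppt_by_rule) + 1))
    slope, _, r2 = linear_fit(xs, ppt_by_rule)
    return slope > 0 and r2 >= min_r2, slope, r2


# Constructed sample: PPT grows by roughly 0.5 us per rule with small jitter,
# the shape expected from a sequential search over the policy.
SEQUENTIAL_PPT = [10.1, 10.6, 11.0, 11.6, 12.0, 12.4, 13.1, 13.5, 14.0, 14.6]
# Constructed sample: flat PPT with jitter, as a tree- or TCAM-based
# classifier would show (lookup cost independent of rule position).
FLAT_PPT = [10.2, 10.0, 10.3, 9.9, 10.1, 10.2, 10.0, 10.3, 9.8, 10.1]

if __name__ == "__main__":
    for name, data in (("sequential", SEQUENTIAL_PPT), ("flat", FLAT_PPT)):
        seq, slope, r2 = infer_sequential_search(data)
        print(f"{name}: sequential={seq} slope={slope:.3f} r2={r2:.3f}")
```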

Firewall Characteristics – Sequential Search (slides 12-14: measurement figures only)

Firewall Characteristics – Sensitivity to Traffic Load (slides 15-16: measurement figures only)

Firewall Characteristics – Caching and Statefulness (slide 17)
- Cache effectiveness (C): the ratio of the PPT of the first probe packet to the median PPT of the remaining packets in the same sequence.
  - C > 1: effective caching.
  - C ~= 1: no caching, or caching that is not effective.
- Caching effective in TCP Fix and UDP Fix only: the cache keys on 5 header fields, which implies flow caching.
- Caching effective in TCP Vary and UDP Vary as well: the cache keys on 4 fields (no source port), which implies rule caching.

Firewall Characteristics – Caching and Statefulness (slide 18: measurement figure only)

Firewall Characteristics – Packet Protocol and Payload Size (slides 19-20: measurement figures only)

Firewall Inference – TCP Probe Packets (slide 21)
- 2 consecutive probe packets.
- Each has the TCP SYN flag set together with one other TCP flag.

Firewall Inference – Packet Processing Time (slide 22)
- A dataset of 3600 data points.
- Each point: 11 consecutive probe packets in the 4 modes (TCP Fix, …), with and without payload (8 sequences in total).
- Packets collected at 3 load levels: no load, medium load, full load.
- Each point x has 24 features:
  - x_{3i-2}: median
  - x_{3i-1}: standard deviation
  - x_{3i}: cache effectiveness
- Labels:
  - Y1 = {'FW1', 'FW2', 'FW3'}
  - Y2 = {'stateful', 'stateless'}
  - Y3 = {'FW1-SF', 'FW2-SF', 'FW3-SF', 'FW1-SL', 'FW2-SL', 'FW3-SL'}
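To make slides 17 and 22 concrete, here is an added example (not the paper's or the presenter's code) that computes cache effectiveness C for a probe sequence, builds the 24-feature vector (median, standard deviation, C for each of the 8 sequences) that would feed the classifier, and applies the slide 17 rule to label the caching type. The PPT data and the C > 1.2 threshold are constructed assumptions, not measurements from the paper.

```python
# Added example, not from the paper: feature extraction for firewall inference.
from statistics import median, pstdev

MODES = ("TCP Fix", "TCP Vary", "UDP Fix", "UDP Vary")


def cache_effectiveness(ppts):
    """Slide 17: C = PPT of the first probe / median PPT of the rest."""
    return ppts[0] / median(ppts[1:])


def feature_vector(sequences):
    """sequences maps (mode, has_payload) -> list of 11 PPTs (microseconds).
    Returns the 24 features of slide 22, ordered (median, std, C) per
    sequence, i.e. x_{3i-2}, x_{3i-1}, x_{3i} for sequence i."""
    feats = []
    for mode in MODES:
        for payload in (False, True):
            ppts = sequences[(mode, payload)]
            feats += [median(ppts), pstdev(ppts), cache_effectiveness(ppts)]
    return feats


def caching_type(sequences, threshold=1.2):
    """Slide 17 rule.  Effective only for Fix sequences: the cache keys on all
    5 header fields (flow caching).  Effective for Vary sequences as well:
    the source port is not part of the key (rule caching).  The threshold
    separating C > 1 from C ~= 1 is an assumption of this example."""
    eff = {m: cache_effectiveness(sequences[(m, False)]) > threshold for m in MODES}
    fix_hit = eff["TCP Fix"] and eff["UDP Fix"]
    vary_hit = eff["TCP Vary"] and eff["UDP Vary"]
    if fix_hit and vary_hit:
        return "rule caching"
    if fix_hit:
        return "flow caching"
    return "no effective caching"


def constructed_flow_cache_fw():
    """Constructed PPT data for a hypothetical flow-caching firewall: the
    first packet of every sequence pays the full classification cost (30 us);
    later packets are fast (about 10 us) only when the 5-tuple repeats, so
    Vary sequences, whose source port changes every packet, never hit."""
    seqs = {}
    for mode in MODES:
        for payload in (False, True):
            base = 30.0 if "Vary" in mode else 10.0
            seqs[(mode, payload)] = [30.0] + [base + 0.1 * (i % 3) for i in range(10)]
    return seqs
```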

Firewall Inference – Packet Processing Time (slide 23)
- Classifier: SVM.

Firewall Inference – Packet Processing Time (slides 24-25: result figures only)

Conclusion and Future Work (slide 26)
- Methods for finding firewall characteristics.
- Using these characteristics, the paper shows 2 methods for inferring the firewall implementation.
- Future work: defense mechanisms.