Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Science of Firewall Analysis Presented By Athena Security Secure by Analysis 25 th April 2009.

Published byMaddison Soward Modified over 9 years ago

Similar presentations

Presentation on theme: "The Science of Firewall Analysis Presented By Athena Security Secure by Analysis 25 th April 2009."— Presentation transcript:

1 The Science of Firewall Analysis Presented By Athena Security Secure by Analysis 25 th April 2009

2 Contents Introduction to Firewall Concepts and Policy Analysis Firewall Complexity Demo of Complexity Analysis Firewall Rule Conflicts Semantic Firewall Analysis Semantic Analysis with Athena FirePAC About Athena Security Questions and Answers

3 Introduction To Firewall Concepts ‏ A firewall’s place in the network Audit of firewalls The OSI reference model A firewall abstraction Types of firewalls

4

5 From: http://www.netcraftsmen.net/welcher/papers/pix01.html A Typical Network Concepts: multi-homed device firewall zones DMZ access paths routing direction of traffic filtering network address translation

6 Audit of Firewalls Firewall audits try to find out if the stated policy is the implemented policy. Firewall audits determine if network best practices are being followed. Firewall audits assess network risk. Are RFC 1918 and reserved IP addresses blocked as sources? Are insecure network services like HTTP, FTP, Telnet, SNMP, LDAP, Net BIOS, or X11 blocked? Are potentially risky but required services such as HTTPS, SMTP, and DNS isolated in a DMZ? From the SANS firewall checklist

7 From: http://www.netcraftsmen.net/welcher/papers/pix01.html Auditing a Firewall What other services besides http and ftp are allowed to the DMZ? Are insecure services blocked from the external interface? Can sources with private IP addresses enter through the external interface? Are insecure services blocked from the external interface? Can sources with private IP addresses enter through the external interface?

8 Audit of Firewalls Firewall audits require understanding firewall policy Firewall policy can be defined as the set of discrete source and destination addresses and services that are allowed or denied by the firewall at each of its interfaces Firewall policy is constructed from Security rules or Access Control Lists (ACLs) Network Address Translation rules Route rules The nature of rule execution and sequence of rules Firewall’s default behavior

9 Firewall Rules Security rules –Also called ACLs or filter rules –Primary access control responsibility –Most commonly changed in production Network Address Translation rules –Source or destination address translation –Used for anonymity or to share public IP addresses –Complex to manually interpret Routing rules –Data packet routing –Offers some degree of access control

10 Firewall Policy In general, firewall rules can be expressed as where P is a predicate describing what packets to match and is an ‘n’ tuple describing values for network sources, destinations and services. where action is one of (allow, deny, route, snat, dnat) Complete analysis requires the following to be taken into account Rule order All possible paths (physical and virtual) Routing actions Transformation actions

11 Lets take a quick recap of the OSI communications model and how data is transmitted between computers. http://geekandpoke.typepad.com/geekandpoke/images/2008/01/21/twitterfeed.jpg

12 The OSI reference model Sending Computer Receiving Computer

13 The IP Header IP address is a logical address 192.168.1.100 Netmask FFFF FFFF FFFF 0000 192.168.1.100/24 Protocols IPv4, IPv6, IPSec, ICMP

14 TCP and UDP Headers Transport Control Protocol Header User Datagram Protocol Header Source and Destination Ports Integers between 0 and 255

15 Firewall State Machine The IPTables Linux Firewall Every firewall has a distinct state machine processing model. Rules are collected into rulesets Routing, address translation and filtering rulesets are processed in the sequence laid out by the firewall’s processing model.

16 An abstract firewall model Input Address Space Rule Space intersected space is acted upon by the rules and accepted or denied. non intersected space is acted upon by the default action. Input Address Space = UNIVERSAL SPACE Output Address Space = FIREWALL POLICY Rulesets At each ruleset

17 Firewall Types Classification by interception layer –Layer 2 Transparent Firewalls Bridges –Layer 3,4 Network Firewalls –Layer 7 Application Firewalls Classification by statefulness –Stateless Not aware of sessions or traffic patterns Cannot detect replies that are forged fast –Stateful Aware of sessions and can detect illegal replies.

18 Other Functions of a firewall Network Address Translation (NAT) or Port Address Translation (PAT)‏ Content filtering (Java/ActiveX)‏ URL filtering IPsec VPN Support for leading X.509 PKI solutions DHCP client/server PPPoE support Advanced security services for multimedia applications and protocols including Voice over IP (VoIP), H.323, SIP, Skinny and Microsoft NetMeeting AAA (RADIUS/TACACS+) integration

19

20 Contents Introduction to Firewall Concepts and Policy Analysis Firewall Complexity Demo of Complexity Analysis Firewall Rule Conflicts Semantic Firewall Analysis Semantic Analysis with Athena FirePAC About Athena Security Questions and Answers

21 Firewall Complexity Firewall complexity defined. Complexity parameters. Correlation between complexity and errors. Reducing complexity. Complexity and firewall performance.

22 Firewall Complexity Firewall complexity is a measure of the number of discrete elements of policy that is programmed into the device. Firewall complexity expresses itself during computation by an explosion of independent policy geometries that have to be managed.

23 Effect of Complexity Likelihood of errors Cost of management Difficulty of test and audit

24 Correlation between Complexity and Errors Rule-base complexity = Rules + Objects + Interfaces * (Interfaces -1) * 0.5 Source: IEEE magazine, June 2004

25 Complexity Parameters Number of native rules Number of security rules Number of address translation rules Number of interfaces Number of rules with ‘any’ source and ‘any’ destination Number of expanded rules

26 Reducing Firewall Complexity Benchmark complexity with respect to other firewalls Use tools to do periodic firewall analysis and clean up rule base –Discard unused rules –Avoid rule conflicts Audit the rule base for best practices Always use specific addresses/services in a rule. Avoid the use of “Any’. Ensure rules are disjoint.

27 Firewall Performance Measured By –Packets per Second –Connections per Second –Transactions per Second –Maximum Concurrent Connections –SMTP Sessions per Second –DNS Requests per Second –Latency

28 Complexity and Performance Performance inversely correlated to size of rule base –Most used rules may be deep down in the rule order Difficult to improve performance through rule re-ordering –Rule movements can cause inadvertent policy changes –Optimization is difficult

29 Contents Introduction to Firewall Concepts and Policy Analysis Firewall Complexity Demo of Complexity Analysis Firewall Rule Conflicts Semantic Firewall Analysis Semantic Analysis with Athena FirePAC About Athena Security Questions and Answers

30 Contents Introduction to Firewall Concepts and Policy Analysis Firewall Complexity Demo of Complexity Analysis Firewall Rule Conflicts Semantic Firewall Analysis Semantic Analysis with Athena FirePAC About Athena Security Questions and Answers

31 Rule Conflicts - Types –Shadowing One or more preceding rules match a superset of the packets matched by a given rule and the rules have different actions. –Redundant One or more preceding rules match a superset of the packets that are matched by a given rule and the rules have the same action. –Correlation Two rules are correlated when each rule matches some of the packets matched by the other and they have different actions. –Generalization A rule is a generalization of a previous rule if they have different actions and the subsequent rule matches a superset of all the packets matched by the preceding rule.

32 Rule Conflicts - Examples Shadowing –access-list inbound deny tcp any 10.20.1.0 255.255.255.0 eq https –access-list inbound permit tcp any host 10.20.1.89 eq https Redundant –access-list inbound deny tcp any 10.20.1.0 255.255.255.0 eq https –access-list inbound deny tcp any host 10.20.1.89 eq https

33 Rule Conflicts - Examples Correlation –object-group network rfc1918 –network-object 10.0.0.0 255.0.0.0 –network-object 172.16.0.0 255.240.0.0 –network-object 192.168.0.0 255.255.0.0 –access-list inbound permit icmp any any –access-list inbound deny ip object-group rfc1918 any Generalization –access-list inbound permit tcp any 10.20.1.0 255.255.255.0 eq https –access-list inbound deny tcp any 10.20.1.0 255.255.255.0 any

34 Rule Conflicts - Consequences Shadowed –A shadowed rule will never be activated. This rule conflict indicates a possible mis- configuration where services are either being allowed or denied unintentionally. Redundant –A redundant rule has no effect on policy. Correlation –The action performed on the traffic that matches the intersection of the two rules is dependent on the ordering of the rules. Generalization –The preceding rule represents an exception to the policy applied by the following rule.

35 The Policy Tree http://www.crocodile.org/lord/fwpolicy.pdf

36 Impact of Rule Conflicts Potentially incorrect policy Potentially insecure configuration Degraded performance Increased maintenance effort Increased cost of compliance to standards

37 Optimal Rule Order Consider rule usage. –More frequently used rules should show higher up in the rule base. Unused rules and disabled rules should be removed Rules without logging and without comments should be reviewed “Decaying” rules should be observed and subsequently removed Correlation of a rule with other rules should be considered

38 Contents Introduction to Firewall Concepts and Policy Analysis Firewall Complexity Demo of Complexity Analysis Firewall Rule Conflicts Semantic Firewall Analysis Semantic Analysis with Athena FirePAC About Athena Security Questions and Answers

39 Semantic Firewall Analysis Introduction to semantic firewall analysis Examples Common errors with pattern matching Demonstration

40 Semantic Analysis Route rules SNAT rules Filter rules DNAT rules Filter rules denied accepted transformed non routable routed transformed denied accepted IN OUT

41 Semantic Analysis Not based on pattern matching (or syntactic analysis) –No false positives Includes NAT and ROUTE rules in analysis –Accurate –Not possible with pattern matching Universal analysis –Comprehensive –Full address space covered

42 Typical Analysis (between an ingress and egress interface) Depending on firewall, one or more rule sets may apply to the data flow path. Input set ‘I’ consists of the set of all packets with every possible source and destination addresses and ports and all protocols. That is, the entire address space. Analysis yields result set ‘A’ of all packets that can possibly reach the egress interface and the set ‘D’ of all denied packets. I = A union D

43 The mathematics of rule processing For the j th rule in a rule set, we define the current state ‘S’ as where A j and D j denote the packets accepted and denied before the j th rule. Let R j be For the first rule: R 1 = I, A 0 = B 0 = { } For each subsequent rule, the current state ‘S’ is updated by the following transformation until the last rule is covered. If, = R j+1 = R j – (A j  P j )

44 Geometrical Intersection A input B rule  = A1A1 A2A2 A3A3 B2B2 B1B1 Geometries have 5 dimensions 1. Source address 2. Destination address 3. Source port 4. Destination port 5. Protocol Universal Address Space Rule Application

45 Examples access-list inbound permit tcp any 10.20.1.0 255.255.255.0 eq https access-list inbound deny tcp any host 10.20.1.89 eq https OBSERVATIONS 1. The second rule denies the HTTPS service to a single host on the same subnet. 2. The first rule permits inbound access to HTTPS service for all hosts on the 10.20.1.0/24 subnet. 3. A shadow conflict! 4. Easy to spot because rules are adjacent. May not be so always. 5. Pattern matching may not discover problem.

46 Examples access-list inbound permit icmp any any access-list inbound deny ip object-group rfc1918 any object-group network rfc1918 network-object 10.0.0.0 255.0.0.0 network-object 172.16.0.0 255.240.0.0 network-object 192.168.0.0 255.255.0.0 OBSERVATIONS 1. Simple review might would find that potentially spoofed private IP addresses are blocked. 2. Reality is that an entire class of packets with illegal addresses would be allowed. 3. A correlation conflict! 4. Not easy to spot even when rules are adjacent. 5. Difficult to syntactically discover such anomalies.

47 Contents Introduction to Firewall Concepts and Policy Analysis Firewall Complexity Demo of Complexity Analysis Firewall Rule Conflicts Semantic Firewall Analysis Semantic Analysis with Athena FirePAC About Athena Security Questions and Answers

48 About Athena Security Inc. ‏ Established in 2007 Launched and funded by Lisle Technology Partners Focus on analytical solutions for network security –Reduce testing effort for security FirePAC launched in September 2008 –Automates firewall audits –Over 300 global users –Key markets – compliance and security audits Other products –Athena Verify for Networks

49 Thank You and Questions

Download ppt "The Science of Firewall Analysis Presented By Athena Security Secure by Analysis 25 th April 2009."

Similar presentations

CCENT Study Guide Chapter 12 Security.

CCENT Study Guide Chapter 12 Security.
Network Security Essentials Chapter 11

Network Security Essentials Chapter 11
Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
IUT– Network Security Course 1 Network Security Firewalls.

IUT– Network Security Course 1 Network Security Firewalls.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.

1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Firewalls CS432. Overview  What are firewalls?  Types of firewalls Packet filtering firewalls Packet filtering firewalls Sateful firewalls Sateful firewalls.

Firewalls CS432. Overview  What are firewalls?  Types of firewalls Packet filtering firewalls Packet filtering firewalls Sateful firewalls Sateful firewalls.
Detection and Resolution of Anomalies in Firewall Policy Rules

Detection and Resolution of Anomalies in Firewall Policy Rules
A Brief Taxonomy of Firewalls

A Brief Taxonomy of Firewalls
CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.

CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.
Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.

Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.
Intranet, Extranet, Firewall. Intranet and Extranet.

Intranet, Extranet, Firewall. Intranet and Extranet.
January 2009Prof. Reuven Aviv: Firewalls1 Firewalls.

January 2009Prof. Reuven Aviv: Firewalls1 Firewalls.
NetworkProtocols. Objectives Identify characteristics of TCP/IP, IPX/SPX, NetBIOS, and AppleTalk Understand position of network protocols in OSI Model.

NetworkProtocols. Objectives Identify characteristics of TCP/IP, IPX/SPX, NetBIOS, and AppleTalk Understand position of network protocols in OSI Model.
Chapter 6: Packet Filtering

Chapter 6: Packet Filtering
Jaringan Komputer Dasar OSI Transport Layer Aurelio Rahmadian.

Jaringan Komputer Dasar OSI Transport Layer Aurelio Rahmadian.
Objectives Configure routing in Windows Server 2008 Configure Routing and Remote Access Services in Windows Server 2008 Network Address Translation 1.

Objectives Configure routing in Windows Server 2008 Configure Routing and Remote Access Services in Windows Server 2008 Network Address Translation 1.
1 The Firewall Menu. 2 Firewall Overview The GD eSeries appliance provides multiple pre-defined firewall components/sections which you can configure uniquely.

1 The Firewall Menu. 2 Firewall Overview The GD eSeries appliance provides multiple pre-defined firewall components/sections which you can configure uniquely.

Similar presentations

Ads by Google