Presentation is loading. Please wait.

Presentation is loading. Please wait.

Distributed Firewall Policy Validation by Kyle Wheeler.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Distributed Firewall Policy Validation by Kyle Wheeler."— Presentation transcript:

1 Distributed Firewall Policy Validation by Kyle Wheeler

2 Outline 1. Introduction Justification Requirements 2. Design Approaches Architecture 3. Implementation Requirements Graphing Example Policy Example 4. Conclusions

3 Security is IMPORTANT Computer-based attacks are increasing Code Red: 2000 hosts/minute (2001) Slammer: 55 million scans/second (2003) Attacks are becoming more damaging CISCO’s IOS code stolen Valve’s HalfLife 2 code stolen Trend Micro says: $13 billion in 2001 $20 billion in 2002 $55 billion in 2003 (source)source

4 Security is HARD Firewalls Most popular security method Rules can and do become very complex Not only method, however Large networks have: Many different administrators Diverse software Security of large networks requires: Centralized control Uniform software No unified method of verifying security policy implementation For example, The University of Notre Dame network

5 Rules for the Solution Few Requirements Network-connectivity independent Mostly system-setup independent Cannot require root access Independent of firewall implementations Flexible Testing Out-of-order data collection (some support) Non-uniform distribution of testing nodes Define a testable security policy language

6 Analysis Approaches Static Vulnerability Analysis Splint Threat Modeling Regression Testing

7 Static Vulnerability Analysis The Good Avoids logical ambiguity Avoids common loopholes and mistakes Easy to understand The Bad Requires detailed knowledge of the implementation Implementation- specific Does not address system interactions

8 Threat Modeling The Good Models entire system Views system as an attacker would Determines vulnerability “surface” The Bad Requires full knowledge of all system details

9 Regression Testing The Good Does not need implementation- specific details Easy to understand The Bad Effectiveness is tied to the completeness of the policy Can miss some vulnerabilities

10 Data Collection Framework Hierarchical organization Handles complex networks Allows asynchronous operation Wizard Big picture management, handles policy testing setup Manager Organization, Coordination, Retrieval Prober Low-level testing, yes/no answers

11 Managers & Probers Good Features Subordinate Managers Commands can be any length Key Features Hierarchical Naming Maildir-like communication

12 Hierarchical Naming Names contain routing information Names are given or assigned Network must be laid out intelligently No auto-discovery Manually connectable Must be a root to the tree (base) Three kinds of sub-names base.m1.m1.p2.t1.t Example, slide 17, 12

13 Maildir-like Algorithm Benefits No locks: NFS safe No partial-files No new communication server to secure Two-step file creation Create in tmp, then move to new Need unique new name Use pid and random Could use more (inode#, for example) Waiting For Results Requires Polling

14 Given a complex network… Administrator’s Console Firewall Prober Manager Prober Manager Prober Manager Prober

15 … Handled Nicely Prober Manager Prober Manager Prober Manager Administrator’s Console Firewall

16 Or, More Realistically… 192.168.0.131 24.11.249.68 internet 129.74.152.6 129.74.152.2129.74.155.226 172.16.0.16172.16.0.17

17 ... Which Can be Organized 192.168.0.130 Wizard & Manager base 192.168.0.132 Prober base.p1 192.168.0.131 Prober base.p2 129.74.152.2 Prober base.m1.p2 172.16.0.17 Prober base.m1.m1.p2 172.16.0.16 Prober base.m1.m1.p1 129.74.155.226 Manager - base.m1 Prober - base.p3 129.7.152.6 Manager - base.m1.m1 Prober - base.m1.p1 24.11.249.68 Prober base.p4

18 The Implementation Requirements: ttcp installed in PATH Binary connection testing bash available, in PATH Written in bash SSH access, without password Security issue Impact can be reduced with careful administration Graphing with Graphviz

19 Raw Manager Capability Hosts, fully connected: wopr.memoryhole.net iss.cse.nd.edu salinan.cse.nd.edu itisfast.cse.nd.edu Legend: Black line = confirmed connection Dotted line = one side reported connection Red line = one side reported, one side denied

20 The Wizard Interchangeable element Interprets policy language Generates and spawns tests At least three per assertion Otherwise 50% of all possible Interprets results of tests Must have control of “base” Manager

21 Example Policy network iss 172.16.0.0 255.255.0.0 network nd 127.74.0.0 255.255.0.0 network brk 192.168.0.0 255.255.0.0 brk -> nd brk -> iss via 129.74.152.6 nd -> brk via 24.11.249.168 nd -> iss via 129.74.152.6 iss -X nd iss -X brk 16

22 Conclusions Design is feasible Implementation works as expected Being generic is hard Future Work Investigate long-running “continuous” testing Policy language needs further flexibility Speed of testing

23 Any Questions?

Download ppt "Distributed Firewall Policy Validation by Kyle Wheeler."

Similar presentations

The Role of Trust Management in Distributed Systems Authors Matt Blaze, John Feigenbaum, John Ioannidis, Angelos D. Keromytis Presented By Akshay Gupte.

The Role of Trust Management in Distributed Systems Authors Matt Blaze, John Feigenbaum, John Ioannidis, Angelos D. Keromytis Presented By Akshay Gupte.
Chapter 1: Introduction to Scaling Networks

Chapter 1: Introduction to Scaling Networks
Introducing Campus Networks

Introducing Campus Networks
Firewall Query Engine and Firewall Comparison Engine Mohamed Gouda Alex X. Liu Computer Science Department The University of Texas at Austin.

Firewall Query Engine and Firewall Comparison Engine Mohamed Gouda Alex X. Liu Computer Science Department The University of Texas at Austin.
Chapter One The Essence of UNIX.

Chapter One The Essence of UNIX.
A Java Architecture for the Internet of Things Noel Poore, Architect Pete St. Pierre, Product Manager Java Platform Group, Internet of Things September.

A Java Architecture for the Internet of Things Noel Poore, Architect Pete St. Pierre, Product Manager Java Platform Group, Internet of Things September.
Scalable Flow-Based Networking with DIFANE 1 Minlan Yu Princeton University Joint work with Mike Freedman, Jennifer Rexford and Jia Wang.

Scalable Flow-Based Networking with DIFANE 1 Minlan Yu Princeton University Joint work with Mike Freedman, Jennifer Rexford and Jia Wang.
Highly Available Central Services An Intelligent Router Approach Thomas Finnern Thorsten Witt DESY/IT.

Highly Available Central Services An Intelligent Router Approach Thomas Finnern Thorsten Witt DESY/IT.
8.

8.
Zhang Fu, Marina Papatriantafilou, Philippas Tsigas Chalmers University of Technology, Sweden 1 ACM SAC 2010 ACM SAC 2011.

Zhang Fu, Marina Papatriantafilou, Philippas Tsigas Chalmers University of Technology, Sweden 1 ACM SAC 2010 ACM SAC 2011.
Chapter 12 Distributed Database Management Systems

Chapter 12 Distributed Database Management Systems
Improving Data Access in P2P Systems Karl Aberer and Magdalena Punceva Swiss Federal Institute of Technology Manfred Hauswirth and Roman Schmidt Technical.

Improving Data Access in P2P Systems Karl Aberer and Magdalena Punceva Swiss Federal Institute of Technology Manfred Hauswirth and Roman Schmidt Technical.
1 The Spread of the Sapphire/Slammer Worm D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, N. Weaver Presented by Stefan Birrer.

1 The Spread of the Sapphire/Slammer Worm D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, N. Weaver Presented by Stefan Birrer.
Enterprise Network Security Accessing the WAN Lecture week 4.

Enterprise Network Security Accessing the WAN Lecture week 4.
WAN Technologies.

WAN Technologies.
–Streamline / organize Improve readability of code Decrease code volume/line count Simplify mechanisms Improve maintainability & clarity Decrease development.

–Streamline / organize Improve readability of code Decrease code volume/line count Simplify mechanisms Improve maintainability & clarity Decrease development.
A centralized system.  Active Directory is Microsoft's trademarked directory service, an integral part of the Windows architecture. Like other directory.

A centralized system.  Active Directory is Microsoft's trademarked directory service, an integral part of the Windows architecture. Like other directory.
1 MASTERING (VIRTUAL) NETWORKS A Case Study of Virtualizing Internet Lab Avin Chen Borokhovich Michael Goldfeld Arik.

1 MASTERING (VIRTUAL) NETWORKS A Case Study of Virtualizing Internet Lab Avin Chen Borokhovich Michael Goldfeld Arik.
CISCO CONFIDENTIAL – DO NOT DUPLICATE OR COPY Protecting the Business Network and Resources with CiscoWorks VMS Security Management Software Girish Patel,

CISCO CONFIDENTIAL – DO NOT DUPLICATE OR COPY Protecting the Business Network and Resources with CiscoWorks VMS Security Management Software Girish Patel,
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

Similar presentations

Ads by Google