Presentation is loading. Please wait.

Presentation is loading. Please wait.

AlgoSec Inc.1 Firewall Configuration Errors Revisited Avishai Wool CTO & Co-Founder, AlgoSec and Prof., Tel Aviv University.

Published byArron August Patrick Modified over 9 years ago

Similar presentations

Presentation on theme: "AlgoSec Inc.1 Firewall Configuration Errors Revisited Avishai Wool CTO & Co-Founder, AlgoSec and Prof., Tel Aviv University."— Presentation transcript:

1 AlgoSec Inc.1 Firewall Configuration Errors Revisited Avishai Wool CTO & Co-Founder, AlgoSec and Prof., Tel Aviv University

2 AlgoSec Inc.2 Agenda  Introduction  Data sources and procedures  Configuration errors  Highlights of 2004 study  Results and discussion

3 AlgoSec Inc.3 Firewalls seem to be badly configured:  45% of companies worldwide suffered attacks from viruses and worms in the last 12 months (this is a made up statistic, true in every year …)  A properly configured firewall could easily block attacks such as: Sasser worm: attacked port 445 (Netbios) Saphire SQL worm: attacked port 1431 Blaster worm: attacked ports 135/137 (Netbios)  Firewall configs are deemed sensitive – why? Admins know they have holes… Security by obscurity?

4 AlgoSec Inc.4 Can we quantify the problem? 1.Need firewall configuration data Not available publicly 2.Need to understand the configurations Complex vendor-dependent configuration languages 3.What is an error? Subjective, organization-dependent

5 AlgoSec Inc.5 #1 : We have the data  AlgoSec performed firewall analysis for hundreds of customers since 2000  Data is under non-disclosure agreements – but we can publish statistics

6 AlgoSec Inc.6 #2 : We have the technology  Firewall Analyzer software can parse configuration languages (Check Point, Cisco PIX, Cisco Router Access-lists)

7 AlgoSec Inc.7 #3 : What is an error?  Idea: only count “obvious” errors  Rely on “best practices”: SANS Top 20 CERT PCI DSS (Payment Card Industry) NIST 800-41 …

8 AlgoSec Inc.8 Plan of action First study (2004): Check Point Firewall-1 configurations Select 12 severe errors Analyze available configurations Count number of errors Statistical analysis to identify causes and trends Current study: Both Check Point and Cisco PIX Larger - 2x number of configurations More in-depth: 36 severe errors, Check whether 2004 findings are still valid

9 AlgoSec Inc.9 Timeline of data collection  Configuration files were collected between 2000-2005  Check Point Firewall-1 versions: 3.0, 4.0 – “end-of-life” 4.1 – was still supported NG – released in 2001, minor versions FP3, R54, R55  Cisco PIX PIX versions 4.x, 5.x, 6.x, 7.0

10 AlgoSec Inc.10 Highlights of the 2004 study

11 AlgoSec Inc.11 54%

12 AlgoSec Inc.12 Firewall-1 version helps On average, 2 risks less

13 AlgoSec Inc.13 Why did the version matter?  Some risks are the result of Check Point “implicit rules”  Changed default values in v4.1  New policy wizard to create a reasonable initial configuration

14 AlgoSec Inc.14 How to measure complexity  RC (Rule Complexity) = #Rules + #Network Objects + (#interfaces choose 2)  2 interfaces  1 data path  3 interfaces  3 data paths  4 interfaces  6 data paths, etc

15 AlgoSec Inc.15 Small is Beautiful

16 AlgoSec Inc.16 Current Results

17 AlgoSec Inc.17 Why should anything change?  Regulation and Compliance: Sarbanes-Oxley / Basel-II / CobiT / ISO 27001 Payment Card Industry (PCI DSS) NIST 800-41 …  Different vendors – different issues?  New software versions – continue the trend?

18 AlgoSec Inc.18 Differences from 2004 report  Both Check Point and PIX  2x configurations tested  Newer software versions  Vendor-neutral risk items 8 of 12 properties in 2004 study were specific to Check Point  Pick a new set of 36 risk items  Inbound / Outbound / Internal traffic

19 AlgoSec Inc.19 Firewalls still badly configured 42%

20 AlgoSec Inc.20 Version does not matter … (Check Point)

21 AlgoSec Inc.21 Version does not matter … (PIX)

22 AlgoSec Inc.22 Why?  Vendor-neutral risks are controlled by basic filtering functionality  Basic filtering controlled by explicit user-defined rules, rather than “check boxes” with vendor “know-how” (??)  Neither vendor has changed the basic filtering capabilities in years (and it’s unlikely that they will)

23 AlgoSec Inc.23 How to measure complexity of a PIX?  Check Point: Single rule-base Separate object database  Cisco PIX: Separate rule-base per interface No object database (almost)  Old RC metric not very suitable for PIX!

24 AlgoSec Inc.24 Issues with old RC metric (even on Check Point)  Not enough weight to #interfaces: #rules: 100s – 1000s #objects: 1000s #interfaces: 2-20 – dwarfed (even when quadratic)  Example: A firewall with 12 interfaces should be much more complex than with 3 … RC contribution by interfaces is only 66

25 AlgoSec Inc.25 A New Firewall Complexity Measure  Idea: pretend to “compile” Check Point configuration into a PIX configuration Duplicate the rule-base, once per interface Add the object database once Count the resulting “number of lines” Compare with PIX config “number of lines” (minus some PIX boilerplate) Check Point: FC = (#rules * #interfaces) + #objects PIX: FC = #lines - 50

26 AlgoSec Inc.26 Complexity distributions The range of complexity is comparable

27 AlgoSec Inc.27 Small is Still Beautiful Confidential

28 AlgoSec Inc.28 Check Point vs PIX

29 AlgoSec Inc.29 Questions?  E-mail: yash@eng.tau.ac.il avishai.wool@algosec.com http://www.algosec.com  Published in: IEEE Internet Computing, 14(4):58-65, 2010  2004 study: IEEE Computer, 37(6):62-67, 2004

Download ppt "AlgoSec Inc.1 Firewall Configuration Errors Revisited Avishai Wool CTO & Co-Founder, AlgoSec and Prof., Tel Aviv University."

Similar presentations

EIDE System Requirements and Specification Documents

EIDE System Requirements and Specification Documents
Outpost Office Firewall Product presentation. What is Outpost Office Firewall? Software firewall solution designed especially to meet small and medium.

Outpost Office Firewall Product presentation. What is Outpost Office Firewall? Software firewall solution designed especially to meet small and medium.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 9: Access Control Lists Routing & Switching.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 9: Access Control Lists Routing & Switching.
Chapter 9: Access Control Lists

Chapter 9: Access Control Lists
How to Improve your Firewall Performance

How to Improve your Firewall Performance
© Vendor Safe Technologies 2008 B REACHES BY M ERCHANT T YPE 70% 1% 9% 20% Data provided by Visa Approved QIRA November 2008 from 475 Forensic Audits.

© Vendor Safe Technologies 2008 B REACHES BY M ERCHANT T YPE 70% 1% 9% 20% Data provided by Visa Approved QIRA November 2008 from 475 Forensic Audits.
The Regulation Zoo: Dealing With Compliance Within The Firewall World

The Regulation Zoo: Dealing With Compliance Within The Firewall World
Network Security In Education A Balancing Act Doug Klein CTO Vernier Networks, Inc.

Network Security In Education A Balancing Act Doug Klein CTO Vernier Networks, Inc.
Presented by: Luke Speed Computer Security. Why is computer security important! Intruders hack into computers to steal personal information that the user.

Presented by: Luke Speed Computer Security. Why is computer security important! Intruders hack into computers to steal personal information that the user.
Chapter 10 Firewalls. Introduction seen evolution of information systems now everyone want to be on the Internet and to interconnect networks has persistent.

Chapter 10 Firewalls. Introduction seen evolution of information systems now everyone want to be on the Internet and to interconnect networks has persistent.
WXES2106 Network Technology Semester 1 2004/2005 Chapter 10 Access Control Lists CCNA2: Module 11.

WXES2106 Network Technology Semester /2005 Chapter 10 Access Control Lists CCNA2: Module 11.
Lesson 14-Desktop Protection. Overview Protect against malicious code. Use the Internet. Protect against physical tampering.

Lesson 14-Desktop Protection. Overview Protect against malicious code. Use the Internet. Protect against physical tampering.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Lesson 19: Configuring Windows Firewall

Lesson 19: Configuring Windows Firewall
Implementing Standard and Extended Access Control List (ACL) in Cisco Routers.

Implementing Standard and Extended Access Control List (ACL) in Cisco Routers.
Computer Networks IGCSE ICT Section 4.

Computer Networks IGCSE ICT Section 4.
1 Enabling Secure Internet Access with ISA Server.

1 Enabling Secure Internet Access with ISA Server.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Www.skyboxsecurity.com Skybox® Security Solutions for Symantec CCS Comprehensive IT Governance Risk and Access Compliance Management Skybox Security's.

Skybox® Security Solutions for Symantec CCS Comprehensive IT Governance Risk and Access Compliance Management Skybox Security's.
Interior Gateway Routing Protocol (IGRP) is a distance vector interior routing protocol (IGP) invented by Cisco. It is used by routers to exchange routing.

Interior Gateway Routing Protocol (IGRP) is a distance vector interior routing protocol (IGP) invented by Cisco. It is used by routers to exchange routing.

Similar presentations

Ads by Google