
Slide 1: Firewall Fingerprinting
Amir R. Khakpour (1), Joshua W. Hulst (1), Zhihui Ge (2), Alex X. Liu (1), Dan Pei (2), Jia Wang (2)
(1) Michigan State University, (2) AT&T Labs - Research
IEEE INFOCOM 2012
Seminar presentation by 左昌國 @ ADLab, NCU

Slide 2: Outline
- Introduction
- Related Work
- Background
- Overview
- Firewall Characteristics
- Firewall Inference
- Conclusion and Future Work

Slide 3: Introduction – Motivation
- Firewalls are the first line of defense for network traffic, but firewalls themselves have vulnerabilities.
- Identifying the firewall implementation (firewall fingerprinting) is the first step of an attack against it.
Limitations of previous work
- Mostly OS fingerprinting.
- A firewall running in bridge mode is not directly addressable, so the packet header analysis that OS fingerprinting relies on is useless for fingerprinting the firewall.
Challenges
- Closed-source implementations; parameters and configuration details are unknown.
- The firewall is not remotely accessible.
- It is therefore difficult to infer the firewall type.

Slide 4: Introduction – This paper
- Proposes a set of techniques that collect information about a firewall from probe packets.
- Identifies firewall characteristics: the packet classification algorithm and the performance under different traffic loads.
- Uses these characteristics to identify the firewall.

Slide 5: Related Work
- OS fingerprinting tools: NMAP, xprobe2++, p0f
- OS fingerprinting research: Medeiros et al.; Snacktime
- Firewall performance: Lyu and Lau; Funke et al.

Slide 6: Background – Firewall policies and caching
- Rule caching: the cache key is a 4-tuple (source IP, destination IP, destination port, protocol type); the source port is not part of the key, so packets of different flows between the same endpoints and service hit the same cache entry.
- Flow caching: the cache key is the 5-tuple (the 4-tuple plus the source port), i.e. one cache entry per flow.

Slide 7: Background – Statefulness and packet classification
- Statefulness: a stateful firewall tracks TCP sessions in a state table, which it updates by examining the TCP flags of incoming TCP packets.
- Packet classification solutions:
  - Software based: sequential search through the rule list, or complex data structures built from the rules.
  - Hardware based: Ternary Content Addressable Memory (TCAM).

Slide 8: Overview
- All measurements are based on the packet processing time (PPT) of probe packets, i.e. the time the firewall takes to process one probe packet.

Slide 9: Firewall Characteristics – Probe packets
- TCP Fix: a sequence of TCP packets with identical packet headers.
- TCP Vary: a sequence of TCP packets with identical packet headers except the source port, which is chosen randomly for each packet.
- UDP Fix: a sequence of UDP packets with identical packet headers.
- UDP Vary: a sequence of UDP packets with identical packet headers except the source port, which is chosen randomly for each probe packet.
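The four probe modes above, built as raw IPv4 packets. This is an added example and not code from the paper; the addresses 10.0.0.2 and 10.0.0.9, destination port 80 and the fixed source port 40000 are hypothetical. Sending (a raw socket, which needs root) is left out so that the block runs offline; what it shows is exactly which header field changes between the Fix and Vary sequences, plus a checksum self-check.

```python
"""Build the four probe-packet sequences (TCP Fix, TCP Vary, UDP Fix,
UDP Vary) as raw IPv4 packets.  Added example, not the paper's code;
addresses, ports and the fixed source port are hypothetical."""
import random
import struct

PROTO_TCP = 6
PROTO_UDP = 17
MODES = {"TCP Fix": (PROTO_TCP, False), "TCP Vary": (PROTO_TCP, True),
         "UDP Fix": (PROTO_UDP, False), "UDP Vary": (PROTO_UDP, True)}


def _ip(addr):
    return bytes(int(o) for o in addr.split("."))


def _checksum(data):
    """RFC 1071 Internet checksum (one's-complement sum of 16-bit words)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src, dst, proto, l4_len):
    return src + dst + struct.pack("!BBH", 0, proto, l4_len)


def _ipv4(src, dst, proto, l4):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234,
                      0x4000, 64, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:] + l4


def _tcp(src, dst, sport, dport, payload, flags=0x02):
    """TCP segment (SYN by default), no options, checksum over pseudo-header."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    csum = _checksum(_pseudo_header(src, dst, PROTO_TCP, 20 + len(payload)) + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def _udp(src, dst, sport, dport, payload):
    length = 8 + len(payload)
    hdr = struct.pack("!HHHH", sport, dport, length, 0)
    # A computed checksum of 0 is transmitted as 0xFFFF (0 means "no checksum").
    csum = _checksum(_pseudo_header(src, dst, PROTO_UDP, length) + hdr + payload) or 0xFFFF
    return hdr[:6] + struct.pack("!H", csum) + payload


def build_probe_sequence(mode, n, src="10.0.0.2", dst="10.0.0.9", dport=80,
                         payload=b"", fixed_sport=40000, seed=0):
    """Return n raw packets for one probe mode.  Fix modes repeat an
    identical header; Vary modes draw a fresh random source port per packet
    and keep every other field, which is what later separates flow caching
    (5-tuple key) from rule caching (4-tuple key)."""
    proto, vary = MODES[mode]
    rng = random.Random(seed)
    src_b, dst_b = _ip(src), _ip(dst)
    packets = []
    for _ in range(n):
        sport = rng.randrange(1024, 65536) if vary else fixed_sport
        if proto == PROTO_TCP:
            l4 = _tcp(src_b, dst_b, sport, dport, payload)
        else:
            l4 = _udp(src_b, dst_b, sport, dport, payload)
        packets.append(_ipv4(src_b, dst_b, proto, l4))
    return packets


def source_port(packet):
    """Transport-layer source port of a raw IPv4 packet."""
    ihl = (packet[0] & 0x0F) * 4
    return struct.unpack("!H", packet[ihl:ihl + 2])[0]


def checksums_valid(packet):
    """True if both the IPv4 and the TCP/UDP checksum verify (sum to zero)."""
    ihl = (packet[0] & 0x0F) * 4
    proto, l4 = packet[9], packet[ihl:]
    pseudo = _pseudo_header(packet[12:16], packet[16:20], proto, len(l4))
    return _checksum(packet[:ihl]) == 0 and _checksum(pseudo + l4) == 0
```

The payload argument covers the "with and without payload" variants used later in the dataset; a Fix sequence yields byte-identical packets, while a Vary sequence differs only in the source port and the checksums that depend on it.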

Slide 10: Firewall Characteristics – What is measured
- Background traffic load (no load, medium load, full load).
- Measuring PPT: local measurement (at the firewall) and remote measurement (from the probing host).
- Packet classification algorithm:
  - whether the firewall uses a sequential search based algorithm,
  - whether the performance of the firewall is sensitive to traffic load,
  - how the firewall performs in terms of PPT.

Slide 11: Firewall Characteristics – Sequential Search
- Generate a sequence of probe packets in which each packet matches exactly one of the rules in the policy, and measure the PPT of each probe against the index of the rule it matches.
- PPT growing linearly with the rule index: probably sequential search (rules are inspected top-down, so a packet matching a later rule costs more).
- A different pattern, or no change with the rule index: not sequential search.
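The linearity test of slide 11 as an added example (not the paper's code): one PPT value per matched rule, a least-squares fit of PPT against rule index, and a decision based on the slope sign and the correlation strength. The PPT series are constructed with `simulate_ppt`, not measured; the cut-off `min_r = 0.9` and the cost constants are assumptions chosen for the illustration.

```python
"""Test for sequential-search packet classification from PPT measurements.
Added example; the PPT series come from simulate_ppt (constructed), not
from a real firewall, and min_r is an assumed cut-off."""
import random
import statistics


def median_per_rule(samples):
    """samples[i] holds repeated PPT measurements of the probe that matches
    rule i+1.  Taking the median per rule suppresses measurement jitter,
    which is the main problem with remote measurement."""
    return [statistics.median(s) for s in samples]


def linear_fit(xs, ys):
    """Least-squares slope, intercept and Pearson correlation r of ys on xs."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    slope = sxy / sxx
    r = sxy / (sxx * syy) ** 0.5 if syy > 0 else 0.0
    return slope, my - slope * mx, r


def looks_sequential(ppt_by_rule, min_r=0.9):
    """ppt_by_rule[i] is the PPT of the probe packet that matches exactly
    rule i+1 (one probe per rule, in policy order).  Sequential search
    inspects rules top-down, so PPT should grow linearly with the rule
    index: positive slope and a strong linear correlation.  Returns
    (decision, slope, r)."""
    xs = list(range(1, len(ppt_by_rule) + 1))
    slope, _, r = linear_fit(xs, ppt_by_rule)
    return slope > 0 and r >= min_r, slope, r


def simulate_ppt(n_rules, per_rule_us, base_us=20.0, noise_us=0.5, seed=1):
    """Constructed PPT series in microseconds.  per_rule_us > 0 imitates a
    sequential search (every additional rule inspected costs time);
    per_rule_us == 0 imitates a constant-time lookup such as TCAM."""
    rng = random.Random(seed)
    return [base_us + per_rule_us * i + rng.gauss(0, noise_us)
            for i in range(1, n_rules + 1)]
```

With 200 rules and 0.05 us per rule the fit recovers the slope to within measurement noise, while the constant-time series fails the correlation cut-off even though its fitted slope is not exactly zero; that is why the decision uses both slope and r rather than the slope alone.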

Slides 12-14: Firewall Characteristics – Sequential Search (plots of PPT against the matched-rule index for the tested firewalls; the plotted values do not survive in the transcript)

Slides 15-16: Firewall Characteristics – Sensitivity to Traffic Load (plots of PPT under different background loads; the plotted values do not survive in the transcript)

Slide 17: Firewall Characteristics – Caching and Statefulness
- Cache effectiveness (C): the ratio of the PPT of the first probe packet in a sequence to the median PPT of the remaining packets in the same sequence.
- C > 1: caching is effective (the first packet is classified, later packets hit the cache); C ≈ 1: no caching, or caching is not effective.
- Caching effective in TCP Fix and UDP Fix only: the cache key uses all 5 header fields, i.e. flow caching.
- Caching effective in TCP Vary and UDP Vary as well: the cache key uses 4 fields without the source port, i.e. rule caching.

Slide 18: Firewall Characteristics – Caching and Statefulness (results figure)

Slides 19-20: Firewall Characteristics – Packet Protocol and Payload Size (results figures)

Slide 21: Firewall Inference – TCP Probe Packets
- Two consecutive probe packets, each with the TCP SYN flag set together with one other TCP flag.

Slide 22: Firewall Inference – Packet Processing Time
- Dataset: 3600 data points.
- Each data point: 11 consecutive probe packets sent in each of the 4 modes (TCP Fix, TCP Vary, UDP Fix, UDP Vary), with and without payload, i.e. 8 probe sequences.
- Packets collected at 3 load levels: no load, medium load, full load.
- Feature vector x with 24 features; for probe sequence i (i = 1..8): x_{3i-2} = median PPT, x_{3i-1} = standard deviation of PPT, x_{3i} = cache effectiveness C.
- Labels: Y1 = {FW1, FW2, FW3} (firewall implementation); Y2 = {stateful, stateless}; Y3 = {FW1-SF, FW2-SF, FW3-SF, FW1-SL, FW2-SL, FW3-SL} (implementation and statefulness combined).
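An added example (not the paper's code) that serves both slide 17 and slide 22: it computes cache effectiveness C per probe sequence, lays out the 24-feature vector in the order given above, and reads the caching type off the Fix and Vary sequences. The PPT sequences are constructed (30 us for a classified packet, 10 us for a cache hit) and the decision threshold of 1.2 on C, rather than exactly 1, is an assumed margin against measurement noise.

```python
"""Feature vector (24 features) and caching-type inference from the eight
probe sequences of one data point.  Added example; PPT values are
constructed and the threshold on C is an assumption."""
import statistics

MODES = ["TCP Fix", "TCP Vary", "UDP Fix", "UDP Vary"]
# Sequence i (1-indexed) is SEQUENCE_KEYS[i-1]: 4 modes without payload, then with payload.
SEQUENCE_KEYS = [(m, p) for p in ("no payload", "payload") for m in MODES]


def cache_effectiveness(ppt_seq):
    """C = PPT of the first probe / median PPT of the remaining probes."""
    return ppt_seq[0] / statistics.median(ppt_seq[1:])


def feature_vector(sequences):
    """sequences: dict (mode, payload) -> list of PPTs for one sequence
    (11 probes).  Returns x with x[3i-3]=median, x[3i-2]=std, x[3i-1]=C
    for sequence i, i.e. the 24-feature layout of the dataset (0-indexed)."""
    x = []
    for key in SEQUENCE_KEYS:
        seq = sequences[key]
        x += [statistics.median(seq), statistics.pstdev(seq), cache_effectiveness(seq)]
    return x


def caching_type(sequences, threshold=1.2):
    """Flow caching: C > threshold only for the Fix sequences (5-tuple key,
    the changing source port of Vary defeats the cache).  Rule caching:
    C > threshold for the Vary sequences too (4-tuple key, source port
    ignored).  Otherwise no effective caching."""
    fix_hit = all(cache_effectiveness(sequences[k]) > threshold
                  for k in SEQUENCE_KEYS if "Fix" in k[0])
    vary_hit = all(cache_effectiveness(sequences[k]) > threshold
                   for k in SEQUENCE_KEYS if "Vary" in k[0])
    if fix_hit and vary_hit:
        return "rule caching"
    if fix_hit:
        return "flow caching"
    return "no effective caching"


def constructed_sequences(kind, n=11):
    """Constructed PPTs in microseconds for a firewall whose caching
    behaviour is kind in {"rule", "flow", "none"}: a classified packet
    costs 30 us, a cache hit 10 us.  Not measured data."""
    seqs = {}
    for mode, payload in SEQUENCE_KEYS:
        cached = kind == "rule" or (kind == "flow" and "Fix" in mode)
        rest = [10.0 if cached else 30.0] * (n - 1)
        seqs[(mode, payload)] = [30.0] + rest
    return seqs
```

For the flow-caching case the TCP Fix sequence gives median 10 us and C = 3, while TCP Vary stays at 30 us with C = 1, which is exactly the pattern slide 17 attributes to a 5-tuple cache key. A real measurement would replace `constructed_sequences` with the PPTs gathered per load level, and the resulting vectors with their labels are what the SVM on the next slide is trained on.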

Slide 23: Firewall Inference – Packet Processing Time: an SVM (support vector machine) is trained on the feature vectors and labels of the dataset above to classify the firewall.

Slides 24-25: Firewall Inference – Packet Processing Time (classification results figures)

Slide 26: Conclusion and Future Work
- The paper presents methods for finding firewall characteristics (packet classification algorithm, sensitivity to traffic load, caching and statefulness).
- Using these characteristics, it shows two methods for inferring the firewall implementation: TCP probe packets and packet processing time.
- Future work: defense mechanisms against firewall fingerprinting.

