1 / 49

The Science of Firewall Analysis

The Science of Firewall Analysis. Presented By Athena Security Secure by Analysis 25 th April 2009. Contents. Introduction to Firewall Concepts and Policy Analysis Firewall Complexity Demo of Complexity Analysis Firewall Rule Conflicts Semantic Firewall Analysis

hal
Download Presentation

The Science of Firewall Analysis

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. The Science of Firewall Analysis Presented By Athena Security Secure by Analysis 25th April 2009

  2. Contents • Introduction to Firewall Concepts and Policy Analysis • Firewall Complexity • Demo of Complexity Analysis • Firewall Rule Conflicts • Semantic Firewall Analysis • Semantic Analysis with Athena FirePAC • About Athena Security • Questions and Answers

  3. Introduction To Firewall Concepts ‏ • A firewall’s place in the network • Audit of firewalls • The OSI reference model • A firewall abstraction • Types of firewalls

  4. A Typical Network Concepts: • multi-homed device • firewall zones • DMZ • access paths • routing • direction of traffic • filtering • network address translation From: http://www.netcraftsmen.net/welcher/papers/pix01.html

  5. Audit of Firewalls • Firewall audits try to find out if the stated policy is the implemented policy. • Firewall audits determine if network best practices are being followed. • Firewall audits assess network risk. Are RFC 1918 and reserved IP addresses blocked as sources? Are insecure network services like HTTP, FTP, Telnet, SNMP, LDAP, Net BIOS, or X11 blocked? Are potentially risky but required services such as HTTPS, SMTP, and DNS isolated in a DMZ? From the SANS firewall checklist

  6. Auditing a Firewall Are insecure services blocked from the external interface? Can sources with private IP addresses enter through the external interface? What other services besides http and ftp are allowed to the DMZ? From: http://www.netcraftsmen.net/welcher/papers/pix01.html

  7. Audit of Firewalls • Firewall audits require understanding firewall policy • Firewall policy can be defined as the set of discrete source and destination addresses and services that are allowed or denied by the firewall at each of its interfaces • Firewall policy is constructed from • Security rules or Access Control Lists (ACLs) • Network Address Translation rules • Route rules • The nature of rule execution and sequence of rules • Firewall’s default behavior

  8. Firewall Rules • Security rules • Also called ACLs or filter rules • Primary access control responsibility • Most commonly changed in production • Network Address Translation rules • Source or destination address translation • Used for anonymity or to share public IP addresses • Complex to manually interpret • Routing rules • Data packet routing • Offers some degree of access control

  9. Firewall Policy • In general, firewall rules can be expressed as < P, action > • where P is a predicate describing what packets to match and is an ‘n’ tuple describing values for network sources, destinations and services. • where action is one of (allow, deny, route, snat, dnat) • Complete analysis requires the following to be taken into account • Rule order • All possible paths (physical and virtual) • Routing actions • Transformation actions

  10. Lets take a quick recap of the OSI communications model and how data is transmitted between computers. http://geekandpoke.typepad.com/geekandpoke/images/2008/01/21/twitterfeed.jpg

  11. The OSI reference model Sending Computer Receiving Computer

  12. The IP Header IP address is a logical address 192.168.1.100 Netmask FFFF FFFF FFFF 0000 192.168.1.100/24 Protocols IPv4, IPv6, IPSec, ICMP

  13. TCP and UDP Headers Transport Control Protocol Header User Datagram Protocol Header Source and Destination Ports Integers between 0 and 255

  14. Firewall State Machine The IPTables Linux Firewall Every firewall has a distinct state machine processing model. Rules are collected into rulesets Routing, address translation and filtering rulesets are processed in the sequence laid out by the firewall’s processing model.

  15. An abstract firewall model Input Address Space Output Address Space = FIREWALL POLICY Input Address Space = UNIVERSAL SPACE Rule Space Rulesets intersected space is acted upon by the rules and accepted or denied. non intersected space is acted upon by the default action. At each ruleset

  16. Firewall Types Classification by interception layer • Layer 2 • Transparent Firewalls • Bridges • Layer 3,4 • Network Firewalls • Layer 7 • Application Firewalls Classification by statefulness • Stateless • Not aware of sessions or traffic patterns • Cannot detect replies that are forged • fast • Stateful • Aware of sessions and can detect illegal replies.

  17. Other Functions of a firewall Network Address Translation (NAT) or Port Address Translation (PAT)‏ Content filtering (Java/ActiveX)‏ URL filtering IPsec VPN Support for leading X.509 PKI solutions DHCP client/server PPPoE support Advanced security services for multimedia applications and protocols including Voice over IP (VoIP), H.323, SIP, Skinny and Microsoft NetMeeting AAA (RADIUS/TACACS+) integration

  18. Contents • Introduction to Firewall Concepts and Policy Analysis • Firewall Complexity • Demo of Complexity Analysis • Firewall Rule Conflicts • Semantic Firewall Analysis • Semantic Analysis with Athena FirePAC • About Athena Security • Questions and Answers

  19. Firewall Complexity • Firewall complexity defined. • Complexity parameters. • Correlation between complexity and errors. • Reducing complexity. • Complexity and firewall performance.

  20. Firewall Complexity Firewall complexity is a measure of the number of discrete elements of policy that is programmed into the device. Firewall complexity expresses itself during computation by an explosion of independent policy geometries that have to be managed.

  21. Effect of Complexity • Likelihood of errors • Cost of management • Difficulty of test and audit

  22. Correlation between Complexity and Errors Rule-base complexity = Rules + Objects + Interfaces * (Interfaces -1) * 0.5 Source: IEEE magazine, June 2004

  23. Complexity Parameters • Number of native rules • Number of security rules • Number of address translation rules • Number of interfaces • Number of rules with ‘any’ source and ‘any’ destination • Number of expanded rules

  24. Reducing Firewall Complexity • Benchmark complexity with respect to other firewalls • Use tools to do periodic firewall analysis and clean up rule base • Discard unused rules • Avoid rule conflicts • Audit the rule base for best practices • Always use specific addresses/services in a rule. • Avoid the use of “Any’. • Ensure rules are disjoint.

  25. Firewall Performance Measured By • Packets per Second • Connections per Second • Transactions per Second • Maximum Concurrent Connections • SMTP Sessions per Second • DNS Requests per Second • Latency

  26. Complexity and Performance • Performance inversely correlated to size of rule base • Most used rules may be deep down in the rule order • Difficult to improve performance through rule re-ordering • Rule movements can cause inadvertent policy changes • Optimization is difficult

  27. Contents • Introduction to Firewall Concepts and Policy Analysis • Firewall Complexity • Demo of Complexity Analysis • Firewall Rule Conflicts • Semantic Firewall Analysis • Semantic Analysis with Athena FirePAC • About Athena Security • Questions and Answers

  28. Contents • Introduction to Firewall Concepts and Policy Analysis • Firewall Complexity • Demo of Complexity Analysis • Firewall Rule Conflicts • Semantic Firewall Analysis • Semantic Analysis with Athena FirePAC • About Athena Security • Questions and Answers

  29. Rule Conflicts - Types • Shadowing • One or more preceding rules match a superset of the packets matched by a given rule and the rules have different actions. • Redundant • One or more preceding rules match a superset of the packets that are matched by a given rule and the rules have the same action. • Correlation • Two rules are correlated when each rule matches some of the packets matched by the other and they have different actions. • Generalization • A rule is a generalization of a previous rule if they have different actions and the subsequent rule matches a superset of all the packets matched by the preceding rule.

  30. Rule Conflicts - Examples Shadowing • access-list inbound deny tcp any 10.20.1.0 255.255.255.0 eq https • access-list inbound permit tcp any host 10.20.1.89 eq https Redundant • access-list inbound deny tcp any 10.20.1.0 255.255.255.0 eq https • access-list inbound deny tcp any host 10.20.1.89 eq https

  31. Rule Conflicts - Examples Correlation • object-group network rfc1918 • network-object 10.0.0.0 255.0.0.0 • network-object 172.16.0.0 255.240.0.0 • network-object 192.168.0.0 255.255.0.0 • access-list inbound permit icmp any any • access-list inbound deny ip object-group rfc1918 any Generalization • access-list inbound permit tcp any 10.20.1.0 255.255.255.0 eq https • access-list inbound deny tcp any 10.20.1.0 255.255.255.0 any

  32. Rule Conflicts - Consequences Shadowed • A shadowed rule will never be activated. This rule conflict indicates a possible mis-configuration where services are either being allowed or denied unintentionally. Redundant • A redundant rule has no effect on policy. Correlation • The action performed on the traffic that matches the intersection of the two rules is dependent on the ordering of the rules. Generalization • The preceding rule represents an exception to the policy applied by the following rule.

  33. The Policy Tree http://www.crocodile.org/lord/fwpolicy.pdf

  34. Impact of Rule Conflicts • Potentially incorrect policy • Potentially insecure configuration • Degraded performance • Increased maintenance effort • Increased cost of compliance to standards

  35. Optimal Rule Order • Consider rule usage. • More frequently used rules should show higher up in the rule base. • Unused rules and disabled rules should be removed • Rules without logging and without comments should be reviewed • “Decaying” rules should be observed and subsequently removed • Correlation of a rule with other rules should be considered

  36. Contents • Introduction to Firewall Concepts and Policy Analysis • Firewall Complexity • Demo of Complexity Analysis • Firewall Rule Conflicts • Semantic Firewall Analysis • Semantic Analysis with Athena FirePAC • About Athena Security • Questions and Answers

  37. Semantic Firewall Analysis • Introduction to semantic firewall analysis • Examples • Common errors with pattern matching • Demonstration

  38. Semantic Analysis denied non routable denied IN Filter rules Route rules Filter rules transformed transformed routed accepted accepted DNAT rules OUT SNAT rules

  39. Semantic Analysis • Not based on pattern matching (or syntactic analysis) • No false positives • Includes NAT and ROUTE rules in analysis • Accurate • Not possible with pattern matching • Universal analysis • Comprehensive • Full address space covered

  40. Typical Analysis(between an ingress and egress interface) • Depending on firewall, one or more rule sets may apply to the data flow path. • Input set ‘I’ consists of the set of all packets with every possible source and destination addresses and ports and all protocols. That is, the entire address space. • Analysis yields result set ‘A’ of all packets that can possibly reach the egress interface and the set ‘D’ of all denied packets. • I = A union D

  41. The mathematics of rule processing For the jth rule in a rule set, we define the current state ‘S’ as <Aj, Dj> where Aj and Dj denote the packets accepted and denied before the jth rule. Let Rj be <Aj> For the first rule: R1 = I, A0= B0 = { } For each subsequent rule, the current state ‘S’ is updated by the following transformation until the last rule is covered. If <Pj, accept>, <Aj+1, Dj+1> = <AjÈ (RjÇPj), Dj> If <Pj, deny>, <Aj+1, Dj+1> = <Aj, (RjÇPj) ÈDj> Rj+1 = Rj – (AjÇPj)

  42. Geometrical Intersection Universal Address Space AÇB A input = B rule Rule Application Geometries have 5 dimensions Source address Destination address Source port Destination port Protocol A1 A2 A3 B2 B1

  43. Examples access-list inbound permit tcp any 10.20.1.0 255.255.255.0 eq https access-list inbound deny tcp any host 10.20.1.89 eq https OBSERVATIONS The second rule denies the HTTPS service to a single host on the same subnet. The first rule permits inbound access to HTTPS service for all hosts on the 10.20.1.0/24 subnet. A shadow conflict! Easy to spot because rules are adjacent. May not be so always. Pattern matching may not discover problem.

  44. Examples object-group network rfc1918 network-object 10.0.0.0 255.0.0.0 network-object 172.16.0.0 255.240.0.0 network-object 192.168.0.0 255.255.0.0 access-list inbound permit icmp any any access-list inbound deny ip object-group rfc1918 any OBSERVATIONS Simple review might would find that potentially spoofed private IP addresses are blocked. Reality is that an entire class of packets with illegal addresses would be allowed. A correlation conflict! Not easy to spot even when rules are adjacent. Difficult to syntactically discover such anomalies.

  45. Contents • Introduction to Firewall Concepts and Policy Analysis • Firewall Complexity • Demo of Complexity Analysis • Firewall Rule Conflicts • Semantic Firewall Analysis • Semantic Analysis with Athena FirePAC • About Athena Security • Questions and Answers

  46. About Athena Security Inc.‏ • Established in 2007 • Launched and funded by Lisle Technology Partners • Focus on analytical solutions for network security • Reduce testing effort for security • FirePAC launched in September 2008 • Automates firewall audits • Over 300 global users • Key markets – compliance and security audits • Other products • Athena Verify for Networks

  47. Thank YouandQuestions

More Related