html5-img
1 / 32

Procedure of Firewall testing and evaluation Supervisor Zbigniew A. Kotulski , Ph.D.,D.Sc .

Wydział Elektroniki i Technik Informacyjnych. Procedure of Firewall testing and evaluation Supervisor Zbigniew A. Kotulski , Ph.D.,D.Sc. SEMINARY PRESENTATION. Agenda. Problem definition Goals of work Test environmet description Test structure Results examples Problems

holt
Download Presentation

Procedure of Firewall testing and evaluation Supervisor Zbigniew A. Kotulski , Ph.D.,D.Sc .

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Wydział Elektroniki i Technik Informacyjnych Procedure of Firewall testing and evaluationSupervisorZbigniew A. Kotulski, Ph.D.,D.Sc. SEMINARY PRESENTATION

  2. Agenda • Problem definition • Goals of work • Test environmet description • Test structure • Results examples • Problems • Conclusions

  3. Problem definition • Not exist any form of such procedure (existence of RFC 3511 but it limits only to pure firewall evaluation), • IP throughput • Concurrent TCP Connection Capacity • Maximum TCP Connection Establishment Rate • Maximum TCP Connection Tear Down Rate • Denial Of Service Handling • HTTP Transfer Rate • Maximum HTTP Transaction Rate • Illegal Traffic Handling • IP Fragmentation Handling • Latency

  4. Typical firewall functionallities

  5. Extensionintroduced by UTM

  6. Problem definition • There are speculations not facts, • Each vendor convincing about it’s superiority. „Check Point Network Security Solutions are the market-leading choice for securing the network infrastructure” source www.checkpoint.com „Whatever the size, location and function of the network, Juniper Networks solutions deliver secure, best-in-class performance.” source www.juniper.net

  7. Simple UTM Schema

  8. Goals of thework • Analysis of contemporary UTM market in seek of optimal technologies and solutions, I defined following ways to fulfill this aim: • analysis of architecture of such kind of devices , • comparison particular functionalities with similar stand-alone appliances , • analysis of the market in seek for devices which comply requirements of the highest security requirements ,

  9. Market evaluation

  10. Goals of thework • Evaluation of previously selected devices in specially prepared environment: I defined following steps to fulfill this aim: • initial configuration of devices for further tests, • preparation of test scenarios seek of auxiliary software needed to fulfill scenarios requirements, • preparation of own supplementary scripts, • analysis of received results,

  11. Goals of thework • Preparation of procedure on a basis of results analysis obtained from previously selected device evaluation . • TC1.1 - audit sub-procedure, • TC1.2 - pen test sub-procedure, • TC1.3 - attack resistance sub-procedure, • TC1.4 - system scanning sub-procedure, • TC2.1 - virtual private network mechanism evaluation sub-procedure, • TC2.2 - antivirus, spam , content filtering mechanism evaluation sub-procedure, • TC2.3 - rule set evaluation sub-procedure.

  12. LABORATORY INITIAL SCHEMA- 1 • Generally tests were divided into two scenarios: • tests which aim was to measure the performance and behavior of the appliance according to traffic passing through the firewall, • tests which aim was to measure the performance, behavior and features of appliance according to traffic directed to the UTM directly.

  13. LABORATORY INITIAL SCHEMA- 2 Network configuration was based on one of the schemas defined by RFC 3511 (Benchmarking Methodology for Firewall Performance) which defines some milestones of testing firewall performance

  14. Laboratorychanges

  15. Laboratorychanges

  16. Deviceinitialconfiguration

  17. Test structure • tests concerning resistance of the system against reconnaissance attacks , deny of service attacks, brute force attacks , sql injection attacks, cross-site-scripting attacks and attack based on discovered vulnerabilities of the system, • tests evaluating proper hardening of the operation system : checking right privilege distribution, file structure, user privilege distribution, resource (random access memory, central processing unit access time, password files, configuration information) protection mechanisms embedded into the system, • tests concerning attempts to capture a confidential information from the unprivileged user level based on attempts to tries to get access to specific catalogues, execution system commands, attempts to interfere in proper behavior of the system and attempts to compile or execute a malicious code on the evaluated system, • tests evaluating efficiency of anti-spam mechanism using specially made different types of e-mail messages: advertisement spam , phishing spam, picture spam, • tests evaluating anti-virus mechanism using specially generated file packages which contained different combinations and types of files with connection with virus test files, different level of nesting archives, files password protected, • tests evaluating efficiency of intrusion detection system mechanism based on estimation of the appliance behavior under network attack, • tests evaluating efficiency of the VPN mechanism on a resource usage basis.

  18. Architectureevaluationbulletpoints • if the firewall works in spited or joined management (ex. Check Point Smart ServerCenter may be embedded to the appliance or works on separate machine, • if the firewall uses external servers like syslog to send or receive information, • if the firewall uses secured way of communication with policy server, • if the firewall uses a secured way of communication with other auxiliary servers, • if the policy server configuration is secured – there is no lick allowing compromising the firewall.

  19. Architectureanalysis

  20. Rule set validationpre-assimptions • what (if defined ) is the number of rules recommended, • what is the order in which the firewall proceeds the rules set ( to the first match ex. Checkpoint , to group match ex. ISA server, if the rules ale proceed in groups (zones ) ex. Juniper, • if any particular actions are prioritized over the others, • how the additional actions are impacting the performance (ex. counting in Check Point firewall rules can significantly decrease the performance), • how the traffic is spread over the rule set – if the most used are placed on the start of firewall proceed path, • if the rule set is optimized – do not exist divided rules which can spitted together, • if there do not exist implied rules which do not officially appear in the rule set but filter the traffic additionally, • if there exist firewall protecting hidden rule set filtrating the traffic directed to firewall itself

  21. Auditung of the system • name of the system, • analysis of how the space of the disk is distributed through the partitions, • analysis of the starting scripts, • analysis of services started from xinetd.conf, • users and groups defined in the system, • analysis of unmask value parameter, • analysis of shells in the system, • configuration of PATH variable configuration, • analysis of restrictions set in PAM module, • analysis of system logging module (if exist), • analysis of system auditing module (if exist),

  22. Auditing of the system • analysis of system privileges access to catalogues (generally files with bit SUID enabled), • analysis of privileges to most valuable to the system files, • analysis of privileges of accessing the cron’s files, • analysis of processes working in the system, • analysis of network configuration.

  23. Spam filesexamples Your financial contribution towards getting medical supplies and food {which are the most important needs} now is highly solicited. We alongside over 30 emergency relief agencies irrespective of race or religion are working in conjunction with the W.H.O to avert an epidemic of cholera and other water borne diseases. Presently,over 5 million people in South Asia are without food or water. The UN health agency requires over 68million pounds to forestall an outbreak of disease in a couple of days, which could be an even bigger disaster. Please send your Contributions/Donations no matter how small, via WESTERN UNION MONEY TRANSFER TO Name: GREGORY OVIENRIA Address:Netherland. Goodday Sir/Madam, On Sunday December 26th 2004 at about 9:00 am, the world witnessed a natural disaster. A quake measuring 9.0 on the ritcher scale occurred at the bottom of the Indian Ocean close to the Island of Sumatra, North East Indonesia. Resulting Tsunamis from the quake caused destruction of lives and properties never before experienced in modern history. Reports say this is the strongest quake in 40 years with its energy equal to 9,500 Hiroshima bombs.So far 155,000 people have been officially reported dead, of this figure 27 are Britons, 79,900 Indonesians and 27,268 from Sri Lanka.India recorded over 6,000 dead and Thailand over 10,000. The Swedish Prime Minister says about 1,000 Swedish tourists have died so far, and the death toll is still on the increase. The British public has so far donated 21million pounds, with 10million raised overnight. The British government has also pledged 15million pounds; the EU has pledged $4m dollars and other International organizations pledging sums of money.

  24. Spam filesexamples

  25. Test procedureexample

  26. Results Examples

  27. Results Examples

  28. Results Examples

  29. Problems • Difficulty in hiring needed equipment • Difficulty in getting evaluation licenses • Problems with suiting proper test software • Problems with lab establishment • 1)Netscreen has a predefined labels - functions binded to interfaces and I needed 4 so I had to change the default function of one of the interfaces to make possible syslog mechanism to work • 2) device didn't accepted the licenses - upgrade of os was needed • 3) device didn't want to load database of DI

  30. Conclusions • Obtained: • Market evaluation • Test software found or created • Benchamark lab environment created and tested • Benchamark scenarios created • Benchamark results obtained • Advanced methodology created • Clear and precise procedure created

  31. Questions

  32. Thankyou.

More Related