distributed firewall policy validation by kyle wheeler
Post on 22-Dec-2015
221 views
TRANSCRIPT
![Page 1: Distributed Firewall Policy Validation by Kyle Wheeler](https://reader036.vdocuments.mx/reader036/viewer/2022062715/56649d765503460f94a58089/html5/thumbnails/1.jpg)
Distributed Firewall Policy Validation
by Kyle Wheeler
![Page 2: Distributed Firewall Policy Validation by Kyle Wheeler](https://reader036.vdocuments.mx/reader036/viewer/2022062715/56649d765503460f94a58089/html5/thumbnails/2.jpg)
Outline 1. Introduction
Justification Requirements
2. Design Approaches Architecture
3. Implementation Requirements Graphing Example Policy Example
4. Conclusions
![Page 3: Distributed Firewall Policy Validation by Kyle Wheeler](https://reader036.vdocuments.mx/reader036/viewer/2022062715/56649d765503460f94a58089/html5/thumbnails/3.jpg)
Security is IMPORTANT Computer-based attacks are increasing
Code Red: 2000 hosts/minute (2001) Slammer: 55 million scans/second (2003)
Attacks are becoming more damaging CISCO’s IOS code stolen Valve’s HalfLife 2 code stolen Trend Micro says:
• $13 billion in 2001• $20 billion in 2002• $55 billion in 2003 (source)
![Page 4: Distributed Firewall Policy Validation by Kyle Wheeler](https://reader036.vdocuments.mx/reader036/viewer/2022062715/56649d765503460f94a58089/html5/thumbnails/4.jpg)
Security is HARD Firewalls
Most popular security method Rules can and do become very complex Not only method, however
Large networks have: Many different administrators Diverse software
Security of large networks requires: Centralized control Uniform software
No unified method of verifying security policy implementation For example, The University of Notre Dame network
![Page 5: Distributed Firewall Policy Validation by Kyle Wheeler](https://reader036.vdocuments.mx/reader036/viewer/2022062715/56649d765503460f94a58089/html5/thumbnails/5.jpg)
Rules for the Solution Few Requirements
Network-connectivity independent Mostly system-setup independent Cannot require root access Independent of firewall implementations
Flexible Testing Out-of-order data collection (some support) Non-uniform distribution of testing nodes
Define a testable security policy language
![Page 6: Distributed Firewall Policy Validation by Kyle Wheeler](https://reader036.vdocuments.mx/reader036/viewer/2022062715/56649d765503460f94a58089/html5/thumbnails/6.jpg)
Analysis Approaches
Static Vulnerability Analysis Splint
Threat Modeling Regression Testing
![Page 7: Distributed Firewall Policy Validation by Kyle Wheeler](https://reader036.vdocuments.mx/reader036/viewer/2022062715/56649d765503460f94a58089/html5/thumbnails/7.jpg)
Static Vulnerability Analysis
The Good Avoids logical
ambiguity Avoids common
loopholes and mistakes
Easy to understand
The Bad Requires detailed
knowledge of the implementation
Implementation-specific
Does not address system interactions
![Page 8: Distributed Firewall Policy Validation by Kyle Wheeler](https://reader036.vdocuments.mx/reader036/viewer/2022062715/56649d765503460f94a58089/html5/thumbnails/8.jpg)
Threat Modeling
The Good Models entire system Views system as an
attacker would Determines
vulnerability “surface”
The Bad Requires full
knowledge of all system details
![Page 9: Distributed Firewall Policy Validation by Kyle Wheeler](https://reader036.vdocuments.mx/reader036/viewer/2022062715/56649d765503460f94a58089/html5/thumbnails/9.jpg)
Regression Testing
The Good Does not need
implementation-specific details
Easy to understand
The Bad Effectiveness is tied
to the completeness of the policy
Can miss some vulnerabilities
![Page 10: Distributed Firewall Policy Validation by Kyle Wheeler](https://reader036.vdocuments.mx/reader036/viewer/2022062715/56649d765503460f94a58089/html5/thumbnails/10.jpg)
Data Collection Framework Hierarchical organization
Handles complex networks Allows asynchronous operation
Wizard Big picture management, handles policy testing
setup Manager
Organization, Coordination, Retrieval Prober
Low-level testing, yes/no answers
![Page 11: Distributed Firewall Policy Validation by Kyle Wheeler](https://reader036.vdocuments.mx/reader036/viewer/2022062715/56649d765503460f94a58089/html5/thumbnails/11.jpg)
Managers & Probers
Good Features Subordinate Managers Commands can be any length
Key Features Hierarchical Naming Maildir-like communication
![Page 12: Distributed Firewall Policy Validation by Kyle Wheeler](https://reader036.vdocuments.mx/reader036/viewer/2022062715/56649d765503460f94a58089/html5/thumbnails/12.jpg)
Hierarchical Naming Names contain routing information Names are given or assigned
Network must be laid out intelligently No auto-discovery Manually connectable
Must be a root to the tree (base) Three kinds of sub-names
base.m1.m1.p2.t1.t Example, slide 17, 12
![Page 13: Distributed Firewall Policy Validation by Kyle Wheeler](https://reader036.vdocuments.mx/reader036/viewer/2022062715/56649d765503460f94a58089/html5/thumbnails/13.jpg)
Maildir-like Algorithm Benefits
No locks: NFS safe No partial-files No new communication server to secure
Two-step file creation Create in tmp, then move to new Need unique new name
• Use pid and random• Could use more (inode#, for example)
Waiting For Results Requires Polling
![Page 14: Distributed Firewall Policy Validation by Kyle Wheeler](https://reader036.vdocuments.mx/reader036/viewer/2022062715/56649d765503460f94a58089/html5/thumbnails/14.jpg)
Given a complex network…
Administrator’s Console
Firewall Firewall
FirewallProber
Manager
ProberManager
ProberManagerProber Prober Prober
Prober Prober
Prober Prober Prober
![Page 15: Distributed Firewall Policy Validation by Kyle Wheeler](https://reader036.vdocuments.mx/reader036/viewer/2022062715/56649d765503460f94a58089/html5/thumbnails/15.jpg)
… Handled Nicely
Prober Prober Prober Prober Prober Prober
Prober Prober
ProberManager
ProberManager
ProberManager
Administrator’s Console
Firewall Firewall
Firewall
![Page 16: Distributed Firewall Policy Validation by Kyle Wheeler](https://reader036.vdocuments.mx/reader036/viewer/2022062715/56649d765503460f94a58089/html5/thumbnails/16.jpg)
Or, More Realistically…
192.168.0.131 192.168.0.131 192.168.0.131
24.11.249.68
internet
129.74.152.6 129.74.152.2129.74.155.226
172.16.0.16 172.16.0.17
![Page 17: Distributed Firewall Policy Validation by Kyle Wheeler](https://reader036.vdocuments.mx/reader036/viewer/2022062715/56649d765503460f94a58089/html5/thumbnails/17.jpg)
... Which Can be Organized
192.168.0.130Wizard & Manager
base
192.168.0.132Proberbase.p1
192.168.0.131Proberbase.p2
129.74.152.2Prober
base.m1.p2
172.16.0.17Prober
base.m1.m1.p2
172.16.0.16Prober
base.m1.m1.p1
129.74.155.226Manager - base.m1
Prober - base.p3
129.7.152.6Manager - base.m1.m1
Prober - base.m1.p1
24.11.249.68Proberbase.p4
![Page 18: Distributed Firewall Policy Validation by Kyle Wheeler](https://reader036.vdocuments.mx/reader036/viewer/2022062715/56649d765503460f94a58089/html5/thumbnails/18.jpg)
The Implementation Requirements:
ttcp installed in PATH• Binary connection testing
bash available, in PATH• Written in bash
SSH access, without password• Security issue• Impact can be reduced with careful administration
Graphing with Graphviz
![Page 19: Distributed Firewall Policy Validation by Kyle Wheeler](https://reader036.vdocuments.mx/reader036/viewer/2022062715/56649d765503460f94a58089/html5/thumbnails/19.jpg)
Raw Manager Capability Hosts, fully connected:
wopr.memoryhole.net iss.cse.nd.edu salinan.cse.nd.edu itisfast.cse.nd.edu
Legend: Black line = confirmed
connection Dotted line = one side reported
connection Red line = one side reported,
one side denied
![Page 20: Distributed Firewall Policy Validation by Kyle Wheeler](https://reader036.vdocuments.mx/reader036/viewer/2022062715/56649d765503460f94a58089/html5/thumbnails/20.jpg)
The Wizard
Interchangeable element Interprets policy language Generates and spawns tests
At least three per assertion Otherwise 50% of all possible
Interprets results of tests Must have control of “base” Manager
![Page 21: Distributed Firewall Policy Validation by Kyle Wheeler](https://reader036.vdocuments.mx/reader036/viewer/2022062715/56649d765503460f94a58089/html5/thumbnails/21.jpg)
Example Policy
network iss 172.16.0.0 255.255.0.0network nd 127.74.0.0 255.255.0.0network brk 192.168.0.0 255.255.0.0brk -> ndbrk -> iss via 129.74.152.6 nd -> brk via 24.11.249.168 nd -> iss via 129.74.152.6iss -X ndiss -X brk
16
![Page 22: Distributed Firewall Policy Validation by Kyle Wheeler](https://reader036.vdocuments.mx/reader036/viewer/2022062715/56649d765503460f94a58089/html5/thumbnails/22.jpg)
Conclusions Design is feasible Implementation works as expected Being generic is hard Future Work
Investigate long-running “continuous” testing Policy language needs further flexibility Speed of testing
![Page 23: Distributed Firewall Policy Validation by Kyle Wheeler](https://reader036.vdocuments.mx/reader036/viewer/2022062715/56649d765503460f94a58089/html5/thumbnails/23.jpg)
Any Questions?