Title: Defending Firewalls under Attack via Early Packet Filtering
1 Defending Firewalls under Attack via Early Packet Filtering
- Adel El-Atawy, Taghrid Samak, Ehab Al-Shaer
- DePaul University
- Chicago, IL USA
- Fifth Midwest Security Workshop
- April 26th 2008
2 Motivation
- Policies can be HUGE. We have to do something
- Policies > 10K rules exist
- IDSs have even more rules (100K is not a surprise)
- Sequential matching is still common
- In this case the filtering cost (matching/sec)
- It is not hard to guess/craft traffic to hit the default-deny rule → causing maximal matching overhead
3 Motivation
- Limited power of the classical representation of policies
- Dependency between rules
- Problems when we optimize for performance, cache frequent rules, delegate rules to other firewalls up/downstream, etc.
- Harder book-keeping
- Statistical properties of packets over rules are hard to calculate and to keep track of. Again: dependency
- Temporal locality
- Can be enhanced with better projections
- Low scalability with the number of fields
4 Motivation
- Security devices can be victims of DoS attacks
- Very expensive packets to filter can be tailored
- A way to filter these packets early on is needed
5 Early Packet Filtering
- Objective
- Maximal reduction in the number of packets to process
- Early rejection of EXPENSIVE packets
- Solution
- Adaptive Early Packet Filtering
- (Figure) Pipeline: Early Filtering → Regular Filtering → Default Deny
6 Related Work
- Hardware-based (McAulay93, Taylor05)
- Pure-software (Gupta99, Srinivasan99, Feldmann00, Woo00, Baboescu01/03, Singh03, Hasan05, Dong07)
- Traffic-aware techniques
- (Gupta00) Alphabet trees, single field, arbitrary distribution
- (Cohen05) Decision lists of rules
- (Kim06) Filtering for DDoS defense
- (Hamed06) Ordering rules in their original structure
- (El-Atawy07) Huffman trees over policy segments
- Others (Znati06, Acharya06, Fulp07)
7 I. Field Values Set Cover
- Some field values are common to many rules → a single check can remove these rules from the policy.
- A set of field values can cover the whole policy
- An RR is mapped to a set cover, and field values are mapped to the available subsets.
8 I. Field Values Set Cover
Rule  Action  Proto  Src       SrcPort  Dst         DstPort
R1    Allow   TCP    Any       Any      WebServer1  80
R2    Allow   TCP    Any       Any      WebServer2  80
R3    Allow   TCP    Any       Any      WebServer1  8080
R4    Allow   TCP    Any       Any      FTPServer   20-21
R5    Deny    Any    Private   Any      Internet    Any
R6    Allow   ICMP   RD        --       Internet    --
R7    Allow   TCP    Any       Any      WebServer1  443
R8    Allow   UDP    Internet  Any      DNS         53
R9    Allow   UDP    DNS       Any      Internet    53
. . .
9 I. Field Values Set Cover
- Operation
- Initialization: a set of RRs is generated by several runs of approximation algorithms for the set cover.
- For each packet: each RR is checked against the packet; either the packet is rejected, or it is passed to the normal filtering module.
- Periodically: the set of chosen RRs is updated based on their effectiveness.
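The RR construction and the per-packet check of slides 7 to 9, as an added example in Python (not the slides' or the authors' code). The policy is constructed after slide 8 with the address groups kept symbolic ("Internet", "Private", "WebServer1") and ports as ranges; the names `build_rejection_rule`, `early_reject`, `filter_packet` and `effectiveness` are assumptions for illustration. A single deterministic greedy pass stands in for the slides' several approximation runs.

```python
"""Greedy field-value set cover (FVSC) for early rejection of default-deny packets.
Added example, not code from the slides. An RR is a list of (field, value) checks that
together cover every accept rule; a packet that satisfies none of them cannot match any
accept rule, so it is rejected before sequential filtering is paid for."""
from collections import defaultdict

ANY = None
FIELDS = ("proto", "src", "sport", "dst", "dport")

# Constructed policy (action, proto, src, sport, dst, dport); ports are (lo, hi) ranges.
POLICY = [
    ("allow", "tcp", ANY, ANY, "WebServer1", (80, 80)),
    ("allow", "tcp", ANY, ANY, "WebServer2", (80, 80)),
    ("allow", "tcp", ANY, ANY, "WebServer1", (8080, 8080)),
    ("allow", "tcp", ANY, ANY, "FTPServer", (20, 21)),
    ("deny", ANY, "Private", ANY, "Internet", ANY),
    ("allow", "icmp", ANY, ANY, "Internet", ANY),
    ("allow", "tcp", ANY, ANY, "WebServer1", (443, 443)),
    ("allow", "udp", "Internet", ANY, "DNS", (53, 53)),
    ("allow", "udp", "DNS", ANY, "Internet", (53, 53)),
]


def field_matches(rule_value, packet_value):
    """True if a rule's field value (ANY, a port range, or a symbolic name) accepts the packet's value."""
    if rule_value is ANY:
        return True
    if isinstance(rule_value, tuple):
        return rule_value[0] <= packet_value <= rule_value[1]
    return rule_value == packet_value


def sequential_match(policy, packet):
    """Baseline first-match filtering. Returns (action, field comparisons performed).
    A packet matching nothing pays for every rule before it hits default deny."""
    cost = 0
    for action, *values in policy:
        for field, rule_value in zip(FIELDS, values):
            cost += 1
            if not field_matches(rule_value, packet[field]):
                break
        else:
            return action, cost
    return "deny", cost


def build_rejection_rule(policy):
    """Greedy set-cover approximation. Universe: the accept rules only, because a packet
    that matches no accept rule is denied anyway (explicit deny rule or the default).
    The subset of a (field, value) check is every accept rule requiring that value."""
    accept = sorted(i for i, rule in enumerate(policy) if rule[0] == "allow")
    covers = defaultdict(set)
    for i in accept:
        for field, value in zip(FIELDS, policy[i][1:]):
            if value is not ANY:
                covers[(field, value)].add(i)
    uncovered, rr = set(accept), []
    while uncovered:
        # the check that eliminates the most still-uncovered rules
        best = max(covers, key=lambda check: len(covers[check] & uncovered))
        if not covers[best] & uncovered:
            raise ValueError("an accept rule is all-wildcard; it cannot be covered")
        rr.append(best)
        uncovered -= covers[best]
    return rr


def early_reject(rr, packet):
    """True iff the packet fails every check in the RR, so no accept rule can match it."""
    return not any(field_matches(value, packet[field]) for field, value in rr)


def filter_packet(policy, rr, packet):
    """Early filtering in front of sequential filtering; returns (action, total comparisons)."""
    if early_reject(rr, packet):
        return "deny", len(rr)
    action, cost = sequential_match(policy, packet)
    return action, len(rr) + cost


def effectiveness(rr, trace):
    """Share of a traffic sample rejected early; the periodic RR re-selection keys on this."""
    return sum(early_reject(rr, p) for p in trace) / len(trace)
```

For this policy the greedy pass returns three checks (proto = tcp, dst = Internet, proto = udp): a crafted packet with an unused protocol costs 10 field comparisons in sequential matching but only 3 in the RR, while a legitimate web packet pays the 3 RR checks on top of its normal cost. That overhead on accepted traffic is why the slides re-select RRs periodically from their measured effectiveness.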
10 I. Field Values Set Cover
- Policy 1: optimum gain is 50, achieved 41
- Policy 2: optimum gain is 25, achieved 20
- Policy 3: optimum gain is 50, achieved 34 (smaller policy, with more diverse values)
11 I. Field Values Set Cover
- When expensive packets (default deny) are more common → the optimal number of RRs increases.
- The same policy with different traffic statistics results in a different optimal RR set.
12 I. Field Values Set Cover
13 II. Policy Boolean Expression Relaxation
- Representation
- A variable represents a bit of the system information
- Example: the firewall 5-tuple is allocated 104 variables
- Each constraint in the policy (e.g., routing rule, access-control entry, IPS signature, IPSec rule, etc.) is represented by a conjunction of variables
- A packet is represented by an assignment
- A packet hits a firewall rule if it satisfies its condition
- A policy is equivalent to a single expression covering accepted packets
14 II. Policy Boolean Expression Relaxation (P-BER)
- A single BDD can represent the whole policy
- A maximum depth of 104 (protocol 8 + IPs 32+32 + ports 16+16) can be found in the BDD tree.
- Applicable to other devices
- Filtering Operation
- We traverse to a depth r. If a leaf is not reached, then proceed to normal filtering
- No structural updates involved (only the parameter r)
- Notes
- Most rules contain wildcards
- Optimal ordering is NP-hard, but based on experience we can get closer
- Each node contains
- Left and right pointers
- Level before which no decision can be reached (r_th)
15 II. Policy Boolean Expression Relaxation (P-BER)
- For different policies, different depths are needed to achieve the same coverage.
- Most policies can be almost covered by not more than 24 bits.
16 II. Policy Boolean Expression Relaxation (P-BER)
- The number of minterms in the tree can be huge (orders of magnitude higher than the policy size).
- Longer minterms cover smaller areas of the overall space
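Slides 13 to 16 worked through in Python, as an added example that is not the authors' code: each rule becomes a conjunction over the 104 bit variables (a mask/value pair), the decision structure is explored lazily with nodes keyed by (depth, rules still compatible with the assigned prefix), early filtering walks at most r variables, and `coverage(r)` computes the fraction of the packet space decided within that depth. The `rule`/`packet` helpers, the `PBER` class, the "most-constrained bits first" ordering heuristic, the protocol numbers and the addresses are all assumptions for illustration; ports are exact values, not ranges.

```python
"""Policy Boolean expression relaxation (P-BER) over a 104-variable packet vector.
Added example, not the slides' code. Memoising nodes on (depth, remaining rules)
merges equivalent subtrees, in the spirit of a reduced decision diagram."""
import ipaddress
from functools import lru_cache

NBITS = 104
# (offset, width) of each field in the vector; variable 0 is the MSB of proto.
LAYOUT = {"proto": (0, 8), "src": (8, 32), "dst": (40, 32), "sport": (72, 16), "dport": (88, 16)}


def _place(offset, width, value):
    """Shift a `width`-bit field value into its position in the 104-bit vector."""
    return value << (NBITS - offset - width)


def rule(action, proto=None, src=None, dst=None, sport=None, dport=None):
    """(action, mask, value): mask marks constrained bits, value their required settings.
    src/dst are CIDR strings (prefix bits constrained, host bits wildcard); None = Any."""
    mask = value = 0
    for name, v in (("proto", proto), ("src", src), ("dst", dst), ("sport", sport), ("dport", dport)):
        if v is None:
            continue
        off, width = LAYOUT[name]
        if name in ("src", "dst"):
            net = ipaddress.ip_network(v)
            fixed = ((1 << net.prefixlen) - 1) << (32 - net.prefixlen)
            mask |= _place(off, width, fixed)
            value |= _place(off, width, int(net.network_address) & fixed)
        else:
            mask |= _place(off, width, (1 << width) - 1)
            value |= _place(off, width, v)
    return action, mask, value


def packet(proto, src, dst, sport, dport):
    """A packet is a full assignment of all 104 variables: one integer."""
    fields = (("proto", proto), ("src", int(ipaddress.ip_address(src))),
              ("dst", int(ipaddress.ip_address(dst))), ("sport", sport), ("dport", dport))
    return sum(_place(*LAYOUT[name], v) for name, v in fields)


def bit(vec, var):
    """Value of variable `var` (0 = MSB of proto, 103 = LSB of dport)."""
    return (vec >> (NBITS - 1 - var)) & 1


class PBER:
    def __init__(self, policy, default="deny"):
        self.policy, self.default = policy, default
        # Ordering heuristic (assumption): most-constrained variables first. Slide 14
        # notes the optimal order is NP-hard; any fixed order gives correct decisions.
        weight = [sum(bit(m, v) for _, m, _ in policy) for v in range(NBITS)]
        self.order = sorted(range(NBITS), key=lambda v: -weight[v])
        pos = {v: i for i, v in enumerate(self.order)}
        # depth at which rule i is fully determined: one past its last constrained variable
        self.decided_at = [max((pos[v] + 1 for v in range(NBITS) if bit(m, v)), default=0)
                           for _, m, _ in policy]

    def _leaf(self, depth, remaining):
        """First-match semantics: a decision exists once the highest-priority rule still
        compatible with the prefix is fully determined; no rule left means the default."""
        if not remaining:
            return self.default
        first = remaining[0]
        return self.policy[first][0] if self.decided_at[first] <= depth else None

    def _child(self, depth, remaining, b):
        """Rules that stay compatible after assigning variable order[depth] := b."""
        var = self.order[depth]
        return tuple(i for i in remaining
                     if not bit(self.policy[i][1], var) or bit(self.policy[i][2], var) == b)

    def classify(self, pkt, r):
        """Relaxed traversal to depth r: an action, or None (hand to normal filtering)."""
        remaining = tuple(range(len(self.policy)))
        for depth in range(r + 1):
            leaf = self._leaf(depth, remaining)
            if leaf is not None or depth == r:
                return leaf
            remaining = self._child(depth, remaining, bit(pkt, self.order[depth]))
        return None

    def coverage(self, r):
        """Fraction of the 2^104 packet space decided within depth r (slide 15's coverage)."""
        @lru_cache(maxsize=None)
        def cov(depth, remaining):
            if self._leaf(depth, remaining) is not None:
                return 1.0
            if depth == r:
                return 0.0
            return 0.5 * (cov(depth + 1, self._child(depth, remaining, 0))
                          + cov(depth + 1, self._child(depth, remaining, 1)))
        return cov(0, tuple(range(len(self.policy))))


# Constructed policy modelled on slide 8 (TCP = 6, UDP = 17); priority is list order.
POLICY = [
    rule("allow", proto=6, dst="192.0.2.10/32", dport=80),
    rule("allow", proto=6, dst="192.0.2.11/32", dport=80),
    rule("allow", proto=6, dst="192.0.2.10/32", dport=443),
    rule("deny", src="10.0.0.0/8"),
    rule("allow", proto=17, src="198.51.100.53/32", dport=53),
]
```

With this ordering the three web rules are decided at depth 56, the private-source deny at 64 and the DNS rule at 88, so `coverage(24)` is 0 for this policy while `coverage(64)` is 1 - 2^-32: the depth r needed for a given coverage depends on the policy and on where the ordering places the bits that the high-priority rules constrain, which is slide 15's point. A crafted default-deny packet from a non-private source is rejected as soon as the first source bit contradicts the deny rule (depth 57), without visiting the rest of the tree.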
17 Efficiency and Adaptability
- Both algorithms are controlled with a single variable
- Number of RRs
- Depth in the tree
- Adjusting this single variable achieves adaptability to traffic/filtering dynamics.
- Criteria for efficiency depend on the complexity of the original filtering algorithm.
18 Efficiency and Adaptability
19 Conclusion
- Attacking security devices is possible
- Protecting them is also possible
- Two techniques
- Field values set cover (FVSC)
- Policy Boolean expression relaxation (P-BER)
- FVSC is more suitable for smaller policies, with low diversity of values
- P-BER is more suitable for huge and complex policies
- Both can adapt to traffic changes.