Defending Firewalls under Attack via Early Packet Filtering - PowerPoint PPT Presentation

1
Defending Firewalls under Attack via Early Packet
Filtering
  • Adel El-Atawy, Taghrid Samak, Ehab Al-Shaer
  • DePaul University
  • Chicago, IL USA
  • Fifth Midwest Security Workshop
  • April 26th 2008

2
Motivation
  • Policies can be HUGE. We have to do something
  • Policies > 10K rules exist
  • IDSs have even more rules (100K is not a
    surprise)
  • Sequential matching is still common
  • In this case the filtering cost (matching/sec)
    grows with the number of rules
  • It is not hard to guess/craft traffic to hit the
    default-deny rule → causing maximal matching
    overhead

3
Motivation
  • Limited power of the classical representation of
    policies
  • Dependency between rules
  • Problems when optimizing for performance, caching
    frequent rules, delegating rules to other firewalls
    up/downstream, etc.
  • Harder book-keeping
  • Statistical properties of packets over rules are
    hard to calculate and to keep track of. Again
    because of dependency
  • Temporal locality
  • Can be enhanced with better projections
  • Low scalability with the number of fields

4
Motivation
  • Security devices can be victims of DoS attacks
  • Very expensive packets to filter can be tailored
  • A way to filter these packets early on is needed

5
Early Packet Filtering
  • Objective
    • Maximal reduction in number of packets to process
    • Early rejection of EXPENSIVE packets
  • Solution
    • Adaptive Early Packet Filtering

(Diagram: packets pass through Early Filtering, then Regular Filtering, then Default Deny)
6
Related Work
  • Hardware-based (McAulay93, Taylor05)
  • Pure-software (Gupta99, Srinivasan99,
    Feldmann00, Woo00, Baboescu01/03, Singh03,
    Hasan05, Dong07)
  • Traffic-aware techniques
    • (Gupta00) Alphabet trees, single field,
      arbitrary distribution
    • (Cohen05) Decision lists of rules
    • (Kim06) Filtering for DDoS defense
    • (Hamed06) Ordering rules in their original
      structure
    • (El-Atawy07) Huffman trees over policy
      segments
    • Others (Znati06, Acharya06, Fulp07)

7
I. Field Values Set Cover
  • Some field values are common to many rules → a
    single check can remove these rules from the
    policy.
  • A set of field values can cover the whole policy
  • An RR is mapped to a set cover, and field values
    are mapped to the available subsets.

8
I. Field Values Set Cover
  • Rule  Action  Proto  Src       SPort  Dst         DPort
  • R1    Allow   TCP    Any       Any    WebServer1  80
  • R2    Allow   TCP    Any       Any    WebServer2  80
  • R3    Allow   TCP    Any       Any    WebServer1  8080
  • R4    Allow   TCP    Any       Any    FTPServer   20-21
  • R5    Deny    Any    Private   Any    Internet    Any
  • R6    Allow   ICMP   RD        --     Internet    --
  • R7    Allow   TCP    Any       Any    WebServer1  443
  • R8    Allow   UDP    Internet  Any    DNS         53
  • R8    Allow   UDP    DNS       Any    Internet    53
  • . . .

9
I. Field Values Set Cover
  • Operation
    • Initialization: a set of RRs is generated by
      several runs of approximation algorithms for the
      set cover.
    • For each packet: each RR is checked against the
      packet; either the packet is rejected, or it is
      passed to the normal filtering module.
    • Periodically: the set of chosen RRs is updated
      based on their effectiveness.
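The FVSC operation described on slides 7 to 9, worked through as an added example (this is not the authors' code). It assumes RR stands for "rejection rule", that an RR is a set of (field, value-set) pairs of which every allow rule contains at least one, and that a packet matching none of them is rejected before sequential matching; the policy is constructed from the slide's R1 to R8 (source port omitted), the sample traffic is constructed, and the "several runs" of the approximation are simulated by re-running greedy set cover with the previous run's first pick forbidden.

```python
"""Field Values Set Cover (FVSC) as an early-filtering stage (added example)."""

ANY = None                                   # wildcard condition
FIELDS = ("proto", "src", "dst", "dport")    # source port omitted for brevity


def cond(**kw):
    """Rule condition: each field is a frozenset of values or ANY (assumed model)."""
    return {f: (frozenset(kw[f]) if f in kw else ANY) for f in FIELDS}


# Constructed policy modelled on the slide's R1-R8; order matters for
# sequential matching. "Private"/"Internet" are address groups.
POLICY = [
    ("R1", "allow", cond(proto=["TCP"], dst=["WebServer1"], dport=[80])),
    ("R2", "allow", cond(proto=["TCP"], dst=["WebServer2"], dport=[80])),
    ("R3", "allow", cond(proto=["TCP"], dst=["WebServer1"], dport=[8080])),
    ("R4", "allow", cond(proto=["TCP"], dst=["FTPServer"], dport=[20, 21])),
    ("R5", "deny", cond(src=["Private"], dst=["Internet"])),
    ("R6", "allow", cond(proto=["ICMP"], dst=["Internet"])),
    ("R7", "allow", cond(proto=["TCP"], dst=["WebServer1"], dport=[443])),
    ("R8", "allow", cond(proto=["UDP"], dst=["DNS"], dport=[53])),
]
DEFAULT_ACTION = "deny"


def rule_matches(c, pkt):
    return all(c[f] is ANY or pkt[f] in c[f] for f in FIELDS)


def normal_filter(policy, pkt):
    """Sequential matching; returns (action, rule id, rules examined)."""
    for n, (rid, action, c) in enumerate(policy, 1):
        if rule_matches(c, pkt):
            return action, rid, n
    return DEFAULT_ACTION, "default", len(policy)


def candidates(policy):
    """Subsets of the set cover: every (field, value-set) of an allow rule."""
    out = {(f, c[f]) for _, a, c in policy if a == "allow"
           for f in FIELDS if c[f] is not ANY}
    return sorted(out, key=lambda fc: (fc[0], sorted(map(str, fc[1]))))


def covers(fc, c):
    """(field, values) covers rule c if every packet matching c has that
    field inside values; then a packet outside values cannot match c."""
    f, vals = fc
    return c[f] is not ANY and c[f] <= vals


def greedy_cover(policy, banned=frozenset()):
    """Greedy set-cover approximation over the allow rules.
    Returns one RR as a list of (field, values), or None if no cover exists."""
    uncovered = [c for _, a, c in policy if a == "allow"]
    cands = [fc for fc in candidates(policy) if fc not in banned]
    if not cands:
        return None
    rr = []
    while uncovered:
        best = max(cands, key=lambda fc: sum(covers(fc, c) for c in uncovered))
        if not any(covers(best, c) for c in uncovered):
            return None                      # some rule cannot be covered
        rr.append(best)
        uncovered = [c for c in uncovered if not covers(best, c)]
    return rr


def build_rrs(policy, runs=2):
    """Several runs, each forbidding the previous run's first pick, so the
    RRs reject different traffic (assumed way of diversifying the runs)."""
    rrs, banned = [], set()
    for _ in range(runs):
        rr = greedy_cover(policy, frozenset(banned))
        if rr is None:
            break
        rrs.append(rr)
        banned.add(rr[0])
    return rrs


def is_sound(rr, policy):
    """Every allow rule is covered, so an early reject never drops a
    packet the full policy would accept."""
    return all(any(covers(fc, c) for fc in rr)
               for _, a, c in policy if a == "allow")


def rr_passes(rr, pkt):
    return any(pkt[f] in vals for f, vals in rr)


def filter_packet(rrs, policy, pkt, hits=None):
    """Early stage, then normal filtering. `hits` counts rejections per RR,
    the effectiveness statistic used when RRs are re-selected periodically."""
    for i, rr in enumerate(rrs):
        if not rr_passes(rr, pkt):
            if hits is not None:
                hits[i] = hits.get(i, 0) + 1
            return "deny", f"RR{i + 1}", i + 1
    return normal_filter(policy, pkt)


# Constructed sample traffic: accepted web request, probe for a closed
# port (would hit default deny), and a protocol no rule allows.
TRAFFIC = [
    {"proto": "TCP", "src": "Internet", "dst": "WebServer1", "dport": 80},
    {"proto": "TCP", "src": "Internet", "dst": "Host9", "dport": 9999},
    {"proto": "GRE", "src": "Internet", "dst": "Host9", "dport": 0},
]

if __name__ == "__main__":
    rrs, hits = build_rrs(POLICY), {}
    for rr in rrs:
        print("RR:", [(f, sorted(map(str, v))) for f, v in rr], "sound:", is_sound(rr, POLICY))
    for pkt in TRAFFIC:
        print(pkt["proto"], pkt["dst"], pkt["dport"], "->",
              filter_packet(rrs, POLICY, pkt, hits), "vs", normal_filter(POLICY, pkt))
    print("rejections per RR:", hits)
```

The second packet survives the first RR (it is TCP) but fails the second, so it is dropped after two cheap checks instead of eight sequential matches; the third packet fails the first RR outright. The per-RR hit counts are what the periodic update would rank by.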

10
I. Field Values Set Cover
  • Policy 1: optimum gain is 50, achieved 41
  • Policy 2: optimum gain is 25, achieved 20
  • Policy 3: optimum gain is 50, achieved 34
    (smaller policy, with more diverse values)

11
I. Field Values Set Cover
  • When expensive packets (default deny) are more
    common → the optimal number of RRs increases.
  • The same policy with different traffic statistics
    results in a different optimal RR set.

12
I. Field Values Set Cover
  • Result Summary

13
II. Policy Boolean Expression Relaxation
  • Representation
    • A variable represents a bit of the system
      information
    • Example: a firewall 5-tuple is allocated 104
      variables
    • Each constraint in the policy (e.g., routing
      rule, access-control entry, IPS signature, IPSec
      rule, etc.) is represented by a conjunction of
      variables
    • A packet is represented by an assignment
    • A packet hits a firewall rule if it satisfies
      the rule's condition
    • A policy is equivalent to a single expression
      covering accepted packets

14
II Policy Boolean Expression Relaxation (P-BER)
  • A single BDD can represent the whole policy
  • A maximum depth of 104 (protocol 8 + IPs 32+32 +
    ports 16+16) can be found in the BDD tree.
  • Applicable to other devices
  • Filtering Operation
    • We traverse to a depth r. If a leaf is not
      reached, then proceed to normal filtering
    • No structural updates involved (only parameter r)
  • Notes
    • Most rules contain wildcards
    • Optimal ordering is NP-Hard, but based on
      experience we can get closer
    • Each node contains
      • Left and right pointers
      • Level before which no decision can be reached
        (r_th)

15
II Policy Boolean Expression Relaxation (P-BER)
  • For different policies, different depths are
    needed to achieve the same coverage.
  • Most policies can be almost covered by not more
    than 24 bits.
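The P-BER filtering operation of slide 14 and the depth-versus-coverage trade-off of slide 15, worked through as an added example (not the authors' code). It assumes a constructed 8-bit packet encoding (protocol 2 bits, destination host 2 bits, destination port 4 bits) in place of the real 104-bit 5-tuple, a fixed variable order, a constructed four-rule policy, and an exhaustive build of the reduced BDD, which is fine for 2^8 packets and obviously not how a 104-variable BDD is built. Each node carries its own variable level rather than the r_th value described on the slide; the depth test uses that level.

```python
"""Policy Boolean Expression Relaxation (P-BER): the policy as a reduced
ordered BDD over packet bits, traversed only to depth r (added example)."""
from itertools import product

# Constructed encoding (MSB first): proto 2 bits, dst host 2 bits, dport 4 bits.
FIELD_BITS = (("proto", 2), ("dst", 2), ("dport", 4))
NBITS = sum(w for _, w in FIELD_BITS)
TCP, UDP, ICMP = 0, 1, 2
WEB1, WEB2, DNS = 0, 1, 2

# Constructed policy: sequential allow rules, default deny; a missing
# field is a wildcard (the ICMP rule matches any host and port).
RULES = [
    ("allow", {"proto": TCP, "dst": WEB1, "dport": 5}),
    ("allow", {"proto": TCP, "dst": WEB2, "dport": 5}),
    ("allow", {"proto": UDP, "dst": DNS, "dport": 3}),
    ("allow", {"proto": ICMP}),
]


def to_bits(pkt):
    """Packet -> assignment of the NBITS Boolean variables."""
    bits = []
    for f, w in FIELD_BITS:
        bits += [(pkt[f] >> (w - 1 - i)) & 1 for i in range(w)]
    return tuple(bits)


def from_bits(bits):
    pkt, pos = {}, 0
    for f, w in FIELD_BITS:
        pkt[f] = int("".join(map(str, bits[pos:pos + w])), 2)
        pos += w
    return pkt


def policy(pkt):
    """Full sequential matching: True = accept, False = default deny."""
    for action, c in RULES:
        if all(pkt[f] == v for f, v in c.items()):
            return action == "allow"
    return False


_UNIQUE = {}   # unique table so equal sub-BDDs are shared


def build(level=0, prefix=()):
    """Shannon expansion on bit `level`. A node is (level, low, high), a
    leaf is a bool. A bit whose two branches are identical (a wildcard
    at this point) gets no node, so leaves are reached early."""
    if level == NBITS:
        return policy(from_bits(prefix))
    lo = build(level + 1, prefix + (0,))
    hi = build(level + 1, prefix + (1,))
    if lo == hi:
        return lo
    return _UNIQUE.setdefault((level, lo, hi), (level, lo, hi))


ROOT = build()


def early_decide(root, bits, r):
    """Traverse at most r bit levels. A bool means a leaf was reached within
    the relaxation depth; None means hand the packet to normal filtering."""
    node = root
    while isinstance(node, tuple):
        level, lo, hi = node
        if level >= r:          # next test needs a bit beyond depth r
            return None
        node = hi if bits[level] else lo
    return node


def coverage(root, r):
    """Fraction of the whole packet space decided within depth r."""
    if not isinstance(root, tuple):
        return 1.0
    level, lo, hi = root
    if level >= r:
        return 0.0
    return 0.5 * coverage(lo, r) + 0.5 * coverage(hi, r)


def pber_filter(pkt, r):
    """Early stage at depth r, falling back to the sequential policy."""
    verdict = early_decide(ROOT, to_bits(pkt), r)
    return policy(pkt) if verdict is None else verdict


def equivalent_to_policy():
    """Full-depth traversal agrees with sequential matching on every packet."""
    return all(early_decide(ROOT, bits, NBITS) == policy(from_bits(bits))
               for bits in product((0, 1), repeat=NBITS))


if __name__ == "__main__":
    for r in range(NBITS + 1):
        print(f"depth r={r}: {coverage(ROOT, r):.4f} of packets decided early")
```

With this policy, two bits already decide half of the packet space (every ICMP packet and every packet with the unused protocol value), three bits decide three quarters, and the port-specific rules need the full depth; a different policy over the same encoding would need a different r for the same coverage, which is the point of slide 15.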

16
II Policy Boolean Expression Relaxation (P-BER)
  • Number of minterms in the tree can be huge
    (orders of magnitude higher than policy size).
  • Longer minterms cover smaller areas of the
    overall space

17
Efficiency and Adaptability
  • Both algorithms are controlled with a single
    variable
    • Number of RRs (FVSC)
    • Depth r in the tree (P-BER)
  • Adjusting this single variable achieves
    adaptability to traffic/filtering dynamics.
  • Criteria for efficiency depend on the complexity
    of the original filtering algorithm.

18
Efficiency and Adaptability
  • Average cost

19
Conclusion
  • Attacking security devices is possible
  • Protecting them is also possible
  • Two techniques
    • Field values set cover (FVSC)
    • Policy Boolean expression relaxation (PBER)
  • FVSC more suitable for smaller policies, with
    low diversity of values
  • PBER more suitable for huge and complex policies
  • Both can adapt to traffic changes.

20
  • Questions?