Firewall evaluation - PowerPoint PPT Presentation

About This Presentation
Title: Firewall evaluation

Description: Looking at the logs shows what actually happened (if the logs aren't altered) ... Assessing functionality of the firewall under newly discovered attacks. Teemu Tokola ... – PowerPoint PPT presentation

Slides: 20
Provided by: OUS90

Transcript and Presenter's Notes


1
Firewall evaluation
  • Varying approaches in assessing the front line of
    network security

2
Introduction
  • "Quis custodiet ipsos custodes?" (Juvenalis)
  • Firewalls have become the front line of network
    security
  • Can we trust them? How to test them?

3
Contents
  • Approaches to firewall testing
  • Active testing
  • Passive testing
  • Log inspection
  • Intrusion detection systems
  • Passive black box testing
  • Determining firewall rules
  • Value
  • Summary of testing methods
  • Testing methodology

4
Approaches to firewall testing
  • Active testing
    • Emphasis on vulnerabilities and errors in implementation
  • Passive testing
    • Emphasis on configuration checking
  • Log analysis
    • Analyses past events based on logs generated
  • Intrusion detection systems
    • Recognises intrusions based on traffic patterns

5
Active testing
  • Properties and uses
    • Uncovers implementation errors and vulnerabilities
    • Represents a good approximation of what an attacker might attempt
  • Problems
    • Extensive checking of the address space is impossible
    • Generates traffic
    • Finding a fault in a firewall (which is often a single point of failure) may cause a security hazard
    • Done post-deployment
    • Does not notice when the configuration blocks legitimate traffic

6
Passive testing
  • Properties
    • Mostly concerned with checking correctness of configuration files
    • Ensures that the configuration files match the security policy
    • Does not generate traffic
    • Can be done before deployment
  • Problems
    • Fails to notice errors when the reality does not meet the policy stated in the configuration files
    • Vulnerabilities and implementation mistakes cannot be detected

[Diagram: Security policy – Config files – Firewall – ?]
7
Log inspection
  • Properties
    • Inspecting firewall logs provides a way to see what the firewall has been up to
    • Looking at the logs shows what actually happened (if the logs aren't altered)
    • Often used as a basis for intrusion detection systems
  • Problems
    • Logs are amongst an intruder's first targets
    • When using logs generated by the firewall, analysis is dependent on the firewall providing accurate (or at least some) information, which may not be a given
    • Post-deployment operation does not pre-empt errors
    • Amount of data can be extremely large!

[Diagram: Firewall – Logs]
8
Intrusion detection systems (IDS)
  • Intrusion detection systems look for anomalies in internet traffic
  • Theory: malicious activity will have a differing signature compared to normal traffic
  • Systems are typically based either on log inspection or on looking at network traffic directly
  • Intrusion detection systems are generally interested in intrusions; assessing firewalls is not a main concern
9
Question
  • Can we, only through outside observation,
    determine what the firewall is doing?
  • Could such a system be of any use in firewall
    testing?
  • Could it replace or complement existing methods?

10
Passive black box testing

[Diagram: Network traffic passes through the Firewall; a Probe measures traffic on side A and on side B of the firewall]
  • Aim
    • Passively determine the firewall ruleset
    • Provide a clear view of the observed behaviour
  • Applications
    • Ensuring policy meets reality
    • Monitoring for changes in observed behaviour

11
Determining firewall rules 1
  • Measurements from different probes gathered and
    tagged
  • Synchronisation essential to avoid apparently
    non-deterministic features
  • An event list is produced

12
Determining firewall rules 2
  • Events on different sides of the firewall are matched
  • Challenges
    • NAT
    • Content mangling
    • Fragmentation
    • Reordering
  • A critical feature

13
Determining firewall rules 3
  • Individual protocols that are either all-pass or
    all-block
  • Blocking based on address

14
Determining firewall rules 4
  • For non-trivial cases, event context
  • Aim to provide a suggestion for under which
    circumstances an event is blocked/passed

15
Determining firewall rules 5
  • Out-bound events that couldn't be linked to any event that had entered the system
  • Event context suggestions as with unclear filtering cases
  • Non-deterministic packet generation is a problem: only network events are observed!
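Slides 11 to 15 describe one procedure: tag and synchronise probe measurements, match events across the two sides of the firewall, and derive per-protocol rules or event-context suggestions from what passed, what vanished, and what appeared on the inside without a counterpart. The following Python is an added example, not from the slides: the addresses, the `pid` field used to link the same packet on both sides, and the sample events are constructed assumptions.

```python
from collections import defaultdict, namedtuple

# pid identifies one packet on both sides (IP ID, payload hash); NAT and fragmentation complicate this.
Ev = namedtuple("Ev", "side t proto src dst dport pid")
EXT, INT = "203.0.113.5", "192.0.2.10"   # constructed addresses: outside host, inside host

# Constructed sample capture: side A is outside the firewall, side B inside.
EVENTS = [
    Ev("A", 0.00, "tcp", EXT, INT, 80, 1), Ev("B", 0.01, "tcp", EXT, INT, 80, 1),
    Ev("A", 0.10, "tcp", EXT, INT, 22, 2),                                # never seen on B
    Ev("A", 0.20, "tcp", "198.51.100.9", INT, 22, 3), Ev("B", 0.21, "tcp", "198.51.100.9", INT, 22, 3),
    Ev("A", 0.30, "udp", EXT, INT, 53, 4), Ev("B", 0.31, "udp", EXT, INT, 53, 4),
    Ev("A", 0.40, "udp", EXT, INT, 161, 5),                               # never seen on B
    Ev("A", 0.50, "icmp", EXT, INT, 0, 6),                                # never seen on B
    Ev("B", 0.60, "icmp", "192.0.2.1", EXT, 0, 7),                        # no side-A origin
]

def match_events(events, window=0.5):  # window in seconds; probes must be time-synchronised
    """Link each side-A event to a side-B event with the same flow tuple and pid."""
    pending = defaultdict(list)                     # key: (proto, src, dst, dport, pid)
    for e in events:
        if e.side == "B":
            pending[e[2:]].append(e)
    passed, blocked = [], []
    for e in [e for e in events if e.side == "A"]:
        hits = [b for b in pending[e[2:]] if 0 <= b.t - e.t <= window]
        (passed if hits else blocked).append(e)
        if hits:
            pending[e[2:]].remove(hits[0])
    # Leftover side-B events have no side-A origin: firewall-generated traffic (slide 15)
    return passed, blocked, [b for bs in pending.values() for b in bs]

def infer_rules(events):
    """Per protocol: all-pass, all-block, or a context suggestion for mixed cases."""
    passed, blocked, unlinked = match_events(events)
    rules = {}
    for proto in sorted({e.proto for e in events if e.side == "A"}):
        p = [e for e in passed if e.proto == proto]
        b = [e for e in blocked if e.proto == proto]
        if not b or not p:
            rules[proto] = "all-block" if b else "all-pass"
            continue
        for attr in ("dport", "src"):   # does one attribute separate passed from blocked?
            pv, bv = {getattr(e, attr) for e in p}, {getattr(e, attr) for e in b}
            if not pv & bv:
                rules[proto] = "blocked by %s: %s" % (attr, sorted(bv))
                break
        else:                           # no single attribute explains it: report the context
            rules[proto] = "mixed; blocked (src, dport): %s" % sorted((e.src, e.dport) for e in b)
    return rules, unlinked
```

With the sample capture, ICMP comes out as all-block, UDP as blocked by destination port 161, and TCP as a mixed case where only the (source, port) context explains the one dropped SSH attempt; the inside-originated ICMP packet is reported as unlinked.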

16
Passive black box testing
  • New properties compared to existing methods
    • Provides a reality-based view of the firewall activity, as with active testing, but passively
    • Observed ruleset can be checked against policy and configuration
    • Permits monitoring changes in observed behaviour
  • Problems
    • Post-deployment
    • Amount of data can again be extremely high
    • Problems uncovered only after they've happened
    • Does not necessarily go through weaknesses known to be frequent in implementations
    • Does not validate configuration, although it can be used as a hint of configuration errors
  • => an approach best suited to complement, not to replace, existing testing methods

17
Summary of testing methods
[Diagram: Security policy is used to create Config files, which determine how the Firewall handles Network traffic; the firewall generates Logs]
  • Active testing: tests whether the firewall can resist known attacks
  • Log inspection and intrusion detection: inspecting logs and network traffic
  • Passive black box testing: observes the firewall from the outside; compares the results to the security policy, the configuration and prior observations
  • Passive testing: ensures that config files match the security policy
18
Testing methodology
  • Combined effort based on different approaches
  • Idea to
    • Validate configuration
    • Test functionality
    • Monitor activity
  • End result
    • Varied testing eliminates more errors
    • Holistic approach produces a more secure perimeter to the internal network

19
Thank you. The End
  • For contacts, please use the email address below
  • ouspg@ee.oulu.fi