Firewall Rule Review and Modelling

This talk discusses the idea, approach and possibilities of firewall rule reviews, which identify incorrect and inefficient rules in current firewall configurations.

Published in: Technology
Transcript of "Firewall Rule Review and Modelling"

  1. Firewall Rule Modelling and Review. Marc Ruef, www.scip.ch. SwiNOG 24, 10 May 2012, Berne, Switzerland
  2. Agenda | Firewall Rule Modelling and Review
     ◦ Intro: Introduction (2 min), Who am I? (2 min), What is the Goal? (2 min)
     ◦ Firewall Rule Modelling and Review: Extraction (4 min), Parsing (4 min), Dissection (4 min), Review (10 min), Additional Settings (10 min), Routing Criticality (7 min), Statistical Analysis (5 min)
     ◦ Outro: Summary (2 min), Questions (5 min)
  3. Introduction | Who am I?
     ◦ Name: Marc Ruef
     ◦ Job: Co-Owner / CTO, scip AG, Zürich
     ◦ Private Website: http://www.computec.ch
     ◦ Last Book: „The Art of Penetration Testing“ (translation), Computer & Literatur Böblingen, ISBN 3-936546-49-5
  4. Introduction | What is our Goal?
     ◦ A Firewall Rule Review shall determine:
        ◦ Insecure rules
        ◦ Wrong rules
        ◦ Inefficient rules
        ◦ Obsolete rules
     ◦ I will show:
        ◦ Approaches
        ◦ Our methodology
        ◦ Possibilities
  5. Introduction | Approach
     ◦ Extract firewall rules
     ◦ Parse firewall rule sets
     ◦ Dissect
        ◦ Objects
        ◦ Services
        ◦ Actions
        ◦ Relations
     ◦ Determine settings
     ◦ Identify weaknesses
  6. Introduction | Files vs. Screenshots
     ◦ We prefer exported files
        ◦ Faster
        ◦ More reliable
        ◦ No GUI abstraction layer (better insight)
     ◦ Still, screenshots might support the analysis
        ◦ Easier walkthrough («quickview»)
        ◦ Visual enhancement of documentation
        ◦ Verification of parsing (cross-check)
        ◦ Last hope (no export feature, quirky file format, ...)
  7. Extraction | Get the Firewall Rulesets
     ◦ iptables
        ◦ Backup: /usr/sbin/iptables-save
     ◦ Astaro
        ◦ Export: /usr/local/bin/backup.plx
        ◦ iptables: /usr/sbin/iptables-save
        ◦ Backup: Webadmin / Management / Backup/Restore
     ◦ Checkpoint Firewall-1
        ◦ Copy: All files in %FWDIR%/conf/ (objects_5.C, rulebase.fws, *.W)
        ◦ Export: cpdb2html/cpdb2web
     ◦ Cisco IOS/PIX/ASA
        ◦ Backup: show mem, show conf
     ◦ Citrix Netscaler
        ◦ Backup: Copy file /nsconfig/ns.conf (via SCP)
     ◦ Juniper
        ◦ Backup: Admin / Update / Config / Copy&Paste
        ◦ Backup: request system configuration rescue save (via FTP)
     ◦ McAfee Web Gateway
        ◦ Backup: Configuration / File Management / Configuration Data / Download Configuration Backup
     ◦ ...
  8. Parsing | Handle Ruleset Structure
     ◦ Apache Directives
        ◦ Apache Reverse Proxies
        ◦ USP Secure Entry Server (Apache-based)
     ◦ Arrays
        ◦ Astaro (backup.plx) (alternative is with iptables)
        ◦ Checkpoint (files) (.C, .fws, .W)
        ◦ Fortigate
     ◦ Command-line
        ◦ iptables
        ◦ Cisco IOS/PIX/ASA
        ◦ Citrix Netscaler
     ◦ INI Files
        ◦ McAfee Web Gateway (base64 encapsulated in XML?!)
        ◦ SonicWALL (base64 encoded string)
     ◦ XML Files
        ◦ Airlock
        ◦ Clearswift MIMEsweeper
        ◦ Totemo TrustMail
     ◦ ...
  9. Parsing | Access Firewall Rule Attributes (Cisco ASA Example)
  10. Parsing | Access Firewall Rule Attributes (Firewall-1 Example)
  11. Dissection | Access Rule Attributes
     ◦ A packet filter rule consists of at least:
        ◦ Source Host/Net [10.0.0.0/8]
        ◦ Source Port [>1023]
        ◦ Destination Host/Net [192.168.0.10/32]
        ◦ Destination Port [80]
        ◦ Protocol [TCP]
        ◦ Action [ALLOW]
     ◦ Additional rule attributes might be:
        ◦ ID [42]
        ◦ Active [enabled]
        ◦ Timeframe [01/01/2012 – 12/31/2012]
        ◦ User [testuser2012]
        ◦ Logging [disabled]
        ◦ Priority (QoS) [bandwidth percent 30]
        ◦ ...
  12. Dissection | Example Table
     Src Host      Src Port   Dst Host          Dst Port    Protocol  Action
     *             >1023      192.168.0.10/32   80 (http)   TCP       ALLOW
     10.0.0.0/8    >1023      *                 80 (http)   TCP       ALLOW
     ...
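The dissection step turns each vendor's syntax into the same six-column table, so the review logic never has to know which product produced the rules. As an added example (not code from the talk or from scip AG), the following Python parses an iptables-save dump, the export format named on the Extraction slide, into that table. The dump it parses is constructed for the example; the `Rule` class and the option map are this example's own, not a library API.

```python
"""Dissect an iptables-save dump into the flat rule attribute table of the
Dissection slides. Example code written for this page; it is not the scip AG
tooling shown in the talk, and the dump below is constructed, not captured."""
import shlex
from dataclasses import dataclass, field

ANY = "*"  # the slides print an unrestricted attribute as '*'

# iptables options that take one argument and map straight onto a rule attribute.
ATTR_OPTIONS = {
    "-s": "src", "--source": "src", "--src": "src",
    "-d": "dst", "--destination": "dst", "--dst": "dst",
    "-p": "proto", "--protocol": "proto",
    "--sport": "sport", "--source-port": "sport", "--sports": "sport",
    "--dport": "dport", "--destination-port": "dport", "--dports": "dport",
    "-j": "action", "--jump": "action",
    "--comment": "comment",
}


@dataclass
class Rule:
    chain: str
    src: str = ANY
    sport: str = ANY
    dst: str = ANY
    dport: str = ANY
    proto: str = ANY
    action: str = ANY
    comment: str = ""
    # Options not modelled above are kept verbatim so nothing is silently lost.
    extra: list = field(default_factory=list)


def parse_rule_line(line):
    """Parse one '-A CHAIN ...' line. Negation in the modern form ('! -s net') is
    recorded as a '!' prefix on the value; match extension names ('-m tcp') carry
    no data themselves, the options that follow them do."""
    tokens = shlex.split(line)          # honours the quoting of --comment "..."
    rule = Rule(chain=tokens[1])
    negate = False
    i = 2
    while i < len(tokens):
        tok = tokens[i]
        if tok == "!":
            negate = True
            i += 1
            continue
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        has_arg = nxt is not None and nxt != "!" and not nxt.startswith("-")
        value = nxt if has_arg else ""
        if negate:
            value, negate = "!" + value, False
        if tok in ATTR_OPTIONS:
            setattr(rule, ATTR_OPTIONS[tok], value)
        elif tok not in ("-m", "--match"):
            rule.extra.append((tok, value))
        i += 2 if has_arg else 1
    return rule


def parse_iptables_save(text):
    """Return (chain policies, rules) for a whole dump; table headers, COMMIT and
    '#' comments are skipped."""
    policies, rules = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(":"):              # ':CHAIN POLICY [pkts:bytes]'
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            rules.append(parse_rule_line(line))
    return policies, rules


def to_table(rules):
    """Rows in the slide's column order: Src Host, Src Port, Dst Host, Dst Port, Protocol, Action."""
    return [(r.src, r.sport, r.dst, r.dport, r.proto, r.action) for r in rules]


SAMPLE_DUMP = """\
# constructed sample, not a capture from a production host
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -d 192.168.0.10/32 -p tcp -m tcp --sport 1024:65535 --dport 80 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --sport 1024:65535 --dport 80 -j ACCEPT
-A INPUT -d 192.168.0.10/32 -p tcp -m tcp --dport 23 -j ACCEPT -m comment --comment "temp test rule"
-A INPUT -s 192.168.0.0/24 -d 10.0.0.0/8 -p tcp -m multiport --dports 22,902,8443 -j ACCEPT
-A INPUT ! -s 10.0.0.0/8 -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -j LOG --log-prefix "fw-input-drop: "
-A INPUT -j DROP
COMMIT
"""

if __name__ == "__main__":
    policies, rules = parse_iptables_save(SAMPLE_DUMP)
    print("chain policies:", policies)
    for row in to_table(rules):
        print("  ".join(f"{col:<16}" for col in row))
```

The chain policy is kept separately because it is the implicit last rule: an `INPUT DROP` policy is what the checklist's "DROP-ALL rule" looks like on iptables, and a review that only looks at `-A` lines would report it missing.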
  13. Review | Weaknesses Checklist (1/2)
     ◦ Allow Rules
        ◦ ANY rules
        ◦ Bi-directional rules
        ◦ Broad definition of zones or port ranges
        ◦ Mash-up of objects
        ◦ Blacklisted traffic (false-negatives)
        ◦ DROP-ALL rule missing
     ◦ Insecure Rules
        ◦ Insecure service used (e.g. telnet, ftp, snmp)
        ◦ Overlapping objects
        ◦ Nested objects
  14. Review | Weaknesses Checklist (2/2)
     ◦ Obsolete Rules
        ◦ Inactive objects
        ◦ Temporary rules
        ◦ Test rules
        ◦ Obsolete rules
     ◦ Documentation Missing
        ◦ No comment/description
        ◦ Whitelisted traffic (reasoning missing)
        ◦ Logging not enabled
     ◦ Lockdown missing
        ◦ Lockdown rules missing
        ◦ Stealth rules missing
        ◦ DENY instead of DROP
  15. Review | Example Report Table (Findings)
     Src Host          Src Port                  Dst Host          Dst Port                Protocol  Action
     *                 >1023                     192.168.0.10/32   80                      TCP       ALLOW
     *                 * [ANY Rule]              192.168.0.10/32   23 [Insecure]           TCP       ALLOW
     10.0.0.0/8        >1023                     *                 80                      TCP       ALLOW
     192.168.0.10/24   1024-50000 [Inadequate]   10.0.0.0/8        22,902,8443 [Mash-Up]   TCP       ALLOW
     * [ANY Rule]      * [ANY Rule]              192.168.0.10/24   3389                    TCP       ALLOW
     10.0.0.0/8        0                         * [ANY Rule]      0,8 [Insecure]          ICMP      ALLOW
     ...
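Once the rules are in attribute form, the checklist on the two preceding slides can be run mechanically and the findings table above produced from it. The following is an added example, not the scip AG tooling shown in the talk. Its checks are one reading of the checklist items (what counts as an ANY rule, an inadequate source port range, a mash-up, an insecure service); the input rows are the findings table's rules, with comment and logging columns constructed for the example. Where it is stricter than the slide (it also tags the unrestricted destination of rule 3), that is the example's own judgement.

```python
"""Run the Review slides' weaknesses checklist over a dissected ruleset.
Example code written for this page, not the scip AG tooling from the talk. The
checks are one reading of the checklist; the rule rows are the Findings slide's
example table with constructed comment/log columns."""

ANY = "*"
EPHEMERAL = (1024, 65535)   # '>1023': the conventional client source-port range

# Clear-text or weakly authenticated services named on the checklist
# (telnet, ftp, snmp) plus tftp and the r-services of the same class.
INSECURE_SERVICES = {
    ("TCP", 21): "ftp", ("TCP", 23): "telnet", ("UDP", 69): "tftp", ("UDP", 161): "snmp",
    ("TCP", 512): "rexec", ("TCP", 513): "rlogin", ("TCP", 514): "rsh",
}


def parse_ports(spec):
    """'*' -> whole range, '>1023' -> (1024, 65535), 'a-b' -> range, '22,902' -> several."""
    if spec == ANY:
        return [(0, 65535)]
    ranges = []
    for part in spec.split(","):
        part = part.strip()
        if part.startswith(">"):
            ranges.append((int(part[1:]) + 1, 65535))
        elif "-" in part:
            lo, hi = part.split("-")
            ranges.append((int(lo), int(hi)))
        else:
            ranges.append((int(part), int(part)))
    return ranges


def prefix_len(host):
    """CIDR length of a host/net attribute; '*' counts as /0, a bare address as /32."""
    if host == ANY:
        return 0
    return int(host.split("/")[1]) if "/" in host else 32


def review_rule(rule):
    """Findings for one rule, tagged like the report table ([ANY Rule], [Insecure], ...)."""
    findings = []
    action = rule["action"].upper()
    if action in ("DENY", "REJECT"):
        findings.append("DENY instead of DROP")    # a reject answers and thereby reveals the filter
    if action != "ALLOW":
        return findings
    proto = rule["proto"].upper()
    sports, dports = parse_ports(rule["sport"]), parse_ports(rule["dport"])
    if proto in ("TCP", "UDP"):
        if sports == [(0, 65535)]:
            findings.append("ANY Rule")            # unrestricted source port
        elif sports != [EPHEMERAL]:
            findings.append("Inadequate")         # e.g. 1024-50000: neither one port nor the convention
        if len(dports) > 1:
            findings.append("Mash-Up")            # several services bundled into one rule
        for (svc_proto, port), name in INSECURE_SERVICES.items():
            if svc_proto == proto and any(lo <= port <= hi for lo, hi in dports):
                findings.append(f"Insecure ({name})")
    if rule["dst"] == ANY:
        findings.append("ANY Rule")                # unrestricted destination
        if proto == "ICMP":
            findings.append("Insecure")           # echo to anywhere: a reachability oracle
    if rule["src"] == ANY and prefix_len(rule["dst"]) < 32:
        findings.append("ANY Rule")                # anyone to a whole network, not to one published host
    if not rule.get("comment"):
        findings.append("No comment/description")
    if rule.get("log") is False:
        findings.append("Logging not enabled")
    return findings


def review_ruleset(rules):
    """Per-rule findings plus the ruleset-level check for the DROP-ALL cleanup rule."""
    per_rule = {r["id"]: review_rule(r) for r in rules}
    last = rules[-1]
    catch_all = all(last[k] == ANY for k in ("src", "sport", "dst", "dport", "proto"))
    ruleset_findings = [] if catch_all and last["action"].upper() == "DROP" else ["DROP-ALL rule missing"]
    return per_rule, ruleset_findings


RULES = [  # rows of the Findings slide; the comment and log columns are constructed
    dict(id=1, src="*", sport=">1023", dst="192.168.0.10/32", dport="80", proto="TCP", action="ALLOW", comment="public web", log=True),
    dict(id=2, src="*", sport="*", dst="192.168.0.10/32", dport="23", proto="TCP", action="ALLOW", comment="", log=False),
    dict(id=3, src="10.0.0.0/8", sport=">1023", dst="*", dport="80", proto="TCP", action="ALLOW", comment="clients to web", log=True),
    dict(id=4, src="192.168.0.10/24", sport="1024-50000", dst="10.0.0.0/8", dport="22,902,8443", proto="TCP", action="ALLOW", comment="", log=True),
    dict(id=5, src="*", sport="*", dst="192.168.0.10/24", dport="3389", proto="TCP", action="ALLOW", comment="", log=True),
    dict(id=6, src="10.0.0.0/8", sport="0", dst="*", dport="0,8", proto="ICMP", action="ALLOW", comment="", log=True),
]

if __name__ == "__main__":
    per_rule, ruleset_findings = review_ruleset(RULES)
    for rid, tags in per_rule.items():
        print(f"rule {rid}: {', '.join(tags) or '-'}")
    print("ruleset:", ", ".join(ruleset_findings) or "-")
```

The split between per-rule and ruleset-level findings mirrors the slides: an ANY rule or a telnet service is a property of one row, while a missing DROP-ALL or stealth rule is a property of the ordered set and only shows once the whole table is in hand.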
  16. Review | Example Report Table (Measures)
     Src Host          Src Port               Dst Host               Dst Port                     Protocol  Action
     *                 >1023                  192.168.0.10/32        80                           TCP       ALLOW
     *                 * → >1023              192.168.0.10/32        23 → 22                      TCP       ALLOW
     10.0.0.0/8        >1023                  *                      80                           TCP       ALLOW
     192.168.0.10/24   1024-50000 → >1023     10.0.0.0/8             22,902,8443 → 22|902|...     TCP       ALLOW
     * → x.x.x.110     * → >1023              192.168.0.10/24        3389                         TCP       ALLOW
     10.0.0.0/8        0                      * → 192.168.0.10/24    0,8 → «Risk Accepted»        ICMP      ALLOW
     ...
  17. Review | Automated Analysis (Video)
     ◦ Go to http://www.youtube.com/watch?v=P62Z4vqX5nA
  18. Additional Settings | Global Settings
     ◦ Some FWs, especially proxies, introduce additional (global) settings, which might affect the rules. Example McAfee Web Gateway:
        ◦ Antivirus
           ◦ Enabled [1=enabled]
           ◦ HeuristicWWScan [0=disabled]
           ◦ AutoUpdate [0=disabled]
        ◦ Caching
           ◦ Enabled [1=enabled]
           ◦ CacheSize [536870912]
           ◦ MaxObjectSize [8192]
        ◦ HTTP Proxy Settings
           ◦ Enabled [1=enabled]
           ◦ AddViaHeader [1=enabled]
           ◦ ClientIpHeader [X-Forwarded-For]
        ◦ ...
  19. Additional Settings | Example Report Table
     ID    Setting               Value                             Recommend                          Risk
     ...
     1427  CheckFileSignatures   0                                 1 (=enabled)                       Medium
     1428  ChecksumMismatchWeb   Replace and Quarantine            Replace and Quarantine             Passed
     1429  EmbdJavaAppletWeb     Allow                             Block                              Medium
     1430  ExpiredContentWeb     Block                             Block                              Passed
     1431  JavaScriptWeb         Allow                             Block                              Low
     1432  MacroWeb              Replace document and Quarantine   Block Document (strict approach)   Passed
     1433  UnsignedEXEWeb        Allow                             Block                              High
     ...
  20. Routing Criticality | CVSSv2 Overview
  21. Routing Criticality | Weight Indexing (Example)
     Description                               Source    Destination  Port    AV  AC  Au  CI  II  AI  Score
     External Web to Web Server                Internet  DMZ          t80     N   L   N   N   C   C   9.4
     External Web for Internal Clients (in)    LAN       Internet     t80     N   M   N   C   C   C   9.3
     External Web to Customer Site             Internet  DMZ          t443    N   L   S   C   C   C   9.0
     External Mail to Public Mail Server       Internet  DMZ          t110    N   M   S   C   C   C   8.5
     External Remote Access to Servers         Internet  DMZ          t22     N   M   S   C   C   C   8.5
     Internal Access to DNS Servers            LAN       DMZ          u53     L   L   N   C   C   C   7.2
     Intranet Access for Internal Clients      LAN       DMZ          t80     L   L   N   P   C   C   6.8
     External Web for Internal Clients (out)   LAN       Internet     t80     L   L   S   C   C   C   6.8
     Internal Remote Access to Servers         LAN       DMZ          t3389   L   M   S   P   C   P   5.5
     Internal ICMP Echo for Servers            DMZ       Internet     i0,8    L   M   S   P   P   C   5.5
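Weight indexing rates each allowed route with the CVSSv2 base metrics as if the route itself were a vulnerability: a route that is reachable from the Internet (AV:N) without authentication (Au:N) and exposes hosts whose compromise would be complete (C/I/A: C) lands at the top of the list, which is where the reviewer's attention should go first. As an added example (not code from the talk or from scip AG), the following Python implements the CVSSv2 base equation and recomputes the scores of the table above; the metric weights and the equation are those of the CVSS v2 guide, the rows are the slide's own.

```python
"""CVSSv2 base score as used by the Routing Criticality slide's weight index.
Example code written for this page, not the scip AG tooling from the talk. The
weights and equation are those of the CVSS v2 guide; ROUTES is the slide's table."""
from decimal import Decimal, ROUND_HALF_UP

ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}   # the same scale serves C, I and A


def round_to_1_decimal(x):
    """CVSS rounds half up; float round() rounds half to even, so use Decimal."""
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def cvss2_base_score(av, ac, au, c, i, a):
    """CVSS v2 base equation: BaseScore = ((0.6*Impact) + (0.4*Exploitability) - 1.5) * f(Impact)."""
    impact = 10.41 * (1 - (1 - IMPACT[c]) * (1 - IMPACT[i]) * (1 - IMPACT[a]))
    exploitability = 20 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au]
    f_impact = 0 if impact == 0 else 1.176
    return round_to_1_decimal(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact)


def score_vector(vector):
    """'AV:N/AC:L/Au:N/C:N/I:C/A:C' -> base score."""
    m = dict(part.split(":") for part in vector.split("/"))
    return cvss2_base_score(m["AV"], m["AC"], m["Au"], m["C"], m["I"], m["A"])


# (description, source, destination, port, AV, AC, Au, C, I, A, score printed on the slide)
ROUTES = [
    ("External Web to Web Server", "Internet", "DMZ", "t80", "N", "L", "N", "N", "C", "C", 9.4),
    ("External Web for Internal Clients (in)", "LAN", "Internet", "t80", "N", "M", "N", "C", "C", "C", 9.3),
    ("External Web to Customer Site", "Internet", "DMZ", "t443", "N", "L", "S", "C", "C", "C", 9.0),
    ("External Mail to Public Mail Server", "Internet", "DMZ", "t110", "N", "M", "S", "C", "C", "C", 8.5),
    ("External Remote Access to Servers", "Internet", "DMZ", "t22", "N", "M", "S", "C", "C", "C", 8.5),
    ("Internal Access to DNS Servers", "LAN", "DMZ", "u53", "L", "L", "N", "C", "C", "C", 7.2),
    ("Intranet Access for Internal Clients", "LAN", "DMZ", "t80", "L", "L", "N", "P", "C", "C", 6.8),
    ("External Web for Internal Clients (out)", "LAN", "Internet", "t80", "L", "L", "S", "C", "C", "C", 6.8),
    ("Internal Remote Access to Servers", "LAN", "DMZ", "t3389", "L", "M", "S", "P", "C", "P", 5.5),
    ("Internal ICMP Echo for Servers", "DMZ", "Internet", "i0,8", "L", "M", "S", "P", "P", "C", 5.5),
]


def weight_index(routes):
    """Recompute every route's score and return (score, description, source, destination, port)
    rows with the most critical route first."""
    rows = [(cvss2_base_score(av, ac, au, c, i, a), desc, src, dst, port)
            for desc, src, dst, port, av, ac, au, c, i, a, _slide_score in routes]
    return sorted(rows, key=lambda r: r[0], reverse=True)


if __name__ == "__main__":
    for score, desc, src, dst, port in weight_index(ROUTES):
        print(f"{score:4.1f}  {desc:<40} {src:<9} {dst:<9} {port}")
```

Two details matter when reproducing the slide's numbers: the Impact sub-score is not additive (a single Complete rating already yields most of the 10.41 maximum, which is why the Internet-to-DMZ rows cluster at the top), and rounding is half up, so the DNS route's raw value just above 7.15 prints as 7.2 rather than 7.1.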
  22. Statistical Analysis | Findings per Projects (Last 11 Projects)
  23. Statistical Analysis | Top Findings (Median Last 11 Projects)
  24. Statistical Analysis | Reasons for Risks
     ◦ There are several possible reasons why FWs are not configured in the most secure way:
        ◦ Mistakes (wrong click, wrong copy&paste, …)
        ◦ Forgotten/Laziness (“I will improve that later…”)
        ◦ Misinformation (vendor suggests ports 10000-50000)
        ◦ Misunderstanding (technical, conceptual)
        ◦ Unknown features (hidden settings)
        ◦ Technical failure (e.g. broken backup import)
  25. Outro | Summary
     ◦ Firewall Rule Reviews help to determine weaknesses in firewall rulesets.
     ◦ The extraction, parsing and dissection of a ruleset allows to do the analysis.
     ◦ Common weaknesses are broad definition of objects, overlapping rules and unsafe protocols.
  26. Outro | Literature
     ◦ Firewall Rule Parsing am Beispiel von SonicWALL (Firewall Rule Parsing Using SonicWALL as an Example), http://www.scip.ch/?labs.20110113
     ◦ Common Vulnerability Scoring System und seine Probleme (Common Vulnerability Scoring System and Its Problems), http://www.scip.ch/?labs.20101209
     These slides and additional details will be published at http://www.scip.ch/?labs
  27. Outro | Questions
  28. Security is our Business!
     scip AG
     Badenerstrasse 551
     CH-8048 Zürich
     Tel +41 44 404 13 13
     Fax +41 44 404 13 14
     Mail info@scip.ch
     Web http://www.scip.ch
     Twitter http://twitter.com/scipag
     Strategy | Consulting, Auditing | Testing, Forensics | Analysis