Distributed Firewall Policy Validation

1
Distributed Firewall Policy Validation

• by Kyle Wheeler

2
Outline

• 1. Introduction
• Justification
• Requirements
• 2. Design
• Approaches
• Architecture

• 3. Implementation
• Requirements
• Graphing Example
• Policy Example
• 4. Conclusions

3
Security is IMPORTANT

• Computer-based attacks are increasing
• Code Red 2000 hosts/minute (2001)
• Slammer 55 million scans/second (2003)
• Attacks are becoming more damaging
• CISCOs IOS code stolen
• Valves HalfLife 2 code stolen
• Trend Micro says
• 13 billion in 2001
• 20 billion in 2002
• 55 billion in 2003 (source)

4
Security is HARD

• Firewalls
• Most popular security method
• Rules can and do become very complex
• Not only method, however
• Large networks have
• Many different administrators
• Diverse software
• Security of large networks requires
• Centralized control
• Uniform software
• No unified method of verifying security policy
  implementation
• For example, The University of Notre Dame network

5
Rules for the Solution

• Few Requirements
• Network-connectivity independent
• Mostly system-setup independent
• Cannot require root access
• Independent of firewall implementations
• Flexible Testing
• Out-of-order data collection (some support)
• Non-uniform distribution of testing nodes
• Define a testable security policy language

6
Analysis Approaches

• Static Vulnerability Analysis
• Splint
• Threat Modeling
• Regression Testing

7
Static Vulnerability Analysis

• The Good
• Avoids logical ambiguity
• Avoids common loopholes and mistakes
• Easy to understand

• The Bad
• Requires detailed knowledge of the implementation
• Implementation-specific
• Does not address system interactions

8
Threat Modeling

• The Good
• Models entire system
• Views system as an attacker would
• Determines vulnerability surface

• The Bad
• Requires full knowledge of all system details

9
Regression Testing

• The Good
• Does not need implementation-specific details
• Easy to understand

• The Bad
• Effectiveness is tied to the completeness of the
  policy
• Can miss some vulnerabilities

10
Data Collection Framework

• Hierarchical organization
• Handles complex networks
• Allows asynchronous operation
• Wizard
• Big picture management, handles policy testing
  setup
• Manager
• Organization, Coordination, Retrieval
• Prober
• Low-level testing, yes/no answers

11
Managers Probers

• Good Features
• Subordinate Managers
• Commands can be any length
• Key Features
• Hierarchical Naming
• Maildir-like communication

12
Hierarchical Naming

• Names contain routing information
• Names are given or assigned
• Network must be laid out intelligently
• No auto-discovery
• Manually connectable
• Must be a root to the tree (base)
• Three kinds of sub-names
• base.m1.m1.p2.t1.t
• Example, slide 17, 12

13
Maildir-like Algorithm

• Benefits
• No locks NFS safe
• No partial-files
• No new communication server to secure
• Two-step file creation
• Create in tmp, then move to new
• Need unique new name
• Use pid and random
• Could use more (inode, for example)
• Waiting For Results Requires Polling

14
Given a complex network
Administrators Console
Firewall
Firewall
Prober Manager
Prober Manager
Firewall
Prober
Prober
Prober
Prober
Prober
Prober
Prober Manager
Prober
Prober
15
Handled Nicely
Administrators Console
Firewall
Firewall
Prober Manager
Prober Manager
Firewall
Prober Manager
Prober
Prober
Prober
Prober
Prober
Prober
Prober
Prober
16
Or, More Realistically
192.168.0.131
192.168.0.131
192.168.0.131
24.11.249.68
internet
129.74.152.6
129.74.152.2
129.74.155.226
172.16.0.16
172.16.0.17
17
... Which Can be Organized
192.168.0.130 Wizard Manager base
129.74.155.226 Manager - base.m1 Prober - base.p3
192.168.0.132 Prober base.p1
192.168.0.131 Prober base.p2
24.11.249.68 Prober base.p4
129.7.152.6 Manager - base.m1.m1 Prober -
base.m1.p1
129.74.152.2 Prober base.m1.p2
172.16.0.17 Prober base.m1.m1.p2
172.16.0.16 Prober base.m1.m1.p1
18
The Implementation

• Requirements
• ttcp installed in PATH
• Binary connection testing
• bash available, in PATH
• Written in bash
• SSH access, without password
• Security issue
• Impact can be reduced with careful administration
• Graphing with Graphviz

19
Raw Manager Capability

• Hosts, fully connected
• wopr.memoryhole.net
• iss.cse.nd.edu
• salinan.cse.nd.edu
• itisfast.cse.nd.edu
• Legend
• Black line confirmed connection
• Dotted line one side reported connection
• Red line one side reported, one side denied

20
The Wizard

• Interchangeable element
• Interprets policy language
• Generates and spawns tests
• At least three per assertion
• Otherwise 50 of all possible
• Interprets results of tests
• Must have control of base Manager

21
Example Policy

• network iss 172.16.0.0 255.255.0.0
• network nd 127.74.0.0 255.255.0.0
• network brk 192.168.0.0 255.255.0.0
• brk -gt nd
• brk -gt iss via 129.74.152.6
• nd -gt brk via 24.11.249.168
• nd -gt iss via 129.74.152.6
• iss -X nd
• iss -X brk

16
22
Conclusions

• Design is feasible
• Implementation works as expected
• Being generic is hard
• Future Work
• Investigate long-running continuous testing
• Policy language needs further flexibility
• Speed of testing

23

• Any Questions?