Firewall Rule Modelling and Review
Marc Ruef, www.scip.ch
SwiNOG 24, 10 May 2012, Berne, Switzerland

Agenda | Firewall Rule Modelling and Review

1. Intro
   ◦ Introduction (2 min)
   ◦ Who am I? (2 min)
   ◦ What is the Goal? (2 min)
2. Firewall Rule Modelling and Review
   ◦ Extraction (4 min)
   ◦ Parsing (4 min)
   ◦ Dissection (4 min)
   ◦ Review (10 min)
   ◦ Additional Settings (10 min)
   ◦ Routing Criticality (7 min)
   ◦ Statistical Analysis (5 min)
3. Outro
   ◦ Summary (2 min)
   ◦ Questions (5 min)

Introduction | Who am I?

Name: Marc Ruef
Job: Co-Owner / CTO, scip AG, Zürich
Private Website: http://www.computec.ch
Last Book: „The Art of Penetration Testing“ (Translation), Computer & Literatur Böblingen, ISBN 3-936546-49-5

Introduction | What is our Goal?

◦ A Firewall Rule Review shall determine
  ◦ Insecure rules
  ◦ Wrong rules
  ◦ Inefficient rules
  ◦ Obsolete rules
◦ I will show
  ◦ Approaches
  ◦ Our methodology
  ◦ Possibilities

Introduction | Approach

◦ Extract firewall rules
◦ Parse firewall rule sets
◦ Dissect
  ◦ Objects
  ◦ Services
  ◦ Actions
  ◦ Relations
◦ Determine settings
◦ Identify weaknesses

Introduction | Files vs. Screenshots

◦ We prefer exported files
  ◦ Faster
  ◦ More reliable
  ◦ No GUI abstraction layer (better insight)
◦ Still, screenshots might support the analysis
  ◦ Easier walkthrough («quickview»)
  ◦ Visual enhancement of documentation
  ◦ Verification of parsing (cross-check)
  ◦ Last hope (no export feature, quirky file format, ...)

Extraction | Get the Firewall Rulesets

◦ iptables
  ◦ Backup: /usr/sbin/iptables-save
◦ Astaro
  ◦ Export: /usr/local/bin/backup.plx
  ◦ iptables: /usr/sbin/iptables-save
  ◦ Backup: Webadmin / Management / Backup/Restore
◦ Checkpoint Firewall-1
  ◦ Copy: All files in %FWDIR%/conf/ (objects_5.C, rulebase.fws, *.W)
  ◦ Export: cpdb2html/cpdb2web
◦ Cisco IOS/PIX/ASA
  ◦ Backup: show mem, show conf
◦ Citrix Netscaler
  ◦ Backup: Copy file /nsconfig/ns.conf (via SCP)
◦ Juniper
  ◦ Backup: Admin / Update / Config / Copy&Paste
  ◦ Backup: request system configuration rescue save (via FTP)
◦ McAfee Web Gateway
  ◦ Backup: Configuration / File Management / Configuration Data / Download Configuration Backup
◦ ...

Parsing | Handle Ruleset Structure

◦ Apache Directives
  ◦ Apache Reverse Proxies
  ◦ USP Secure Entry Server (Apache-based)
◦ Arrays
  ◦ Astaro (backup.plx) (alternative is with iptables)
  ◦ Checkpoint (files) (.C, .fws, .W)
  ◦ Fortigate
◦ Command-line
  ◦ iptables
  ◦ Cisco IOS/PIX/ASA
  ◦ Citrix Netscaler
◦ INI Files
  ◦ McAfee Web Gateway
  ◦ SonicWALL (base64 encapsulated in XML?!)
◦ XML Files
  ◦ Airlock
  ◦ Clearswift MIMEsweeper
  ◦ Totemo TrustMail (base64 encoded string)
◦ ...

Parsing | Access Firewall Rule Attributes (Cisco ASA Example)

(figure only)

Parsing | Access Firewall Rule Attributes (Firewall-1 Example)

(figure only)

Dissection | Access Rule Attributes

◦ A packet filter rule consists of at least:
  ◦ Source Host/Net [10.0/8]
  ◦ Source Port [>1023]
  ◦ Destination Host/Net [192.168.0.10/32]
  ◦ Destination Port [80]
  ◦ Protocol [TCP]
  ◦ Action [ALLOW]
◦ Additional rule attributes might be:
  ◦ ID [42]
  ◦ Active [enabled]
  ◦ Timeframe [01/01/2012 – 12/31/2012]
  ◦ User [testuser2012]
  ◦ Logging [disabled]
  ◦ Priority (QoS) [bandwidth percent 30]
  ◦ ...

Dissection | Example Table

Src Host   Src Port   Dst Host          Dst Port    Protocol   Action
*          >1023      192.168.0.10/32   80 (http)   TCP        ALLOW
10.0/8     >1023      *                 80 (http)   TCP        ALLOW
...

Review | Weaknesses Checklist (1/2)

◦ Insecure Rules
  ◦ ANY rules
  ◦ Bi-directional rules
  ◦ Broad definition of zones or port ranges
  ◦ Mash-up of objects
  ◦ Insecure service used (e.g. telnet, ftp, snmp)
  ◦ Overlapping objects
  ◦ Nested objects
◦ Allow Rules
  ◦ Blacklisted traffic (false-negatives)
  ◦ DROP-ALL rule missing

Review | Weaknesses Checklist (2/2)

◦ Obsolete Rules
  ◦ Inactive objects
  ◦ Temporary rules
  ◦ Test rules
  ◦ Obsolete rules
◦ Documentation Missing
  ◦ No comment/description
  ◦ Whitelisted traffic (reasoning missing)
  ◦ Logging not enabled
◦ Lockdown Missing
  ◦ Lockdown rules missing
  ◦ Stealth rules missing
  ◦ DENY instead of DROP

Review | Example Report Table (Findings)

Src Host          Src Port                  Dst Host          Dst Port                  Protocol          Action
*                 >1023                     192.168.0.10/32   80                        TCP               ALLOW
*                 * [ANY Rule]              192.168.0.10/32   23 [Insecure]             TCP               ALLOW
10.0/8            >1023                     *                 80                        TCP               ALLOW
192.168.0.10/24   1024-50000 [Inadequate]   10.0/8            22, 902, 8443 [Mash-Up]   TCP               ALLOW
* [ANY Rule]      * [ANY Rule]              192.168.0.10/24   3389                      TCP               ALLOW
10.0/8            0                         * [ANY Rule]      0, 8                      ICMP [Insecure]   ALLOW
...
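The dissection and review steps run over the findings table above, as an added Python example that is not part of the slides or the presenter's tooling. The ruleset is the table transcribed into a constructed six-column line format, and the checklist thresholds are assumptions: any "*" attribute counts as an ANY rule (so the first row's source host is flagged too), an explicit source-port range is inadequate where >1023 is expected, several destination ports in one rule are a mash-up, and allowed ICMP is flagged as insecure as in the table.

```python
from collections import namedtuple

# Constructed input: the findings table from the slides, one rule per line with
# the six minimum attributes (src host, src port, dst host, dst port, proto, action).
RULESET = """\
* >1023 192.168.0.10/32 80 TCP ALLOW
* * 192.168.0.10/32 23 TCP ALLOW
10.0/8 >1023 * 80 TCP ALLOW
192.168.0.10/24 1024-50000 10.0/8 22,902,8443 TCP ALLOW
* * 192.168.0.10/24 3389 TCP ALLOW
10.0/8 0 * 0,8 ICMP ALLOW
"""
# Checklist item "insecure service used (e.g. telnet, ftp, snmp)"
INSECURE = {("TCP", 21): "ftp", ("TCP", 23): "telnet", ("UDP", 161): "snmp"}
Rule = namedtuple("Rule", "src_host src_port dst_host dst_port proto action")


def parse_ruleset(text):
    """Dissection step: split each line into the six rule attributes."""
    return [Rule(*line.split()) for line in text.splitlines() if line.strip()]


def review_rule(r):
    """Review step: apply the weakness checklist to one rule, return its findings."""
    findings = []
    for attr in ("src_host", "src_port", "dst_host"):
        if getattr(r, attr) == "*":
            findings.append(f"ANY Rule ({attr})")
    if "-" in r.src_port:  # explicit range where the ephemeral >1023 is expected
        findings.append("Inadequate (src_port)")
    ports = r.dst_port.split(",")
    if len(ports) > 1 and r.proto != "ICMP":  # several services in one rule
        findings.append("Mash-Up (dst_port)")
    if r.proto == "ICMP":  # the slides mark allowed ICMP echo as insecure
        findings.append("Insecure (ICMP allowed)")
    for p in ports:
        if p.isdigit() and (r.proto, int(p)) in INSECURE:
            findings.append(f"Insecure ({INSECURE[(r.proto, int(p))]})")
    return findings


def review_ruleset(text):
    """One findings list per rule, plus the ruleset-level DROP-ALL check."""
    rules = parse_ruleset(text)
    report = [review_rule(r) for r in rules]
    last = rules[-1]
    if not (last.action == "DROP" and last.src_host == last.dst_host == "*"):
        report.append(["DROP-ALL rule missing"])
    return report
```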

Review | Example Report Table (Measures)

Src Host          Src Port               Dst Host               Dst Port                     Protocol                 Action
*                 >1023                  192.168.0.10/32        80                           TCP                      ALLOW
*                 * → >1023              192.168.0.10/32        23 → 22                      TCP                      ALLOW
10.0/8            >1023                  *                      80                           TCP                      ALLOW
192.168.0.10/24   1024-50000 → >1023     10.0/8                 22, 902, 8443 → 22|902|...   TCP                      ALLOW
* → x.x.x.110     * → >1023              192.168.0.10/24        3389                         TCP                      ALLOW
10.0/8            0                      * → 192.168.0.10/24    0, 8                         ICMP → «Risk Accepted»   ALLOW
...

Review | Automated Analysis (Video)

(video slide)

Additional Settings | Global Settings

◦ Some FWs, especially proxies, introduce additional (global) settings, which might affect the rules. Example McAfee Web Gateway:
  ◦ Antivirus
    ◦ Enabled [1=enabled]
    ◦ HeuristicWWScan [0=disabled]
    ◦ AutoUpdate
  ◦ Caching
    ◦ Enabled [1=enabled]
    ◦ CacheSize [536870912]
    ◦ MaxObjectSize [8192]
  ◦ HTTP Proxy Settings
    ◦ Enabled [1=enabled]
    ◦ AddViaHeader
    ◦ ClientIpHeader ['X-Forwarded-For']
  ◦ ...

Additional Settings | Example Report Table

ID     Setting               Value                               Recommend                            Risk
...
1427   CheckFileSignatures   0                                   1 (=enabled)                         Medium
1428   ChecksumMismatchWeb   'Replace and Quarantine'                                                 Passed
1429   EmbdJavaAppletWeb     'Allow'                             'Block'                              Medium
1430   ExpiredContentWeb     'Block'                                                                  Passed
1431   JavaScriptWeb         'Allow'                             'Block'                              Low
1432   MacroWeb              'Replace document and Quarantine'   'Block Document' (strict approach)   Passed
1433   UnsignedEXEWeb        'Allow'                             'Block'                              High
...

Routing Criticality | CVSSv2 Overview

(figure only)

Routing Criticality | Weight Indexing (Example)

Description                               Source     Destination   Port     AV   AC   Au   CI   II   AI   Score
External Web to Web Server                Internet   DMZ           t 80     N    L    N    N    C    C    9.4
External Web for Internal Clients (in)    LAN        Internet      t 80     N    M    N    C    C    C    9.3
External Web to Customer Site             Internet   DMZ           t 443    N    L    S    C    C    C    9.0
External Mail to Public Mail Server       Internet   DMZ           t 110    N    M    S    C    C    C    8.5
External Remote Access to Servers         Internet   DMZ           t 22     N    M    S    C    C    C    8.5
Internal Access to DNS Servers            LAN        DMZ           u 53     L    L    N    C    C    C    7.2
Intranet Access for Internal Clients      LAN        DMZ           t 80     L    L    N    P    C    C    6.8
External Web for Internal Clients (out)   LAN        Internet      t 80     L    L    S    C    C    C    6.8
Internal Remote Access to Servers         LAN        DMZ           t 3389   L    M    S    P    C    P    5.5
Internal ICMP Echo for Servers            DMZ        Internet      i 0, 8   L    M    S    P    P    C    5.5

Statistical Analysis | Findings per Project (Last 11 Projects)

(chart only)

Statistical Analysis | Top Findings (Median, Last 11 Projects)

(chart only)

Statistical Analysis | Reasons for Risks

◦ There are several possible reasons why FWs are not configured in the most secure way:
  ◦ Mistakes (wrong click, wrong copy&paste, …)
  ◦ Forgotten/Laziness (“I will improve that later…”)
  ◦ Misinformation (vendor suggests ports 10000-50000)
  ◦ Misunderstanding (technical, conceptual)
  ◦ Unknown features (hidden settings)
  ◦ Technical failure (e.g. broken backup import)

Outro | Summary

◦ Firewall Rule Reviews help to determine weaknesses in firewall rulesets.
◦ The extraction, parsing and dissection of a ruleset make the analysis possible.
◦ Common weaknesses are broad definition of objects, overlapping rules and unsafe protocols.

Outro | Literature

◦ Firewall Rule Parsing am Beispiel von SonicWALL (Firewall Rule Parsing Using the Example of SonicWALL), http://www.scip.ch/?labs.20110113
◦ Common Vulnerability Scoring System und seine Probleme (The Common Vulnerability Scoring System and Its Problems), http://www.scip.ch/?labs.20101209

These slides and additional details will be published at http://www.scip.ch/?labs

Outro | Questions

?

Security is our Business!

scip AG
Badenerstrasse 551
CH-8048 Zürich

Tel: +41 44 404 13 13
Fax: +41 44 404 13 14
Mail: info@scip.ch
Web: http://www.scip.ch
Twitter: http://twitter.com/scipag

Strategy | Consulting | Auditing | Testing | Forensics | Analysis