There s nothing like a Firewall. Olivier Paul, GET/INT MONAM 07, Toulouse, France

Transcription

1 There s nothing like a Firewall Olivier Paul, GET/INT MONAM 07, Toulouse, France

2 How does this relate to risk? From wikipedia Risk = (probability of incident) * (Cost of incident) From risk evaluation techniques Mehari, Octave, probability of incident depends on: Existing Vulnerabilities. Mitigation Measures Effectiveness. Attackers Ability/Will. How to evaluate Mitigation Measures Effectiveness? Page 2

3 Alternatives Use marketing information. Use the documentation. Use certifications/labels/awards. Page 3

4 Threat Example Traffic injection Known for decades Morris, R.T A Weakness in the 4.2BSD UNI TCP/IP Software. Computing Science Technical Report No. 117, AT&T Bell Laboratories. Bellovin,S Security problems in the TCP/IP protocol suite. ACM Computer Communications Review. volume 19:2. CERT Vulnerability Note VU# (TCP). CERT Vulnerability Note VU# (ICMP) Cannot be fully mitigated without using crypto. Can be partially mitigated using stateful filters. Restricting which packets can enter a network depending on exiting communications parameters. Page 4

5 Marketing says: Cisco IOS 12.3(T) When you configure the Cisco IOS Firewall on your Cisco router, you turn your router into an effective, robust firewall. Linksys WRT54g The Router protects your PC from most known Internet attacks with a powerful Stateful Packet Inspection firewall. IPFilter, IPFW, PF, Netfilter. Not so much marketing found. Page 5

6 Comparison Scenario 1. Setting filtering policy on stateful filter. 2. Generating traffic from Initiator to Receiver. TCP ICMP S tate f u l F il te r Ins e rte r 3. Trying to insert traffic from Inserter. Varying amount of information matching original communication. Initiator R e c e iv e r Disclaimer: Studied parameters are not comprehensive. Other stateful filtering operations might help mitigate traffic injection. Page 6

7 Comparing stateful filtering TCP Name Cisco Reflexive Access Lists (v 12.3(14)T2) Cisco Context Based Access Control (v 12.3(14)T2) IPFilter (v 4.1.8) Lynksys WRT54g (v ) PF (FreeBSD 6.1) IPFW (FreeBSD 6.1) Netfilter (v 1.3.4) Conntrack (v 0.81) Proto. Addr. Ports Flags Seq. Num. Page 7

8 Comparing stateful filtering ICMP Name Cisco Reflexive Access Lists (v 12.3(14)T2) Cisco Context Based Access Control (v 12.3(14)T2) IPFilter (v 4.1.8) Lynksys WRT54g (v ) PF (FreeBSD 6.1) IPFW (FreeBSD 6.1) Netfilter (v 1.3.4) Conntrack (v 0.81) Proto. Addr. Code Seq. Num. Data Page 8

9 How do you evaluate mitigation effectiveness? Match marketing buzzwords to real operations What is stateful? Match operations with threats/vulnerabilities What kind of vulnerabilities does stateful mitigate? Determine level of mitigation How much does stateful mitigates VU#222750? Page 9

10 What about the documentation? From man ipfw : N o t e t h a t n o a d d i t i o n a l a t t r i b u t e s o t h e r t h a n p r o t o c o l a n d I P a d d r e s s e s a n d p o r t s a r e c h e c k e d o n d y n a m i c r u l e s. Not as expected. From IOS 12.3(T) Security Command Reference W i t h T C P a n d U D P i n s p e c t i o n, p a c k e t s e n t e r i n g t h e n e t w o r k m u s t e x a c t l y m a t c h a n e x i s t i n g s e s s i o n : t h e e n t e r i n g p a c k e t s m u s t h a v e t h e s a m e s o u r c e o r d e s t i n a t i o n a d d r e s s e s a n d s o u r c e o r d e s t i n a t i o n p o r t n u m b e r s a s t h e e x i t i n g p a c k e t ( b u t r e v e r s e d ). Not as expected. What vulnerability does that mitigate? Page 10

11 What about certification using Common Criteria PPs? U.S. Government Traffic-Filter Firewall Protection Profile For Medium Robustness Environments v 1.1, January FDP_IFF.1-NIAP-0417(1-2) Simple security attributes Stateful packet attributes: Connection-oriented protocols: sequence number; acknowledgement number; Flags: SYN; ACK; RST; FIN; Connectionless protocols: source and destination network identifiers; source and destination service identifiers; None of my filters is certified against a PP! Page 11

12 What about certification using Common Criteria PPs? Mapping Requirement to Security Objectives FDP_IFF.1-NIAP-0417(1-2) O.MEDIATE: The TOE must mediate the flow of information between sets of TOE network interfaces or between a network interface and the TOE itself in accordance with its security policy. Mapping Security Objectives to Threats O.MEDIATE T.ADDRESS_MASQUERADE: A user on one interface may masquerade as a user on another interface to circumvent the TOE policy. T.UNAUTHORIZED_ACCESS: A user may gain access to services (by sending data through the TOE) for which they are not authorized according to the TOE security policy. What vulnerability does that mitigate? Page 12

13 Conclusion Not all mitigation devices are alike. 1 marketing term = many levels of mitigation. That s ok as long as you only care about VU# But what about 20k other vulnerabilities? And filtering software changes every other month. Testing Costly (buy devices & software). Time consuming Setting up testbed, Learning filtering language, Running the test Alternatives? Page 13

14 Conclusion Documentation Often out of sync with true features. Does not tell you which threats/vulnerabilities are mitigated. Common Criteria Protection Profiles Lack of certified products (5/83 with PPs, 1 for 06 version). Time gap between Products, PPs and Certification. Loose mapping between threats mitigated and actual vulnerabilities. Page 14

15 What I d like A clear description of mitigated vulnerabilities. An estimate for the level of mitigation. VUL# None Weak Medium Strong Page 15

16 Couldn t I find such a thing with a Nessus like tester? Most vulnerability testers require open ports. From Using Nessus to scan hosts behind a firewall, Ron Gula, August 2006 : The firewall policy will dictate which ports you can scan and which you can't. Unfortunately, this requires that you know the policy of the firewall across all hosts to judge the impact to your scan. For stateful filtering evaluation you need cooperation between victim and testing device. Page 16

17 Comparing stateful filtering Cisco Reflexive Access Lists Since IOS TCP IP alice-em > : P : (48) ack win IP > alice-em0.2222:. ack win IP alice-em > : : (20) ack win 512 IP alice-em > : : (20) ack win 512 ICMP IP alice-em0 > : ICMP echo reply, id 58114, seq 16, length 64 IP > alice-em0: ICMP echo request, id 58114, seq 17, length 64 IP alice-em0 > : ICMP echo reply, id 58114, seq 17, length 64 IP > alice-em0: ICMP echo reply, id 60162, seq 0, length 8 IP > alice-em0: ICMP echo reply, id 60162, seq 256, length 8 Page 17

18 Comparing stateful filtering Cisco Context Base Access Control Since IOS 11.2(P). TCP IP alice-em > : P : (48) ack win IP > alice-em0.2222:. ack win IP alice-em > : F : (20) ack win 512 IP alice-em > : F : (20) ack win 512 ICMP IP > alice-em0: ICMP echo request, id 27305, seq 19, length 64 IP alice-em0 > : ICMP echo reply, id 27305, seq 19, length 64 IP alice-em0 > : ICMP echo reply, id 28841, seq 6144, length 8 Page 18

19 Comparing stateful filtering Linksys WRT54G Version TCP IP alice-em > : P : (48) ack win IP > alice-em0.2222:. ack win IP alice-em > : : (20) ack win 512 IP alice-em > : : (20) ack win 512 IP alice-em > : S : (20) win 512 IP alice-em > : S : (20) win 512 Page 19

20 Comparing stateful filtering IPFW (here with FreeBSD 6.1) TCP IP alice-em > : P : (48) ack win IP > alice-em0.2222:. ack win IP alice-em > : S : (20) ack win 512 IP alice-em > : E : (20) win 512 Page 20