Evaluating IPv6 Firewalls & Verifying Firewall Security Performance

Transcription

1 Next Generation IPv6 Network Security IPv6 Summit Bonn 30 th June 2004 Evaluating IPv6 Firewalls & Verifying Firewall Security Performance [ Vital questions to ask your firewall vendor ] Yvon Rouault Agilent Technologies [email protected]

2 Objectives Appreciation for the complexities of evaluating IPv6-capable network security devices (such as firewalls) and testing performance under realistic conditions. Realistic conditions = Real, stateful application traffic using the same mix of application protocols as encountered (or expected to be encountered) within the network for which the firewall is intended. Page 2

3 Agenda Alarming Trends! Market and Technology Future Directions The new breed of IPv6-capable session- and content-aware devices and their complexities Scenarios for testing IPv6-capable network security devices Firewall test plan and testbed considerations Conclusion: Setting up your test lab and test network Page 3

4 Reminder What do firewalls do? Protect private network from public network Block incoming connection attempts, except to offered services Thwart Denial of Service attacks and protect hosts from exploits Perform deep packet inspection, application awareness Allow outgoing connections Prevent attacks from within (Trojans and file/print sharing exploits) Block prohibited sites and applications Internet Positive Traffic Positive Traffic Enterprise Network HTTP FTP Negative Traffic prohibited Negative Traffic prohibited Attack Traffic DoS attacks Attack traffic Trojan attacks from inside Page 4

5 Alarming trends Denial of Service (DoS) attacks are rising 1/2 of UK businesses suffered a virus or DoS attack in 2003 (25% more than 2002) 1/3 of companies are at risk of DoS attacks Attacks are costly 3 Financial Institutions lost over $30M each DoS attacks cost the UK 54M in 2002, rising to 270M by 2005 DoS attacks were major factor in Cloud Nine ISP failure, 2002 Slammer worm disrupted bank ATM networks, 911 service, and crashed routers Firewalls? 150, ,000 50,000 98% use firewalls, but 56% reported unauthorized network access (FBI report) Witty Worm exploited ISS firewall vulnerability, destroying 1000s of hard drives 84% of firewalls required critical patches in the last year CERT Coordination Center reported incidents Page 5

6 Firewall performance: What do I measure? Connection set up time Application transfer time SYN SYN ACK ACK HTTP GET HTTP response TCP sessions Connection set up rate TCP sessions/sec Max concurrent sessions time Session rate Disconnection time FIN FIN ACK ACK Basic TCP processing rate, IPv4 only, IPv6 only, Mixed and tunneled v4/v6 combinations Concurrent TCP connections Application transfer rate and throughput (Mb/s) DoS attack vulnerability - ability to block or limit the impact of attacks, and performance while under attack with existing IPv4 attacks and any new IPv6 DoS attacks Performance impact of URL/content filters transfers/sec: HTTP, FTP time Application transfer rate time Functional tests prove that the device can forward IPv6 packets but does not tell how the device will act under stress! Allow IPv6 packet to pass, block IPv6 packets eg. ICMPv6 Block out of state TCPv6 sessions, establish TCPv6 session Filter L7 transaction over IPv6, server respond to requests Page 6

7 Testing IPv6 network security device performance Emulated clients Positive Traffic HTTP, FTP Negative Traffic unwanted FTP Positive Traffic HTTP, FTP Negative Traffic undesirable HTTP Emulated Servers FTP HTTP Attack Traffic DoS attacks Attack traffic DoS attacks from inside Combine HTTP, FTP, SMTP, POP3 etc. transactions (realistic conditions) Simulate positive traffic & measure performance Add negative & attack traffic. Does good traffic performance suffer? Scalability: How many sessions, clients, or servers can be supported with reasonable performance? How does device/network performance vary with combinations of IPv4 and IPv6? Performance over access protocols used for tunneling and security: DHCP, PPPoE, 802.1x and IPsec (especially IPsec encryption & authentication) Page 7

8 Limitations of layer 3-4 packet inspection (Why deep packet inspection at L7?) Applications like HTTP follow this simple session model Client Server TCP Port x TCP Port 80 time SYN SYN ACK ACK HTTP GET HTTP response TCP connection set up from client to server HTTP TCP IP 2-way application traffic on single TCP connection Layer 7 Layer 4 Layer 3 Some applications use server-initiated sessions and dynamic port allocation SPI is insufficient! Application-aware firewalls use deep packet inspection (layer 7) Page 8

9 Firewall Test Examples Application Transfers/sec Telnet RTSP DNS FTP actv FTP pasv HTTP 1.0 SMTP POP3 HTTP 1.1 Page 9

10 Firewall test plan design and tools (1) Client and server emulation of a broad range of protocols Application-aware firewalls must be tested with stateful application traffic Ability to mix protocols on a single port Measure the firewall s ability to cope with realistic, mixed traffic representative of network traffic a vendor s specifications won t reveal this Integrated access protocols (DHCP, IPsec, 802.1x, PPPoE) and VLAN support Realistic testing requires emulation of both network access and stateful traffic Flexibility to create any test scenario rapidly, without scripting Firewall test scenarios can be complex. Page 10

11 Firewall test plan design and tools (2) Layer 4-7 stateful application traffic. Full TCP emulation. Not a packet blaster. Firewalls implement real TCP and perform packet inspection requiring real traffic High performance and rapid configuration single application (versus wall of PCs ) Scalability The ability to scale the test up easily to reach the limits of the firewall Realism the ability to vary the test Randomize and cycle through parameters such as URLs and address ranges Change parameters while the test is running Page 11

12 Agilent L2-7 Testing at Moonv6 phase II (Mar 04) Agilent N2X Agilent N2X Internet2 Extreme Hitachi Agilent N2X Area Agilent N2X 6Wind Cisco Cisco Cisco Agilent N2X NEC Foundry NetworkTester Area Hitachi Procket Foundry NEC Agilent N2X Nokia Procket Fujitsu Cisco Extreme NetworkTester CheckPoint Netscreen NetworkTester Area I-BGP and OSPF OSPF OSPFv3 and BGP4+ functional and convergence testing [Agilent N2X] Simultaneous IPv4/IPv6 traffic generation, routing and analysis to verify dual-stack routers [Agilent N2X] Real-time, per stream throughput, latency and packet loss statistics to measure router performance [Agilent N2X] Firewall Testing security policy and packet filtering, stateful packet inspection, application traffic performance [NetworkTester] Page 12

13 Conclusion IPv6 adds new complexity to L4-7 security devices: IPv4 and IPv6 packets must be reassembled up to L7 so that the contents of packets can be examined; Almost everyone has a firewall, but not all firewalls are created equal - becoming increasingly more sophisticated and complex to characterize: Performance highly dependent on the traffic profiles and configuration If you enable all of the firewall capabilities, set up dozens of filter rules, your traffic uses many TCP and UDP sessions, and you are prone to DoS and Trojan attacks, then you can expect your firewall s performance to be substantially less than advertised You must test using your own configuration and expected traffic profiles, or those of your users. Consider network design questions based on performance limits of the new IPv6-capable firewalls? More devices to support the same level of traffic? It is business critical to understand and test the security of your IPv6 networks and the performance of your firewalls Page 13

14 Additional Information For more information about Agilent Testers : Moonv6 Phase II test report : Local Contact : Enrique Labarta Boeblingen, Germany tel [email protected] Page 14

15 Agilent NetworkTester Firewall performance test capabilities Broad range of protocol bricks Web, , news, file transfer/sharing, instant messaging, streaming Mix multiple protocols on a single port to create realistic and complex tests Client and server emulation - one system, one user interface Simulate millions of real users and services Powerful "Test Plan" design and management environment Set-up tests in minutes; no need for scripting! Scalability Scale the test up easily to reach the limits of the firewall Stateful traffic over integrated IPsec, PPPoE, DHCP and 802.1x Integrated access protocols for faster and easier test set-up Integrated VLAN support Rapidly test VLAN-capable devices and virtual firewalls Transaction Variability and Real-Time Control Randomize and cycle parameters such as address lists, and attach real files Dynamically change parameters while the test is running Page 15