Firewall Configuration Errors Revisited



Similar documents
Trends in Firewall Configuration Errors

Firewall Rulebase Analysis Tool

Firewall Configura/on Errors Revisited

Access Control Lists: Overview and Guidelines

Click on Start Control Panel Windows Firewall. This will open the main Windows Firewall configuration window.

REDSEAL NETWORKS SOLUTION BRIEF. Proactive Network Intelligence Solutions For PCI DSS Compliance

ASA/PIX: Load balancing between two ISP - options

Avishai Wool, Ph.D. AlgoSec CTO & Co-Founder. AlgoSec Inc. 1

Firewall implementation and testing

Successful IP Video Conferencing White Paper

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

Information Technology Center of Kabul(ITCK) Kabul University Prepared by: Humaira Saifi

Volume SYSLOG JUNCTION. User s Guide. User s Guide

Network Configuration Manager

Lab Configure and Test Advanced Protocol Handling on the Cisco PIX Security Appliance

Hardening the Soft Middle: Securing your IT Infrastructure through Configuration Baselining

The Risks that Pen Tests don t Find. OWASP 13 April The OWASP Foundation

GFI White Paper PCI-DSS compliance and GFI Software products

Overview - Using ADAMS With a Firewall

SECURITY PATCH MANAGEMENT INSTALLATION POLICY AND PROCEDURES

Overview - Using ADAMS With a Firewall

Integrated SSL Scanning

SECURITY ADVISORY FROM PATTON ELECTRONICS

This Technical Support Note shows the different options available in the Firewall menu of the ADTRAN OS Web GUI.

Why Leaks Matter. Leak Detection and Mitigation as a Critical Element of Network Assurance. A publication of Lumeta Corporation

How To Protect Data From Attack On A Network From A Hacker (Cybersecurity)

The Firewall Audit Checklist Six Best Practices for Simplifying Firewall Compliance and Risk Mitigation

Lab Configure IOS Firewall IDS

IT Assessment Procedures for Maxistar Medical Supplies Company. IT Assessment Procedures for Maxistar Medical Supplies Company

Packet Filtering using the ADTRAN OS firewall has two fundamental parts:

WatchGuard Technologies, Inc. 505 Fifth Avenue South Suite 500, Seattle, WA

A Decision Maker s Guide to Securing an IT Infrastructure

Creating a VPN with overlapping subnets

Presentation_ID. 2001, Cisco Systems, Inc. All rights reserved.

IP Office - Job Aid Using a Dedicated T1/PRI PPP ISP Link

NETASQ & PCI DSS. Is NETASQ compatible with PCI DSS? NG Firewall version 9

Configuring Allied Telesyn Equipment to Counter Nimda Attacks

- Introduction to PIX/ASA Firewalls -

CONTENTS. PCI DSS Compliance Guide

Cisco PIX vs. Checkpoint Firewall

Best Practices for PCI DSS V3.0 Network Security Compliance

ACL Compliance Director FAQ

How Cisco IT Uses Firewalls to Protect Cisco Internet Access Locations

FIREWALL POLICY DOCUMENT

How To Manage Log Management

Firewall Design Principles Firewall Characteristics Types of Firewalls

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Core Protection Suite

March

CSE543 - Computer and Network Security Module: Firewalls

Security Policies Tekenen? Florian Buijs

CSC574 - Computer and Network Security Module: Firewalls

Monitoring Load-Balancing Services

Campus-wide Firewall Project. Anne Oribello, Brown University

Technical Note. ForeScout CounterACT: Virtual Firewall

Cisco IOS Advanced Firewall

Chapter 3 LAN Configuration

Overview. Firewall Security. Perimeter Security Devices. Routers

How To Protect Your Data From Being Stolen

WHITEPAPER. Achieving Network Payment Card Industry Data Security Standard (PCI DSS) Compliance with NetMRI

Using IPsec VPN to provide communication between offices

Firewalls P+S Linux Router & Firewall 2013

Introduction to Firewalls Open Source Security Tools for Information Technology Professionals

SecureTrack. Securing Network Segments and Optimizing Permissive Rules with the Automatic Policy Generator.

INTRODUCTION TO FIREWALL SECURITY

What Is Ad-Aware Update Server?

Network Defense Tools

INLINE INGUARD GUARDIAN

How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements

CIS 433/533 - Computer and Network Security Firewalls

Opus One PAGE 1 1 COMPARING INDUSTRY-LEADING ANTI-SPAM SERVICES RESULTS FROM TWELVE MONTHS OF TESTING INTRODUCTION TEST METHODOLOGY

Building Your Firewall Rulebase Lance Spitzner Last Modified: January 26, 2000

Table of Contents. Cisco Blocking Peer to Peer File Sharing Programs with the PIX Firewall

May Palo Alto Networks 232 E. Java Drive Sunnyvale, CA

1.3 Prohibit Direct Public Access - Prohibit direct public access between the Internet and any system component in the cardholder data environment.

CSE331: Introduction to Networks and Security. Lecture 12 Fall 2006

Firewall Audit Techniques. K.S.Narayanan HCL Technologies Limited

HP EVA to 3PAR Online Import for EVA-to-3PAR StoreServ Migration

Where can I install GFI EventsManager on my network?

RBackup Server Installation and Setup Instructions and Worksheet. Read and comply with Installation Prerequisites (In this document)

Cyber Security RFP Template

How to Painlessly Audit Your Firewalls

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

Using Tofino to control the spread of Stuxnet Malware

MONITORING AND VULNERABILITY MANAGEMENT PCI COMPLIANCE JUNE 2014

NATed Network Testing IxChariot

CS Computer and Network Security: Firewalls

Understanding Security Testing

Firewall Evolution - Deep Packet Inspection by Ido Dubrawsky last updated July 29, 2003

Transcription:

Firewall Configuration Errors Revisited Avishai Wool CTO & Co-Founder, AlgoSec and Prof., Tel Aviv University AlgoSec Inc. 1 Agenda Introduction Data sources and procedures Configuration errors Highlights of 2004 study Results and discussion AlgoSec Inc. 2

Firewalls seem to be badly configured: 45% of companies worldwide suffered attacks from viruses and worms in the last 12 months (this is a made up statistic, true in every year ) A properly configured firewall could easily block attacks such as: Sasser worm: attacked port 445 (Netbios) Saphire SQL worm: attacked port 1431 Blaster worm: attacked ports 135/137 (Netbios) Firewall configs are deemed sensitive why? Admins know they have holes Security by obscurity? AlgoSec Inc. 3 Can we quantify the problem? 1. Need firewall configuration data Not available publicly 2. Need to understand the configurations Complex vendor-dependent configuration languages 3. What is an error? Subjective, organization-dependent AlgoSec Inc. 4

#1 : We have the data AlgoSec performed firewall analysis for hundreds of customers since 2000 Data is under non-disclosure agreements but we can publish statistics AlgoSec Inc. 5 #2 : We have the technology Firewall Analyzer software can parse configuration languages (Check Point, Cisco PIX, Cisco Router Access-lists) AlgoSec Inc. 6

#3 : What is an error? Idea: only count obvious errors Rely on best practices : SANS Top 20 CERT PCI DSS (Payment Card Industry) NIST 800-41 AlgoSec Inc. 7 Plan of action First study (2004): Check Point Firewall-1 configurations Select 12 severe errors Analyze available configurations Count number of errors Statistical analysis to identify causes and trends Current study: Both Check Point and Cisco PIX Larger - 2x number of configurations More in-depth: 36 severe errors, Check whether 2004 findings are still valid AlgoSec Inc. 8

Timeline of data collection Configuration files were collected between 2000-2005 Check Point Firewall-1 versions: 3.0, 4.0 end-of-life 4.1 was still supported NG released in 2001, minor versions FP3, R54, R55 Cisco PIX PIX versions 4.x, 5.x, 6.x, 7.0 AlgoSec Inc. 9 Highlights of the 2004 study AlgoSec Inc. 10

54% AlgoSec Inc. 11 Firewall-1 version helps On average, 2 risks less AlgoSec Inc. 12

Why did the version matter? Some risks are the result of Check Point implicit rules Changed default values in v4.1 New policy wizard to create a reasonable initial configuration AlgoSec Inc. 13 How to measure complexity Complexity = #Rules + #Network Objects + (#interfaces choose 2) 2 interfaces 1 data path 3 interfaces 3 data paths 4 interfaces 6 data paths, etc AlgoSec Inc. 14

Small is Beautiful AlgoSec Inc. 15 Current Results AlgoSec Inc. 16

Why should anything change? Regulation and Compliance: Sarbanes-Oxley Payment Card Industry (PCI DSS) NIST 800-41 Different vendors different issues? New software versions continue the trend? AlgoSec Inc. 17 Differences from 2004 report Both Check Point and PIX 2x configurations tested Newer software versions Vendor-neutral risk items 8 of 12 properties in 2004 study were specific to Check Point Pick a new set of 36 risk items Inbound / Outbound / Internal traffic AlgoSec Inc. 18

Firewalls still badly configured 42% AlgoSec Inc. 19 Version does not matter (Check Point) 30 25 Number of Risks 20 15 10 5 0 4.0 4.1 NG/NG FP3 NG R55 AlgoSec Inc. 20

Version does not matter (PIX) 30 25 Number of Risks 20 15 10 5 0 4.4 5.1-5.2 6.0-6.2 6.3-7.0 AlgoSec Inc. 21 Why? Vendor-neutral risks are controlled by basic filtering functionality Basic filtering controlled by explicit user-defined rules, rather than check boxes with vendor know-how (??) Neither vendor has changed the basic filtering capabilities in years (and it s unlikely that they will) AlgoSec Inc. 22

How to measure complexity of a PIX? Check Point: Single rule-base Separate object database Cisco PIX: Separate rule-base per interface No object database (almost) Old RC metric not very suitable for PIX! AlgoSec Inc. 23 Issues with old RC metric (even on Check Point) Not enough weight to #interfaces: #rules: 100s 1000s #objects 1000s #interfaces 2-20 dwarfed (even quadratically) Example: A firewall with 12 interfaces should be much more complex than with 3 RC contribution by interfaces is only 66 AlgoSec Inc. 24

A New Firewall Complexity Measure Idea: pretend to compile Check Point configuration into a PIX configuration Duplicate the rule-base, once per interface Add the object database once Count the resulting number of lines Compare with PIX config number of lines (minus some PIX boilerplate) Check Point: FC = (#rules * #interfaces) + #objects PIX: FC = #lines - 50 AlgoSec Inc. 25 Complexity distributions 8192 4096 2048 Firewall Complexity (FC) 1024 512 256 128 64 32 The range of complexity is comparable 16 Check Point Firewall-1 Cisco PIX AlgoSec Inc. 26

Small is Still Beautiful AlgoSec Inc. 27 Check Point vs PIX AlgoSec Inc. 28

Questions? E-mail: yash@eng.tau.ac.il avishai.wool@algosec.com http://www.algosec.com 2004 study: IEEE Computer, 37(6):62-67, 2004 AlgoSec Inc. 29

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information