Semantics-Preserving Simplification of Real-World Firewall Rule Sets



Similar documents
20% more formulas. Verified Firewall Ruleset Verification. Now with. with Isabelle/HOL. Cornelius Diekmann

Semantics-Preserving Simplification of Real-World Firewall Rule Sets

Main functions of Linux Netfilter

+ iptables. packet filtering && firewall

Packet filtering with Linux

Deterministic Discrete Modeling

Firewall. IPTables and its use in a realistic scenario. José Bateira ei10133 Pedro Cunha ei05064 Pedro Grilo ei09137 FEUP MIEIC SSIN

CIT 480: Securing Computer Systems. Firewalls

Linux Routers and Community Networks

Linux: 20 Iptables Examples For New SysAdmins

How To Set Up An Ip Firewall On Linux With Iptables (For Ubuntu) And Iptable (For Windows)

Firewalls (IPTABLES)

Firewalls. Chien-Chung Shen

Track 2 Workshop PacNOG 7 American Samoa. Firewalling and NAT

Firewalls with IPTables. Jason Healy, Director of Networks and Systems

Lab Objectives & Turn In

How to Secure RHEL 6.2 Part 2

Network Security Management

Firewall Examples. Using a firewall to control traffic in networks

Linux Networking: IP Packet Filter Firewalling

Certifying Spoofing-Protection of Firewalls

Firewalls. Firewall types. Packet filter. Proxy server. linux, iptables-based Windows XP s built-in router device built-ins single TCP conversation

TECHNICAL NOTES. Security Firewall IP Tables

Linux firewall. Need of firewall Single connection between network Allows restricted traffic between networks Denies un authorized users

Architecture. Dual homed box Internet /8

Intro to Linux Kernel Firewall

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik

Assignment 3 Firewalls

Firewall Tutorial. KAIST Dept. of EECS NC Lab.

1:1 NAT in ZeroShell. Requirements. Overview. Network Setup

Netfilter. GNU/Linux Kernel version 2.4+ Setting up firewall to allow NIS and NFS traffic. January 2008

How To Set Up A Network Map In Linux On A Ubuntu 2.5 (Amd64) On A Raspberry Mobi) On An Ubuntu (Amd66) On Ubuntu 4.5 On A Windows Box

Firewalls. October 23, 2015

How to protect your home/office network?

CIT 480: Securing Computer Systems. Firewalls

IP Address: the per-network unique identifier used to find you on a network

Optimisacion del ancho de banda (Introduccion al Firewall de Linux)

ipchains and iptables for Firewalling and Routing

How to Turn a Unix Computer into a Router and Firewall Using IPTables

Linux Firewalls (Ubuntu IPTables) II

Chapter 7. Firewalls

Linux Firewall Wizardry. By Nemus

Network Security Informik Version

Linux Firewall. Linux workshop #2.

Packet Filtering Firewall

Innominate mguard Version 6

Network Security Exercise 10 How to build a wall of fire

IP Filter/Firewall Setup

OpenBSD in the wild...a personal journey

Network security Exercise 9 How to build a wall of fire Linux Netfilter

How To Understand A Firewall

Manuale Turtle Firewall

Project 2: Firewall Design (Phase I)

CS Computer and Network Security: Firewalls

About this talk: Keywords. Network Security Policy Stateful Firewalls Isabelle/HOL

Inferring Higher Level Policies from Firewall Rules

Linux Networking Basics

Network Security CS 192

Case Study 2 SPR500 Fall 2009

From Network Security To Content Filtering

What is Firewall Builder

Netfilter / IPtables

CS Computer and Network Security: Firewalls

FIREWALL AND NAT Lecture 7a

Firewalls P+S Linux Router & Firewall 2013

Firewalls. Pehr Söderman KTH-CSC

A Tool for Automated iptables Firewall Analysis

CSE/ISE 311: Systems Administra5on Network Firewalls

Worksheet 9. Linux as a router, packet filtering, traffic shaping

Host Discovery with nmap

Firewall implementation and testing

Guardian Digital WebTool Firewall HOWTO. by Pete O Hara

Building a Home Gateway/Firewall with Linux (aka Firewalling and NAT with iptables )

Advanced routing scenarios POLICY BASED ROUTING: CONCEPTS AND LINUX IMPLEMENTATION

AN INTRODUCTION TO LINUX POLICY ROUTING. Tom Eastep SeaGL Seattle, Washington

ΕΠΛ 674: Εργαστήριο 5 Firewalls

CSE331: Introduction to Networks and Security. Lecture 12 Fall 2006

Lecture 18: Packet Filtering Firewalls (Linux) Lecture Notes on Computer and Network Security. by Avi Kak

Stateful Firewalls. Hank and Foo

Configure a Microsoft Windows Workstation Internal IP Stateful Firewall

CSC574 - Computer and Network Security Module: Firewalls

Firewall Testing. Cameron Kerr Telecommunications Programme University of Otago. May 16, 2005

Cisco Configuring Commonly Used IP ACLs

Install and configure a Debian based UniFi controller

Development of an Educational Data Acquisition System to Profile Cyber Attacks

Demonstrating topos: Theorem-Prover-Based Synthesis of Secure Network Configurations

Lecture 18: Packet Filtering Firewalls (Linux) Lecture Notes on Computer and Network Security. by Avi Kak

ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science

netkit lab load balancer web switch 1.1 Giuseppe Di Battista, Massimo Rimondini Version Author(s)

Load Balancing SIP Quick Reference Guide v1.3.1

Firewalls 1 / 43. Firewalls

Load Balancing Smoothwall Secure Web Gateway

What is a Firewall? A choke point of control and monitoring Interconnects networks with differing trust Imposes restrictions on network services

CIS 433/533 - Computer and Network Security Firewalls

Rapid Access Cloud: Se1ng up a Proxy Host

Linux Administrator (Advance)

CSE543 - Computer and Network Security Module: Firewalls

Introduction TELE 301. Routers. Firewalls

Network Security. Routing and Firewalls. Radboud University Nijmegen, The Netherlands. Autumn 2014

Internet Firewall CSIS Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS net15 1. Routers can implement packet filtering

Transcription:

Semantics-Preserving Simplification of Real-World Firewall Rule Sets Formal Methods 2015 Cornelius Diekmann * Lars Hupel Georg Carle * * Chair for Network Architectures and Services Chair for Logic and Verification Munich, Germany With contributions by Lars Noschinski, Julius Michaelis *, Andreas Korsten *, Manuel Eberl, Lukas Schwaighofer *, and Fabian Immler. FM15, Semantics-Preserving Simplification of Real-World Firewall Rule Sets 1

Introduction to Firewalls Chain INPUT (policy ACCEPT) DOS_PROTECT all 0.0.0.0/0 0.0.0.0/0 ACCEPT all 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED DROP tcp 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 DROP tcp 0.0.0.0/0 0.0.0.0/0 multiport dports 21,873,5005,... DROP udp 0.0.0.0/0 0.0.0.0/0 multiport dports 123,111,2049,... ACCEPT all 192.168.0.0/16 0.0.0.0/0 DROP all 0.0.0.0/0 0.0.0.0/0 Chain DOS_PROTECT (1 references) RETURN icmp 0.0.0.0/0 0.0.0.0/0 icmptype 8 limit: avg 1/sec... DROP icmp 0.0.0.0/0 0.0.0.0/0 icmptype 8 RETURN tcp 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04 limit:... DROP tcp 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04... FM15, Semantics-Preserving Simplification of Real-World Firewall Rule Sets: Introduction to Firewalls 2

Introduction to Firewalls Chain INPUT (policy ACCEPT) DOS_PROTECT all 0.0.0.0/0 0.0.0.0/0 ACCEPT all 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED DROP tcp 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 DROP tcp 0.0.0.0/0 0.0.0.0/0 multiport dports 21,873,5005,... DROP udp 0.0.0.0/0 0.0.0.0/0 multiport dports 123,111,2049,... ACCEPT all 192.168.0.0/16 0.0.0.0/0 DROP all 0.0.0.0/0 0.0.0.0/0 Chain DOS_PROTECT (1 references) RETURN icmp 0.0.0.0/0 0.0.0.0/0 icmptype 8 limit: avg 1/sec... DROP icmp 0.0.0.0/0 0.0.0.0/0 icmptype 8 RETURN tcp 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04 limit:... DROP tcp 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04... FM15, Semantics-Preserving Simplification of Real-World Firewall Rule Sets: Introduction to Firewalls 2

Introduction to Firewalls Chain INPUT (policy ACCEPT) DOS_PROTECT all 0.0.0.0/0 0.0.0.0/0 ACCEPT all 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED DROP tcp 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 DROP tcp 0.0.0.0/0 0.0.0.0/0 multiport dports 21,873,5005,... DROP udp 0.0.0.0/0 0.0.0.0/0 multiport dports 123,111,2049,... ACCEPT all 192.168.0.0/16 0.0.0.0/0 DROP all 0.0.0.0/0 0.0.0.0/0 Chain DOS_PROTECT (1 references) RETURN icmp 0.0.0.0/0 0.0.0.0/0 icmptype 8 limit: avg 1/sec... DROP icmp 0.0.0.0/0 0.0.0.0/0 icmptype 8 RETURN tcp 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04 limit:... DROP tcp 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04... FM15, Semantics-Preserving Simplification of Real-World Firewall Rule Sets: Introduction to Firewalls 2

Introduction to Firewalls Chain INPUT (policy ACCEPT) DOS_PROTECT all 0.0.0.0/0 0.0.0.0/0 ACCEPT all 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED DROP tcp 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 DROP tcp 0.0.0.0/0 0.0.0.0/0 multiport dports 21,873,5005,... DROP udp 0.0.0.0/0 0.0.0.0/0 multiport dports 123,111,2049,... ACCEPT all 192.168.0.0/16 0.0.0.0/0 DROP all 0.0.0.0/0 0.0.0.0/0 Chain DOS_PROTECT (1 references) RETURN icmp 0.0.0.0/0 0.0.0.0/0 icmptype 8 limit: avg 1/sec... DROP icmp 0.0.0.0/0 0.0.0.0/0 icmptype 8 RETURN tcp 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04 limit:... DROP tcp 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04... FM15, Semantics-Preserving Simplification of Real-World Firewall Rule Sets: Introduction to Firewalls 2

Introduction to Firewalls Chain INPUT (policy ACCEPT) DOS_PROTECT all 0.0.0.0/0 0.0.0.0/0 ACCEPT all 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED DROP tcp 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 DROP tcp 0.0.0.0/0 0.0.0.0/0 multiport dports 21,873,5005,... DROP udp 0.0.0.0/0 0.0.0.0/0 multiport dports 123,111,2049,... ACCEPT all 192.168.0.0/16 0.0.0.0/0 DROP all 0.0.0.0/0 0.0.0.0/0 Chain DOS_PROTECT (1 references) RETURN icmp 0.0.0.0/0 0.0.0.0/0 icmptype 8 limit: avg 1/sec... DROP icmp 0.0.0.0/0 0.0.0.0/0 icmptype 8 RETURN tcp 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04 limit:... DROP tcp 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04... FM15, Semantics-Preserving Simplification of Real-World Firewall Rule Sets: Introduction to Firewalls 2

Introduction to Firewalls Chain INPUT (policy ACCEPT) DOS_PROTECT all 0.0.0.0/0 0.0.0.0/0 ACCEPT all 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED DROP tcp 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 DROP tcp 0.0.0.0/0 0.0.0.0/0 multiport dports 21,873,5005,... DROP udp 0.0.0.0/0 0.0.0.0/0 multiport dports 123,111,2049,... ACCEPT all 192.168.0.0/16 0.0.0.0/0 DROP all 0.0.0.0/0 0.0.0.0/0 Chain DOS_PROTECT (1 references) RETURN icmp 0.0.0.0/0 0.0.0.0/0 icmptype 8 limit: avg 1/sec... DROP icmp 0.0.0.0/0 0.0.0.0/0 icmptype 8 RETURN tcp 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04 limit:... DROP tcp 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04... FM15, Semantics-Preserving Simplification of Real-World Firewall Rule Sets: Introduction to Firewalls 2

Introduction to Firewalls Chain INPUT (policy ACCEPT) DOS_PROTECT all 0.0.0.0/0 0.0.0.0/0 ACCEPT all 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED DROP tcp 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 DROP tcp 0.0.0.0/0 0.0.0.0/0 multiport dports 21,873,5005,... DROP udp 0.0.0.0/0 0.0.0.0/0 multiport dports 123,111,2049,... ACCEPT all 192.168.0.0/16 0.0.0.0/0 DROP all 0.0.0.0/0 0.0.0.0/0 Chain DOS_PROTECT (1 references) RETURN icmp 0.0.0.0/0 0.0.0.0/0 icmptype 8 limit: avg 1/sec... DROP icmp 0.0.0.0/0 0.0.0.0/0 icmptype 8 RETURN tcp 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04 limit:... DROP tcp 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04... FM15, Semantics-Preserving Simplification of Real-World Firewall Rule Sets: Introduction to Firewalls 2

Introduction to Firewalls Chain INPUT (policy ACCEPT) DOS_PROTECT all 0.0.0.0/0 0.0.0.0/0 ACCEPT all 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED DROP tcp 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 DROP tcp 0.0.0.0/0 0.0.0.0/0 multiport dports 21,873,5005,... DROP udp 0.0.0.0/0 0.0.0.0/0 multiport dports 123,111,2049,... ACCEPT all 192.168.0.0/16 0.0.0.0/0 DROP all 0.0.0.0/0 0.0.0.0/0 Chain DOS_PROTECT (1 references) RETURN icmp 0.0.0.0/0 0.0.0.0/0 icmptype 8 limit: avg 1/sec... DROP icmp 0.0.0.0/0 0.0.0.0/0 icmptype 8 RETURN tcp 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04 limit:... DROP tcp 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04... FM15, Semantics-Preserving Simplification of Real-World Firewall Rule Sets: Introduction to Firewalls 2

Introduction to Firewalls Chain INPUT (policy ACCEPT) DOS_PROTECT all 0.0.0.0/0 0.0.0.0/0 ACCEPT all 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED DROP tcp 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 DROP tcp 0.0.0.0/0 0.0.0.0/0 multiport dports 21,873,5005,... DROP udp 0.0.0.0/0 0.0.0.0/0 multiport dports 123,111,2049,... ACCEPT all 192.168.0.0/16 0.0.0.0/0 DROP all 0.0.0.0/0 0.0.0.0/0 Chain DOS_PROTECT (1 references) RETURN icmp 0.0.0.0/0 0.0.0.0/0 icmptype 8 limit: avg 1/sec... DROP icmp 0.0.0.0/0 0.0.0.0/0 icmptype 8 RETURN tcp 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04 limit:... DROP tcp 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04... FM15, Semantics-Preserving Simplification of Real-World Firewall Rule Sets: Introduction to Firewalls 2

Introduction to Firewalls Chain INPUT (policy ACCEPT) DOS_PROTECT all 0.0.0.0/0 0.0.0.0/0 ACCEPT all 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED DROP tcp 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 DROP tcp 0.0.0.0/0 0.0.0.0/0 multiport dports 21,873,5005,... DROP udp 0.0.0.0/0 0.0.0.0/0 multiport dports 123,111,2049,... ACCEPT all 192.168.0.0/16 0.0.0.0/0 DROP all 0.0.0.0/0 0.0.0.0/0 Chain DOS_PROTECT (1 references) RETURN icmp 0.0.0.0/0 0.0.0.0/0 icmptype 8 limit: avg 1/sec... DROP icmp 0.0.0.0/0 0.0.0.0/0 icmptype 8 RETURN tcp 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04 limit:... DROP tcp 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04... FM15, Semantics-Preserving Simplification of Real-World Firewall Rule Sets: Introduction to Firewalls 2

Introduction to Firewalls Chain INPUT (policy ACCEPT) DOS_PROTECT all 0.0.0.0/0 0.0.0.0/0 ACCEPT all 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED DROP tcp 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 DROP tcp 0.0.0.0/0 0.0.0.0/0 multiport dports 21,873,5005,... DROP udp 0.0.0.0/0 0.0.0.0/0 multiport dports 123,111,2049,... ACCEPT all 192.168.0.0/16 0.0.0.0/0 DROP all 0.0.0.0/0 0.0.0.0/0 Chain DOS_PROTECT (1 references) RETURN icmp 0.0.0.0/0 0.0.0.0/0 icmptype 8 limit: avg 1/sec... DROP icmp 0.0.0.0/0 0.0.0.0/0 icmptype 8 RETURN tcp 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04 limit:... DROP tcp 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04... FM15, Semantics-Preserving Simplification of Real-World Firewall Rule Sets: Introduction to Firewalls 2

Introduction to Firewalls Chain INPUT (policy ACCEPT) DOS_PROTECT all 0.0.0.0/0 0.0.0.0/0 ACCEPT all 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED DROP tcp 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 DROP tcp 0.0.0.0/0 0.0.0.0/0 multiport dports 21,873,5005,... DROP udp 0.0.0.0/0 0.0.0.0/0 multiport dports 123,111,2049,... ACCEPT all 192.168.0.0/16 0.0.0.0/0 DROP all 0.0.0.0/0 0.0.0.0/0 Chain DOS_PROTECT (1 references) RETURN icmp 0.0.0.0/0 0.0.0.0/0 icmptype 8 limit: avg 1/sec... DROP icmp 0.0.0.0/0 0.0.0.0/0 icmptype 8 RETURN tcp 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04 limit:... DROP tcp 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04... FM15, Semantics-Preserving Simplification of Real-World Firewall Rule Sets: Introduction to Firewalls 2

Introduction to Firewalls Chain INPUT (policy ACCEPT) DOS_PROTECT all 0.0.0.0/0 0.0.0.0/0 ACCEPT all 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED DROP tcp 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 DROP tcp 0.0.0.0/0 0.0.0.0/0 multiport dports 21,873,5005,... DROP udp 0.0.0.0/0 0.0.0.0/0 multiport dports 123,111,2049,... ACCEPT all 192.168.0.0/16 0.0.0.0/0 DROP all 0.0.0.0/0 0.0.0.0/0 Chain DOS_PROTECT (1 references) RETURN icmp 0.0.0.0/0 0.0.0.0/0 icmptype 8 limit: avg 1/sec... DROP icmp 0.0.0.0/0 0.0.0.0/0 icmptype 8 RETURN tcp 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04 limit:... DROP tcp 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04... FM15, Semantics-Preserving Simplification of Real-World Firewall Rule Sets: Introduction to Firewalls 2

Introduction to Firewalls Chain INPUT (policy ACCEPT) DOS_PROTECT all 0.0.0.0/0 0.0.0.0/0 ACCEPT all 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED DROP tcp 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 DROP tcp 0.0.0.0/0 0.0.0.0/0 multiport dports 21,873,5005,... DROP udp 0.0.0.0/0 0.0.0.0/0 multiport dports 123,111,2049,... ACCEPT all 192.168.0.0/16 0.0.0.0/0 DROP all 0.0.0.0/0 0.0.0.0/0 Chain DOS_PROTECT (1 references) RETURN icmp 0.0.0.0/0 0.0.0.0/0 icmptype 8 limit: avg 1/sec... DROP icmp 0.0.0.0/0 0.0.0.0/0 icmptype 8 RETURN tcp 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04 limit:... DROP tcp 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04... FM15, Semantics-Preserving Simplification of Real-World Firewall Rule Sets: Introduction to Firewalls 2

Introduction to Firewalls Firewalls are usually managed manually FM15, Semantics-Preserving Simplification of Real-World Firewall Rule Sets: Introduction to Firewalls 3

Introduction to Firewalls Firewalls are usually managed manually... which is extremely error-prone FM15, Semantics-Preserving Simplification of Real-World Firewall Rule Sets: Introduction to Firewalls 3

Introduction to Firewalls Firewalls are usually managed manually... which is extremely error-prone There are tools to analyze rulesets and discover errors Margrave ITVal FIREMAN Firewall Builder Firewall Policy Advisor ConfigChecker... FM15, Semantics-Preserving Simplification of Real-World Firewall Rule Sets: Introduction to Firewalls 3

Example: IPSpace Partition Ruleset from the introduction... treats all packets equally... except for the last two rules FM15, Semantics-Preserving Simplification of Real-World Firewall Rule Sets: Introduction to Firewalls 4

Example: IPSpace Partition Ruleset from the introduction... treats all packets equally... except for the last two rules Expected output 192.168.0.0/16 is accepted Everything else is dropped ITVal output There is 1 class: The Universe FM15, Semantics-Preserving Simplification of Real-World Firewall Rule Sets: Introduction to Firewalls 4

Problems in Firewall Analysis Tools This talk is not about ITVal Many tools have similar problems 1 Complex Chain model Calling to and returning from user-defined chains May lead to errors in tools FM15, Semantics-Preserving Simplification of Real-World Firewall Rule Sets: Introduction to Firewalls 5

Problems in Firewall Analysis Tools This talk is not about ITVal Many tools have similar problems 2 Vast amount of primitive matches Check man iptables Now check man iptables-extensions Now check if you have custom extensions running Now think about future features Supporting everything is infeasible Certain features cannot be supported by some tool s algorithm FM15, Semantics-Preserving Simplification of Real-World Firewall Rule Sets: Introduction to Firewalls 5

Summary Problem Tools cannot understand complex real-word rulesets Our Solution Semantics-preserving simplification λ β A α FM15, Semantics-Preserving Simplification of Real-World Firewall Rule Sets: Introduction to Firewalls 6

Agenda 1 Semantics 2 Simplification 3 Evaluation FM15, Semantics-Preserving Simplification of Real-World Firewall Rule Sets: Agenda 7

Agenda 1 Semantics 2 Simplification 3 Evaluation FM15, Semantics-Preserving Simplification of Real-World Firewall Rule Sets: Semantics 8

Syntax Rule: ( mexpr, action ) Example: ( icmp icmptype 8 limit : avg1/sec..., Return ) Ruleset: rule list Firewall state:!, %,? Primitive matcher: γ Primitive Packet Bool FM15, Semantics-Preserving Simplification of Real-World Firewall Rule Sets: Semantics 9

Syntax Rule: ( mexpr, action ) Example: ( icmp icmptype 8 limit : avg1/sec..., Return ) Ruleset: rule list Firewall state:!, %,? Primitive matcher: γ Semantics: Primitive Packet Bool γ, p rs, s t FM15, Semantics-Preserving Simplification of Real-World Firewall Rule Sets: Semantics 9

Syntax Rule: ( mexpr, action ) Example: ( icmp icmptype 8 limit : avg1/sec..., Return ) Ruleset: rule list Firewall state:!, %,? Primitive matcher: γ Primitive Packet Bool Semantics: γ }{{} primitive matcher, p }{{} packet rs }{{} ruleset, s }{{} start state t }{{} final state FM15, Semantics-Preserving Simplification of Real-World Firewall Rule Sets: Semantics 9

Determinism If γ, p rs, s t and γ, p rs, s t then t = t FM15, Semantics-Preserving Simplification of Real-World Firewall Rule Sets: Semantics 10

Agenda 1 Semantics 2 Simplification 3 Evaluation FM15, Semantics-Preserving Simplification of Real-World Firewall Rule Sets: Simplification 11

Rewriting simple actions Remove Log actions Unfolding custom chains Eliminates Call/Return Linux kernel only accepts acyclic call graphs unfolding terminates FM15, Semantics-Preserving Simplification of Real-World Firewall Rule Sets: Simplification 12

Rewriting simple actions Unfolding custom chains Example Chain INPUT X a Chain X Return Accept b c Result [( a ( b) c, Accept )] FM15, Semantics-Preserving Simplification of Real-World Firewall Rule Sets: Simplification 13

Simplification Summary Actions left: Accept, Drop Semantics are preserved γ, p simplify rs, t t iff γ, p rs, t t FM15, Semantics-Preserving Simplification of Real-World Firewall Rule Sets: Simplification 14

Simplification Summary Actions left: Accept, Drop Semantics are preserved γ, p simplify rs, t t iff γ, p rs, t t Remaining problems 1 Unknown primitives matches 2 Complex nested match-expressions after unfolding unsupported by iptables FM15, Semantics-Preserving Simplification of Real-World Firewall Rule Sets: Simplification 14

Unknown primitives Lifting to ternary logic Kleene s 3-valued logic Primitive matcher may now return unknown Default decision strategy: in-doubt-allow or in-doubt-deny γ, p rs, s allow t γ, p rs, s deny t FM15, Semantics-Preserving Simplification of Real-World Firewall Rule Sets: Simplification 15

Unknown primitives Let m u be an unknown match. in-doubt-allow more permissive ruleset (m u, Accept) (True, Accept) (m u, Drop) (False, Drop) Example ( icmp icmptype 8 limit : avg1/sec..., Drop ) ( icmp icmptype 8 False, Drop ) FM15, Semantics-Preserving Simplification of Real-World Firewall Rule Sets: Simplification 16

Closure Property { p γ, p rs,? deny! } { p γ, p rs,?! } { p γ, p rs,? allow! } We continue with one of the approximations FM15, Semantics-Preserving Simplification of Real-World Firewall Rule Sets: Simplification 17

Normalization Impossible: # iptables (tcp udp) -j ACCEPT Impossible: # iptables (src ip tcp) -j ACCEPT FM15, Semantics-Preserving Simplification of Real-World Firewall Rule Sets: Simplification 18

Normalization Problem iptables supports only negation-normal form with the connective Solution normalize: rule rule list where all rules share the same action Example (exclude ip from accessing an HTTP server) [( src ip (tcp port 80), Accept )] [( src ip ( tcp port 80), Accept )] [( src ip tcp, Accept ), ( src ip port 80, Accept )] FM15, Semantics-Preserving Simplification of Real-World Firewall Rule Sets: Simplification 19

Agenda 1 Semantics 2 Simplification 3 Evaluation FM15, Semantics-Preserving Simplification of Real-World Firewall Rule Sets: Evaluation 20

Evaluation Ruleset 1 Shorewall firewall on a home router; 500 rules. Unfolding: firewall does not unconditionally drop packets from private IP ranges FM15, Semantics-Preserving Simplification of Real-World Firewall Rule Sets: Evaluation 21

Evaluation Ruleset 1 Shorewall firewall on a home router; 500 rules. Unfolding: firewall does not unconditionally drop packets from private IP ranges Ruleset 2 Small firewall script found online (networking.ringofsaturn.com) Most rules are dead; contrary to documented behavior Author probably confused: -I (insert at top) and -A (append at tail) FM15, Semantics-Preserving Simplification of Real-World Firewall Rule Sets: Evaluation 21

Evaluation Ruleset 1 Shorewall firewall on a home router; 500 rules. Unfolding: firewall does not unconditionally drop packets from private IP ranges Ruleset 2 Small firewall script found online (networking.ringofsaturn.com) Most rules are dead; contrary to documented behavior Author probably confused: -I (insert at top) and -A (append at tail) Ruleset 3 & 4 & 5 Main firewall of our lab Snapshot 2013: 2800 rules Firewall Builder: import errors ITVal: erroneous results After simplification: success Upper closure: 1000 rules Lower closure: 500 rules Snapshot 2014: 4000 rules Snapshot 2015: almost 5000 rules FM15, Semantics-Preserving Simplification of Real-World Firewall Rule Sets: Evaluation 21

Fakulta t fu r Informatik Technische Universita t Mu nchen Future Work FM15, Semantics-Preserving Simplification of Real-World Firewall Rule Sets: Future Work 22

Q & A FM15, Semantics-Preserving Simplification of Real-World Firewall Rule Sets: Q & A 23

Backup Slides FM15, Semantics-Preserving Simplification of Real-World Firewall Rule Sets: Backup Slides 24

Specifying Primitive Matchers in Ternary Logic Very easy: Specify what you know/want, the rest in unknown FM15, Semantics-Preserving Simplification of Real-World Firewall Rule Sets: Backup Slides 23

Semantics (1) SKIP γ, p [], t t ACCEPT DROP REJECT match m p γ, p [(m, Accept)],?! match m p γ, p [(m, Drop)],? % match m p γ, p [(m, Reject)],? % NOMATCH match m p γ, p [(m, a)],?? DECISION t? FM15, Semantics-Preserving Simplification of Real-World Firewall Rule Sets: Backup Slides 24

Semantics (2) γ, p rs 1,? t γ, p rs2, t t SEQ γ, p rs 1 ::: rs 2,? t LOG EMPTY match m p γ, p [(m, Log)],?? match m p γ, p [(m, Empty)],?? FM15, Semantics-Preserving Simplification of Real-World Firewall Rule Sets: Backup Slides 25

Semantics (3) Background ruleset Γ : chain name rule list CALLRESULT match m p γ, p Γ c,? t γ, p [(m, Call c)],? t CALLRETURN match m p Γ c = rs 1 ::: (m, Return) :: rs 2 match m p γ, p rs 1,?? γ, p [(m, Call c)],?? FM15, Semantics-Preserving Simplification of Real-World Firewall Rule Sets: Backup Slides 26

Ruleset 3 (excerpt, 22 of 2800 rules displayed) 1 Chain FORWARD ( policy ACCEPT ) 2 target prot opt source destination 3 LOG_DROP all -- 127.0.0.0/8 0.0.0.0/0 4 ACCEPT tcp -- 131.159.14.206 0.0.0.0/0 multiport sports 389,636 5 ACCEPT tcp -- 131.159.14.208 0.0.0.0/0 multiport sports 389,636 6 ACCEPT udp -- 131.159.14.206 0.0.0.0/0 udp spt :88 7 ACCEPT udp -- 131.159.14.208 0.0.0.0/0 udp spt :88 8 ACCEPT tcp -- 131.159.14.192/27 0.0.0.0/0 tcp spt :3260 9 ACCEPT tcp -- 131.159.14.0/23 131.159.14.192/27 tcp dpt :3260 10 ACCEPT tcp -- 131.159.20.0/24 131.159.14.192/27 tcp dpt :3260 11 ACCEPT udp -- 131.159.15.252 0.0.0.0/0 12 ACCEPT udp -- 0.0.0.0/0 131.159.15.252 multiport dports 4569,5000:65535 13 ACCEPT all -- 131.159.15.247 0.0.0.0/0 14 ACCEPT all -- 0.0.0.0/0 131.159.15.247 15 ACCEPT all -- 131.159.15.248 0.0.0.0/0 16 ACCEPT all -- 0.0.0.0/0 131.159.15.248 17 tcp -- 0.0.0.0/0 131.159.14.0/23 state NEW tcp dpt :22 flags : 0x17/0x02 recent : SET name : ratessh side : source 18 tcp -- 0.0.0.0/0 131.159.20.0/23 state NEW tcp dpt :22 flags : 0x17/0x02 recent : SET name : ratessh side : source 19 mac_ 96 all -- 131.159.14.0/25 0.0.0.0/0 20 LOG_DROP all --!131.159.14.0/25 0.0.0.0/0 21 22 Chain LOG_DROP (21 references ) 23 target prot opt source destination 24 LOG all -- 0.0.0.0/0 0.0.0.0/0 limit : avg 100/ min burst 5 LOG flags 0 level 4 prefix "[ IPT_DROP ]:" 25 DROP all -- 0.0.0.0/0 0.0.0.0/0 26 27 Chain mac_ 96 (1 references ) 28 target prot opt source destination 29 RETURN all -- 131.159.14.92 0.0.0.0/0 MAC XX:XX:XX:XX:XX:XX 30 DROP all -- 131.159.14.92 0.0.0.0/0 FM15, Semantics-Preserving Simplification of Real-World Firewall Rule Sets: Backup Slides 27

Ruleset 3 Upper Closure (excerpt) 1 Chain FORWARD ( policy ACCEPT ) 2 3 DROP all 127.0.0.0/8 0.0.0.0/0 4 ACCEPT tcp 131.159.14.206/32 0.0.0.0/0 5 ACCEPT tcp 131.159.14.208/32 0.0.0.0/0 6 ACCEPT udp 131.159.14.206/32 0.0.0.0/0 7 ACCEPT udp 131.159.14.208/32 0.0.0.0/0 8 ACCEPT tcp 131.159.14.192/27 0.0.0.0/0 9 ACCEPT tcp 131.159.14.0/23 131.159.14.192/27 10 ACCEPT tcp 131.159.20.0/24 131.159.14.192/27 11 ACCEPT udp 131.159.15.252/32 0.0.0.0/0 12 ACCEPT udp 0.0.0.0/0 131.159.15.252/32 13 ACCEPT all 131.159.15.247/32 0.0.0.0/0 14 ACCEPT all 0.0.0.0/0 131.159.15.247/32 15 ACCEPT all 131.159.15.248/32 0.0.0.0/0 16 ACCEPT all 0.0.0.0/0 131.159.15.248/32 17 DROP all!131.159.14.0/25 0.0.0.0/0 FM15, Semantics-Preserving Simplification of Real-World Firewall Rule Sets: Backup Slides 28

Ruleset 3 Lower Closure (excerpt) 1 Chain FORWARD ( policy ACCEPT ) 2 3 DROP all 127.0.0.0/8 0.0.0.0/0 4 ACCEPT udp 131.159.15.252/32 0.0.0.0/0 5 ACCEPT all 131.159.15.247/32 0.0.0.0/0 6 ACCEPT all 0.0.0.0/0 131.159.15.247/32 7 ACCEPT all 131.159.15.248/32 0.0.0.0/0 8 ACCEPT all 0.0.0.0/0 131.159.15.248/32 9 DROP all 131.159.14.92/32 0.0.0.0/0 10 DROP all 131.159.14.65/32 0.0.0.0/0 11... (unfolded DROPs from chain mac 96) 12 DROP all!131.159.14.0/25 0.0.0.0/0 FM15, Semantics-Preserving Simplification of Real-World Firewall Rule Sets: Backup Slides 29

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information