Firewall Conformance Testing

Size: px

Start display at page:

Download "Firewall Conformance Testing"

Anabel Caldwell
5 years ago
Views:

1 Firewall Conformance Testing Diana Senn Information Security ETH Zürich Switzerland joint work with David Basin & Germano Caronni Diana Senn 1 / 23 Firewall Conformance Testing,

2 Problem Our Solution Problem firewalls are widely deployed desired situation firewalls implement a company s security policy conformance to the security policy is tested situation today security policies are informal firewall testing is mostly penetration testing Diana Senn 2 / 23 Firewall Conformance Testing,

3 Problem Our Solution Our Solution test conformance of firewalls to security policy in detail: specify security policy in a formal language generate test cases from this policy execute the test cases directly on the network before deployment as well as after reconfiguration find bugs in the firewall configuration and implementation write the firewall rules by hand Diana Senn 3 / 23 Firewall Conformance Testing,

4 Problem Our Solution Contents of the Talk Overview Problem Policy Specification Test Case Generation Conclusions Diana Senn 4 / 23 Firewall Conformance Testing,

5 Firewalls Security Policies Simplifications A Firewall connects two or more networks filters traffic betweend the connected networks looks at single packets criteria are IP and port of source and destination action is forward (changed or unchanged), drop or reject often does Address Translation A stateful packet filter keeps track of the TCP connections and only accepts a packet (additional criterion) if it is allowed at the current state of the corresponding connection. An application layer firewall additionally knows some application level protocols (e.g. HTTP) and can use protocol-specific criteria for a finer-grained filtering. Diana Senn 5 / 23 Firewall Conformance Testing,

6 Firewalls Security Policies Simplifications Examples of Informal Policies The RMITCS data stored on RMITCS computer systems [...] should be protected from unauthorised access, removal or destruction. All departmental computers which are accessible on the public Internet should have all non-essential services disabled, to minimise the possibility of security compromises. However, the owner of a privately owned machine is responsible for the behaviour of the processes running on that machine and all the network traffic to and from the machine. Diana Senn 6 / 23 Firewall Conformance Testing,

7 Firewalls Security Policies Simplifications Our Scenario only stateful packet filters (no application level firewalls) no spoofing no changing of packets (NAT,...) no timing problems Diana Senn 7 / 23 Firewall Conformance Testing,

8 Network Layout Security Policy A Graphical Network Layout Diana Senn 8 / 23 Firewall Conformance Testing,

9 Network Layout Security Policy A Formal Network Security Connections to Private DMZ Private: Internet Connections to the DMZ Webserver: Connections to the Internet Private Internet: DMZ Internet: ACCEPT securetraffic DENY ACCEPT webtraffic ACCEPT mailtraffic ACCEPT DENY Diana Senn 9 / 23 Firewall Conformance Testing,

10 Network Layout Security Policy Keyword Definitions securetraffic = ssh, scp, https, imaps webtraffic = http, https mailtraffic = smtp, imap, imaps Diana Senn 10 / 23 Firewall Conformance Testing,

11 Test Tuples Test Setup Evaluation Combining policy, keyword definitions and network Connections to Private DMZ Private: Internet Connections to the DMZ Webserver: Connections to the Internet Private Internet: DMZ Internet: ACCEPT securetraffic DENY ACCEPT webtraffic ACCEPT mailtraffic ACCEPT DENY Diana Senn 11 / 23 Firewall Conformance Testing,

12 Test Tuples Test Setup Evaluation Combining policy, keyword definitions and network Connections to Private DMZ Private: Internet Connections to the DMZ Webserver: Connections to the Internet Private Internet: DMZ Internet: ACCEPT ssh, scp, https, imaps DENY ACCEPT http, https ACCEPT smtp, imap, imaps ACCEPT DENY Diana Senn 11 / 23 Firewall Conformance Testing,

13 Test Tuples Test Setup Evaluation Combining policy, keyword definitions and network Connections to Private / /24: ACCEPT ssh, scp, https, imaps! /27,! / /24: Connections to the DMZ : : ACCEPT http, https ACCEPT smtp, imap, Connections to the Internet /24! /27,! /24: ACCEPT /27! /27,! /24: DENY Diana Senn 11 / 23 Firewall Conformance Testing,

14 Test Tuples Test Setup Evaluation Test tuples for HTTPS Diana Senn 12 / 23 Firewall Conformance Testing,

15 Test Tuples Test Setup Evaluation Test Setup a test tuple: ( , , https, ACCEPT) TCP packet source IP: source port: 2345 destination IP: destination port: 443 flags: SYN?? FW under test Diana Senn 13 / 23 Firewall Conformance Testing,

16 Test Tuples Test Setup Evaluation Test Results We test if firewall configuration is correct SYN packets for all (,,, ACCEPT) test tuples got through SYN packets for all (,,, DROP) test tuples were blocked firewall implementation is correct connections can only be started with SYN only correct tcp connections are allowed test TCP automaton of firewall specify TCP as Mealy Automaton generate abstract test cases using the UIO sequences method instead of just sending a SYN, test whole connections (by instantiating the abstract test cases with the test tuples) Diana Senn 14 / 23 Firewall Conformance Testing,

17 Test Tuples Test Setup Evaluation an abstract test case: (rst: A B / rst: A B) (fin: A B / -) (syn & ack: B A / -) (syn: A B / syn: A B) An Example Test Case a test tuple: ( , , https, ACCEPT) the resulting concrete test case: (rst: :443 / rst :443) (fin: :443 / ) (syn & ack: : / ) (syn: :443 / syn: :443) Diana Senn 15 / 23 Firewall Conformance Testing,

18 Test Tuples Test Setup Evaluation Evaluation can find bugs in the firewall configuration e.g. if in the example the fourth packet is blocked can find bugs in the firewall implementation e.g. if in the example the second or third packet is let through the source of an error has to be searched by hand knowledge of the firewall rule language is needed here Diana Senn 16 / 23 Firewall Conformance Testing,

19 Conclusions Conclusions new approach to test conformance of firewalls to security policy We believe our method is good for showing conformance of firewalls to a security policy. We have a prototype tool which strengthened our belief. A real proof of concept is missing though. Future Work conduct practice tests get rid of simplifications look at application level make formal policy higher level Diana Senn 17 / 23 Firewall Conformance Testing,

20 Conclusions Thank you for your attention. Questions? Diana Senn 18 / 23 Firewall Conformance Testing,

21 Related Work Abstract Test Cases References Related Work Penetration Testing E. Schultz. How to perform effective firewall testing [Sch96] - focus on detecting known vulnerabilities Specification-based Testing Wool et al. simulate network under test [MWZ00, Woo01, BMNW03] - rely on correct firewall implementation - have to know firewall rule languages + do no harm + no interaction with a running system Generation of Firewall Rules from the Policy J.D. Guttman. Filtering Postures: Local enforcement for global policies [Gut97] - policy is very low-level Diana Senn 19 / 23 Firewall Conformance Testing,

22 Related Work Abstract Test Cases References A Mealy Automaton for TCP Diana Senn 20 / 23 Firewall Conformance Testing,

23 Related Work Abstract Test Cases References Abstract Test Cases for Mealy Automata Idea: Ensure that every transition of a specification automaton M spec is correctly implemented in the implementation automaton M imp. For every transition from state s i to state s j do: in general for TCP 1) Bring M imp to the initial state s 1 Use RST 2) Transfer M imp to state s i 3) Test the transition Use a Test Tree 4) Verify that M imp is in state s j Use UIO sequences Diana Senn 21 / 23 Firewall Conformance Testing,

24 Related Work Abstract Test Cases References References I Yair Bartal, Alain J. Mayer, Kobbi Nissim, and Avishai Wool. Firmato: A novel firewall management toolkit. Technical report, Dept. Electrical Engineering Systems, Tel Aviv University, Ramat Aviv Israel, February J. D. Guttman. Filtering postures: Local enforcement for global policies. In 1997 IEEE Symposium on Security and Privacy, pages , Oakland, CA, IEEE Computer Society Press. Alain Mayer, Avishai Wool, and Elisha Ziskind. Fang: A firewall analysis engine. In Proceedings of the 2000 IEEE Symposium on Security and Privacy (S&P 2000), pages , May Diana Senn 22 / 23 Firewall Conformance Testing,

25 Related Work Abstract Test Cases References References II E. Schultz. How to perform effective firewall testing. In Computer Security Journal, vol. 12, no. 1, pages 47 54, A. Wool. Architecting the lumeta firewall analyzer. In Proceedings of the 10th USENIX Security Symposium, pages 85 97, August Diana Senn 23 / 23 Firewall Conformance Testing,

The 1st Workshop on Model-Based Verification & Validation. Directed Acyclic Graph Modeling of Security Policies for Firewall Testing

2009 Third IEEE International Conference on Secure Software Integration and Reliability Improvement The 1st Workshop on Model-Based Verification & Validation Directed Acyclic Graph Modeling of Security