Firewall Design Methods Alex X. Liu & Haipeng Dai

Slide 1: Firewall Design Methods
Alex X. Liu & Haipeng Dai
313 CS Building, Department of Computer Science and Technology, Nanjing University

Slide 2: Security Guard for Private Buildings / Security Guard for Private Networks
Internet <-> Firewall <-> Private Network
- Location: connects the Internet and a private network.
- Function: maps every packet to a decision, accept or discard.
- Configuration: a sequence of rules written by an administrator.

Slide 3: Firewall Example
Topology: Internet -- interface 0 -- Firewall -- interface 1 -- private network (mail server, host 1, host 2).

  Interface | Source IP       | Dest. IP    | Dest. Port | Protocol | Decision
  ----------+-----------------+-------------+------------+----------+---------
  0         | any             | mail server | 25         | TCP      | accept
  0         | malicious hosts | any         | any        | any      | discard
  1         | {host1, host2}  | any         | 80         | TCP      | accept
  any       | any             | any         | any        | any      | accept

- Rules are conflicting: one packet can match several rules with different decisions.
- First match: the decision for a packet is the decision of the first matching rule.
- Order matters.

Slide 4: Real-life Firewalls are Complex
- The number of rules can be large.
- Legacy rules accumulate.
- A change has a cascading impact on the rules after it.

Slide 5: Problem
As a result, firewall rules are hard to specify correctly, hard to understand correctly, and hard to change correctly. Consequently, firewall configuration errors are common: most firewalls are poorly designed and contain errors [Wool'04]. Firewall errors are unacceptable:
- Accept malicious packets: lose security.
- Discard legitimate packets: disrupt business.
Problem: how to design firewalls?

Slide 6: State-of-the-art
- Industry: tweak and pray ("God bless my rules").
- Academia: analyze rules, such as conflict detection ([HSP 00] [EM 01] [BV 02]) and anomaly detection ([AH 03] [AH 04]).

Slide 7: Structured Firewall Design: Motivation
The convention of designing a firewall directly as a sequence of conflicting rules has been taken for granted. We point out that this convention is BAD. Why: this convention has three major issues:
- Consistency issue
- Completeness issue
- Compactness issue

Slide 8: Consistency Issue
The four rules of slide 3, in the order shown there. This firewall accepts email from malicious hosts! A packet from a malicious host to the mail server on TCP port 25 matches the first rule (accept) before it reaches the second rule (discard). This is wrong (assuming this firewall is required to discard all packets from malicious hosts).

Slide 9: Consistency Issue
Same rules as slide 8. We should swap the first two rules. Consistency issue: it is hard to ensure that rules are ordered correctly.

Slide 10: Completeness Issue

  Interface | Source IP       | Dest. IP    | Dest. Port | Protocol | Decision
  ----------+-----------------+-------------+------------+----------+---------
  0         | malicious hosts | any         | any        | any      | discard
  0         | any             | mail server | 25         | TCP      | accept
  1         | {host1, host2}  | any         | 80         | TCP      | accept
  any       | any             | any         | any        | any      | accept

This firewall accepts non-email packets to the email server, and email packets to hosts other than the email server! Both fall through to the final accept-all rule. This is wrong (assuming this firewall is required to discard the above two types of packets).

Slide 11: Completeness Issue

  Interface | Source IP       | Dest. IP    | Dest. Port | Protocol | Decision
  ----------+-----------------+-------------+------------+----------+---------
  0         | malicious hosts | any         | any        | any      | discard
  0         | any             | mail server | 25         | TCP      | accept
  0         | any             | mail server | any        | any      | discard
  0         | any             | any         | 25         | TCP      | discard
  1         | {host1, host2}  | any         | 80         | TCP      | accept
  any       | any             | any         | any        | any      | accept

We need to add two more rules (the third and fourth). Completeness issue: it is hard to ensure that all necessary rules are included.

Slide 12: Compactness Issue
Same six rules as slide 11. One of them is redundant: the rule "1 | {host1, host2} | any | 80 | TCP | accept". No earlier rule applies to interface 1 and the final rule accepts everything, so removing it changes no decision. Compactness issue: it is hard to ensure that all rules are needed.

Slide 13: Consistency, Completeness, and Compactness
- Consistency and completeness issues cause firewall errors.
- The compactness issue causes low firewall performance: packet -> Firewall (a sequence of rules) -> decision. Fewer rules, faster decisions. Fast firewalls use TCAM (Ternary Content Addressable Memory), where every rule occupies an entry.
Solution: Structured Firewall Design.

Slide 14: Structured Firewall Design
Step 1: Formally specify the function of the firewall using a Firewall Decision Diagram (FDD).
Step 2: Use a series of 3 algorithms to automatically convert the FDD into a compact sequence of rules.

Slide 15: Firewall Decision Diagram (FDD)
Fields: I: interface, S: source IP address, D: destination IP address, N: destination port number, P: protocol type. Terminals: a: accept, d: discard. The FDD for the firewall of slide 11 (each non-terminal node tests one field; each edge is labelled with a set of values of that field):

  I (interface)
    incoming (interface 0):
      S (source IP)
        malicious -> d
        ~malicious:
          D (destination IP)
            mail server:
              N (destination port)
                25:
                  P (protocol)
                    TCP -> a
                    ~TCP -> d
                ~25 -> d
            ~mail server:
              N (destination port)
                25:
                  P (protocol)
                    TCP -> d
                    ~TCP -> a
                ~25 -> a
    outgoing (interface 1) -> a

Two important properties:
1. Consistency property: the labels of the outgoing edges of every node are pairwise disjoint, so a packet follows at most one path. This addresses the consistency issue.
2. Completeness property: the union of those labels is the whole domain of the field, so every packet follows at least one path. This addresses the completeness issue.

Slide 16: FDD vs. A Sequence of Conflicting Rules
The FDD of slide 15 placed beside the six rules of slide 11. FDD: easy to understand, easy to update. Compare "Goto Statement Considered Harmful", Edsger W. Dijkstra (1968).

Slide 17: Compatible with Existing Firewalls
Current firewall hardware and software takes a sequence of rules: packet -> Firewall (a sequence of rules) -> decision. We can convert an FDD into a sequence of rules.

Slide 18: FDD and Rules
F1, F2: packet fields. F1's domain = F2's domain = [1,100]. The example FDD has a root F1 with four outgoing edges, each leading to an F2 node:

  F1 in [30,50]:  F2 in [20,40] -> a;  F2 in [60,80] -> a;  F2 in [1,19] -> d;  F2 in [41,59] -> d;  F2 in [81,100] -> d
  F1 in [51,70]:  F2 in [20,40] -> a;  F2 in [60,80] -> a;  F2 in [1,19] -> d;  F2 in [41,59] -> d;  F2 in [81,100] -> d
  F1 in [1,29]:   F2 in [1,50] -> d;   F2 in [51,100] -> d
  F1 in [71,100]: F2 in [1,50] -> d;   F2 in [51,100] -> d

(The terminal labels are not recoverable from this transcript. The a/d assignment shown on slides 18 to 22 is the one consistent with the rule counts on slides 20 to 22, with accept chosen for the [20,40] and [60,80] edges; swapping a and d throughout changes nothing below.)

Each root-to-terminal path is one rule, for example F1 in [30,50] and F2 in [20,40] -> a, and F1 in [30,50] and F2 in [60,80] -> a. Total: 14 simple rules. General rule format: F1 in S1 and ... and Fd in Sd -> a/d. Simple rule: each Si is one interval. Firewall implementations require simple rules.
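The first-match semantics of slides 3 to 12, as an added example that is not part of the deck: the four rules of slide 3, the swapped order of slide 9 and the six rules of slide 11 are evaluated over a constructed finite abstraction of the field domains (host names "malicious", "host1", "host2", "external", three ports and two protocols are assumptions, not from the slides), so that the consistency bug, the two completeness gaps and the redundant rule can each be checked mechanically rather than by inspection.

```python
# Added example: first-match evaluation of the mail-server firewall (slides 3-12).
# The host names, ports and protocols below are a constructed abstraction, not from the deck.
from itertools import product

ANY = None  # wildcard field


def rule(iface, src, dst, dport, proto, decision):
    """Each field is a frozenset of allowed values, or ANY."""
    def field(v):
        if v == "any":
            return ANY
        return frozenset(v) if isinstance(v, (set, frozenset, list, tuple)) else frozenset([v])
    return (field(iface), field(src), field(dst), field(dport), field(proto), decision)


def matches(r, pkt):
    return all(f is ANY or v in f for f, v in zip(r[:5], pkt))


def decide(rules, pkt):
    """First-match semantics: the first matching rule decides; None if nothing matches."""
    for r in rules:
        if matches(r, pkt):
            return r[5]
    return None


# Constructed abstract domains: (interface, source, destination, dest port, protocol)
UNIVERSE = list(product((0, 1), ("malicious", "host1", "host2", "external"),
                        ("mailserver", "host1", "host2", "external"), (25, 80, 443), ("TCP", "UDP")))

SLIDE3 = [  # original order: the mail rule precedes the malicious-hosts rule
    rule(0, "any", "mailserver", 25, "TCP", "accept"),
    rule(0, "malicious", "any", "any", "any", "discard"),
    rule(1, {"host1", "host2"}, "any", 80, "TCP", "accept"),
    rule("any", "any", "any", "any", "any", "accept"),
]
SLIDE10 = [SLIDE3[1], SLIDE3[0], SLIDE3[2], SLIDE3[3]]  # first two rules swapped (slide 9)
SLIDE11 = [SLIDE3[1], SLIDE3[0],                         # plus the two discard rules of slide 11
           rule(0, "any", "mailserver", "any", "any", "discard"),
           rule(0, "any", "any", 25, "TCP", "discard"),
           SLIDE3[2], SLIDE3[3]]


def violations(rules, predicate, required):
    """Packets satisfying predicate whose decision is not the required one."""
    return [p for p in UNIVERSE if predicate(p) and decide(rules, p) != required]


def redundant_rules(rules):
    """Indices of rules whose removal changes no decision (exhaustive over UNIVERSE)."""
    out = []
    for i in range(len(rules)):
        without = rules[:i] + rules[i + 1:]
        if all(decide(rules, p) == decide(without, p) for p in UNIVERSE):
            out.append(i)
    return out


# The three requirements the slides assume for traffic arriving on interface 0
def from_malicious(p):
    return p[0] == 0 and p[1] == "malicious"


def non_mail_to_mailserver(p):
    return p[0] == 0 and p[2] == "mailserver" and (p[3], p[4]) != (25, "TCP")


def mail_to_other_host(p):
    return p[0] == 0 and p[2] != "mailserver" and (p[3], p[4]) == (25, "TCP")


if __name__ == "__main__":
    evil_mail = (0, "malicious", "mailserver", 25, "TCP")
    print(decide(SLIDE3, evil_mail), decide(SLIDE10, evil_mail))        # consistency: accept vs discard
    print(len(violations(SLIDE10, non_mail_to_mailserver, "discard")),
          len(violations(SLIDE11, non_mail_to_mailserver, "discard")))  # completeness: 15 vs 0
    print(redundant_rules(SLIDE11))                                     # compactness: rule index 4
```

The exhaustive check in `redundant_rules` is only workable because the abstract domain is tiny; for real address and port ranges the same question is what the rule-compaction algorithm of slide 22 answers symbolically.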
Slide 19: Three Techniques to Reduce the Number of Rules
- FDD reduction
- FDD marking
- Redundancy removal

Slide 20: Optimization I: FDD Reduction
Edges that lead to the same terminal are merged, and the isomorphic subtrees under [30,50] and [51,70] (and under [1,29] and [71,100]) are merged, giving:

  F1 in [30,70]:            F2 in {[20,40], [60,80]} -> a;  F2 in {[1,19], [41,59], [81,100]} -> d
  F1 in {[1,29], [71,100]}: F2 in [1,100] -> d

14 simple rules -> 7 simple rules. Similar to BDD (Binary Decision Diagram) reduction [Bryant 1986].

Slide 21: Optimization II: FDD Marking
For each non-terminal node, mark one of its outgoing edges ALL. In a depth-first traversal, marked edges are traversed last, so the rule generated for a marked edge means "everything not matched by the rules generated before it". Rules generated from the reduced FDD:

  F1 in [30,70] and F2 in [20,40] -> a
  F1 in [30,70] and F2 in [60,80] -> a
  F1 in [30,70] and F2 in ALL     -> d
  F1 in ALL     and F2 in [1,100] -> d

7 simple rules -> 4 simple rules. We have an optimal marking algorithm (complexity O(V+E)).

Slide 22: Optimization III: Redundancy Removal
The third rule (F1 in [30,70] and F2 in ALL -> d) is redundant: every packet it is the first to match would otherwise fall through to the last rule, which gives the same decision. 4 simple rules -> 3 simple rules. We have an algorithm that can remove all redundant rules.

Slide 23: Summary of Structured Firewall Design
Step 1 (human): formally specify the function of the firewall using an FDD.
Step 2 (machine): FDD (consistent, complete) -> FDD reduction -> FDD marking and rule generation -> rule compaction -> sequence of rules (compact).

Slide 24: Not Just Firewalls
Routers have packet classifiers too: access control, accounting, quality of service.

Slide 25: Diverse Firewall Design
Two steps:
Step 1: give the same requirement to multiple teams to design firewalls.
Step 2: compare the resulting firewalls to discover all functional discrepancies.
Inspired by N-version programming [Avizienis 77]. Unlike N-version programming, only one firewall is deployed, because all discrepancies can be discovered (and resolved) beforehand.

Slide 26: Technical challenge: how to discover all the discrepancies between two given firewalls?
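The three optimizations of slides 18 to 23 carried through in code, as an added example that is not the authors' implementation: the 14-rule FDD of slide 18 is reduced, marked, turned into rules and compacted, and the result is checked against the FDD packet by packet. The marking step uses a simple greedy choice (the edge whose ALL-marking saves the most rules) rather than the deck's optimal O(V+E) algorithm, and redundancy removal is an exhaustive check over the 100 x 100 domain rather than the deck's symbolic algorithm; the terminal labels follow the assumption stated on slide 18.

```python
# Added example: an FDD (slides 18-22) turned into a compact rule list by the three optimizations.
# Node encoding: ("leaf", decision) or (field, ((intervals, child), ...)), intervals = tuple of (lo, hi).
DOMAIN = (1, 100)       # both fields range over [1,100], as on slide 18
FIELDS = ("F1", "F2")   # field order along every root-to-leaf path


def leaf(decision):
    return ("leaf", decision)


def node(field, edges):
    return (field, tuple((tuple(ivs), child) for ivs, child in edges))


def slide18_fdd():
    # Assumed terminal labels: [20,40] and [60,80] lead to accept ("a"), everything else to discard ("d").
    inner = node("F2", [([(20, 40)], leaf("a")), ([(60, 80)], leaf("a")),
                        ([(1, 19)], leaf("d")), ([(41, 59)], leaf("d")), ([(81, 100)], leaf("d"))])
    outer = node("F2", [([(1, 50)], leaf("d")), ([(51, 100)], leaf("d"))])
    return node("F1", [([(30, 50)], inner), ([(51, 70)], inner),
                       ([(1, 29)], outer), ([(71, 100)], outer)])


def coalesce(ivs):
    """Sort intervals and merge touching or overlapping ones: [30,50],[51,70] -> [30,70]."""
    out = []
    for lo, hi in sorted(ivs):
        if out and lo <= out[-1][1] + 1:
            out[-1] = (out[-1][0], max(out[-1][1], hi))
        else:
            out.append((lo, hi))
    return tuple(out)


def reduce_fdd(n):
    """Optimization I: merge edges whose reduced subtrees are identical (isomorphic subtrees
    have equal canonical tuples, so tuple equality finds them)."""
    if n[0] == "leaf":
        return n
    by_child = {}
    for ivs, child in n[1]:
        by_child.setdefault(reduce_fdd(child), []).extend(ivs)
    edges = sorted(((coalesce(ivs), child) for child, ivs in by_child.items()), key=lambda e: e[0])
    return (n[0], tuple(edges))


def count_simple_rules(n):
    """Rules a plain DFS emits: one per interval of every edge along each path."""
    if n[0] == "leaf":
        return 1
    return sum(len(ivs) * count_simple_rules(child) for ivs, child in n[1])


def generate_rules(n, prefix=()):
    """Optimization II: at each node mark the edge with the largest saving ALL and emit it last.
    Greedy choice, not the deck's optimal algorithm; ALL is written as the whole domain."""
    if n[0] == "leaf":
        return [(prefix, n[1])]
    edges = n[1]
    saving = lambda e: (len(e[0]) - 1) * len(generate_rules(e[1]))
    m = max(range(len(edges)), key=lambda i: saving(edges[i]))
    rules = []
    for i, (ivs, child) in enumerate(edges):
        if i != m:
            for iv in ivs:
                rules += generate_rules(child, prefix + (iv,))
    return rules + generate_rules(edges[m][1], prefix + (DOMAIN,))


def first_match(rules, pkt):
    for ivs, dec in rules:
        if all(lo <= v <= hi for (lo, hi), v in zip(ivs, pkt)):
            return dec
    return None


def fdd_decide(n, pkt):
    """Follow the single path pkt takes (consistency and completeness guarantee exactly one)."""
    while n[0] != "leaf":
        v = pkt[FIELDS.index(n[0])]
        n = next(child for ivs, child in n[1] if any(lo <= v <= hi for lo, hi in ivs))
    return n[1]


ALL_PACKETS = [(x, y) for x in range(DOMAIN[0], DOMAIN[1] + 1) for y in range(DOMAIN[0], DOMAIN[1] + 1)]


def remove_redundant(rules):
    """Optimization III: drop a rule if no packet's decision changes without it (exhaustive check)."""
    i = 0
    while i < len(rules):
        without = rules[:i] + rules[i + 1:]
        if all(first_match(rules, p) == first_match(without, p) for p in ALL_PACKETS):
            rules = without
        else:
            i += 1
    return rules


def structured_design(fdd):
    """Returns (rule count after each stage, final rules, whether the rules equal the FDD)."""
    reduced = reduce_fdd(fdd)
    marked = generate_rules(reduced)
    compact = remove_redundant(marked)
    same = all(fdd_decide(fdd, p) == first_match(compact, p) for p in ALL_PACKETS)
    return (count_simple_rules(fdd), count_simple_rules(reduced), len(marked), len(compact)), compact, same


if __name__ == "__main__":
    counts, rules, same = structured_design(slide18_fdd())
    print(counts, same)
    for ivs, dec in rules:
        print(" and ".join(f"{f} in [{lo},{hi}]" for f, (lo, hi) in zip(FIELDS, ivs)), "->", dec)
```

The final equivalence check is the point of the whole pipeline: every transformation must preserve the FDD's decision for every packet, and the step most likely to break that in a hand-written version is emitting a marked (ALL) edge anywhere other than last.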
Slide 27: Example
Firewall A:
  F1 in [1,50]  and F2 in [1,60]  -> a
  F1 in [1,100] and F2 in [1,100] -> d
Firewall B:
  F1 in [1,30]  and F2 in [1,20]  -> a
  F1 in [1,30]  and F2 in [1,100] -> d
  F1 in [1,100] and F2 in [1,40]  -> a
  F1 in [1,100] and F2 in [1,100] -> d
Discrepancies between A and B (decision of A / decision of B):
  F1 in [1,30]   and F2 in [21,60]: a / d
  F1 in [31,50]  and F2 in [41,60]: a / d
  F1 in [51,100] and F2 in [1,40]:  d / a
(The terminal labels are not recoverable from this transcript; accept is assumed for the specific rules and discard for the catch-all rules. The three discrepancy regions are the same under the opposite assignment, with a and d swapped.)

Slide 28: Comparing Two Firewalls
Step 1: FDD construction: construct an equivalent FDD from each firewall.
Step 2: FDD shaping: make the two FDDs semi-isomorphic.
Step 3: FDD comparison: compare the two semi-isomorphic FDDs for discrepancies.

Slide 29: Step 1: FDD Construction
FDD construction algorithm. Input: a firewall (a sequence of rules). Output: an equivalent FDD.
FDD of Firewall A:
  F1 in [1,50]:   F2 in [1,60] -> a;  F2 in [61,100] -> d
  F1 in [51,100]: F2 in [1,100] -> d
FDD of Firewall B:
  F1 in [1,30]:   F2 in [1,20] -> a;  F2 in [21,100] -> d
  F1 in [31,100]: F2 in [1,40] -> a;  F2 in [41,100] -> d

Slide 30: Constructing the FDD of Firewall B, one rule at a time (each rule only adds the part of the packet space not already decided by the rules before it):
(1) After rule 1:  F1 in [1,30]: F2 in [1,20] -> a
(2) After rule 2:  F1 in [1,30]: F2 in [1,20] -> a;  F2 in [21,100] -> d
(3) After rule 3:  the [1,30] branch is already fully decided, so only F1 in [31,100]: F2 in [1,40] -> a is added
(4) After rule 4:  F1 in [31,100] gains F2 in [41,100] -> d

Slide 31: Step 2: FDD Shaping
Make the two FDDs semi-isomorphic. Semi-isomorphic FDDs are exactly the same except for the labels of their terminal nodes. After shaping, both FDDs have the shape:
  F1 in [1,30]:   F2 in [1,20], [21,60], [61,100]
  F1 in [31,50]:  F2 in [1,40], [41,60], [61,100]
  F1 in [51,100]: F2 in [1,40], [41,100]

Slide 32: FDD Shaping example: make the FDDs of slide 29 semi-isomorphic. Firewall A's root has edges [1,50] and [51,100]; Firewall B's root has edges [1,30] and [31,100].

Slide 33: Shape the roots: split A's edge [1,50] into [1,30] and [31,50] (each keeping a copy of the original F2 subtree) and B's edge [31,100] into [31,50] and [51,100]. Both roots now have the edges [1,30], [31,50], [51,100].

Slide 34: Shape the F2 nodes under [1,30]: A has [1,60], [61,100]; B has [1,20], [21,100]. Refine both to [1,20], [21,60], [61,100].

Slide 35: Shape the F2 nodes under [31,50]: A has [1,60], [61,100]; B has [1,40], [41,100]. Refine both to [1,40], [41,60], [61,100].

Slide 36: Shape the F2 nodes under [51,100]: A has [1,100]; B has [1,40], [41,100]. Refine both to [1,40], [41,100]. The two FDDs now have identical shape.

Slide 37: Step 3: FDD Comparison
Compare the two semi-isomorphic FDDs for discrepancies, i.e. paths whose terminal labels differ:
  Firewall A: [1,30]: [1,20] -> a, [21,60] -> a, [61,100] -> d;  [31,50]: [1,40] -> a, [41,60] -> a, [61,100] -> d;  [51,100]: [1,40] -> d, [41,100] -> d
  Firewall B: [1,30]: [1,20] -> a, [21,60] -> d, [61,100] -> d;  [31,50]: [1,40] -> a, [41,60] -> d, [61,100] -> d;  [51,100]: [1,40] -> a, [41,100] -> d
The three paths with different terminals are exactly the three discrepancies listed on slide 27.

Slide 38: Complexity Analysis
n: total number of rules; d: total number of fields. Size of the constructed FDD: O(n^d), where d is a constant. For IP packets, d is usually 4 (fields: source IP, destination IP, destination port, protocol type). In practice this worst case is very unlikely to happen, because firewall rules are not arbitrary.

Slide 39: Summary of Diverse Firewall Design
Step 1: give the same requirement to multiple teams to design firewalls.
Step 2: compare the firewalls to discover all functional discrepancies.
Pipeline: two firewalls -> FDD construction -> two FDDs -> FDD shaping -> two semi-isomorphic FDDs -> FDD comparison -> all discrepancies.

Slide 40: (end of deck)
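The discrepancy discovery of slides 27 to 39, as an added example that is not the authors' implementation. Instead of building and shaping two FDDs, it computes the refined partition that shaping produces directly: every field's domain is cut at every rule boundary of both firewalls, so that inside each resulting cell no rule boundary falls and both firewalls are constant; each cell is then decided by first-match and the differing cells are merged back into regions. On the slide-27 firewalls (terminal labels as assumed there) this yields the deck's three discrepancies. The grid has as many cells as the product of the per-field cut counts, which is the same O(n^d) worst case as slide 38, but this version does not benefit from the sharing an FDD gives on realistic rule sets.

```python
# Added example: find all functional discrepancies between two firewalls (slides 27-39)
# via the common refinement of their rule boundaries, not the deck's FDD shaping code.
from itertools import product

DOMAIN = (1, 100)

# A rule is (intervals, decision) with one closed interval (lo, hi) per field.
# Constructed from slide 27; the a/d labels follow the assumption stated on that slide.
FIREWALL_A = [(((1, 50), (1, 60)), "a"),
              (((1, 100), (1, 100)), "d")]
FIREWALL_B = [(((1, 30), (1, 20)), "a"),
              (((1, 30), (1, 100)), "d"),
              (((1, 100), (1, 40)), "a"),
              (((1, 100), (1, 100)), "d")]


def first_match(rules, pkt):
    for ivs, dec in rules:
        if all(lo <= v <= hi for (lo, hi), v in zip(ivs, pkt)):
            return dec
    return None  # incomplete firewall: no rule matched


def elementary_intervals(rule_lists, field):
    """Cut the field's domain at every rule boundary of every firewall, so that each piece is
    either entirely inside or entirely outside every rule's interval for that field."""
    cuts = {DOMAIN[0], DOMAIN[1] + 1}
    for rules in rule_lists:
        for ivs, _ in rules:
            lo, hi = ivs[field]
            cuts.update((lo, hi + 1))
    pts = sorted(cuts)
    return [(a, b - 1) for a, b in zip(pts, pts[1:])]


def merge_last_field(cells):
    """Coalesce cells that agree on all but the last field, carry the same decision pair,
    and are adjacent in the last field."""
    groups = {}
    for cell, da, db in cells:
        groups.setdefault((cell[:-1], da, db), []).append(cell[-1])
    out = []
    for (prefix, da, db), ivs in sorted(groups.items(), key=lambda kv: (kv[0][0], str(kv[0][1:]))):
        merged = []
        for lo, hi in sorted(ivs):
            if merged and lo == merged[-1][1] + 1:
                merged[-1] = (merged[-1][0], hi)
            else:
                merged.append((lo, hi))
        out += [(prefix + (iv,), da, db) for iv in merged]
    return out


def discrepancies(fa, fb):
    """All regions of the packet space where fa and fb decide differently,
    as (intervals, decision of fa, decision of fb)."""
    nfields = len(fa[0][0])
    grid = [elementary_intervals((fa, fb), f) for f in range(nfields)]
    differing = []
    for cell in product(*grid):
        pkt = tuple(lo for lo, _ in cell)  # any point represents the whole cell
        da, db = first_match(fa, pkt), first_match(fb, pkt)
        if da != db:
            differing.append((cell, da, db))
    return merge_last_field(differing)


if __name__ == "__main__":
    for ivs, da, db in discrepancies(FIREWALL_A, FIREWALL_B):
        where = " and ".join(f"F{i + 1} in [{lo},{hi}]" for i, (lo, hi) in enumerate(ivs))
        print(f"{where}: A -> {da}, B -> {db}")
```

Because `first_match` returns None when no rule matches, an incomplete firewall shows up in the output as a region whose decision is None, which is worth reporting rather than silently treating as discard.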