Firewall Rule Modelling and Review
Marc Ruef, www.scip.ch
SwiNOG 24, 10 May 2012, Berne, Switzerland

Agenda | Firewall Rule Modelling and Review
1. Intro
   ◦ Introduction (2 min)
   ◦ Who am I? (2 min)
   ◦ What is the Goal? (2 min)
2. Firewall Rule Modelling and Review
   ◦ Extraction (4 min)
   ◦ Parsing (4 min)
   ◦ Dissection (4 min)
   ◦ Review (10 min)
   ◦ Additional Settings (10 min)
   ◦ Routing Criticality (7 min)
   ◦ Statistical Analysis (5 min)
3. Outro
   ◦ Summary (2 min)
   ◦ Questions (5 min)

Introduction | Who am I?
◦ Name: Marc Ruef
◦ Job: Co-Owner / CTO, scip AG, Zürich
◦ Private Website: http://www.computec.ch
◦ Last Book: „The Art of Penetration Testing“ (title translated), Computer & Literatur Böblingen, ISBN 3-936546-49-5

Introduction | What is our Goal?
◦ A Firewall Rule Review shall determine
  ◦ Insecure rules
  ◦ Wrong rules
  ◦ Inefficient rules
  ◦ Obsolete rules
◦ I will show
  ◦ Approaches
  ◦ Our methodology
  ◦ Possibilities

Introduction | Approach
◦ Extract firewall rules
◦ Parse firewall rule sets
◦ Dissect
  ◦ Objects
  ◦ Services
  ◦ Actions
  ◦ Relations
◦ Determine settings
◦ Identify weaknesses

Introduction | Files vs. Screenshots
◦ We prefer exported files
  ◦ Faster
  ◦ More reliable
  ◦ No GUI abstraction layer (better insight)
◦ Still, screenshots might support the analysis
  ◦ Easier walkthrough («quickview»)
  ◦ Visual enhancement of documentation
  ◦ Verification of parsing (cross-check)
  ◦ Last hope (no export feature, quirky file format, ...)

Extraction | Get the Firewall Rulesets
◦ iptables
  ◦ Backup: /usr/sbin/iptables-save
◦ Astaro
  ◦ Export: /usr/local/bin/backup.plx
  ◦ iptables: /usr/sbin/iptables-save
  ◦ Backup: Webadmin / Management / Backup/Restore
◦ Checkpoint Firewall-1
  ◦ Copy: all files in %FWDIR%/conf/ (objects_5.C, rulebase.fws, *.W)
  ◦ Export: cpdb2html/cpdb2web
◦ Cisco IOS/PIX/ASA
  ◦ Backup: show mem, show conf
◦ Citrix Netscaler
  ◦ Backup: copy file /nsconfig/ns.conf (via SCP)
◦ Juniper
  ◦ Backup: Admin / Update / Config / Copy&Paste
  ◦ Backup: request system configuration rescue save (via FTP)
◦ McAfee Web Gateway
  ◦ Backup: Configuration / File Management / Configuration Data / Download Configuration Backup
◦ ...

Parsing | Handle Ruleset Structure
◦ Apache Directives
  ◦ Apache Reverse Proxies
  ◦ USP Secure Entry Server (Apache-based)
◦ Arrays
  ◦ Astaro (backup.plx; alternative is with iptables)
  ◦ Checkpoint (files: .C, .fws, .W)
  ◦ Fortigate
◦ Command-line
  ◦ iptables
  ◦ Cisco IOS/PIX/ASA
  ◦ Citrix Netscaler
◦ INI Files
  ◦ McAfee Web Gateway
  ◦ SonicWALL (base64 encapsulated in XML?!)
◦ XML Files
  ◦ Airlock
  ◦ Clearswift MIMEsweeper
  ◦ Totemo TrustMail
  ◦ (base64 encoded string)
◦ ...

Parsing | Access Firewall Rule Attributes (Cisco ASA Example)
[screenshot]
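The ASA and Firewall-1 parsers survive here only as screenshots, so the following is an added Python example (not the author's tooling) for the simplest command-line format on the parsing slide: it dissects an iptables-save dump into the minimal rule attributes (source host/port, destination host/port, protocol, action) plus the chain policies. The dump is constructed; the ACCEPT→ALLOW mapping, the "*" wildcard and keeping the ICMP type in the port column are assumptions.

```python
import re
from typing import Dict, List

# Constructed iptables-save fragment (not taken from the slides); the telnet,
# ICMP echo and multiport lines mirror the kinds of rules a review flags.
IPTABLES_SAVE = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --sport 1024:65535 --dport 80 -j ACCEPT
-A INPUT -d 192.168.0.10/32 -p tcp -m tcp --dport 23 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A FORWARD -s 10.0.0.0/8 -d 192.168.0.0/24 -p tcp -m multiport --dports 22,902,8443 -j ACCEPT
COMMIT
"""
# Assumed normalisation of iptables targets to the review's action vocabulary.
ACTION = {"ACCEPT": "ALLOW", "DROP": "DROP", "REJECT": "DENY"}

def _opt(flag: str, line: str, default: str = "*") -> str:
    """Value following one option flag, or the default (wildcard) if absent."""
    m = re.search(r"(?:^|\s)" + re.escape(flag) + r"\s+(\S+)", line)
    return m.group(1) if m else default

def parse_iptables_save(text: str) -> Dict[str, object]:
    """Dissect an iptables-save dump into the minimal rule attributes
    (src host/port, dst host/port, protocol, action) plus the chain policies."""
    policies: Dict[str, str] = {}
    rules: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith(":"):           # ":CHAIN POLICY [packets:bytes]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = ACTION.get(policy, policy)
        elif line.startswith("-A "):
            proto = _opt("-p", line).upper()
            dport = _opt("--dport", line, _opt("--dports", line))
            if proto == "ICMP":            # no ports: keep the ICMP type in the port column
                dport = _opt("--icmp-type", line)
            target = _opt("-j", line, "?")
            rules.append({
                "chain": line.split()[1],
                "src_host": _opt("-s", line),
                "src_port": _opt("--sport", line, _opt("--sports", line)).replace(":", "-"),
                "dst_host": _opt("-d", line),
                "dst_port": dport.replace(":", "-"),
                "protocol": proto,
                "action": ACTION.get(target, target),
            })
    return {"policies": policies, "rules": rules}
```

The chain policy is what an iptables ruleset has instead of an explicit DROP-ALL rule, so it is carried along for the later review step.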
Parsing | Access Firewall Rule Attributes (Firewall-1 Example)
[screenshot]

Dissection | Access Rule Attributes
◦ A packet filter rule consists of at least:
  ◦ Source Host/Net [10.0.0.0/8]
  ◦ Source Port [>1023]
  ◦ Destination Host/Net [192.168.0.10/32]
  ◦ Destination Port [80]
  ◦ Protocol [TCP]
  ◦ Action [ALLOW]
◦ Additional rule attributes might be:
  ◦ ID [42]
  ◦ Active [enabled]
  ◦ Timeframe [01/01/2012 – 12/31/2012]
  ◦ User [testuser2012]
  ◦ Logging [disabled]
  ◦ Priority (QoS) [bandwidth percent 30]
  ◦ ...

Dissection | Example Table
Src Host     Src Port   Dst Host          Dst Port    Protocol   Action
*            >1023      192.168.0.10/32   80 (http)   TCP        ALLOW
10.0.0.0/8   >1023      *                 80 (http)   TCP        ALLOW
...

Review | Weaknesses Checklist (1/2)
◦ Allow Rules
  ◦ ANY rules
  ◦ Bi-directional rules
  ◦ Broad definition of zones or port ranges
  ◦ Mash-up of objects
  ◦ Blacklisted traffic (false-negatives)
  ◦ DROP-ALL rule missing
◦ Insecure Rules
  ◦ Insecure service used (e.g. telnet, ftp, snmp)
  ◦ Overlapping objects
  ◦ Nested objects

Review | Weaknesses Checklist (2/2)
◦ Obsolete Rules
  ◦ Inactive objects
  ◦ Temporary rules
  ◦ Test rules
  ◦ Obsolete rules
◦ Documentation Missing
  ◦ No comment/description
  ◦ Whitelisted traffic (reasoning missing)
  ◦ Logging not enabled
◦ Lockdown Missing
  ◦ Lockdown rules missing
  ◦ Stealth rules missing
  ◦ DENY instead of DROP

Review | Example Report Table (Findings)
Src Host          Src Port                  Dst Host          Dst Port                 Protocol           Action
*                 >1023                     192.168.0.10/32   80                       TCP                ALLOW
*                 * [ANY Rule]              192.168.0.10/32   23 [Insecure]            TCP                ALLOW
10.0.0.0/8        >1023                     *                 80                       TCP                ALLOW
192.168.0.10/24   1024-50000 [Inadequate]   10.0.0.0/8        22,902,8443 [Mash-Up]    TCP                ALLOW
* [ANY Rule]      * [ANY Rule]              192.168.0.10/24   3389                     TCP                ALLOW
10.0.0.0/8        0                         * [ANY Rule]      0,8                      ICMP [Insecure]    ALLOW
...

Review | Example Report Table (Measures)
Src Host          Src Port               Dst Host               Dst Port                    Protocol                  Action
*                 >1023                  192.168.0.10/32        80                          TCP                       ALLOW
*                 * → >1023              192.168.0.10/32        23 → 22                     TCP                       ALLOW
10.0.0.0/8        >1023                  *                      80                          TCP                       ALLOW
192.168.0.10/24   1024-50000 → >1023     10.0.0.0/8             22,902,8443 → 22|902|...    TCP                       ALLOW
* → x.x.x.110     * → >1023              192.168.0.10/24        3389                        TCP                       ALLOW
10.0.0.0/8        0                      * → 192.168.0.10/24    0,8                         ICMP → «Risk Accepted»    ALLOW
...

Review | Automated Analysis (Video)
[video]

Additional Settings | Global Settings
◦ Some FWs, especially proxies, introduce additional (global) settings which might affect the rules. Example McAfee Web Gateway:
  ◦ Antivirus
    ◦ Enabled [1=enabled]
    ◦ HeuristicWWScan [0=disabled]
    ◦ AutoUpdate [0=disabled]
  ◦ Caching
    ◦ Enabled [1=enabled]
    ◦ CacheSize [536870912]
    ◦ MaxObjectSize [8192]
  ◦ HTTP Proxy Settings
    ◦ Enabled [1=enabled]
    ◦ AddViaHeader [1=enabled]
    ◦ ClientIpHeader ['X-Forwarded-For']
  ◦ ...

Additional Settings | Example Report Table
ID     Setting               Value                               Recommend                            Risk
...
1427   CheckFileSignatures   0                                   1 (=enabled)                         Medium
1428   ChecksumMismatchWeb   'Replace and Quarantine'            'Replace and Quarantine'             Passed
1429   EmbdJavaAppletWeb     'Allow'                             'Block'                              Medium
1430   ExpiredContentWeb     'Block'                             'Block'                              Passed
1431   JavaScriptWeb         'Allow'                             'Block'                              Low
1432   MacroWeb              'Replace document and Quarantine'   'Block Document' (strict approach)   Passed
1433   UnsignedEXEWeb        'Allow'                             'Block'                              High
...

Routing Criticality | CVSSv2 Overview
[figure]

Routing Criticality | Weight Indexing (Example)
Description                               Source     Destination   Port    AV   AC   Au   CI   II   AI   Score
External Web to Web Server                Internet   DMZ           t80     N    L    N    N    C    C    9.4
External Web for Internal Clients (in)    LAN        Internet      t80     N    M    N    C    C    C    9.3
External Web to Customer Site             Internet   DMZ           t443    N    L    S    C    C    C    9.0
External Mail to Public Mail Server       Internet   DMZ           t110    N    M    S    C    C    C    8.5
External Remote Access to Servers         Internet   DMZ           t22     N    M    S    C    C    C    8.5
Internal Access to DNS Servers            LAN        DMZ           u53     L    L    N    C    C    C    7.2
Intranet Access for Internal Clients      LAN        DMZ           t80     L    L    N    P    C    C    6.8
External Web for Internal Clients (out)   LAN        Internet      t80     L    L    S    C    C    C    6.8
Internal Remote Access to Servers         LAN        DMZ           t3389   L    M    S    P    C    P    5.5
Internal ICMP Echo for Servers            DMZ        Internet      i0,8    L    M    S    P    P    C    5.5

Statistical Analysis | Findings per Projects (Last 11 Projects)
[chart]

Statistical Analysis | Top Findings (Median Last 11 Projects)
[chart]

Statistical Analysis | Reasons for Risks
◦ There are several possible reasons why FWs are not configured in the most secure way:
  ◦ Mistakes (wrong click, wrong copy&paste, …)
  ◦ Forgotten/Laziness (“I will improve that later…”)
  ◦ Misinformation (vendor suggests ports 10000-50000)
  ◦ Misunderstanding (technical, conceptual)
  ◦ Unknown features (hidden settings)
  ◦ Technical failure (e.g. broken backup import)

Outro | Summary
◦ Firewall Rule Reviews help to determine weaknesses in firewall rulesets.
◦ The extraction, parsing and dissection of a ruleset make the analysis possible.
◦ Common weaknesses are broad definitions of objects, overlapping rules and unsafe protocols.
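The weakness checklist applied mechanically to the findings table from the Review slides, as an added Python example (not the author's analysis tool). The insecure-service map, the threshold that makes an explicit port range "Inadequate" and the DROP-ALL test are assumptions; a reviewer still decides whether a flagged "*" (such as the public web rule's source) is acceptable.

```python
from typing import List, Tuple

# The dissected rule table from the findings slide, as constructed test data:
# (src_host, src_port, dst_host, dst_port, protocol, action)
RULES = [
    ("*",               ">1023",      "192.168.0.10/32", "80",          "TCP",  "ALLOW"),
    ("*",               "*",          "192.168.0.10/32", "23",          "TCP",  "ALLOW"),
    ("10.0.0.0/8",      ">1023",      "*",               "80",          "TCP",  "ALLOW"),
    ("192.168.0.10/24", "1024-50000", "10.0.0.0/8",      "22,902,8443", "TCP",  "ALLOW"),
    ("*",               "*",          "192.168.0.10/24", "3389",        "TCP",  "ALLOW"),
    ("10.0.0.0/8",      "0",          "*",               "0,8",         "ICMP", "ALLOW"),
]
FIELDS = ("src_host", "src_port", "dst_host", "dst_port", "protocol", "action")
INSECURE_PORTS = {"21": "ftp", "23": "telnet", "161": "snmp"}  # assumed service map
BROAD_RANGE = 1024                                              # assumed threshold

def _span(ports: str) -> int:
    """Width of an explicit 'low-high' port range; 0 for '*', '>1023', lists etc."""
    lo, _, hi = ports.partition("-")
    return int(hi) - int(lo) + 1 if lo.isdigit() and hi.isdigit() else 0

def review(rules) -> List[Tuple[int, str, str]]:
    """Run the checklist over the table; returns (rule no., column, finding)."""
    findings: List[Tuple[int, str, str]] = []
    for n, row in enumerate(rules, start=1):
        r = dict(zip(FIELDS, row))
        if r["action"] != "ALLOW":              # only allow rules open something up
            continue
        for col in ("src_host", "src_port", "dst_host"):
            if r[col] == "*":
                findings.append((n, col, "ANY Rule"))
        if r["protocol"] == "ICMP" or r["dst_port"] in INSECURE_PORTS:
            findings.append((n, "dst_port", "Insecure"))
        if r["protocol"] != "ICMP" and "," in r["dst_port"]:   # several services in one rule
            findings.append((n, "dst_port", "Mash-Up"))
        if _span(r["src_port"]) > BROAD_RANGE:  # explicit wide range instead of '>1023'
            findings.append((n, "src_port", "Inadequate"))
    last = dict(zip(FIELDS, rules[-1]))         # the ruleset must end in a catch-all drop
    if not (last["action"] == "DROP" and last["src_host"] == last["dst_host"] == "*"):
        findings.append((len(rules), "action", "DROP-ALL rule missing"))
    return findings
```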
Outro | Literature
◦ Firewall Rule Parsing am Beispiel von SonicWALL (Firewall rule parsing using the example of SonicWALL), http://www.scip.ch/?labs.20110113
◦ Common Vulnerability Scoring System und seine Probleme (Common Vulnerability Scoring System and its problems), http://www.scip.ch/?labs.20101209
◦ These slides and additional details will be published at http://www.scip.ch/?labs

Outro | Questions

Security is our Business!
scip AG, Badenerstrasse 551, CH-8048 Zürich
Tel: +41 44 404 13 13
Fax: +41 44 404 13 14
Mail: [email protected]
Web: http://www.scip.ch
Twitter: http://twitter.com/scipag
Strategy | Consulting | Auditing | Testing | Forensics | Analysis