This talk discusses the idea, approach and possibilities of firewall rule reviews, which identify incorrect and inefficient settings in existing firewall rulesets.
1. Firewall Rule Modelling and Review
Marc Ruef
www.scip.ch
SwiNOG 24
10. May 2012
Berne, Switzerland
2. Agenda | Firewall Rule Modelling and Review
1. Introduction
   Who am I? 2 min
   What is the Goal? 2 min
2. Firewall Rule Modelling and Review
   Extraction 4 min
   Parsing 4 min
   Dissection 4 min
   Review 10 min
   Additional Settings 10 min
   Routing Criticality 7 min
   Statistical Analysis 5 min
3. Outro
   Summary 2 min
   Questions 5 min
SwiNOG 24 2/28
3. Introduction | Who am I?
Name: Marc Ruef
Job: Co-Owner / CTO, scip AG, Zürich
Private Website: http://www.computec.ch
Last Book: „The Art of Penetration Testing“ (Translation), Computer & Literatur Böblingen, ISBN 3-936546-49-5
4. Introduction | What is our Goal?
◦ A Firewall Rule Review shall determine
  ◦ Insecure rules
  ◦ Wrong rules
  ◦ Inefficient rules
  ◦ Obsolete rules
◦ I will show
  ◦ Approaches
  ◦ Our methodology
  ◦ Possibilities
21. Routing Criticality | Weight Indexing (Example)
Description                              Source    Destination  Port   AV AC Au CI II AI  Score
External Web to Web Server               Internet  DMZ          t80    N  L  N  N  C  C   9.4
External Web for Internal Clients (in)   LAN       Internet     t80    N  M  N  C  C  C   9.3
External Web to Customer Site            Internet  DMZ          t443   N  L  S  C  C  C   9.0
External Mail to Public Mail Server      Internet  DMZ          t110   N  M  S  C  C  C   8.5
External Remote Access to Servers        Internet  DMZ          t22    N  M  S  C  C  C   8.5
Internal Access to DNS Servers           LAN       DMZ          u53    L  L  N  C  C  C   7.2
Intranet Access for Internal Clients     LAN       DMZ          t80    L  L  N  P  C  C   6.8
External Web for Internal Clients (out)  LAN       Internet     t80    L  L  S  C  C  C   6.8
Internal Remote Access to Servers        LAN       DMZ          t3389  L  M  S  P  C  P   5.5
Internal ICMP Echo for Servers           DMZ       Internet     i0,8   L  M  S  P  P  C   5.5
(Port notation: t = TCP port, u = UDP port, i = ICMP types.)
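The weight index in the table above can be reproduced. The following is an added example, not code from the talk or from scip AG; it assumes that the AV/AC/Au/CI/II/AI columns are the CVSS v2 base metrics (Access Vector, Access Complexity, Authentication, and Confidentiality/Integrity/Availability impact), which the deck's own CVSS reference suggests, and recomputes each rule's score from them so that the review can be ordered by criticality. The rule list is transcribed from the slide.

```python
# Added example (not from the talk): recomputes the "Weight Indexing" table of slide 21.
# Assumption: the AV/AC/Au/CI/II/AI columns are CVSS v2 base metrics, so each rule's
# weight is its CVSS v2 base score; the review then starts with the highest-weighted rules.
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2 base-metric weights, as given in the CVSS v2 specification
AV = {"L": 0.395, "A": 0.646, "N": 1.0}     # Access Vector: Local, Adjacent, Network
AC = {"H": 0.35, "M": 0.61, "L": 0.71}       # Access Complexity: High, Medium, Low
AU = {"M": 0.45, "S": 0.56, "N": 0.704}      # Authentication: Multiple, Single, None
IMP = {"N": 0.0, "P": 0.275, "C": 0.660}     # C/I/A impact: None, Partial, Complete


@dataclass
class Rule:
    description: str
    source: str
    destination: str
    port: str      # slide notation: t80 = tcp/80, u53 = udp/53, i0,8 = ICMP types 0 and 8
    metrics: str   # six letters in the order AV AC Au CI II AI, e.g. "NLNNCC"


def round1(x: float) -> float:
    """CVSS rounds half up to one decimal; Python's round() rounds half to even."""
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def cvss2_base(metrics: str) -> float:
    """CVSS v2 base score for a six-letter metric string."""
    av, ac, au, c, i, a = metrics.upper()
    impact = 10.41 * (1 - (1 - IMP[c]) * (1 - IMP[i]) * (1 - IMP[a]))
    exploitability = 20 * AV[av] * AC[ac] * AU[au]
    f = 0 if impact == 0 else 1.176
    return round1((0.6 * impact + 0.4 * exploitability - 1.5) * f)


def parse_port(spec: str):
    """'t80' -> ('tcp', [80]); 'i0,8' -> ('icmp', [0, 8]) (ICMP types, not ports)."""
    proto = {"t": "tcp", "u": "udp", "i": "icmp"}[spec[0]]
    return proto, [int(n) for n in spec[1:].split(",")]


def weight_index(rules):
    """Rules ordered by descending weight as (score, description) pairs."""
    return sorted(((cvss2_base(r.metrics), r.description) for r in rules),
                  key=lambda t: -t[0])


# The ten rules from slide 21, transcribed from the table
SLIDE_RULES = [
    Rule("External Web to Web Server", "Internet", "DMZ", "t80", "NLNNCC"),
    Rule("External Web for Internal Clients (in)", "LAN", "Internet", "t80", "NMNCCC"),
    Rule("External Web to Customer Site", "Internet", "DMZ", "t443", "NLSCCC"),
    Rule("External Mail to Public Mail Server", "Internet", "DMZ", "t110", "NMSCCC"),
    Rule("External Remote Access to Servers", "Internet", "DMZ", "t22", "NMSCCC"),
    Rule("Internal Access to DNS Servers", "LAN", "DMZ", "u53", "LLNCCC"),
    Rule("Intranet Access for Internal Clients", "LAN", "DMZ", "t80", "LLNPCC"),
    Rule("External Web for Internal Clients (out)", "LAN", "Internet", "t80", "LLSCCC"),
    Rule("Internal Remote Access to Servers", "LAN", "DMZ", "t3389", "LMSPCP"),
    Rule("Internal ICMP Echo for Servers", "DMZ", "Internet", "i0,8", "LMSPPC"),
]

if __name__ == "__main__":
    for score, desc in weight_index(SLIDE_RULES):
        print(f"{score:4.1f}  {desc}")
```

Running the block prints the ten rules in the same order and with the same scores as the slide, which confirms the assumption about the metric columns; swapping in a different scoring scheme only requires replacing `cvss2_base`.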
23. Statistical Analysis | Top Findings (Median Last 11 Projects)
[chart: top findings; the values were not preserved in the extracted text]
24. Statistical Analysis | Reasons for Risks
◦ There are several possible reasons why FWs are not configured in the most secure way:
  ◦ Mistakes (wrong click, wrong copy&paste, …)
  ◦ Forgotten/Laziness (“I will improve that later…”)
  ◦ Misinformation (vendor suggests ports 10000-50000)
  ◦ Misunderstanding (technical, conceptual)
  ◦ Unknown features (hidden settings)
  ◦ Technical failure (e.g. broken backup import)
25. Outro | Summary
◦ Firewall Rule Reviews help to determine weaknesses in firewall rulesets.
◦ The extraction, parsing and dissection of a ruleset make the analysis possible.
◦ Common weaknesses are broad definition of objects, overlapping rules and unsafe protocols.
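The three weakness classes named in the summary can be checked mechanically once a ruleset has been parsed. The following is an added example, not code from the talk or from scip AG: it dissects a small constructed ruleset (the addresses, rule order and the list of cleartext services are assumptions for illustration) and reports broad objects, overlapping and shadowed rules, and permitted unsafe protocols.

```python
# Added example (not from the talk): a minimal dissection step that flags the weakness
# classes named in the summary. The ruleset and the list of unsafe services are constructed.
import ipaddress
from dataclasses import dataclass, field

ANY = ipaddress.ip_network("0.0.0.0/0")
# Cleartext or legacy services a reviewer would flag when permitted (assumed list)
UNSAFE_TCP = {21: "ftp", 23: "telnet", 110: "pop3", 143: "imap", 512: "rexec"}


@dataclass
class Rule:
    num: int
    action: str                      # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                       # "tcp", "udp", "icmp" or "any"
    ports: frozenset = field(default_factory=frozenset)   # empty = any port


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    if not (inner.src.subnet_of(outer.src) and inner.dst.subnet_of(outer.dst)):
        return False
    if outer.proto != "any" and outer.proto != inner.proto:
        return False
    return not outer.ports or bool(inner.ports and inner.ports <= outer.ports)


def overlaps(a: Rule, b: Rule) -> bool:
    """True if at least one packet is matched by both rules."""
    if not (a.src.overlaps(b.src) and a.dst.overlaps(b.dst)):
        return False
    if "any" not in (a.proto, b.proto) and a.proto != b.proto:
        return False
    return not a.ports or not b.ports or bool(a.ports & b.ports)


def review(rules):
    """Return (rule number, finding class, detail) triples for a parsed, ordered ruleset."""
    findings = []
    for i, r in enumerate(rules):
        if r.action == "allow" and (r.src == ANY or r.dst == ANY):
            findings.append((r.num, "broad", "source or destination object is 'any'"))
        if r.action == "allow" and r.proto == "tcp":
            for p in sorted(r.ports & set(UNSAFE_TCP)):
                findings.append((r.num, "unsafe", f"permits cleartext {UNSAFE_TCP[p]} (tcp/{p})"))
        for earlier in rules[:i]:
            if covers(earlier, r):      # first-match semantics: r can never fire
                findings.append((r.num, "shadowed", f"fully covered by rule {earlier.num}"))
                break
            if earlier.action == r.action and overlaps(earlier, r):
                findings.append((r.num, "overlap", f"partially overlaps rule {earlier.num}"))
    return findings


def net(s):
    return ipaddress.ip_network(s)


# Constructed ruleset: LAN 10.0.0.0/8, DMZ 192.0.2.0/24 (documentation prefix)
RULES = [
    Rule(1, "allow", net("10.0.0.0/8"), net("192.0.2.0/24"), "tcp", frozenset({80})),
    Rule(2, "allow", net("10.0.0.0/8"), net("192.0.2.0/24"), "tcp", frozenset({80, 443})),
    Rule(3, "allow", net("10.1.2.0/24"), net("192.0.2.10/32"), "tcp", frozenset({80})),
    Rule(4, "allow", ANY, net("192.0.2.0/24"), "tcp", frozenset({23})),
    Rule(5, "deny", ANY, ANY, "any"),       # cleanup rule
]

if __name__ == "__main__":
    for num, kind, detail in review(RULES):
        print(f"rule {num:2d}  {kind:9s} {detail}")
```

With this ruleset the review reports rule 2 as overlapping rule 1, rule 3 as shadowed by rule 1 (it can never match and is a candidate for removal), and rule 4 both for its broad source object and for permitting telnet; the cleanup rule is deliberately not reported, since a final deny of everything is expected.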
26. Outro | Literature
◦ Firewall Rule Parsing am Beispiel von SonicWALL (Firewall Rule Parsing Using SonicWALL as an Example; in German), http://www.scip.ch/?labs.20110113
◦ Common Vulnerability Scoring System und seine Probleme (Common Vulnerability Scoring System and Its Problems; in German), http://www.scip.ch/?labs.20101209
These slides and additional details will be published at http://www.scip.ch/?labs