Posted on 02-Jan-2016
Firewall Fingerprinting
Amir R. Khakpour (1), Joshua W. Hulst (1), Zhihui Ge (2), Alex X. Liu (1), Dan Pei (2), Jia Wang (2)
(1) Michigan State University, (2) AT&T Labs - Research
IEEE INFOCOM 2012
左昌國, Seminar @ ADLab, NCU
Outline
• Introduction
• Related Work
• Background
• Overview
• Firewall Characteristics
• Firewall Inference
• Conclusion and Future Work
Introduction
• Motivation
  • Firewalls are the first line of defense for network traffic
  • Firewalls also have vulnerabilities
  • The first step of an attack on a firewall is to fingerprint it
• Limitations of previous work
  • Mostly OS fingerprinting
  • Bridge mode makes firewalls not directly addressable
  • Packet header analysis is useless for firewall fingerprinting
• Challenges
  • Closed source
  • Parameters and configuration details are unknown
  • Not remotely accessible
  • Difficult to infer firewall types
Introduction
• This paper …
  • Proposes a set of techniques that can collect information about firewalls
  • Identifies firewall characteristics
    • Packet classification algorithms
    • Performance under different traffic loads
  • Identifies firewalls
Related Work
• OS fingerprinting tools
  • NMAP
  • xprobe2++
  • p0f
• OS fingerprinting research
  • Medeiros et al.
  • Snacktime
• Firewall performance
  • Lyu and Lau
  • Funke et al.
Background
• Firewall policies
• Caching
  • Rule caching: 4-tuple (source IP, dest. IP, dest. port, and protocol type)
  • Flow caching: 5-tuple (the 4-tuple plus source port)
Background
• Statefulness
  • A stateful firewall tracks TCP sessions in a state table by examining the TCP flags of incoming TCP packets
• Packet classification solutions
  • Software-based solutions
    • Sequential search
    • Complex data structures
  • Ternary Content Addressable Memory (TCAM)
Overview
• Measurements based on probe packet processing time (PPT)
Firewall Characteristics
• Probe packets
  • TCP Fix: a sequence of TCP packets with the same packet header
  • TCP Vary: a sequence of TCP packets with the same packet header except the source port, which is chosen randomly for each packet
  • UDP Fix: a sequence of UDP packets with the same packet header
  • UDP Vary: a sequence of UDP packets with the same packet header except the source port, which is chosen randomly for each probe packet
Firewall Characteristics
• Background traffic load
• Measuring PPT
  • Local measurement
  • Remote measurement
• Packet classification algorithm
  • Whether a firewall adopts a sequential search based algorithm
  • Whether the performance of a firewall is sensitive to traffic load
  • How a firewall performs in terms of PPT
Firewall Characteristics – Sequential Search
• Generate a sequence of probe packets where each packet matches exactly one of the rules in the policy
• PPT measurement
  • PPT grows linearly with the position of the matched rule: probably sequential search
  • A different pattern (or no change at all): not sequential search
Firewall Characteristics – Sequential Search
(figure only: PPT plots for the sequential-search test; only unlabeled numbers survived extraction)
Firewall Characteristics – Sensitivity to Traffic Load
(figure only: PPT plots under different traffic loads; only unlabeled numbers survived extraction)
Firewall Characteristics – Caching and Statefulness
• Cache effectiveness (C): the ratio of the PPT for the first probe packet to the median PPT of the rest of the packets in the same sequence
  • C > 1: effective caching
  • C ≈ 1: no caching, or caching is not effective
• Effective in TCP Fix and UDP Fix only: the cache is keyed on 5 header fields, i.e. flow caching
• Effective in TCP Vary and UDP Vary as well: the cache is keyed on 4 fields (no source port), i.e. rule caching
Firewall Characteristics – Caching and Statefulness
(figure only: no text survived extraction)
Firewall Characteristics – Packet Protocol and Payload Size
(figure only: no text survived extraction)
Firewall Inference – TCP Probe Packets
• 2 consecutive probe packets
  • Each: TCP SYN flag set, and another TCP flag set
Firewall Inference – Packet Processing Time
• A dataset
  • 3600 data points
  • Each point: 11 consecutive probe packets in each of the 4 modes (TCP Fix, …), with and without payload (8 combinations in total)
  • Packets collected at 3 load levels: no load, medium load, full load
  • Point: x = <x1, x2, …, x24> (24 features, 3 per combination i = 1..8)
    • x_{3i-2}: median PPT
    • x_{3i-1}: standard deviation of PPT
    • x_{3i}: cache effectiveness
• Labels
  • Y1 = {'FW1', 'FW2', 'FW3'}
  • Y2 = {'stateful', 'stateless'}
  • Y3 = {'FW1-SF', 'FW2-SF', 'FW3-SF', 'FW1-SL', 'FW2-SL', 'FW3-SL'}
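As an added example (not code from the paper or the seminar), the feature extraction from the dataset slide and the cache-effectiveness rule from the caching slide, implemented over constructed PPT sequences: one data point is the 8 sequences of 11 PPT values, and C per mode decides between flow caching and rule caching. The 1.2 cut-off separating "C > 1" from "C ≈ 1", the dictionary layout and the helper names are assumptions, not the paper's.

```python
import statistics
from typing import Dict, List, Sequence, Tuple

# One data point on the slides: 11 consecutive probe packets in each of 4 modes,
# with and without payload, i.e. 8 sequences and 3 features each -> 24 features.
MODES = ["TCP Fix", "TCP Vary", "UDP Fix", "UDP Vary"]
PAYLOADS = ["no payload", "payload"]
Point = Dict[Tuple[str, str], Sequence[float]]


def cache_effectiveness(ppts: Sequence[float]) -> float:
    """C = PPT of the first probe packet / median PPT of the rest of the sequence."""
    if len(ppts) < 2:
        raise ValueError("a probe sequence needs at least two packets")
    return ppts[0] / statistics.median(ppts[1:])


def feature_vector(point: Point) -> List[float]:
    """x = <x1, ..., x24>: for combination i, x_{3i-2} = median PPT, x_{3i-1} = STD, x_{3i} = C."""
    x: List[float] = []
    for mode in MODES:
        for payload in PAYLOADS:
            ppts = point[(mode, payload)]
            x.extend([statistics.median(ppts), statistics.pstdev(ppts), cache_effectiveness(ppts)])
    return x


def infer_caching(point: Point, threshold: float = 1.2) -> str:
    """Read the caching type off C. The cut between C > 1 and C ~= 1 is an assumed
    threshold, not a value from the paper; calibrate it against the jitter of your own PPTs."""
    c = {key: cache_effectiveness(ppts) for key, ppts in point.items()}
    fix_effective = all(v > threshold for (mode, _), v in c.items() if mode.endswith("Fix"))
    vary_effective = all(v > threshold for (mode, _), v in c.items() if mode.endswith("Vary"))
    if fix_effective and vary_effective:
        return "rule caching (4-tuple, source port ignored)"  # random source port did not matter
    if fix_effective:
        return "flow caching (5-tuple)"  # only packets with identical headers hit the cache
    return "no caching or caching not effective"


def make_point(fix_seq: Sequence[float], vary_seq: Sequence[float]) -> Point:
    """Constructed PPT sequences (microseconds), not measurements: Fix modes get fix_seq, Vary modes vary_seq."""
    return {(m, p): list(fix_seq if m.endswith("Fix") else vary_seq) for m in MODES for p in PAYLOADS}


if __name__ == "__main__":
    # First packet slow, the next ten served from cache in Fix modes only -> looks like flow caching.
    flow = make_point([60.0] + [20.0] * 10, [60.0] + [58.0] * 10)
    print(len(feature_vector(flow)), infer_caching(flow))  # 24 flow caching (5-tuple)
```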
Firewall Inference – Packet Processing Time
• Classifier: SVM
(figures only: no text survived extraction)
Conclusion and Future Work
• A method for finding firewall characteristics
• Using these characteristics, this paper shows 2 methods for inferring the firewall implementation
• Future work
  • Defense mechanisms