Post on 02-Jan-2016


Firewall Fingerprinting

Amir R. Khakpour¹, Joshua W. Hulst¹, Zhihui Ge², Alex X. Liu¹, Dan Pei², Jia Wang²

¹ Michigan State University, ² AT&T Labs - Research

IEEE INFOCOM 2012

Presented by 左昌國, Seminar @ ADLab, NCU

Outline
• Introduction
• Related Work
• Background
• Overview
• Firewall Characteristics
• Firewall Inference
• Conclusion and Future Work

Introduction
• Motivation
  • Firewalls are the first line of defense for network traffic
  • Firewalls themselves have vulnerabilities
  • Fingerprinting the firewall (learning its implementation and configuration) is the first step of an attack against it
• Limitations of previous work
  • Mostly OS fingerprinting, not firewall fingerprinting
  • A firewall in bridge (transparent) mode has no IP address of its own, so it cannot be probed directly
  • Packet header analysis, the basis of OS fingerprinting, is useless for firewall fingerprinting
• Challenges
  • Closed-source implementations
  • Unknown parameters and configuration details
  • Not remotely accessible
  • Firewall types are therefore difficult to infer

Introduction
• This paper…
  • Proposes a set of techniques for collecting information about firewalls
  • Identifies firewall characteristics
    • Packet classification algorithm
    • Performance under different traffic loads
  • Infers the firewall implementation from those characteristics

Related Work
• OS fingerprinting tools
  • Nmap
  • Xprobe2++
  • p0f
• OS fingerprinting research
  • Medeiros et al.
  • Snacktime
• Firewall performance
  • Lyu and Lau
  • Funke et al.

Background
• Firewall policies
• Caching
  • Rule caching: keyed on a 4-tuple (source IP, destination IP, destination port, protocol type)
  • Flow caching: keyed on a 5-tuple (the 4-tuple plus source port)

Background
• Statefulness
  • A stateful firewall tracks TCP sessions in a state table by examining the TCP flags of incoming TCP packets
• Packet classification solutions
  • Software based
    • Sequential search through the rule list
    • Complex data structures built from the policy
  • Hardware based: Ternary Content Addressable Memory (TCAM)

Overview
• Every characteristic is inferred from measurements of probe packet processing time (PPT): the time the firewall takes to process a probe packet

Firewall Characteristics
• Probe packets
  • TCP Fix: a sequence of TCP packets with identical packet headers
  • TCP Vary: a sequence of TCP packets with identical packet headers except the source port, chosen randomly for each packet
  • UDP Fix: a sequence of UDP packets with identical packet headers
  • UDP Vary: a sequence of UDP packets with identical packet headers except the source port, chosen randomly for each packet

Firewall Characteristics
• Background traffic load
• Measuring PPT
  • Local measurement
  • Remote measurement
• Packet classification algorithm: questions answered from the measurements
  • Does the firewall use a sequential search based algorithm?
  • Is the firewall's performance sensitive to traffic load?
  • How does the firewall perform in terms of PPT?

Firewall Characteristics – Sequential Search
• Generate a sequence of probe packets such that each packet matches exactly one rule of the policy, and measure the PPT of each packet
• PPT measurement
  • PPT grows linearly with the position of the matched rule: probably sequential search (a packet is compared against every rule ahead of the one it matches)
  • A different pattern, or no change with rule position: not sequential search
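The following is an added example, not code from the paper or the slides. It puts the probe sequences of the probe packets slide together with the sequential-search test above: it builds TCP Fix/Vary style probe headers in which probe i matches exactly rule i, fits a straight line to PPT against rule index, and decides from slope and R². The rule layout (rules differing only in destination port from an assumed PORT_BASE), the PPT model, and the R² threshold are assumptions; PPT values are simulated rather than measured on a live firewall.

```python
"""Sequential-search inference from probe packet processing time (PPT).

Added example, not code from the paper or the slides. Assumptions:
a hypothetical policy of N rules that differ only in destination port,
so probe i (dport = PORT_BASE + i) matches exactly rule i; PPTs come
from a constructed model (microseconds) rather than a live firewall;
the R^2 threshold is illustrative, not the paper's.
"""
import random
import statistics

PORT_BASE = 10000  # assumed: rule i matches destination port PORT_BASE + i


def probe_sequence(n_rules, proto="tcp", vary_sport=False, rng=None):
    """Probe headers in the slides' Fix/Vary styles: every field is held
    constant except dport (which selects the rule) and, in Vary mode,
    a fresh random source port for each packet."""
    rng = rng or random.Random(0)
    probes = []
    for i in range(n_rules):
        probes.append({
            "proto": proto,
            "src": "10.0.0.2", "dst": "10.0.0.1",
            "sport": rng.randrange(1024, 65536) if vary_sport else 40000,
            "dport": PORT_BASE + i,
        })
    return probes


def simulate_ppt(rule_index, sequential, rng, n_rules):
    """Constructed PPT model. Sequential search walks the rules in order,
    so cost grows with the index of the matching rule. A non-sequential
    classifier (TCAM, tree) costs about the same whichever rule matches."""
    base, per_rule, noise = 20.0, 0.5, 1.0
    if sequential:
        return base + per_rule * rule_index + rng.gauss(0, noise)
    return base + per_rule * n_rules / 2 + rng.gauss(0, noise)


def fit_line(xs, ys):
    """Least-squares slope, intercept and R^2 of ys against xs."""
    mx, my = statistics.fmean(xs), statistics.fmean(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    slope = sxy / sxx
    intercept = my - slope * mx
    ss_res = sum((y - intercept - slope * x) ** 2 for x, y in zip(xs, ys))
    ss_tot = sum((y - my) ** 2 for y in ys)
    return slope, intercept, (1.0 - ss_res / ss_tot) if ss_tot else 0.0


def looks_sequential(rule_indices, ppts, min_r2=0.9):
    """PPT rising linearly with the position of the matched rule suggests
    sequential search; a flat or non-linear pattern does not."""
    slope, _, r2 = fit_line(rule_indices, ppts)
    return slope > 0 and r2 >= min_r2


def measure(sequential, n_rules=100, repeats=5, seed=1):
    """Send `repeats` probes per rule and keep the median PPT per rule,
    which damps the jitter a single measurement carries."""
    rng = random.Random(seed)
    probes = probe_sequence(n_rules)
    idx, med = [], []
    for i, _probe in enumerate(probes):  # _probe is what would go on the wire
        samples = [simulate_ppt(i, sequential, rng, n_rules) for _ in range(repeats)]
        idx.append(i)
        med.append(statistics.median(samples))
    return idx, med


if __name__ == "__main__":
    for mode in (True, False):
        idx, ppt = measure(sequential=mode)
        slope, _, r2 = fit_line(idx, ppt)
        print(f"simulated sequential={mode}: slope={slope:.3f} us/rule, "
              f"R^2={r2:.3f}, inferred sequential={looks_sequential(idx, ppt)}")
```

Taking the median of several probes per rule matters more on a real link than in this simulation: a single outlier caused by background traffic can otherwise drag R² under the threshold and hide a genuinely linear trend.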

Firewall Characteristics – Sequential Search (three plot slides)

Firewall Characteristics – Sensitivity to Traffic Load (two plot slides)

[Plot annotations as extracted, not attributable to a specific slide: 0.1176, 0.1645, 0.1411, -0.0317, 0.1339, 0.0208, 0.3809, -0.0073, 0.0033, 0.0082, 60.3360, 77.5470, 151.7891, 4.6034, 2.7385, 0.9874, 50.3710, 49.7796, 126.7352, 92.8078]

Firewall Characteristics – Caching and Statefulness
• Cache effectiveness (C): the ratio of the PPT of the first probe packet in a sequence to the median PPT of the remaining packets in the same sequence
  • C > 1: caching is effective (the first packet paid for a lookup the later packets avoided)
  • C ≈ 1: no caching, or caching that this sequence does not benefit from
• C > 1 for TCP Fix and UDP Fix only: the cache is keyed on all 5 header fields (flow caching), so a changed source port misses it
• C > 1 also for TCP Vary and UDP Vary: the cache is keyed on 4 fields without the source port (rule caching)

Firewall Characteristics – Caching and Statefulness (plot slide)

Firewall Characteristics – Packet Protocol and Payload Size (two plot slides)

Firewall Inference – TCP Probe Packets
• Two consecutive probe packets, each with the TCP SYN flag set together with one other TCP flag
• A stateful firewall examines TCP flags when maintaining its state table (see Background), so its handling of such packets differs from a stateless one

Firewall Inference – Packet Processing Time
• A dataset
  • 3600 data points
  • Each point: 11 consecutive probe packets in each of the 4 modes (TCP Fix, TCP Vary, UDP Fix, UDP Vary), with and without payload (8 sequences in total)
  • Packets collected at 3 load levels: no load, medium load, full load
  • Point: x = <x1, x2, …, x24> (24 features); sequence i (i = 1..8) contributes
    • x_{3i-2}: median PPT
    • x_{3i-1}: standard deviation of PPT
    • x_{3i}: cache effectiveness
• Labels
  • Y1 = {'FW1', 'FW2', 'FW3'} (firewall implementation)
  • Y2 = {'stateful', 'stateless'}
  • Y3 = {'FW1-SF', 'FW2-SF', 'FW3-SF', 'FW1-SL', 'FW2-SL', 'FW3-SL'} (implementation and statefulness jointly)
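The following is an added example, not the paper's code, serving both the cache effectiveness definition on the Caching and Statefulness slide and the 24-feature vector above: it computes C for each probe mode, turns the Fix/Vary pattern into a caching-mode inference, and assembles x = <x1 … x24> from 8 sequences. All PPT sequences are constructed, the C threshold of 1.2, the ordering of the 8 sequences and the use of the population standard deviation are assumptions, and the "with payload" sequences are simply reused copies of the "without payload" ones.

```python
"""Cache effectiveness, caching-mode inference and classifier features.

Added example, not the paper's code. Every PPT sequence below is
constructed (microseconds); the C threshold of 1.2, the ordering of the
8 sequences in the feature vector and the use of population std are
assumptions, not values from the paper.
"""
import statistics

MODES = ("TCP Fix", "TCP Vary", "UDP Fix", "UDP Vary")
SEQ_LEN = 11  # slide: 11 consecutive probe packets per sequence


def cache_effectiveness(ppts):
    """C = PPT of the first probe / median PPT of the remaining probes.
    C > 1: the first packet paid a lookup the rest avoided (cache hit).
    C ~= 1: no cache, or a cache this sequence cannot hit."""
    return ppts[0] / statistics.median(ppts[1:])


def infer_caching(c_by_mode, threshold=1.2):
    """Flow caching keys on the 5-tuple, so only Fix sequences (constant
    source port) hit it. Rule caching keys on the 4-tuple without the
    source port, so Vary sequences hit it as well."""
    fix_hit = all(c_by_mode[m] > threshold for m in ("TCP Fix", "UDP Fix"))
    vary_hit = all(c_by_mode[m] > threshold for m in ("TCP Vary", "UDP Vary"))
    if fix_hit and vary_hit:
        return "rule caching (4-tuple, source port ignored)"
    if fix_hit:
        return "flow caching (5-tuple)"
    return "no effective caching"


def feature_vector(sequences):
    """Build x = <x1 .. x24> from 8 sequences (4 modes x {payload, no
    payload}) in a fixed, assumed order; sequence i contributes
    x_{3i-2} = median, x_{3i-1} = std, x_{3i} = cache effectiveness."""
    if len(sequences) != 8:
        raise ValueError("expected 8 probe sequences")
    x = []
    for seq in sequences:
        if len(seq) != SEQ_LEN:
            raise ValueError("each sequence must have %d PPTs" % SEQ_LEN)
        x.append(statistics.median(seq))
        x.append(statistics.pstdev(seq))
        x.append(cache_effectiveness(seq))
    return x


def constructed_sequence(first, rest):
    """Constructed sample: one first-packet PPT, then ten PPTs jittered
    by +-0.1 around `rest` so that their median is exactly `rest`."""
    return [first] + [rest + 0.1 * ((k % 3) - 1) for k in range(SEQ_LEN - 1)]


# Constructed firewalls: A hits its cache only on Fix sequences, B on all
# four, C never. Values are illustrative, not measurements.
FIREWALLS = {
    "A": {"TCP Fix": constructed_sequence(60.0, 40.0),
          "TCP Vary": constructed_sequence(40.4, 40.0),
          "UDP Fix": constructed_sequence(55.0, 38.0),
          "UDP Vary": constructed_sequence(38.2, 38.0)},
    "B": {m: constructed_sequence(57.0, 38.0) for m in MODES},
    "C": {m: constructed_sequence(40.2, 40.0) for m in MODES},
}


def classify_caching(fw):
    """Caching mode inferred from the per-mode C values of one firewall."""
    c = {m: cache_effectiveness(seq) for m, seq in FIREWALLS[fw].items()}
    return infer_caching(c)


def features_for(fw):
    """Stand-in for the 8 sequences: the 4 mode sequences are reused as the
    'with payload' half (a real dataset measures those separately)."""
    seqs = [FIREWALLS[fw][m] for m in MODES] * 2
    return feature_vector(seqs)


if __name__ == "__main__":
    for fw in FIREWALLS:
        print(fw, classify_caching(fw), "features:", len(features_for(fw)))
```

The median of the remaining ten packets, rather than their mean, is what makes C robust: one delayed packet in the tail of a sequence would otherwise pull the ratio towards 1 and mask an effective cache.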

Firewall Inference – Packet Processing Time
• Classifier: SVM (result slides are plots/tables not captured in this transcript)

Conclusion and Future Work
• A method for discovering firewall characteristics from probe packet processing time
• Using these characteristics, the paper shows two methods for inferring the firewall implementation
• Future work
  • Defense mechanisms against firewall fingerprinting
