syst 699 gmu firewall assessment · 2015-12-08 · gmu network engineering & technology (net)...
TRANSCRIPT
SYST 699 GMU Firewall Assessment
Presented: 12/11/2015
Chris Grubb, Ray Kepler
Sponsor: Ben Allen, GMU Director, Network Engineering & Technology

Presentation Outline
● Firewall basics
● Problem description
● Approach
● Results
  ○ Change Control Process Analysis
  ○ Impact Testing Methods
  ○ Auditing Process Analysis
● Further research
Firewall Basics - Functional View
● Definition: “…a security structure that creates a barrier – or firewall – between a secure network and another network that is not known to be secure.” - CompTIA
[Diagram: traffic from the untrusted part of the internet passes through the firewall toward the trusted part of the internet and is either allowed or denied]
Firewall Basics - Traffic Attributes
● Source IP address
● Destination IP address
● Source port
● Destination port
● Application / communication protocol
Example packet:
  Source IP: 192.123.1.1
  Source port: 80
  Destination IP: 192.123.10.10
  Destination port: 80
  Protocol: TCP/IP
Firewall Basics - Defining a Rule
[Diagram: the example packet from the untrusted part of the internet is denied by the firewall before reaching the trusted part of the internet]
  Source IP     Dest. IP      Source Port   Dest. Port   Protocol   Policy
  192.123.1.1   192.123.*.*   Any           80           TCP        Deny
Example packet: Source IP: 192.123.1.1, Source port: 80, Destination IP: 192.123.10.10, Destination port: 80, Protocol: TCP/IP
Firewall Basics - Security Zones
● Definition: a grouping of computer resources by any combination of location, IP addresses, communication protocol, etc.
● Purpose: manage resources that are similar in function or security risk
● GMU manages ~250 network security zones
[Diagram: the firewall decides per zone whether the example packet (Source IP: 192.123.1.1, Source port: 80, Protocol: TCP/IP) is allowed or denied; zones shown: Zone 1: VSE web servers, Zone 2: GMU email servers]
Firewall Basics - Rule Sets
● Multiple rules are sequentially applied (to a zone)
● Engineers manage the entire rule set
● GMU has ~2700 firewall rules
Example: sample of a collection of firewall rules (i.e. a ‘rule set’)
Firewall Basics - Rule ‘Anomalies’ (1)
(1) Firewall Policy Advisor for Anomaly Discovery and Rule Editing, Ehab S. Al-Shaer and Hazem H. Hamed, Integrated Network Management VIII, pp. 17-30
Problem Statements
● GMU Network Engineering & Technology (NET) does not have a defined process for managing the creation, change, and retirement of firewall rules, which can lead to bloated rule sets or rule set ‘anomalies’.
● GMU NET does not have a defined audit process for their firewall rule set, which prevents them from being able to verify that rules accurately implement GMU’s network security policies.
Approach
Main
● Conduct client and stakeholder interviews
● Review literature relevant to the management of firewall rules
● Develop criteria based on literature for assessing GMU NET’s firewall rules configuration management
● Assess GMU NET’s firewall configuration management activities
● Provide recommendations
Supporting analysis
● Analysis of GMU firewall traffic logs to demonstrate ‘impact analysis’
● Propose a modeling framework for detecting ‘anomalies’
Deliverables
1. Analysis of GMU’s change control process including methods for impact testing and documentation of the as-is system.
2. Analysis of GMU’s firewall ruleset auditing process including documentation of the as-is system.
3. Recommendations for improving GMU’s firewall ruleset management.
Configuration Management Standards
GMU Configuration Management
● Purpose: “Configuration Management [CM] is essential to Systems Engineering and to Software Engineering. CM establishes and protects the integrity of a product or product component throughout its lifespan” - IEEE 828-2012
● Benefits:
  ○ Know the state of the system under configuration control
  ○ Effectively manage changes to the system under configuration control
Configuration Management Standards

GMU Help Desk Ticketing System
Change Control and Audit Findings
● GMU Network Engineering & Technology (NET) has no documented firewall management requirements, firewall change management policies and procedures, or defined roles and responsibilities
● Balancing the burden of change control activities against the responsibility to provide timely, effective service is critical to an effective process
● Lack of documented requirements, policies, and procedures poses several risks to GMU, GMU NET, and its stakeholders
● The service ticketing system is not a single-purpose system, which makes review and auditing of services that affect firewall rules challenging
Change Control Recommendations
● Establish a cross-functional ‘tiger team’ of stakeholders to quickly develop documentation of ‘as-is’ firewall change management activities and proposals for critical ‘to-be’ procedures
● Identify which firewall rules (if not all) should be brought under a configuration management and change control process
● Develop a method for tagging service tickets that result in new or edited firewall rules that are or would be under configuration control
● Develop a method of retrieving service tickets for review and auditing
Configuration Management Standards

Self-Auditing Process
Review Change Process
● Who is authorized? Are changes well-documented?
Review Rule Base
● Policy Maintenance
  ○ How many rules? Uncommented rules? Archaic rules?
● Risk
  ○ Risky services? Adherence to organizational security policy?
● Compliance
  ○ FERPA? FISMA? HIPAA? DMCA? FACTA?

Configuration Management Standards
Firewall Rule Impact Analysis
● Purpose of impact analysis: assess the impact of firewall rule additions or changes prior to placing them into a production environment
● Data: data was acquired from GMU NET and the IT Security Office after a lengthy process to discover and explore possible arrangements for data
● Approach: demonstrate how network traffic log data (or similar data) can be used to assess the impact of changes to firewall rules
● CAUTION: data is for 5 zones (out of ~250) and based on ~10 minutes of traffic data → WE DO NOT CONTEND THESE RESULTS GENERALIZE
Method 1 - Descriptive Statistics
[Chart; axis ticks 1 2 3 4 5]

Method 2 - Network Analysis
[Figure: Zone 5 Communication Network by IP Address]

Method 2 - Network Analysis
[Figure: Zone 5 Communication Network by IP Address, annotated “There’s a dot there”]

Method 2 - Network Analysis
Configuration Management Standards
Method 3 - Anomaly Detection
Goals
● Identify rule anomalies
● Evaluate and resolve anomalous rules
Benefits
● Maintain a smaller rule set
● Reduced number of unexpected behaviors
● Increased efficiency
● Improved performance
Objectives
● Model the rule set’s structural and behavioral aspects
● Design a framework for handling the detections
Method 3 - Approach using Petri Nets
Petri Nets
● Formal analysis method
  ○ Discrete event systems
  ○ Process algebra, production systems, business process modeling
● Graphical representation
● Structure and behavior modeling
● State space analysis
Method 3 - Petri Net Basics
1. Build Petri Net
   a. Add Places and Triggers
   b. Map Precedences
2. Execute a simulation
   a. Place Tokens
   b. Fire Triggers
3. Analyze
   a. Run Iterations
   b. State Space
Method 3 - Petri Net Anomaly Detection
Shadowing, Generalization, and Irrelevance anomalies can be identified, given the Network Architecture and Rule Set
Example rule set:
           Source   Dest.   Action
  Rule 1   *        *       Drop
  Rule 2   ip1      ip2     Allow
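The sequential first-match evaluation from the ‘Defining a Rule’ and ‘Rule Sets’ slides and the pairwise anomaly definitions of Al-Shaer and Hamed (shadowing, generalization, redundancy) applied to the two-rule table above, as an added example that is not the project's own code: the rule set, the sample packet and the octet-wildcard matching are constructed for this example, and irrelevance is not checked because it needs the network architecture, which the deck does not reproduce.

```python
from collections import namedtuple
from typing import List, Optional, Tuple

# A rule (or a packet) is a 5-tuple plus name and action. IP fields are dotted quads
# where an octet may be "*" (or the whole field "*"); ports and protocol may be "Any".
Rule = namedtuple("Rule", "name src dst sport dport proto action")

def _octets(v: str) -> List[str]:
    return ["*"] * 4 if v == "*" else v.split(".")

def _field_covers(a: str, b: str) -> bool:
    """Every value matched by field b is also matched by field a."""
    if a in ("*", "Any"):
        return True
    if "." in a or "." in b:  # IP pattern: each octet of a is a wildcard or equals b's octet
        return all(x == "*" or x == y for x, y in zip(_octets(a), _octets(b)))
    return a == b

def covers(a: Rule, b: Rule) -> bool:
    """Rule a matches everything rule (or packet) b matches, on all five fields."""
    return all(_field_covers(x, y) for x, y in zip(a[1:6], b[1:6]))

def first_match(rules: List[Rule], pkt: Rule) -> Optional[Rule]:
    """Sequential evaluation: the first rule covering the packet decides."""
    return next((r for r in rules if covers(r, pkt)), None)

def find_anomalies(rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """(anomaly, later_rule, earlier_rule) for each anomalous pair, in rule order."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            differ = earlier.action != later.action
            if covers(earlier, later):               # later rule can never be matched
                found.append(("shadowing" if differ else "redundancy", later.name, earlier.name))
            elif differ and covers(later, earlier):  # earlier rule is an exception to the later one
                found.append(("generalization", later.name, earlier.name))
            # same-action supersets are not flagged: an intervening rule may make the earlier one necessary
    return found

# Constructed rule set: the deck's 'Defining a Rule' table is R2; its "Rule 1 * * Drop" /
# "Rule 2 ip1 ip2 Allow" pair is R4 / R5 with concrete addresses.
RULES = [
    Rule("R1", "192.123.1.1", "192.123.10.10", "Any", "80", "TCP", "Allow"),
    Rule("R2", "192.123.1.1", "192.123.*.*", "Any", "80", "TCP", "Deny"),
    Rule("R3", "192.123.1.1", "192.123.10.*", "Any", "80", "TCP", "Deny"),
    Rule("R4", "*", "*", "Any", "Any", "Any", "Deny"),
    Rule("R5", "192.123.5.5", "192.123.10.10", "Any", "443", "TCP", "Allow"),
]
# The deck's sample packet: 192.123.1.1:80 -> 192.123.10.10:80 over TCP (action field unused).
PKT = Rule("pkt", "192.123.1.1", "192.123.10.10", "80", "80", "TCP", "-")
```

Against the single-rule set of the ‘Defining a Rule’ slide the packet is denied; against the full constructed set it is allowed by R1, the exception that R2 generalizes.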
Impact Analysis Methods Summary
● Descriptive Statistics
  a. Received from GMU: network traffic log
  b. Benefit: showed how descriptive statistics can be used to assess the impact of candidate firewall rules
● Network Analysis
  a. Received from GMU: network traffic log
  b. Benefit: identify important features of GMU’s network traffic patterns and how these features can be used to assess the impact of candidate firewall rules
● Anomaly Detection
  a. Provided: firewall rule set, network architecture
  b. Benefit: showed how Petri Nets can be used to detect firewall rule anomalies
Further Research
● Develop the Anomaly Detection proof of concept into an executable program that automates anomaly detection given a firewall rule set and network architecture
● Conduct detailed modeling and analysis of GMU’s service ticketing system
● Using a larger sample of firewall traffic data, conduct detailed statistical or network analysis in support of analyzing the impact of candidate firewall rules
Thanks
● Sponsor: Ben Allen, Director, GMU Network Engineering & Technology (NET)
● Advisor: Dr. Karla Hoffman
● Faculty and Staff:
  ○ Jon Goldman, VSE Director, Computing Resources
  ○ Dr. Abbas Zaidi
  ○ Dr. Peggy Brouse
  ○ Dr. Edward Huang
● GMU NET Engineers
  ○ Larry Song
● GMU IT Security Office, especially
  ○ Ryon Saenz
  ○ Tony Houdek
● Others
  ○ Ankit Shah
Backup

Problem Proposal
Development of Problem Origin, Selection, and Scope
Security Risks
Firewall Ruleset Growth
Other Observations
● Analysis of firewall activities is hampered by security sensitivities
● Non-disclosure agreements or other access provisions should be obtained prior to starting additional research
● Palo Alto Networks provides firewall traffic data analysis tools; however, access to those tools is limited to GMU NET engineers
Contributions
1. Analysis of GMU’s change control process including methods for impact testing and documentation of the as-is system.
2. Analysis of GMU’s firewall ruleset auditing process including documentation of the as-is system.
3. Recommendations for improving GMU’s firewall ruleset management.
4. Researched and provided a scrutinized self-audit questionnaire.
5. Designed an anomaly detection proof of concept for a firewall rule set.
Firewall Basics - Defining a Rule
[Diagram: the example packet from the untrusted part of the internet is denied by the firewall before reaching the trusted part of the internet]
  Source IP     Dest. IP        Source Port   Dest. Port   Protocol   Policy
  192.123.1.1   192.123.10.10   Any           80           TCP        Deny
Example packet: Source IP: 192.123.1.1, Source port: 80, Destination IP: 192.123.10.10, Destination port: 80, Protocol: TCP/IP
Variability of Dropped Traffic

Reasons Traffic was Dropped