Firewall Design Methods Haipeng Dai haipengdai@nju.edu.cn 313 CS Building Department of Computer Science and Technology Nanjing University
Firewall Design Methods Haipeng Dai haipengdai@nju.edu.cn 313 CS Building Department of Computer Science and Technology Nanjing University
Security Guard for Private Buildings 5G0 2
2 Security Guard for Private Buildings
Security Guard for Private Networks Firewall Private. Internet Network Location:connects Internet and private network Function:maps every packet to a decision-accept or discard Configuration:a sequence of rules written by administrator 3
3 Security Guard for Private Networks Location: connects Internet and private network Function: maps every packet to a decision - accept or discard Configuration: a sequence of rules written by administrator Internet Private Network Firewall
Firewall Example Mail Server Host 1 Host 2 Firewall Internet A Private Network Interface Source IP Dest.IP Dest.Port Protocol Decision 0 any mail server 25 TCP accept 0 malicious hosts any any any discard host1,host2) any 80 TCP accept any any any any any accept Rules are conflicting First match:decision for packet=decision of first matching rule ■Order matters 4
4 Firewall Example Interface Source IP Dest. IP Dest. Port Protocol Decision 0 any mail server 25 TCP accept 0 malicious hosts any any any discard 1 {host1, host2} any 80 TCP accept any any any any any accept Internet Firewall 0 1 Mail Server Host 1 Host 2 A Private Network Rules are conflicting First match: decision for packet = decision of first matching rule Order matters
Real-life Firewalls are Complex 523:conduit pernit tep host 100.77.28.87 eq 8100 any 524:conduit pernit tcp host 100.77.28.87 eq 8110 any Number of rules can be large 525:conduit pernit tcp host 100.77.28.84 eq ftp host 207.115.175.244 526:conduit pernit tcp host 100.77.28.84 eq telnet host 198.215.163.20 527:conduit pernit tep host 100.77.28.84 eq ftp host 198.215.163.20 Legacy rules 528:conduit pernit tep host 100.77.28.84 eq telnet host 198.215.163.21 529:conduit permit tep host 100.77.28.84 eq ftp host 198.215.163.21 530:conduit pernit tcp host 100.77.28.87 eq www host 207.115.175.244 Cascade impact of change 531:conduit pernit tcp host 100.77.28.87 eq telnet host 207.115.175.244 532:conduit pernit tcp ho3t100.77.28.87eq443ho3t207.115.175.244 533:conduit pernit tep host 100.77.28.87 eq ftp host 207.115.175.244 534:conduit pernit tep host 100.77.28.87 eq www host 205.170.235.0 535:conduit pernit tcp host 100.77.28.87 eq 443 host 205.170.235.0 536:conduit pernit tep host 100.77.28.87 eq ftp host 198.215.163.20 537:conduit permit tcp host 100.77.28.87 eq ftp host 198.215.163.21 538:conduit pernit tcp host 100.77.28.88 eq telnet 12.20.51.0 255.255.255.0 539:conduit permit tcp host100.77.28.88 eq ftp12.20.51.0255.255.255.0 540:conduit pernit tcp host100.77.28.88 eq www12.20.51.0255.255.255.0 541:conduit pernit tcp hos3t100.77.28.88eg1329212.20.51.0255.255.255.0 542:conduit pernit tcp host100.77.28.88eq44312.20.51.0255.255.255.0 543:conduit pernit tcp host 100.77.28.84 eq telnet 12.20.51.0 255.255.255.0 544:conduit permit tep host100.77.28.84 eq ftp12.20.51.0255.255.255.0 545:conduit pernit tcp ho3t100.77.28.85 eq wwnw12.20.51.0255.255.255.0 546:conduit permit tcp host 100.77.28.85 eq telnet 12.20.51.0 255.255.255.0 547:conduit pernit tcp host100.77.28.85eq44312.20.51.0255.255.255.0 548:conduit pernit tcp host100.77.28.85 eq ftp12.20.51.0255.255.255.0 549:conduit permit tcp host100.77.28.87eqnw12.20.51.0255.255.255.0 550:conduit pernit tcp host 100.77.28.87 eq telnet 12.20.51.0 255.255.255.0 5E1.i+++100 77 29 97443 19 90 E1 0 255255 O55 n 5
5 Real-life Firewalls are Complex Number of rules can be large Legacy rules Cascade impact of change
Problem As a result,firewall rules are hard to specify correctly hard to understand correctly hard to change correctly ■ Consequently,firewall configuration errors are common -Most firewalls are poorly designed with errors [Wool04] Firewall errors are unacceptable -Accept malicious packets:lose security -Discard legitimate packets:disrupt business Problem:How to design firewalls? 6
6 Problem As a result, firewall rules are hard to specify correctly hard to understand correctly hard to change correctly Consequently, firewall configuration errors are common ─ Most firewalls are poorly designed with errors [Wool'04] Firewall errors are unacceptable ─ Accept malicious packets: lose security ─ Discard legitimate packets: disrupt business Problem: How to design firewalls?
State-of-the-art Industry:tweak and pray “God bless my rules" Academia:analyze rules -Such as conflict detection ([HSP 00][EM 01][BV 02]) anomaly detection ([AH 03][AH 041) 7
7 State-of-the-art Industry: tweak and pray Academia: analyze rules ─ Such as conflict detection ([HSP 00] [EM 01] [BV 02]) anomaly detection ([AH 03] [AH 04]) “God bless my rules
Structured Firewall Design:Motivation The convention of designing a firewall directly as a sequence of conflicting rules has been taken for granted We point out that this convention is BAD. Why:this convention has three major issues -Consistency issue Completeness issue -Compactness issue 8
8 Structured Firewall Design: Motivation The convention of designing a firewall directly as a sequence of conflicting rules has been taken for granted We point out that this convention is BAD. Why: this convention has three major issues ─ Consistency issue ─ Completeness issue ─ Compactness issue
Consistency Issue Interface Source IP Dest.IP Dest.Port Protocol Decision 0 any mail server 25 TCP accept 0 malicious hosts any any any discard host1,host2) any 80 TCP accept any any any any any accept This firewall accepts email from malicious hosts! This is wrong(assuming this firewall is required to discard all packets from malicious hosts) 9
9 Consistency Issue This firewall accepts email from malicious hosts! This is wrong (assuming this firewall is required to discard all packets from malicious hosts) Interface Source IP Dest. IP Dest. Port Protocol Decision 0 any mail server 25 TCP accept 0 malicious hosts any any any discard 1 {host1, host2} any 80 TCP accept any any any any any accept
Consistency Issue Interface Source IP Dest.IP Dest.Port Protocol Decision 0 any mail server 25 TCP accept 0 malicious hosts any any any discard host1,host2) any 80 TCP accept any any any any any accept This firewall accepts email from malicious hosts! This is wrong (assuming this firewall is required to discard all packets from malicious hosts) We should swap the first two rules Consistency issue:hard to ensure rules are ordered correctly 10
10 Consistency Issue This firewall accepts email from malicious hosts! This is wrong (assuming this firewall is required to discard all packets from malicious hosts) We should swap the first two rules Consistency issue: hard to ensure rules are ordered correctly Interface Source IP Dest. IP Dest. Port Protocol Decision 0 any mail server 25 TCP accept 0 malicious hosts any any any discard 1 {host1, host2} any 80 TCP accept any any any any any accept