AlgoSec Inc. 1
Firewall Configuration Errors Revisited
Avishai WoolCTO & Co-Founder, AlgoSec
andProf., Tel Aviv University
Agenda
• Introduction
• Data sources and procedures
• Configuration errors
• Highlights of 2004 study
• Results and discussion
Firewalls seem to be badly configured:
• 45% of companies worldwide suffered attacks from viruses and worms in the last 12 months (this is a made-up statistic, true in every year …)
A properly configured firewall could easily block attacks such as:
• Sasser worm: attacked TCP port 445 (SMB, usually grouped with the NetBIOS ports)
• Sapphire / SQL Slammer worm: attacked UDP port 1434 (SQL Server Resolution Service)
• Blaster worm: attacked TCP port 135 (Microsoft RPC/DCOM)
Firewall configs are deemed sensitive – why?
• Admins know they have holes…
• Security by obscurity?
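The claim that a properly configured firewall blocks these worms is easy to check mechanically. The following is an added example, not AlgoSec's Firewall Analyzer and not code from the talk: a toy first-match evaluator for a small subset of Cisco PIX access-list syntax (`any`, `host A.B.C.D`, `NET MASK`, numeric `eq PORT`), run against a constructed policy to see whether the three worm ports are reachable from outside. The access-list name `outside_in`, the TEST-NET addresses and both policies are assumptions made for illustration.

```python
# Added example (not AlgoSec's product): toy PIX access-list evaluator that
# reports whether the worm ports from the slide are exposed. All addresses
# and both access-lists below are constructed for illustration.
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Protocol/port each worm attacked (real port numbers, as on the slide).
WORM_PORTS = {
    "Sasser": ("tcp", 445),
    "SQL Slammer": ("udp", 1434),
    "Blaster": ("tcp", 135),
}


@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None = any destination port


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'NET MASK'; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}"), i + 2


def parse_acl(text: str, name: str) -> list:
    """Collect the rules of one named access-list in file order (first match wins).
    Only numeric 'eq PORT' matches are understood; other operators are ignored."""
    rules = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[1] != name:
            continue
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        dport = int(t[i + 1]) if i + 1 < len(t) and t[i] == "eq" else None
        rules.append(Rule(t[2], t[3], src, dst, dport))
    return rules


def evaluate(rules, proto, src_ip, dst_ip, dport):
    """First-match evaluation with the PIX implicit deny at the end.
    Returns (action, rule_index); rule_index is None for the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for idx, r in enumerate(rules):
        if r.proto not in ("ip", proto):
            continue
        if s in r.src and d in r.dst and (r.dport is None or r.dport == dport):
            return r.action, idx
    return "deny", None


def worm_exposure(rules, probe_hosts, attacker="198.51.100.7"):
    """Per worm: list of (probe host, index of the permitting rule) that the
    attacker address can reach on that worm's port. Empty list = blocked."""
    report = {}
    for worm, (proto, port) in WORM_PORTS.items():
        hits = []
        for host in probe_hosts:
            action, idx = evaluate(rules, proto, attacker, host, port)
            if action == "permit":
                hits.append((host, idx))
        report[worm] = hits
    return report


# Constructed 'before' policy: line 4 is the classic over-broad permit.
WEAK_ACL = """\
access-list outside_in deny udp any any eq 1434
access-list outside_in permit tcp any host 203.0.113.10 eq 80
access-list outside_in permit tcp any host 203.0.113.10 eq 443
access-list outside_in permit ip any 203.0.113.0 255.255.255.0
access-list outside_in deny ip any any
"""
# Hardened policy: identical service rules, over-broad permit removed.
FIXED_ACL = "\n".join(l for l in WEAK_ACL.splitlines() if "permit ip any" not in l)
PROBES = ["203.0.113.10", "203.0.113.20"]

if __name__ == "__main__":
    for label, text in (("weak", WEAK_ACL), ("fixed", FIXED_ACL)):
        rules = parse_acl(text, "outside_in")
        for worm, hits in worm_exposure(rules, PROBES).items():
            state = "EXPOSED via rule %d" % hits[0][1] if hits else "blocked"
            print(f"{label:5} {worm:12} {state}")
```

On the weak policy the explicit `deny udp any any eq 1434` stops Slammer, but Sasser and Blaster reach every probed host through the `permit ip any 203.0.113.0 255.255.255.0` line; removing that one rule leaves all three blocked by the trailing deny. This is the kind of "obvious" error the study counts: the hole is not in a vendor check box but in an explicit, user-written rule.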
Can we quantify the problem?
1. Need firewall configuration data
• Not available publicly
2. Need to understand the configurations
• Complex vendor-dependent configuration languages
3. What is an error?
• Subjective, organization-dependent
#1 : We have the data
AlgoSec has performed firewall analysis for hundreds of customers since 2000
Data is under non-disclosure agreements – but we can publish statistics
#2 : We have the technology
Firewall Analyzer software can parse configuration languages
• (Check Point, Cisco PIX, Cisco Router Access-lists)
#3 : What is an error?
Idea: only count “obvious” errors
Rely on “best practices”:
• SANS Top 20
• CERT
• PCI DSS (Payment Card Industry)
• NIST 800-41
• …
Plan of action
First study (2004):
• Check Point Firewall-1 configurations
• Select 12 severe errors
• Analyze available configurations
• Count number of errors
• Statistical analysis to identify causes and trends
Current study:
• Both Check Point and Cisco PIX
• Larger: 2x the number of configurations
• More in-depth: 36 severe errors
• Check whether the 2004 findings are still valid
Timeline of data collection
Configuration files were collected between 2000 and 2005
Check Point Firewall-1 versions:
• 3.0, 4.0 – “end-of-life”
• 4.1 – was still supported
• NG – released in 2001, minor versions FP3, R54, R55
Cisco PIX:
• PIX versions 4.x, 5.x, 6.x, 7.0
Highlights of the 2004 study
54%
Firewall-1 version helps
On average, 2 fewer risks per configuration
Why did the version matter?
Some risks are the result of Check Point “implicit rules”
• Changed default values in v4.1
• New policy wizard to create a reasonable initial configuration
How to measure complexity
RC (Rule Complexity) = #Rules + #Network Objects + (#interfaces choose 2)
The last term counts interface pairs, i.e. data paths through the firewall:
• 2 interfaces: 1 data path
• 3 interfaces: 3 data paths
• 4 interfaces: 6 data paths, etc.
Small is Beautiful
Current Results
Why should anything change?
Regulation and Compliance:
• Sarbanes-Oxley / Basel-II / CobiT / ISO 27001
• Payment Card Industry (PCI DSS)
• NIST 800-41
• …
Different vendors – different issues?
New software versions – continue the trend?
Differences from 2004 report
• Both Check Point and PIX
• 2x configurations tested
• Newer software versions
• Vendor-neutral risk items (8 of the 12 properties in the 2004 study were specific to Check Point)
• Pick a new set of 36 risk items, covering Inbound / Outbound / Internal traffic
Firewalls still badly configured
42%
Version does not matter … (Check Point)
Version does not matter … (PIX)
Why?
Vendor-neutral risks are controlled by basic filtering functionality
Basic filtering is controlled by explicit user-defined rules, rather than by “check boxes” that encode vendor “know-how”
Neither vendor has changed the basic filtering capabilities in years (and it’s unlikely that they will)
How to measure complexity of a PIX?
Check Point:
• Single rule-base
• Separate object database
Cisco PIX:
• Separate rule-base per interface
• No object database (almost)
The old RC metric is not very suitable for PIX!
Issues with old RC metric (even on Check Point)
Not enough weight given to #interfaces:
• #rules: 100s – 1000s
• #objects: 1000s
• #interfaces: 2–20 – dwarfed (even when quadratic)
Example:
• A firewall with 12 interfaces should be much more complex than one with 3 …
• RC contribution by interfaces is only 66 (12 choose 2), versus 3 for the 3-interface firewall
A New Firewall Complexity Measure
Idea: pretend to “compile” the Check Point configuration into a PIX configuration
• Duplicate the rule-base, once per interface
• Add the object database once
• Count the resulting “number of lines”
• Compare with the PIX config “number of lines” (minus some PIX boilerplate)
Check Point: FC = (#rules * #interfaces) + #objects
PIX: FC = #lines - 50
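To make the two metrics concrete, here is an added example (not code from the talk or from AlgoSec) that computes the 2004 RC measure and the new FC measure on constructed inputs, reproducing the 12-versus-3-interface argument from the previous slide and applying the "#lines - 50" rule to a generated PIX configuration. The rule, object and interface counts, the generated PIX text, and the choice to skip blank and `!` comment lines when counting are assumptions for illustration.

```python
# Added example (not from the presentation): RC (2004) and FC (current study)
# complexity measures on constructed firewall data.
from math import comb

PIX_BOILERPLATE_LINES = 50   # fixed allowance the slide subtracts from a PIX config


def data_paths(interfaces: int) -> int:
    """Interface pairs a packet can cross: (#interfaces choose 2)."""
    return comb(interfaces, 2)


def rc(rules: int, objects: int, interfaces: int) -> int:
    """2004 Rule Complexity: #rules + #network objects + (#interfaces choose 2)."""
    return rules + objects + data_paths(interfaces)


def fc_checkpoint(rules: int, objects: int, interfaces: int) -> int:
    """Firewall Complexity for Check Point: the rule-base 'compiled' once per
    interface, plus the object database once."""
    return rules * interfaces + objects


def fc_pix(config_text: str) -> int:
    """Firewall Complexity for PIX: configuration lines minus boilerplate.
    Assumption: blank lines and '!' comment lines are not configuration lines."""
    lines = [l for l in config_text.splitlines()
             if l.strip() and not l.lstrip().startswith("!")]
    return max(len(lines) - PIX_BOILERPLATE_LINES, 0)


def interface_sensitivity(rules: int, objects: int, few: int, many: int) -> dict:
    """How much each metric moves when only the interface count changes.
    Returns {metric: (value_few, value_many, ratio)}."""
    out = {}
    for name, f in (("RC", rc), ("FC", fc_checkpoint)):
        a, b = f(rules, objects, few), f(rules, objects, many)
        out[name] = (a, b, round(b / a, 2))
    return out


# Constructed PIX config: 4 interfaces, 20 web-server rules per interface.
SAMPLE_PIX = "\n".join(
    ["! constructed sample, not a real device configuration"]
    + [f"nameif ethernet{i} if{i} security{100 - 10 * i}" for i in range(4)]
    + [f"access-list if{i}_in permit tcp any host 203.0.113.{h} eq 80"
       for i in range(4) for h in range(1, 21)]
)

if __name__ == "__main__":
    for n in (2, 3, 4, 12):
        print(f"{n:2d} interfaces -> {data_paths(n):2d} data paths")
    # Same 200 rules and 1000 objects; 3 vs 12 interfaces.
    for metric, (a, b, ratio) in interface_sensitivity(200, 1000, 3, 12).items():
        print(f"{metric}: 3 interfaces = {a}, 12 interfaces = {b} (x{ratio})")
    print("FC of sample PIX config:", fc_pix(SAMPLE_PIX))
```

With 200 rules and 1000 objects, RC rises from 1203 to 1266 (about 5%) when the firewall goes from 3 to 12 interfaces, which is the "dwarfed" effect the slide complains about, while FC rises from 1600 to 3400. The generated PIX config has 84 configuration lines, so its FC is 34, the same scale as a small Check Point rule-base compiled per interface.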
Complexity distributions
The range of complexity is comparable across the two vendors
Small is Still Beautiful
Check Point vs PIX
Questions?
E-mail: [email protected] • [email protected]
http://www.algosec.com
Published in: IEEE Internet Computing, 14(4):58-65, 2010
2004 study: IEEE Computer, 37(6):62-67, 2004