This talk discusses the idea, approach and possibilities of firewall rule reviews, which identify incorrect and inefficient settings in existing firewall rulesets.
Firewall Rule Review and Modelling
1. Firewall Rule Modelling and Review
Marc Ruef
www.scip.ch
SwiNOG 24
10. May 2012
Berne, Switzerland
2. Agenda | Firewall Rule Modelling and Review
1. Intro
   Introduction 2 min
   Who am I? 2 min
   What is the Goal? 2 min
2. Firewall Rule Modelling and Review
   Extraction 4 min
   Parsing 4 min
   Dissection 4 min
   Review 10 min
   Additional Settings 10 min
   Routing Criticality 7 min
   Statistical Analysis 5 min
3. Outro
   Summary 2 min
   Questions 5 min
SwiNOG 24 2/28
3. Introduction | Who am I?
Name: Marc Ruef
Job: Co-Owner / CTO, scip AG, Zürich
Private Website: http://www.computec.ch
Last Book: „The Art of Penetration Testing“ (translation), Computer & Literatur Böblingen, ISBN 3-936546-49-5
4. Introduction | What is our Goal?
◦ A Firewall Rule Review shall determine
  ◦ Insecure rules
  ◦ Wrong rules
  ◦ Inefficient rules
  ◦ Obsolete rules
◦ I will show
  ◦ Approaches
  ◦ Our methodology
  ◦ Possibilities
21. Routing Criticality | Weight Indexing (Example)
Description                             Source   Destination  Port  AV AC Au CI II AI  Score
External Web to Web Server              Internet DMZ          t80   N  L  N  N  C  C   9.4
External Web for Internal Clients (in)  LAN      Internet     t80   N  M  N  C  C  C   9.3
External Web to Customer Site           Internet DMZ          t443  N  L  S  C  C  C   9.0
External Mail to Public Mail Server     Internet DMZ          t110  N  M  S  C  C  C   8.5
External Remote Access to Servers       Internet DMZ          t22   N  M  S  C  C  C   8.5
Internal Access to DNS Servers          LAN      DMZ          u53   L  L  N  C  C  C   7.2
Intranet Access for Internal Clients    LAN      DMZ          t80   L  L  N  P  C  C   6.8
External Web for Internal Clients (out) LAN      Internet     t80   L  L  S  C  C  C   6.8
Internal Remote Access to Servers       LAN      DMZ          t3389 L  M  S  P  C  P   5.5
Internal ICMP Echo for Servers          DMZ      Internet     i0,8  L  M  S  P  P  C   5.5
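The six metric columns of this table are the CVSS v2 base metrics (access vector, access complexity, authentication, and the three impact metrics), and every score in the table reproduces exactly from the CVSS v2 base equation, which the author's CVSS article on the literature slide also discusses. The Python below is an added example, not code from the slides or from scip AG: it implements that equation, transcribes the ten rules with their metric letters, and recomputes the ranking, so a reviewer can re-derive the weight index or apply it to their own rules. The class and function names are mine.

```python
"""CVSS v2 base scoring for firewall rules (added example, not from the slides).

Column letters follow the weight-indexing table: AV (access vector),
AC (access complexity), Au (authentication), CI/II/AI (confidentiality,
integrity and availability impact).
"""
from dataclasses import dataclass
from typing import List, Tuple

# Metric weights from the CVSS v2 base equation.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}     # Local, Adjacent network, Network
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}  # High, Medium, Low
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}    # Multiple, Single, None
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}            # None, Partial, Complete


def cvss2_base_score(av: str, ac: str, au: str, ci: str, ii: str, ai: str) -> float:
    """Return the CVSS v2 base score (0.0 to 10.0) for six metric letters."""
    impact = 10.41 * (1 - (1 - IMPACT[ci]) * (1 - IMPACT[ii]) * (1 - IMPACT[ai]))
    exploitability = 20 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au]
    f_impact = 0.0 if impact == 0 else 1.176  # a rule with no impact at all scores 0.0
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact, 1)


@dataclass(frozen=True)
class ScoredRule:
    description: str
    source: str
    destination: str
    port: str     # protocol letter and number as written on the slide (t80, u53, i0,8)
    metrics: str  # six letters in column order AV AC Au CI II AI


# Transcribed from the weight-indexing table; the scores are not stored,
# they are recomputed by score_rules().
RULES: List[ScoredRule] = [
    ScoredRule("External Web to Web Server", "Internet", "DMZ", "t80", "NLNNCC"),
    ScoredRule("External Web for Internal Clients (in)", "LAN", "Internet", "t80", "NMNCCC"),
    ScoredRule("External Web to Customer Site", "Internet", "DMZ", "t443", "NLSCCC"),
    ScoredRule("External Mail to Public Mail Server", "Internet", "DMZ", "t110", "NMSCCC"),
    ScoredRule("External Remote Access to Servers", "Internet", "DMZ", "t22", "NMSCCC"),
    ScoredRule("Internal Access to DNS Servers", "LAN", "DMZ", "u53", "LLNCCC"),
    ScoredRule("Intranet Access for Internal Clients", "LAN", "DMZ", "t80", "LLNPCC"),
    ScoredRule("External Web for Internal Clients (out)", "LAN", "Internet", "t80", "LLSCCC"),
    ScoredRule("Internal Remote Access to Servers", "LAN", "DMZ", "t3389", "LMSPCP"),
    ScoredRule("Internal ICMP Echo for Servers", "DMZ", "Internet", "i0,8", "LMSPPC"),
]


def score_rules(rules: List[ScoredRule] = RULES) -> List[Tuple[str, float]]:
    """Score each rule and return (description, score), highest criticality first.
    sorted() is stable, so rules with equal scores keep their table order."""
    scored = [(r.description, cvss2_base_score(*r.metrics)) for r in rules]
    return sorted(scored, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for description, score in score_rules():
        print(f"{score:4.1f}  {description}")
```

Running the block prints the ten rules in the order of the table with the same scores. Note what the ranking rewards: the two rules that differ only in the direction of the same web traffic (rows two and eight) land 2.5 points apart purely through the access vector, which is the point of indexing a rule by how reachable it makes a target rather than by its port alone.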
23. Statistical Analysis | Top Findings (Median Last 11 Projects)
[Chart: top findings, median over the last 11 projects; chart data not preserved in this extraction]
24. Statistical Analysis | Reasons for Risks
◦ There are several possible reasons why FWs are not configured in the most secure way:
  ◦ Mistakes (wrong click, wrong copy & paste, …)
  ◦ Forgotten/Laziness (“I will improve that later…”)
  ◦ Misinformation (vendor suggests ports 10000-50000)
  ◦ Misunderstanding (technical, conceptual)
  ◦ Unknown features (hidden settings)
  ◦ Technical failure (e.g. broken backup import)
25. Outro | Summary
◦ Firewall Rule Reviews help to determine weaknesses in firewall rulesets.
◦ Extracting, parsing and dissecting a ruleset makes the analysis possible.
◦ Common weaknesses are broad definition of objects, overlapping rules and unsafe protocols.
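The three weakness classes named in the summary are mechanical enough to check once a ruleset has been extracted and parsed. The Python below is an added example, not code from the slides or from scip AG: it models a parsed first-match ruleset and reports broad "any" objects, rules fully shadowed by an earlier rule (redundant when the actions agree, a silent conflict when they do not), and allow rules that admit well-known cleartext services. The ruleset, the rule model, the finding codes and the cleartext service list are all constructed for the example.

```python
"""Static review of a parsed firewall ruleset (added example, not from the slides).

Reports the three common weaknesses named in the talk's summary: broad object
definitions, overlapping (shadowed) rules and unsafe cleartext protocols.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Tuple

ANY_PORTS = (0, 65535)

# Well-known cleartext services a reviewer typically flags (constructed list).
CLEARTEXT_SERVICES = {
    ("tcp", 21): "ftp", ("tcp", 23): "telnet", ("udp", 69): "tftp",
    ("tcp", 512): "rexec", ("tcp", 513): "rlogin", ("tcp", 514): "rsh",
}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                # IPv4 CIDR; "0.0.0.0/0" models an "any" network object
    dst: str
    proto: str              # "tcp", "udp", "icmp" or "any"
    ports: Tuple[int, int]  # inclusive destination port range
    action: str             # "allow" or "deny"


def covers(broad: Rule, narrow: Rule) -> bool:
    """True when every packet matched by `narrow` is also matched by `broad`,
    i.e. `narrow` can never be reached if `broad` is evaluated first."""
    nets_ok = (ip_network(narrow.src).subnet_of(ip_network(broad.src))
               and ip_network(narrow.dst).subnet_of(ip_network(broad.dst)))
    proto_ok = broad.proto in ("any", narrow.proto)
    ports_ok = broad.ports[0] <= narrow.ports[0] and narrow.ports[1] <= broad.ports[1]
    return nets_ok and proto_ok and ports_ok


def permits(rule: Rule, proto: str, port: int) -> bool:
    """True when an allow rule lets `proto`/`port` through."""
    return (rule.action == "allow" and rule.proto in ("any", proto)
            and rule.ports[0] <= port <= rule.ports[1])


def review(rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """Return (finding code, rule name, detail) for each weakness found.
    Rules are evaluated in list order, as a first-match firewall would."""
    findings = []
    for idx, rule in enumerate(rules):
        # Overlap: an earlier rule already matches everything this one would.
        for earlier in rules[:idx]:
            if covers(earlier, rule):
                kind = "redundant" if earlier.action == rule.action else "conflict, never enforced"
                findings.append(("SHADOWED", rule.name,
                                 f"fully covered by earlier rule '{earlier.name}' ({kind})"))
                break
        if rule.action != "allow":
            continue
        # Broad objects: "any" network objects or an "any" service definition.
        broad = []
        if ip_network(rule.src).prefixlen == 0:
            broad.append("source any")
        if ip_network(rule.dst).prefixlen == 0:
            broad.append("destination any")
        if rule.proto == "any" and rule.ports == ANY_PORTS:
            broad.append("service any")
        if broad:
            findings.append(("BROAD", rule.name, ", ".join(broad)))
        # Unsafe protocols: the rule admits at least one cleartext service.
        unsafe = sorted(name for (proto, port), name in CLEARTEXT_SERVICES.items()
                        if permits(rule, proto, port))
        if unsafe:
            findings.append(("UNSAFE", rule.name, "permits cleartext " + ", ".join(unsafe)))
    return findings


# Constructed sample ruleset in first-match order, not taken from any real device.
SAMPLE_RULES = [
    Rule("lan-to-dmz-dns", "10.0.0.0/8", "192.168.100.0/24", "udp", (53, 53), "allow"),
    Rule("lan-to-dmz-all", "10.0.0.0/8", "192.168.100.0/24", "any", ANY_PORTS, "allow"),
    Rule("lan-to-dmz-web", "10.0.0.0/8", "192.168.100.10/32", "tcp", (80, 80), "allow"),
    Rule("deny-lan-telnet", "10.0.0.0/8", "192.168.100.0/24", "tcp", (23, 23), "deny"),
    Rule("admin-telnet", "10.1.1.0/24", "172.16.0.20/32", "tcp", (23, 23), "allow"),
    Rule("cleanup-allow", "0.0.0.0/0", "0.0.0.0/0", "any", ANY_PORTS, "allow"),
]

if __name__ == "__main__":
    for code, name, detail in review(SAMPLE_RULES):
        print(f"{code:9} {name:16} {detail}")
```

The sample deliberately contains the pattern that makes shadowing dangerous: the broad `lan-to-dmz-all` rule sits above a `deny-lan-telnet` rule, so the deny is reported as a conflict that is never enforced, while the narrower web rule below it is merely redundant. Real reviews work on objects and groups rather than single CIDRs, but the containment test is the same once group members are expanded.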
26. Outro | Literature
◦ Firewall Rule Parsing am Beispiel von SonicWALL (Firewall Rule Parsing, Using SonicWALL as an Example), http://www.scip.ch/?labs.20110113
◦ Common Vulnerability Scoring System und seine Probleme (The Common Vulnerability Scoring System and its Problems), http://www.scip.ch/?labs.20101209
These slides and additional details will be published at http://www.scip.ch/?labs