Context Aware Firewall Policies
Ravi Sahita
Priya Rajagopal, Pankaj Parmar
Intel Corp.
June 8th 2004
IEEE Policy (Security)
Communications Technology Lab
Overview
- Background
- Motivation
- Policy goals (example)
- Intrusion detection -> Host <- firewalling
- Management
- SAFire
- Milestone conclusions
Background: Why firewall?
- Defense in depth against software flaws (software complexity keeps increasing)
- Control over which services are accessed/exposed
- Control over information flow across boundaries (platform or network)
- Needed: a proactive response (block the traffic before it reaches the flaw) instead of a reactive one (detect and clean up afterwards)
Policy goals (example)
- Track a flow only if the session is initiated by the client
- By default, restrict all traffic other than the control traffic of allowed services
- Create transient filters for the negotiated data flows
- On the negotiated port, restrict access to the specific commands/capabilities allowed for that service
- When transferring data, block/flag suspicious content (so that it is checked) before it reaches applications
- All traffic that causes an invalid protocol state transition must be blocked proactively
Advantages of host-based FWs
- Visibility into internal traffic: can protect against internal attacks
- Smaller number of flows, more state per flow: decreased load on aggregation points
- Enable finer access control in a mobile environment: carry your security with you
- Can use end-to-end protocol properties
- Allow true end-to-end encryption of traffic, which would otherwise have to be proxied (terminated and inspected) by network devices
IDS -> Host <- FW
[Figure: two scales of attack complexity converging on the host. Firewall complexity grows from stateless packet filtering, to TCP-level stateful filtering, to application layer gateways. IDS complexity grows from blind signature detection, to protocol analysis, to traffic preprocessors and heuristics. Both end at context aware packet analysis (user, app, protocol, OS aware), and the end-point is where this context information exists.]
Complex management
- Infrastructure firewalls are still needed
- Host FWs => an explosion in the number of firewalls to manage, but valuable
- Make security policies easier to map without sacrificing functionality
- Make components tend towards autonomous behavior
- Make it easier to correlate events across hosts and infrastructure
Why SAFire?
- What are the sub-elements of such packet analysis?
- Allow building finer-grained network access control policies
- Rich enough to keep up with new network services/changes
- Local remediation
- Abstraction of FW / IDS rules for a host
Capabilities identified
- Packet data extraction and filtering
- Flow state table management
- Application layer rules
- Pattern manipulation
- Outsourcing policy decisions
- Reuse of definitions
- Dynamic rule management
[Figure annotation: a bracket labelled HOST CONTEXT spans the capabilities above.]
Sequence of steps
- Express the application protocol as a DFA
- Map the protocol states to the generic PSM
- Extract the transition rules from the normalized PSM, naming each one <src, event, dst, action>
- Map the rules to SAFire primitives (using tools)
Generic Protocol States
[Figure: two state transition diagrams drawn over the generic states Suinit, Sinit, Sctd, Sde, Sterm and Sabort; the edge labels below are what survives of the drawing.]
Active FTP control traffic state transition diagram: the TCP skeleton runs Suinit -> Sinit -> Sctd (SYN-ACK, ACK) and ends in Sterm on FIN; the complement edges "* - {SYN-ACK}" and "* - {FIN}" (any other event in that state) lead to Sabort. In the data-exchange state Sde the labelled events are PORT, RETR | OK extn, STOR | OK extn, and the policy-violating RETR | Not OK extn and STOR | Not OK extn; FIN terminates the session.
Active FTP data traffic state transition diagram: the same TCP skeleton, with the transferred file contents classified in Sde as CLEAN FILE or MALICIOUS.
Mapped to protocol specifics
Rule processing
[Flowchart: a chain of rule nodes, each of the form "Extract packet data -> Is field = X?" (also = Y, = Z, = T), interleaved with "Save state in flow state table" and "Get state from flow state table" nodes. Each rule extracts a packet field, tests it against the value expected in the current protocol state, and saves or fetches the flow's state in the flow state table between tests.]
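The Policy goals (example), Sequence of steps, Generic Protocol States and Rule processing slides describe one mechanism: an application protocol expressed as a DFA is mapped onto the generic states, its transitions are written down as <src, event, dst, action> rules, and a packet is accepted only if it moves its flow along a listed edge; anything else is an invalid transition and is dropped before it reaches the application. The Python below is an added illustration of that mechanism written for this page; it is not SAFire code from the deck or from Intel. It assumes that PSM reads as protocol state machine; that an FTP control line is classified into events named VERB or VERB|OK / VERB|NotOK; a constructed policy (allowed extensions .txt and .pdf, allowed control service 10.0.0.5:21) and a constructed session trace; a transition table that is this example's reading of the active FTP control diagram; and one check not on the slide, that a PORT command must announce the address of the client that owns the control session.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Generic states named on the "Generic Protocol States" slide.
SUINIT, SINIT, SCTD, SDE, STERM, SABORT = "Suinit", "Sinit", "Sctd", "Sde", "Sterm", "Sabort"
FlowKey = Tuple[str, int, str, int]  # (client_ip, client_port, server_ip, server_port)

@dataclass
class Flow:
    key: FlowKey
    state: str = SUINIT

Action = Optional[Callable[[Flow, str, "Host"], str]]  # returns "accept" or "drop"
Rule = Tuple[str, str, str, Action]  # <src, event, dst, action> as extracted from the PSM

class PSM:
    """Generic protocol state machine driven by <src, event, dst, action> rules."""
    def __init__(self, rules: List[Rule]):
        self.rules = rules

    def step(self, flow: Flow, event: str, arg: str, host: "Host") -> str:
        for src, ev, dst, action in self.rules:
            if src == flow.state and ev == event:
                flow.state = dst
                return action(flow, arg, host) if action else "accept"
        # No rule matched (the "* - {expected}" edge): an invalid protocol
        # state transition aborts the flow and is blocked proactively.
        flow.state = SABORT
        return "drop"

ALLOWED_EXT = (".txt", ".pdf")  # constructed policy: extensions RETR/STOR may name
PORT_ARG = re.compile(r"^(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")

def classify(line: str) -> Tuple[str, str]:
    """Map an FTP control line to a PSM event (assumed vocabulary: VERB, or VERB|OK / VERB|NotOK)."""
    verb, _, arg = line.strip().partition(" ")
    verb = verb.upper()
    if verb in ("RETR", "STOR"):
        ok = arg.lower().endswith(ALLOWED_EXT)
        return f"{verb}|{'OK' if ok else 'NotOK'}", arg
    return verb, arg

def open_data_filter(flow: Flow, arg: str, host: "Host") -> str:
    """PORT action: create a transient filter for the negotiated active-FTP data flow."""
    m = PORT_ARG.match(arg)
    if not m or max(map(int, m.groups())) > 255:
        flow.state = SABORT
        return "drop"
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    announced_ip = f"{h1}.{h2}.{h3}.{h4}"
    if announced_ip != flow.key[0]:
        # Added check (not on the slide): the data connection must come back to
        # the client that owns the control session; anything else is an abort.
        flow.state = SABORT
        return "drop"
    # Active FTP: the server connects from port 20 to the announced client port.
    host.transient_filters.append((flow.key[2], 20, announced_ip, p1 * 256 + p2))
    return "accept"

def ftp_control_psm() -> PSM:
    """Active-FTP control channel on the generic states (this example's reading of the diagram)."""
    return PSM([
        (SUINIT, "SYN", SINIT, None),
        (SINIT, "SYN-ACK", SCTD, None),
        (SCTD, "ACK", SCTD, None),
        (SCTD, "PORT", SDE, open_data_filter),
        (SDE, "ACK", SDE, None),
        (SDE, "PORT", SDE, open_data_filter),
        (SDE, "RETR|OK", SDE, None),
        (SDE, "STOR|OK", SDE, None),
        (SCTD, "FIN", STERM, None),
        (SDE, "FIN", STERM, None),
        # RETR|NotOK, STOR|NotOK and any unlisted command fall through to Sabort.
    ])

class Host:
    """Host firewall: static filters, a flow state table and transient filters."""
    def __init__(self, psm: PSM, allowed_services: List[Tuple[str, int]]):
        self.psm = psm
        self.static_filters = allowed_services  # (server_ip, port) control endpoints allowed by default
        self.flow_table: Dict[FlowKey, Flow] = {}
        self.transient_filters: List[FlowKey] = []

    def control_event(self, key: FlowKey, event: str, arg: str = "") -> str:
        flow = self.flow_table.get(key)
        if flow is None:  # track a flow only if the client initiates it to an allowed service
            if event != "SYN" or (key[2], key[3]) not in self.static_filters:
                return "drop"
            flow = self.flow_table[key] = Flow(key)
        return self.psm.step(flow, event, arg, self)

    def data_packet(self, key: FlowKey) -> str:
        return "accept" if key in self.transient_filters else "drop"

def run_session(host: Host, key: FlowKey, events: List[str]) -> List[str]:
    """Feed a constructed control-channel trace: 'SYN', 'SYN-ACK', 'ACK', 'FIN' or FTP command lines."""
    return [host.control_event(key, *((e, "") if e in ("SYN", "SYN-ACK", "ACK", "FIN") else classify(e)))
            for e in events]
```

Running run_session on a constructed trace of SYN, SYN-ACK, ACK, "PORT 192,168,1,10,156,64", "RETR report.pdf", "STOR dropper.exe", "RETR notes.txt" from client 192.168.1.10:40000 to 10.0.0.5:21 accepts the first five events and drops the last two: the STOR of a disallowed extension has no edge out of Sde, so the flow lands in Sabort and every later command on it is dropped, as policy goal 6 requires. The PORT step is the transient-filter goal: it installs (10.0.0.5, 20, 192.168.1.10, 40000) and data_packet accepts exactly that 4-tuple and nothing else. A flow that starts with anything other than a client SYN to an allowed service never enters the flow table.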
Implementation
[Block diagram; components shown: SAFire Parser, Static Rule Mgr., Transient Filters, Static Filters, PAE Core, Flow State Table, PSM Database, Static Filter Rules, PSM Rules, Filter Database, Packet Classifier, Local Firewall Configuration, Application, SAFire script in XML, IOCTL calls, Remote Mgmt. Station. The SAFire script in XML comes from an application or a remote management station and is consumed by the SAFire Parser; the local firewall configuration is applied through IOCTL calls.]
Conclusions
- A unified model can comprehend HIPS + FWs
- Language extensibility = parallel progress
- The model allows security policy verification across implementations
- The minimal tradeoff is the processing overhead of mapping and translation
- Context information on the host can be leveraged for finer access control
- The initial prototype shows minimal delay from the user's point of view
Thank you!
Questions/Comments to [email protected]