Firewall Policy Reconstruction by Active Probing: An Attacker's View

Having a firewall policy that is correct and complete is crucial to the safety of the computer network. An adversary will benefit a lot from knowing the policy or its semantics. In this paper we show how an attacker can reconstruct a firewall's policy by probing the firewall by sending tailored packets into a network and forming an idea of what the policy looks like. We present two approaches of compiling this information into a policy that can be arbitrary close to the original one used in the deployed firewall. The first approach is based on region growing from single firewall response to sample packets. The other approach uses split-and-merge in order to divide the space of the firewall's rules and analyzes each independently. Both techniques merge the results obtained into a more compact version of the policies reconstructed.

[1]  Ehab Al-Shaer,et al.  Discovery of policy anomalies in distributed firewalls , 2004, IEEE INFOCOM 2004.

[2]  John Wack,et al.  Guidelines on Firewalls and Firewall Policy , 2002 .

[3]  Avishai Wool,et al.  Fang: a firewall analysis engine , 2000, Proceeding 2000 IEEE Symposium on Security and Privacy. S&P 2000.

[4]  Terry Martin,et al.  Benchmarking Methodology for Firewall Performance , 2003, RFC.

[5]  Yongyuth Permpoontanalarp,et al.  A graph-based methodology for analyzing IP spoofing attack , 2004, 18th International Conference on Advanced Information Networking and Applications, 2004. AINA 2004..

[6]  Mohamed G. Gouda,et al.  Firewall design: consistency, completeness, and compactness , 2004, 24th International Conference on Distributed Computing Systems, 2004. Proceedings..

[7]  Michael R. Lyu,et al.  Firewall security: policies, testing and performance evaluation , 2000, Proceedings 24th Annual International Computer Software and Applications Conference. COMPSAC2000.

[8]  Sonia Fahmy,et al.  Analysis of vulnerabilities in Internet firewalls , 2003, Comput. Secur..