FireCracker: A Framework for Inferring Firewall Policies using Smart Probing

A firewall policy that is correct and complete is crucial to the safety of a computer network, and an adversary benefits greatly from knowing the policy or its semantics. In this paper, we propose a framework that can be used to blindly discover a firewall policy remotely, treating the firewall as a black box and without prior knowledge of the network configuration. We show how an attacker can reconstruct a firewall's policy by probing it with tailored packets sent into the network and forming a model of what the policy looks like from the responses. The proposed methodology discovers a policy that is semantically equivalent to the one deployed in the firewall, although it need not be syntactically identical. Three techniques are proposed both for reconstructing the policy and for choosing the probing packets intelligently and adaptively based on the firewall's responses. We show that the deployed policy can be obtained in feasible time with acceptable accuracy.
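The abstract describes the setting at a high level; the following simulation is an added illustration, not code from the paper or its framework, and it models the firewall as a local function rather than a network device. It assumes a single-field policy (destination port, first-match semantics, default deny) and a constructed example rule set; the probing strategy (a coarse grid followed by binary search at every observed change of action) is an assumption chosen to make the two points in the abstract concrete: the reconstructed rules are semantically equivalent without being syntactically identical, and accuracy depends on the probing resolution, since a rule narrower than the grid stride is missed entirely. For a defender with the real policy in hand, `count_mismatches` is the check that reveals what a given probing budget could and could not recover, and the probe count is the volume such activity would leave in logs.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Hypothetical single-field firewall model: ordered rules over a destination
# port range, first match wins, default action "deny".
@dataclass(frozen=True)
class Rule:
    lo: int          # inclusive lower bound of the port range
    hi: int          # inclusive upper bound of the port range
    action: str      # "accept" or "deny"

PORT_MIN, PORT_MAX = 0, 65535

def evaluate(policy: List[Rule], port: int, default: str = "deny") -> str:
    """First-match evaluation of an ordered rule list (simulated firewall)."""
    for rule in policy:
        if rule.lo <= port <= rule.hi:
            return rule.action
    return default

def make_oracle(policy: List[Rule]) -> Tuple[Callable[[int], str], Dict[str, int]]:
    """Wrap the policy as a black box that only answers accept/deny per probe,
    counting how many probes were spent (what a log would record)."""
    stats = {"probes": 0}
    def oracle(port: int) -> str:
        stats["probes"] += 1
        return evaluate(policy, port)
    return oracle, stats

def infer_policy(oracle: Callable[[int], str], stride: int) -> List[Rule]:
    """Adaptive probing (assumed strategy, not the paper's): sample the port
    space on a grid, then binary-search the exact boundary wherever two
    neighbouring grid points disagree. Any rule narrower than `stride` that
    falls between grid points is invisible to this procedure."""
    grid = list(range(PORT_MIN, PORT_MAX + 1, stride))
    if grid[-1] != PORT_MAX:
        grid.append(PORT_MAX)
    labels = {p: oracle(p) for p in grid}          # coarse pass
    rules: List[Rule] = []
    start, action = PORT_MIN, labels[grid[0]]
    for a, b in zip(grid, grid[1:]):
        if labels[a] == labels[b]:
            continue
        # smallest port in (a, b] whose action differs from labels[a]
        left, right = a, b
        while right - left > 1:
            mid = (left + right) // 2
            if oracle(mid) == labels[a]:
                left = mid
            else:
                right = mid
        rules.append(Rule(start, right - 1, action))
        start, action = right, labels[b]
    rules.append(Rule(start, PORT_MAX, action))
    return rules

def count_mismatches(original: List[Rule], inferred: List[Rule]) -> int:
    """Defender-side semantic comparison over the whole port space."""
    return sum(1 for p in range(PORT_MIN, PORT_MAX + 1)
               if evaluate(original, p) != evaluate(inferred, p))

def reconstruct(policy: List[Rule], stride: int) -> Tuple[List[Rule], int]:
    """Run the inference against a simulated firewall; return rules and probe count."""
    oracle, stats = make_oracle(policy)
    return infer_policy(oracle, stride), stats["probes"]

# Constructed sample policy. Note the overlapping, out-of-order rules: the
# inferred policy will be a disjoint, ordered list that behaves identically.
ORIGINAL_POLICY = [
    Rule(8000, 8099, "deny"),     # narrow exception carved out of the accept range
    Rule(1024, 49151, "accept"),
    Rule(0, 1023, "deny"),
]   # ports 49152-65535 fall through to the default deny

if __name__ == "__main__":
    for stride in (256, 64):
        rules, probes = reconstruct(ORIGINAL_POLICY, stride)
        print(f"stride={stride}: {probes} probes, "
              f"{count_mismatches(ORIGINAL_POLICY, rules)} mismatching ports")
        for r in rules:
            print("   ", r)
```

With a stride of 256 the 100-port deny exception lies entirely between two grid points and the reconstruction is wrong on exactly those ports; with a stride of 64 the reconstruction is exact at the cost of roughly four times as many probes. The syntactic form differs in both cases (three overlapping rules in the original, disjoint segments in the reconstruction), which is what "semantically equivalent" means in the abstract.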
