Context Aware Firewall Policies
Ravi Sahita, Priya Rajagopal, Pankaj Parmar (Intel Corp.), June 8th 2004, IEEE Policy (Security)

Page 1: Context Aware Firewall Policies

Context Aware Firewall Policies

Ravi Sahita
Priya Rajagopal, Pankaj Parmar
Intel Corp.
June 8th 2004
IEEE Policy (Security)

Page 2: Context Aware Firewall Policies

Communications Technology Lab

Overview

  • Background
  • Motivation
  • Policy goals (example)
  • Intrusion detection -> Host <- firewalling
  • Management
  • SAFire
  • Milestone conclusions

Page 3: Context Aware Firewall Policies


Background: Why firewall?

  • Defense in depth against software flaws (software complexity increasing)
  • Control over services accessed/exposed
  • Control over information flow across boundaries (platform or network)
  • Needed: increased proactive response instead of reactive

Page 4: Context Aware Firewall Policies


Policy goals (example)

  • Track flow only if the session is initiated by client
  • By default, restrict all traffic other than allowed services control traffic
  • Create transient filters for the negotiated data flows
  • On the negotiated port, restrict access to specific allowed commands/capabilities for that service
  • When transferring data, block/flag suspicious content (so that it is checked) before it reaches apps
  • All traffic that causes invalid protocol state transitions must be blocked proactively

Page 5: Context Aware Firewall Policies


Advantages of host based FWs

  • Visibility into internal traffic – Can protect against internal attacks
  • Smaller number of flows, more state per flow – Decreased load on aggregation points
  • Enable finer access control in a mobile environment – Carry your security
  • Can use end-to-end protocol properties
  • Allow true end-to-end encryption of traffic which would otherwise be proxied by the network devices

Page 6: Context Aware Firewall Policies


IDS -> Host <- FW

[Figure: attack complexity plotted against firewall complexity (stateless packet filtering -> TCP level stateful filtering -> application layer gateways) and against IDS complexity (blind signature detection -> protocol analysis -> traffic preprocessors, heuristics). The top of both scales is labelled "Context aware packet analysis (user, app, protocol, OS aware)"; the end-point has this context information.]

Page 7: Context Aware Firewall Policies


Complex management

  • Infrastructure firewalls are needed
  • Host FWs => number explosion, but valuable
  • Make security policies easier to map without sacrificing functionality
  • Make components tend towards autonomous behavior
  • Make it easier to correlate events across hosts and infrastructure

Page 8: Context Aware Firewall Policies


Why SAFire?

  • What are the sub-elements of such packet analysis?
  • Allow building finer grain network access control policies
  • Rich enough to keep up with new network services/changes
  • Local remediation
  • Abstraction of FW / IDS rules for a host

Page 9: Context Aware Firewall Policies


Capabilities identified

  • Packet data extraction and filtering
  • Flow state table management
  • Application layer rules
  • Pattern manipulation
  • Outsourcing policy decisions
  • Reuse of definitions
  • Dynamic rule management

[Figure: a bracket labelled HOST CONTEXT spans the capability list.]

Page 10: Context Aware Firewall Policies


Sequence of steps

  • Express application protocol in a DFA
  • Map protocol states to the Generic PSM
  • Extract transition rules from the normalized PSM naming <src, event, dst, action>
  • Map to SAFire primitives (using tools)

Page 11: Context Aware Firewall Policies


Generic Protocol States

[Figure: two state transition diagrams over the generic states Suinit, Sinit, Sctd, Sde, Sterm and Sabort, with the main path Suinit -SYN-ACK-> Sinit -ACK-> Sctd ... -FIN-> Sterm and catch-all edges * - {SYN-ACK} and * - {FIN} leading to Sabort.

ACTIVE FTP CONTROL TRAFFIC STATE TRANSITION DIAGRAM: recoverable edge labels are SYN-ACK, ACK, PORT, RETR | OK Extn, RETR | Not OK Extn, STOR | OK Extn, STOR | Not OK Extn, FIN.

ACTIVE FTP DATA TRAFFIC STATE TRANSITION DIAGRAM: recoverable edge labels are SYN-ACK, ACK, FIN, and the data classification FILE CONTENTS MALICIOUS / CLEAN FILE.]

Mapped to protocol specifics
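The "Sequence of steps" slide and the control-traffic diagram above, worked as an added example (not from the original slides and not the SAFire code): a flow state table driven by <src, event, dst, action> rules for the active FTP control channel, enforcing the slide 4 policy goals of tracking only client-initiated sessions, opening a transient filter for the negotiated data port, restricting commands on that port by file extension and dropping any event that would cause an invalid protocol state transition. The event and action names, the extension allow-list and the handling of a malformed PORT argument are assumptions made for this illustration.

```python
from dataclasses import dataclass, field

OK_EXTN = {".txt", ".pdf"}  # assumed allow-list of file extensions (constructed)

# Transition rules <src, event, dst, action> for the control channel. A
# (state, event) pair with no rule is the slide's "* - {X}" catch-all edge:
# an invalid protocol transition, blocked proactively into Sabort.
RULES = {
    ("Suinit", "SYN-ACK"):     ("Sinit",  "ALLOW"),  # server reply to client SYN
    ("Sinit",  "ACK"):         ("Sctd",   "ALLOW"),
    ("Sctd",   "PORT"):        ("Sde",    "OPEN_DATA_FILTER"),  # transient filter
    ("Sctd",   "FIN"):         ("Sterm",  "ALLOW"),
    ("Sde",    "RETR|OK"):     ("Sde",    "ALLOW"),
    ("Sde",    "STOR|OK"):     ("Sde",    "ALLOW"),
    ("Sde",    "RETR|NOT_OK"): ("Sabort", "DROP"),
    ("Sde",    "STOR|NOT_OK"): ("Sabort", "DROP"),
    ("Sde",    "FIN"):         ("Sterm",  "ALLOW"),
}

@dataclass
class Flow:
    state: str = "Suinit"
    data_ports: list = field(default_factory=list)  # transient data filters opened

def classify(cmd):
    """Extract the packet field and map it to a PSM event name (assumed names)."""
    verb, _, arg = cmd.strip().partition(" ")
    verb = verb.upper()
    if verb in ("RETR", "STOR"):
        ext = arg[arg.rfind("."):].lower() if "." in arg else ""
        return f"{verb}|{'OK' if ext in OK_EXTN else 'NOT_OK'}", arg
    return verb, arg

def step(flow, cmd):
    """Apply one control-channel event to the flow; return the action taken."""
    if flow.state in ("Sterm", "Sabort"):
        return "DROP"  # terminated or aborted flows accept nothing further
    event, arg = classify(cmd)
    dst, action = RULES.get((flow.state, event), ("Sabort", "DROP"))
    if action == "OPEN_DATA_FILTER":
        # PORT h1,h2,h3,h4,p1,p2: the negotiated data port is p1*256 + p2
        p = [int(x) for x in arg.split(",") if x.isdigit()]
        if len(p) != 6 or not all(x <= 255 for x in p):
            dst, action = "Sabort", "DROP"  # malformed PORT argument
        else:
            flow.data_ports.append(p[4] * 256 + p[5])
    flow.state = dst
    return action
```

Each step() call is one pass of extract field, compare, and save or read state in the flow table; the data ports it records are what a transient data-channel filter would be keyed on.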

Page 12: Context Aware Firewall Policies


Rule processing

[Figure: flowchart built from repeated primitives: Extract Packet Data -> Is Field = X? (likewise compared against Y, Z and T) -> Save state in flow state table, or Get state from flow state table before the next comparison.]

Page 13: Context Aware Firewall Policies


Implementation

[Figure: architecture diagram. Components: SAFire Parser, Static Rule Mgr., Transient Filters, Static Filters, PAE Core, Flow State Table, PSM Database, Static Filter Rules, PSM Rules, Filter Database, Packet Classifier, Local Firewall Configuration, Application. Inputs: SAFire script in XML, IOCTL Calls, Remote Mgmt. Station.]

Page 14: Context Aware Firewall Policies


Conclusions

  • United model can comprehend HIPS+FWs
  • Language extensibility = parallel progress
  • Model allows security policy verification across implementations
  • Minimal tradeoff is processing overhead for mapping and translation
  • Context information on the host can be leveraged for finer access control
  • Initial prototype shows minimal delay from user POV

Page 15: Context Aware Firewall Policies


Thank you!

Questions/Comments to [email protected]