Firewall Fingerprinting Amir R. Khakpour 1, Joshua W. Hulst 1, Zhihui Ge 2, Alex X. Liu 1, Dan Pei...
Firewall Fingerprinting
Amir R. Khakpour (1), Joshua W. Hulst (1), Zhihui Ge (2), Alex X. Liu (1), Dan Pei (2), Jia Wang (2)
(1) Michigan State University, (2) AT&T Labs - Research
IEEE INFOCOM 2012
左昌國, Seminar @ ADLab, NCU
• Introduction
• Related Work
• Background
• Overview
• Firewall Characteristics
• Firewall Inference
• Conclusion and Future Work
Outline
2
• Motivation
  • Firewalls are the first line of defense for network traffic
  • Firewalls also have vulnerabilities
  • The first step of an attack is firewall fingerprinting
• Limitations of previous work
  • Mostly OS fingerprinting
  • Bridge mode makes firewalls not directly addressable
  • Packet header analysis is useless for firewall fingerprinting
• Challenges
  • Closed source
  • Parameters and configuration details are unknown
  • Not remotely accessible
  • Difficult to infer firewall types
Introduction
3
• This paper …
  • Proposes a set of techniques that can collect information about firewalls
  • Identifies characteristics
    • Packet classification algorithms
    • Performance under different traffic loads
  • Identifies firewalls
Introduction
4
• OS fingerprinting tools
  • NMAP
  • xprobe2++
  • p0f
• OS fingerprinting research
  • Medeiros et al.
  • Snacktime
• Firewall performance
  • Lyu and Lau
  • Funke et al.
Related Work
5
• Firewall policies
• Caching
  • Rule caching: keyed on a 4-tuple (source IP, dest. IP, dest. port, and protocol type)
  • Flow caching: keyed on a 5-tuple (the 4-tuple plus the source port)
Background
6
• Statefulness
  • A stateful firewall tracks TCP sessions in a state table by examining the TCP flags of incoming TCP packets
• Packet classification solutions
  • Software-based solutions
    • Sequential search
    • Complex data structures
  • Ternary Content Addressable Memory (TCAM)
Background
7
• Measurements based on probe packet processing time (PPT)
Overview
8
• Probe packets
  • TCP Fix: a sequence of TCP packets with the same packet header
  • TCP Vary: a sequence of TCP packets with the same packet header except the source port, which is chosen randomly for each packet
  • UDP Fix: a sequence of UDP packets with the same packet header
  • UDP Vary: a sequence of UDP packets with the same packet header except the source port, which is chosen randomly for each probe packet
Firewall Characteristics
9
• Background traffic load
• Measuring PPT
  • Local measurement
  • Remote measurement
• Packet classification algorithm
  • Whether a firewall adopts a sequential-search-based algorithm
  • Whether the performance of a firewall is sensitive to traffic load
  • How a firewall performs in terms of PPT
Firewall Characteristics
10
• Generate a sequence of probe packets where each packet matches exactly one of the rules in the policy
• PPT measurement
  • PPT grows linearly with the rule position: probably sequential search
  • A different pattern (or no change): not sequential search
Firewall Characteristics – Sequential Search
11
Firewall Characteristics – Sequential Search
12
Firewall Characteristics – Sequential Search
13
Firewall Characteristics – Sequential Search
14
Firewall Characteristics – Sensitivity to Traffic Load
15
Firewall Characteristics – Sensitivity to Traffic Load
16
• Cache effectiveness (C): the ratio of the PPT of the first probe packet to the median PPT of the remaining packets in the same sequence
  • C > 1: effective caching
  • C ≈ 1: no caching, or caching that is not effective
• Effective in TCP Fix and UDP Fix: the firewall caches 5 header fields (flow caching)
• Effective in TCP Vary and UDP Vary: the firewall caches 4 fields, without the source port (rule caching)
Firewall Characteristics – Caching and Statefulness
17
Firewall Characteristics – Caching and Statefulness
18
Firewall Characteristics – Packet Protocol and Payload Size
19
Firewall Characteristics – Packet Protocol and Payload Size
20
• 2 consecutive probe packets
  • Each has the TCP SYN flag set, plus one other TCP flag set
Firewall Inference – TCP Probe Packets
21
• A dataset
  • 3600 data points
  • Each point: 11 consecutive probe packets in each of the 4 modes (TCP Fix, …), with and without payload (8 runs in total)
  • Packets collected at 3 load levels: no load, medium load, full load
  • Point: x = <x1, x2, …, x24> (24 features, 3 per run)
    • x_{3i-2}: median PPT of run i
    • x_{3i-1}: standard deviation (STD) of run i
    • x_{3i}: cache effectiveness of run i
• Labels
  • Y1 = {‘FW1’, ‘FW2’, ‘FW3’}
  • Y2 = {‘stateful’, ‘stateless’}
  • Y3 = {‘FW1-SF’, ‘FW2-SF’, ‘FW3-SF’, ‘FW1-SL’, ‘FW2-SL’, ‘FW3-SL’}
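An added Python example (my own, not code from the paper or the presenter) that turns measured PPT sequences into the per-run features and the 24-feature vector x described here, reads the cache-effectiveness values the way the caching slide does, and applies the linear-PPT test from the sequential-search slide; the PPT values, the margin above C = 1 and the 0.9 correlation cut-off are constructed assumptions.

```python
from statistics import mean, median, pstdev


def cache_effectiveness(ppt):
    """C = PPT of the first probe packet / median PPT of the rest of the sequence."""
    if len(ppt) < 2:
        raise ValueError("a probe sequence needs at least two packets")
    return ppt[0] / median(ppt[1:])


def run_features(ppt):
    """The three features per run: median PPT, standard deviation, cache effectiveness."""
    return (median(ppt), pstdev(ppt), cache_effectiveness(ppt))


def feature_vector(runs):
    """Flatten 8 runs (4 probe modes, with and without payload) into x = <x1 ... x24>,
    so that x_{3i-2}, x_{3i-1}, x_{3i} are the median, STD and C of run i."""
    if len(runs) != 8:
        raise ValueError("expected 8 probe runs (4 modes x with/without payload)")
    return [f for ppt in runs for f in run_features(ppt)]


def caching_type(c_fix, c_vary, margin=0.2):
    """Read the C values (the margin above 1 is an assumption, not from the paper):
    only Fix sequences benefit -> 5-tuple flow cache (source port is part of the key);
    Fix and Vary both benefit -> 4-tuple rule cache (source port ignored); else none."""
    fix, vary = c_fix > 1 + margin, c_vary > 1 + margin
    if fix and vary:
        return "rule caching (4-tuple)"
    if fix:
        return "flow caching (5-tuple)"
    return "no effective caching"


def looks_sequential(ppt_by_rule, min_r=0.9):
    """Sequential-search check: probes matching rule 1, 2, ..., n should show a PPT that
    grows linearly with the rule index. Pearson r against the index; 0.9 is an assumed cut-off."""
    idx = list(range(1, len(ppt_by_rule) + 1))
    mi, mp = mean(idx), mean(ppt_by_rule)
    cov = sum((i - mi) * (p - mp) for i, p in zip(idx, ppt_by_rule))
    var_i = sum((i - mi) ** 2 for i in idx)
    var_p = sum((p - mp) ** 2 for p in ppt_by_rule)
    if var_p == 0:
        return False  # flat PPT: no dependence on rule position
    return cov / (var_i * var_p) ** 0.5 >= min_r


# Constructed 11-packet PPT sequences (microseconds), not measured values
TCP_FIX = [30.0] + [10.0] * 10  # first packet slow, later ones served from the cache
TCP_VARY = [30.0, 31.0, 29.0, 30.0, 32.0, 28.0, 30.0, 31.0, 29.0, 30.0, 30.0]
```

On these constructed sequences cache_effectiveness gives C = 3.0 for TCP Fix and C = 1.0 for TCP Vary, which caching_type reads as a 5-tuple flow cache.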
Firewall Inference – Packet Processing Time
22
• SVM
Firewall Inference – Packet Processing Time
23
Firewall Inference – Packet Processing Time
24
Firewall Inference – Packet Processing Time
25
• A method for finding the firewall characteristics
• Using these characteristics, this paper shows 2 methods for inferring the firewall implementation
• Future work
  • Defense mechanisms
Conclusion and Future Work
26