Safire IEEE Policy 2004

Context Aware Firewall Policies
Ravi Sahita
Priya Rajagopal, Pankaj Parmar
Intel Corp.
June 8th 2004
IEEE Policy (Security)
Overview
- Background
- Motivation
- Policy goals (example)
- Intrusion detection -> Host <- firewalling
- Management
- SAFire
- Milestone conclusions
Communications Technology Lab
Background
- Why firewall?
- Defense in depth against software flaws (software complexity increasing)
- Control over services accessed/exposed
- Control over information flow across boundaries (platform or network)
- Needed: increased proactive response instead of reactive
Policy goals (example)
- Track a flow only if the session is initiated by the client
- By default, restrict all traffic other than the allowed services' control traffic
- Create transient filters for the negotiated data flows
- On the negotiated port, restrict access to specific allowed commands/capabilities for that service
- When transferring data, block/flag suspicious content (so that it is checked) before it reaches apps
- All traffic that causes invalid protocol state transitions must be blocked proactively
Advantages of host based FWs
- Visibility into internal traffic: can protect against internal attacks
- Smaller number of flows, more state per flow: decreased load on aggregation points
- Enable finer access control in a mobile environment: carry your security
- Can use end-to-end protocol properties
- Allow true end-to-end encryption of traffic which would otherwise be proxied by the network devices
IDS -> Host <- FW
[Figure: two complexity scales converging on the host. Along "Attack complexity" the IDS side grows in "IDS complexity" from blind signature detection, through protocol analysis and traffic preprocessors/heuristics, to application layer gateways; the firewall side grows in "Firewall complexity" from stateless packet filtering, through TCP level stateful filtering, to application layer gateways. Both meet at "context aware packet analysis (user, app, protocol, OS aware)", with the note that the end-point has this context information.]
Complex management
- Infrastructure firewalls are needed
- Host FWs => number explosion, but valuable
- Make security policies easier to map without sacrificing functionality
- Make components tend towards autonomous behavior
- Make it easier to correlate events across hosts and infrastructure
Why SAFire?
- What are the sub-elements of such packet analysis?
- Allow building finer grain network access control policies
- Rich enough to keep up with new network services/changes
- Local remediation
Abstraction of FW / IDS rules for a host
Capabilities identified
- Flow state table management
- Application layer rules
- Pattern manipulation
- Outsourcing policy decisions
- Reuse of definitions
- Dynamic rule management
- Packet data extraction and filtering
[Diagram brace spanning the list above, labelled "HOST CONTEXT"]
Sequence of steps
- Express the application protocol as a DFA
- Map protocol states to the Generic PSM
- Extract transition rules from the normalized PSM, naming each as <src, event, dst, action>
- Map to SAFire primitives (using tools)
Generic Protocol States
[Figure: "Active FTP control traffic state transition diagram". States: Suinit, Sinit, Sde, Sctd, Sterm, Sabort. Transition events: SYN-ACK, ACK, PORT, FIN, STOR|OK extn, RETR|OK extn, STOR|Not OK extn, RETR|Not OK extn, plus the self-loops "* - {SYN-ACK}" and "* - {FIN}".]
[Figure: "Active FTP data traffic state transition diagram". Same generic states (Suinit, Sinit, Sde, Sctd, Sterm) with events SYN-ACK, ACK, FIN, "* - {SYN-ACK}" and "* - {FIN}"; the data flow branches on "file contents malicious" versus "clean file".]
Mapped to protocol specifics
Rule processing
[Figure: rule-processing flowchart. Each node is "Extract packet data / Is field = X?" (and likewise for fields Y, Z and T); a matching branch either does "Save state in flow state table" or "Get state from flow state table" before continuing to the next field test.]
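The "Policy goals", "Sequence of steps", FTP state diagram and rule-processing slides describe one mechanism: a per-flow state table, a generic protocol state machine (PSM) with <src, event, dst, action> transition rules, and transient filters created for negotiated data flows. The following Python is an added illustration of that mechanism and is not the SAFire code or script language. It reuses the deck's state names (Suinit, Sinit, Sde, Sctd, Sterm, Sabort); the packet fields, the particular transitions, the action names, the flow-key layout and the "OK extn" rule (an allowed file-extension list) are assumptions made for this example.

```python
from dataclasses import dataclass

# Generic protocol states, named as in the deck's FTP diagram.
SUINIT, SINIT, SDE, SCTD, STERM, SABORT = "Suinit", "Sinit", "Sde", "Sctd", "Sterm", "Sabort"
ALLOW, BLOCK, TRANSIENT = "allow", "block", "transient-filter"   # assumed action names
FTP_CONTROL_PORT = 21
ALLOWED_EXTENSIONS = (".txt", ".pdf")   # assumed "OK extn" policy for this example


@dataclass(frozen=True)
class Packet:            # constructed, simplified packet view: only the fields the rules test
    src: str
    dst: str
    sport: int
    dport: int
    flags: str = ""      # "SYN", "SYN-ACK", "ACK" or "FIN"
    payload: str = ""    # FTP command line, if any


def classify(pkt: Packet) -> str:
    """The 'Extract packet data / Is field = X?' step: reduce a packet to a PSM event."""
    if pkt.flags in ("SYN", "SYN-ACK", "FIN"):
        return pkt.flags
    if not pkt.payload:
        return "ACK"
    cmd, _, arg = pkt.payload.strip().partition(" ")
    cmd = cmd.upper()
    if cmd == "PORT":
        return "PORT"
    if cmd in ("STOR", "RETR"):
        ok = arg.lower().endswith(ALLOWED_EXTENSIONS)
        return f"{cmd}|{'OK' if ok else 'NOTOK'} extn"
    return "OTHER"       # any command outside the allowed set for this service


def parse_port_arg(arg: str) -> tuple:
    """Decode 'h1,h2,h3,h4,p1,p2' from an FTP PORT command into (host, port)."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in arg.split(","))
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


# Transition rules <src, event, dst, action>, the tuple form the "Sequence of steps"
# slide names. Anything not listed is an invalid transition and is blocked proactively.
RULES = {
    (SUINIT, "SYN"):           (SUINIT, ALLOW),     # retransmitted client SYN
    (SUINIT, "SYN-ACK"):       (SINIT, ALLOW),
    (SINIT, "ACK"):            (SDE, ALLOW),
    (SDE, "ACK"):              (SDE, ALLOW),
    (SDE, "PORT"):             (SDE, TRANSIENT),    # open the negotiated data flow
    (SDE, "STOR|OK extn"):     (SDE, ALLOW),
    (SDE, "RETR|OK extn"):     (SDE, ALLOW),
    (SDE, "STOR|NOTOK extn"):  (SABORT, BLOCK),
    (SDE, "RETR|NOTOK extn"):  (SABORT, BLOCK),
    (SDE, "FIN"):              (SCTD, ALLOW),
    (SCTD, "ACK"):             (SCTD, ALLOW),
    (SCTD, "FIN"):             (STERM, ALLOW),
}


class SafireFirewall:
    def __init__(self) -> None:
        self.flow_table = {}            # flow key -> current PSM state
        self.transient_filters = set()  # (host, port) endpoints opened by PORT

    @staticmethod
    def key(pkt: Packet) -> tuple:
        """Direction-independent flow key so both sides of a session share one entry."""
        return tuple(sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))

    def process(self, pkt: Packet) -> str:
        # Transient filters admit the negotiated data flow without a control-channel rule.
        if (pkt.src, pkt.sport) in self.transient_filters or \
           (pkt.dst, pkt.dport) in self.transient_filters:
            return ALLOW
        k = self.key(pkt)
        if k not in self.flow_table:
            # Track a flow only when a client initiates it toward the service port;
            # everything else is denied by default.
            if pkt.flags == "SYN" and pkt.dport == FTP_CONTROL_PORT:
                self.flow_table[k] = SUINIT
                return ALLOW
            return BLOCK
        state = self.flow_table[k]                               # "Get state from flow table"
        dst, action = RULES.get((state, classify(pkt)), (SABORT, BLOCK))
        if dst == STERM:
            del self.flow_table[k]                               # session closed cleanly
        else:
            self.flow_table[k] = dst                             # "Save state in flow table"
        if action == TRANSIENT:
            _, _, arg = pkt.payload.strip().partition(" ")
            self.transient_filters.add(parse_port_arg(arg))
            action = ALLOW
        return action


def run_demo() -> list:
    """Constructed active-FTP session: handshake, PORT, a permitted RETR, a disallowed STOR."""
    fw = SafireFirewall()
    client, server = "10.0.0.5", "10.0.0.9"
    packets = [
        Packet(client, server, 40001, 21, "SYN"),
        Packet(server, client, 21, 40001, "SYN-ACK"),
        Packet(client, server, 40001, 21, "ACK"),
        Packet(client, server, 40001, 21, "ACK", "PORT 10,0,0,5,156,66"),   # data port 40002
        Packet(server, client, 20, 40002, "SYN"),                           # negotiated data flow
        Packet(client, server, 40001, 21, "ACK", "RETR report.pdf"),
        Packet(client, server, 40001, 21, "ACK", "STOR payload.exe"),       # not an OK extension
        Packet(client, server, 40001, 21, "ACK", "RETR notes.txt"),         # flow is now in Sabort
        Packet(server, client, 21, 40003, "SYN"),                           # not client-initiated
    ]
    return [fw.process(p) for p in packets]


if __name__ == "__main__":
    print(run_demo())
```

The demo returns six "allow" decisions followed by three "block": the data-channel SYN is admitted only because the PORT command created a transient filter for that endpoint, the STOR with a disallowed extension moves the flow to Sabort so everything after it on that session is dropped, and the server-initiated SYN never enters the flow table. Every (state, event) pair absent from RULES is treated as an invalid protocol state transition, which is how the "block proactively" policy goal falls out of the table rather than needing a separate check.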
Implementation
[Figure: implementation block diagram. Components shown: Local Firewall Configuration Application, Remote Mgmt. Station, SAFire script in XML, SAFire Parser, Static Filter Rules, PSM Rules, PSM Database, IOCTL Calls, Static Rule Mgr., PAE Core, Packet Classifier, Flow State Table, Filter Database, Static Filters, Transient Filters.]
Conclusions
- A unified model can comprehend HIPS + FWs
- Language extensibility = parallel progress
- The model allows security policy verification across implementations
- The minimal tradeoff is processing overhead for mapping and translation
- Context information on the host can be leveraged for finer access control
- The initial prototype shows minimal delay from the user's POV
Thank you!
- Questions/Comments to ravi.sahita@intel.com