CS448/548 Sequence 28Case Study: Firewall!This section discusses an example of applying an eight-stage risk assessment methodology to firewalls!The reason for selecting this case study is to stimulate a discussion about the granularity of solutions.!Source –http://csrc.nist.gov/nissc/1996/papers/NISSC96/paper012/nissc96.pdf–APPLYING THE EIGHT-STAGE RISK ASSESSMENT METHODOLOGY TO FIREWALLS–David L. Drake, et.al.–Figures and quoted material are directly adopted from the paper.1CS448/548 Sequence 28Risk Assessment: Firewall!Eight-Stage Methodology–squares: internal influences–triangle: external influence–circle: consequences–will occur if activities are insufficient2CS448/548 Sequence 28Risk Assessment: Firewall!Data gathering:–“Obtain the definition of the security boundary and the interfaces that will be defended by the firewall, both automatically and procedurally. The definition should be provided in the security policy”.–“Obtain »the list of system assets to be protected, »what constitutes a security breach, »the associated harm that could befall the assets, and »a quantitative loss per asset if it were compromised, modified by an unauthorized agent, or its availability were lost”. 3CS448/548 Sequence 28Risk Assessment: Firewall!Data gathering:–“Delineate »the attack scenarios that will (and will not) be defended against, »the likelihood of occurrence of each.” –“Delineate each of the system's countermeasures that protect it against attack. »A determination is made for each countermeasure if it is used to obstruct, detect or recover from an attack, or to detect or recover from a security breach. »This distinction is used to support the quantitative assessment of each countermeasure's effectiveness.”4CS448/548 Sequence 28Risk Assessment: Firewall!Example firewall uses amalgamation of actual system–firewall is a host using IP-based filtering–external router connected to the Internet–LAN supports various computer platforms–critical application data»company proprietary data»financial and privacy act data5CS448/548 Sequence 28Risk Assessment: Firewall–Data flow»“email in both directions»both internal and external hosts are allowed to "ping" the firewall (for»connectivity testing)»both in-coming and out-going Domain Name Service (DNS) requests»non-anonymous File Transfer Protocol (ftp)»World Wide Web”.6CS448/548 Sequence 28Table 1: Security Policy!Security Policy7CS448/548 Sequence 28Risk Assessment: Firewall8CS448/548 Sequence 28Risk Assessment: Firewall9CS448/548 Sequence 28Risk Assessment: Firewall10CS448/548 Sequence 28Risk Assessment: Firewall!Chains and Analysis–they demonstrate 2 chains –assume 80 chains for typical assessment »why 80 +- ?–1st chain is attack firewall is designed to protect against–2nd chain shows “human error” scenario»can not be handled by firewall11CS448/548 Sequence 28Risk Assessment: Firewall12CS448/548 Sequence 28Risk Assessment: Firewall13CS448/548 Sequence 28Risk Assessment: Firewall!False Sense of Security–firewalls make people happy»even if they don’t know what it can do»excuse for getting lazy w.r.t. enforcing security–still many problems, open doors–even though outside users might not be able to get in, inside users still have access to all resources!About this paper–seems interesting approach but unimplementable–seems to suffer from all problems associated with prob. risk assessment–scalability questionable14CS448/548 Sequence 28Risk Assessment: Firewall!Nice quote–“Firewalls are the wrong approach. They don’t solve the general problem, and they make it very difficult or impossible to do many things. On the other hand, if I were in charge of a corporate network, I’d never consider hooking into the Internet without one. And if I were looking for a likely financially successful security product to invest in, I’d pick firewalls.” - Charlie