COMS 4115 White Paper

FIREDRL
Firewall Integrity Review Exploit Description Report Language
COMS 4115 Project White Paper

Marvin J. Rich
e-mail: mjrich@us.ibm.com
MJR 9/27/05

Introduction

The internet is a ubiquitous entity that touches all aspects of modern society. The services provided by the underlying protocols have extended business and personal communication to a worldwide scope. As the internet has become integrated into the normal processes of society, security has emerged as a necessary component of providing services that can be accessed worldwide. For example, a Local Area Network (LAN) configuration representing a business typically holds data online that must be protected from unauthorized access, as well as data that must be accessible by everyone in order to conduct a competitive business. These opposing requirements must co-exist on a common set of applications and protocols, which makes securing the resulting LAN configuration a complex undertaking for network administrators.

Firewalls are a first line of defense for LAN security. They are not the only component of network security, but they are an important one nonetheless. A firewall imposes and enforces rules on the types of traffic and services allowed to flow into or out of a network. Typically a firewall is implemented at a router, which is an entrance/exit point for a LAN. In order to implement the various levels of security and service required by a typical LAN, several routers are usually present, partitioning the total LAN into segments with varying degrees of access. Firewalls are generally implemented on each of these routers to enforce a degree of access rights, but they may be implemented on host machines as well. For large LANs it is difficult to determine the net effect of the various levels of firewalls, that is, whether the services the firewalls are meant to control are indeed provided (or blocked) at each host on the LAN.

The Firewall Integrity Review Exploit Description Report Language (FIREDRL, pronounced "fire drill") is a rapid LAN configuration and exploitation test language. The language is specific to the domain of firewalls. It allows a network administrator to design the firewall aspects of a network by defining the network, testing fundamental exploits against it, and reporting the effects of the attack on the hosts of the network. This process can be repeated until the administrator is satisfied with the operation of the firewalls in the LAN. The FIREDRL language provides the following capabilities:

- Easy LAN prototyping
- Easy firewall rule specification
- Rapid firewall exploit testing
- Flexible exploit result reporting

Overview

To explain the capabilities of the FIREDRL language, a typical LAN configuration is depicted in Figure 1. The LAN contains three segments, labeled X, Y and Z respectively. LAN segment X has two routers (R1, R2) and three hosts (A, B, C). LAN segment Y has two routers (R2, R3) and also three hosts (D, E, F). LAN segment Z has one router (R3) and two hosts (G, H). Each LAN segment typically serves some functional requirement; for this illustration the segments denote different security policies as to what can be accessed. Firewalls are implemented on all the routers in this illustration, though a firewall can also be implemented on a host machine.

[Figure 1: Typical Multi-Segment LAN Configuration. Internet -> R1 -> Segment X (175.23.3.0/24: hosts A, B, C) -> R2 -> Segment Y (175.23.7.0/24: hosts D, E, F) -> R3 -> Segment Z (175.23.10.0/24: hosts G, H). The LAN as a whole is 175.23.0.0/16.]

Rapid LAN and Firewall Configuration

The FIREDRL language can easily lay out the topology of a LAN, which is the environment that an exploit attack is analyzed against. Using the example in Figure 1, the FIREDRL statements required to describe the LAN are as follows:

 1  Define total lan segment topology
 2  MyLan Segments  Segment X  Segment Y  Segment Z
 3  Segment X hostname  A B R1 R2 C
 4  Segment Y hostname  D E R2 R3 F
 5  Segment Z hostname  G R3 H
 6
 7  Define host ids in each segment
 8  Segment X hostid  10 20 30 40 50
 9  Segment Y hostid  2 3 41 25 61
10  Segment Z hostid  34 35
11
12  Define IP Addresses and Subnets of LAN
13  MyLan ip  175.23.0.0/16
14  Segment X ip  175.23.3.0/24
15  Segment Y ip  175.23.7.0/24
16  Segment Z ip  175.23.10.0/24
17  Filter rules
18  Segment X R1 filter IN PORT 80 YES
19  Segment Y R2 filter IN PORT 25 NO

Lines 2-5 establish the overall network topology by naming the key network hosts and routers in a top-down fashion. FIREDRL can deduce the firewall hosts from the fact that a firewall host's name appears in more than one network segment (R2 in X and Y, R3 in Y and Z). Lines 8-10 assign unique host IDs to the established hosts, which are used for semantic checking. Finally, lines 13-16 assign IP addresses to the topology. Subnet mask information is appended to the IP address: for example, a "/24" appended to an IP address indicates that the first 24 bits are the network address, which implies a 255.255.255.0 subnet mask. Lines 18-19 configure firewall rules on routers R1 in Segment X and R2 in Segment Y respectively; such rules can filter incoming or outgoing traffic. The language is free format, and line comments are allowed (lines 1, 7, 12 and 17).

Rapid Exploit Testing and Reporting

An exploit attack is a specific method used to attempt to penetrate the LAN from the internet. FIREDRL provides control instructions that allow logical decisions to be made to guide an attack sequence. Common exploits are packaged with the language support, so that only the control decisions need be mapped out in a test. An example in FIREDRL is as follows:

1  Issue ICMP TTL Probe Attack
2  success 0
3  for TTL 2 to 20 by 1
4    ICMP echo TTL
5    if resp success
6      print Successful Probe for TTL TTL

This attack uses ICMP echo requests with increasing TTL values to discover the routing depth of the LAN: a router at which the TTL expires answers with an ICMP Time Exceeded message and thereby reveals itself, while the first TTL that draws an echo reply gives the number of hops to the target. This information provides topology clues to an attacker. Familiar programming control constructs such as the for and if statements in lines 3 and 5 allow decisions to be made while progressing through an attack. The control-flow constructs are wrapped around an attack directive (line 4) to realize a wide-ranging probe of the network. Print statements, as depicted in line 6, provide a method for displaying the results of the attack on the network; the user is free to print whatever status is of interest by placing print statements accordingly.

Implementation Model

The underlying execution language is Java. The FIREDRL language is compiled into Java executables that, given a network topology and an
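The LAN description and the TTL probe script in the two sections above can be exercised end to end with a small simulator. The following is an added example written for this page, not code from the FIREDRL project or its Java compiler. It assumes a text syntax for the statements, since the paper does not show the grammar: "=" and comma separators, "#" line comments and an "Internet hostname" pseudo-segment (so that the Internet-facing router R1 is deduced as a firewall host by the paper's own rule) are the example's assumptions. It also assumes that a router passes traffic for which it has no rule (the paper does not state a default) and models each router as decrementing TTL and answering ICMP Time Exceeded when TTL reaches zero. The hosts, routers, prefixes and the two filter rules are those of Figure 1.

```python
# Added example for this page (not the FIREDRL compiler's own code): a toy model of a
# FIREDRL-style LAN description, its filter rules and the paper's ICMP TTL probe.
# The statement syntax is ASSUMED; hosts, routers, prefixes and rules are Figure 1's.
import ipaddress
import re
from collections import defaultdict, deque
INTERNET = "Internet"   # assumed pseudo-segment, so that R1 is deduced as a firewall host too

LAN_SPEC = """# Define total lan segment topology (constructed input)
MyLan Segments = X, Y, Z
Internet hostname = R1
Segment X hostname = A, B, R1, R2, C
Segment Y hostname = D, E, R2, R3, F
Segment Z hostname = G, R3, H
MyLan ip = 175.23.0.0/16
Segment X ip = 175.23.3.0/24
Segment Y ip = 175.23.7.0/24
Segment Z ip = 175.23.10.0/24
Segment X R1 filter IN PORT 80 YES
Segment Y R2 filter IN PORT 25 NO
"""
FILTER_RE = re.compile(r"Segment (\w+) (\w+) filter (IN|OUT) PORT (\d+) (YES|NO)$")

def build_model(text):
    """Parse the spec into {"lan", "segments", "filters", "routers"}."""
    segs, filters, lan = {INTERNET: {"hosts": [], "net": None}}, defaultdict(dict), None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # free format with line comments
        if not line:
            continue
        if m := FILTER_RE.match(line):
            router, direction, port, verdict = m.group(2, 3, 4, 5)
            filters[router][(direction, int(port))] = verdict == "YES"
            continue
        key, rhs = line.split("=", 1)
        key, values = key.split(), [v.strip() for v in rhs.split(",")]
        if key == ["MyLan", "Segments"]:
            segs.update({s: {"hosts": [], "net": None} for s in values})
        elif key == ["MyLan", "ip"]:
            lan = ipaddress.ip_network(values[0])
        elif key[-1] == "hostname":                   # "Internet hostname" / "Segment X hostname"
            segs[key[1] if key[0] == "Segment" else INTERNET]["hosts"] = values
        elif key[0] == "Segment" and key[2] == "ip":
            segs[key[1]]["net"] = ipaddress.ip_network(values[0])
        else:
            raise ValueError(f"unrecognised statement: {line}")
    where = defaultdict(set)            # the paper's deduction rule: a host name that
    for s, info in segs.items():        # appears in more than one segment is a firewall host
        for h in info["hosts"]:
            where[h].add(s)
    routers = {h: s for h, s in where.items() if len(s) > 1}
    return {"lan": lan, "segments": segs, "filters": dict(filters), "routers": routers}

def check_subnets(model):
    """Semantic check: each segment prefix nests inside the LAN prefix and none overlap."""
    nets = {s: i["net"] for s, i in model["segments"].items() if i["net"]}
    bad = [f"{s} {n} outside {model['lan']}" for s, n in nets.items() if not n.subnet_of(model["lan"])]
    names = sorted(nets)
    bad += [f"{a} overlaps {b}" for i, a in enumerate(names) for b in names[i + 1:] if nets[a].overlaps(nets[b])]
    return bad

def inbound_path(model, target):
    """Routers crossed from the Internet to the segment holding target (BFS over segments)."""
    segs = model["segments"]
    goal = next(s for s in segs if s != INTERNET and target in segs[s]["hosts"])
    adj = defaultdict(list)
    for r, members in model["routers"].items():
        for a in members:
            adj[a] += [(r, b) for b in members if b != a]
    queue, seen = deque([(INTERNET, [])]), {INTERNET}
    while queue:
        seg, hops = queue.popleft()
        if seg == goal:
            return hops
        for r, nxt in adj[seg]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, hops + [r]))
    raise LookupError(f"{target} is not reachable from the Internet")

def inbound_allowed(model, target, port, default_allow=True):
    """Apply each router's IN rules along the inbound path.  The paper does not say what a
    router does when no rule matches, so the default verdict is a parameter (assumed allow)."""
    for r in inbound_path(model, target):
        if not model["filters"].get(r, {}).get(("IN", port), default_allow):
            return False, r
    return True, None

def ttl_probe_attack(model, target, lo=2, hi=20):
    """The paper's loop (for TTL 2 to 20 by 1; ICMP echo TTL; if resp success ...).
    Each router decrements TTL and answers ICMP Time Exceeded when it hits zero, which names
    that router to the attacker; otherwise the target answers Echo Reply."""
    path, success, first, revealed = inbound_path(model, target), 0, None, []
    for ttl in range(lo, hi + 1):
        if ttl <= len(path):                         # TTL expires at the ttl-th router
            revealed.append((ttl, path[ttl - 1]))
            continue
        success += 1
        first = first or ttl                         # first reply = routing depth of target
    return {"depth": first, "successes": success, "revealed": revealed}
```

Running the probe against H from TTL 2, as the paper's loop does, draws Time Exceeded replies from R2 and R3 and an echo reply from TTL 4 onward, so the attacker learns that H sits behind three routers; starting the loop at TTL 1 would name R1 as well. The default_allow parameter is the check to keep an eye on when reading a rule set like lines 18-19: with default allow, inbound port 25 traffic to D passes R1 and is dropped at R2, whereas with default deny it is already dropped at R1 because R1 has no rule for port 25.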


Columbia COMS W4115 - Firewall Integrity Review Exploit Description Report Language
