Columbia COMS W4115 - Firewall Integrity Review Exploit Description Report Language
COMS 4115 White Paper, MJR, 9/27/05

FIREDRL: Firewall Integrity Review Exploit Description Report Language

COMS 4115 Project White Paper
Marvin J. Rich
e-mail: [email protected]

Introduction

The internet is a ubiquitous entity that touches all aspects of modern society. The services provided by the underlying protocols have extended business and personal communication to a worldwide scope. As the internet has become integrated into the normal processes of society, security has emerged as a necessary component of any service that can be accessed worldwide. For example, a Local Area Network (LAN) configuration representing a business typically has data online that must be protected from unauthorized access, as well as data that must be accessible by everyone in order to conduct a competitive business. These opposing requirements must co-exist on a common set of applications and protocols, which makes securing the resulting LAN configuration a complex undertaking for network administrators.

Firewalls are a first line of defense for LAN security. They are not the only component of network security, but they are an important one. A firewall imposes and enforces rules on the types of traffic and services allowed to flow into or out of a network. Typically a firewall is implemented at a router, which is an entrance/exit point for a LAN. In order to implement the various levels of security and service for a typical LAN, several routers are usually present, which partition the total LAN into segments with varying degrees of access. Firewalls are generally implemented on each of these routers to enforce a level of access rights, but may also be implemented on host machines.
For large LANs, it is difficult to determine the security imposed by the various levels of firewalls, and in particular whether the services that the firewalls are meant to control are indeed provided at each host on the LAN.

The Firewall Integrity Review Exploit Description Report Language, FIREDRL (pronounced "fire drill"), is a rapid LAN configuration and exploitation test language. The language is specific to the domain of firewalls. It allows a network administrator to design the firewall aspects of a network by defining the network, testing fundamental exploits, and reporting the effects of the attack on the hosts of the network. This process can be repeated until the administrator is satisfied with the operation of the firewalls in the LAN. The FIREDRL language provides the following capabilities:

• Easy LAN prototyping
• Easy firewall rule specification
• Rapid firewall exploit testing
• Flexible exploit result reporting

Overview

To explain the capabilities of the FIREDRL language, a typical LAN configuration is depicted in Figure 1. The LAN contains 3 segments labeled X, Y and Z respectively. LAN segment X has two routers (R1, R2) and 3 hosts (A, B, C). LAN segment Y has two routers (R2, R3) and also 3 hosts (D, E, F). LAN segment Z has 1 router (R3) and 2 hosts (G, H). Each LAN segment typically serves some functional requirement. For this illustration, the segments denote different security policies as to what can be accessed. The firewalls are implemented on all the routers for this illustration (though a firewall can also be implemented on a host machine).

Figure 1: Typical Multi-Segment LAN Configuration. (The figure itself is not reproduced; its labels are INTERNET, hosts A through H, routers R1, R2 and R3, Segment X, Segment Y and Segment Z, the LAN as 175.23.0.0/16, and the segment subnets 175.23.3.0/24, 175.23.7.0/24 and 175.23.10.0/24.)

Rapid LAN and Firewall Configuration

The FIREDRL language can easily lay out the topology of a LAN, which is the environment that an exploit attack is analyzed against.
Using the example in Figure 1, the FIREDRL statements required to describe the LAN are as follows:

     1 //Define total lan segment topology
     2 MyLan = Segments{Segment_X,Segment_Y,Segment_Z};
     3 Segment_X = hostname{A,B,R1,R2,C};
     4 Segment_Y = hostname{D,E,R2,R3,F};
     5 Segment_Z = hostname{G,R3,H};
     6
     7 //Define host_ids in each segment
     8 Segment_X = hostid{10,20,30,40,50};
     9 Segment_Y = hostid{2,3,41,25,61};
    10 Segment_Z = hostid{34,35};
    11
    12 //Define IP Addresses and Subnets of LAN
    13 MyLan = ip(175.23.0.0/16);
    14 Segment_X = ip(175.23.3.0/24);
    15 Segment_Y = ip(175.23.7.0/24);
    16 Segment_Z = ip(175.23.10.0/24);
    17 //Filter rules
    18 Segment_X.R1 = filter(IN,PORT=80, YES);
    19 Segment_Y.R2 = filter(IN,PORT=25,NO);

Lines 2-5 establish the overall network topology by assigning names to the key hosts and routers in a top-down fashion. FIREDRL can deduce which hosts are firewalls from the fact that a router's host name appears in more than one network segment (R2 in lines 3 and 4, R3 in lines 4 and 5). Lines 7-10 assign host IDs to the established hosts; the IDs must be unique, which is enforced by a semantic check. Finally, lines 13-16 assign IP addresses to the topology. Subnet mask information is appended to the IP address: for example, a "/24" suffix indicates that the first 24 bits are the network address, which implies a 255.255.255.0 subnet mask. Lines 18-19 configure firewall rules on router R1 in Segment_X and router R2 in Segment_Y respectively: R1 admits incoming traffic to port 80 (YES), and R2 rejects incoming traffic to port 25 (NO). Either incoming or outgoing traffic can be filtered in this way. The language is free format, and line comments are allowed (lines 1, 7, 12 and 17).

Rapid Exploit Testing and Reporting

An exploit attack is a specific method used to attempt to penetrate the LAN from the internet. FIREDRL provides control instructions that allow logical decisions to guide an attack sequence. Common exploits are packaged with the language support, so that only the control decisions need be mapped out in the test.
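The following Python program is an added example, not FIREDRL's own implementation: it reads the configuration subset shown in the listing above (Segments, hostname, hostid, ip and filter statements), derives the firewall hosts by the "named in more than one segment" rule the text describes, runs the semantic checks an administrator would want before any exploit is issued, and answers whether a router admits a given flow. Two points are my reading rather than anything the paper states: YES in a filter means the traffic is admitted and NO that it is blocked, and a flow that matches no rule is admitted (the `default` parameter makes that choice explicit). The input is the paper's listing, embedded as a constructed string.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed input: the paper's Figure 1 listing, verbatim, so the checks
# below run on the page's own example.
FIREDRL_SRC = """\
//Define total lan segment topology
MyLan = Segments{Segment_X,Segment_Y,Segment_Z};
Segment_X = hostname{A,B,R1,R2,C};
Segment_Y = hostname{D,E,R2,R3,F};
Segment_Z = hostname{G,R3,H};

//Define host_ids in each segment
Segment_X = hostid{10,20,30,40,50};
Segment_Y = hostid{2,3,41,25,61};
Segment_Z = hostid{34,35};

//Define IP Addresses and Subnets of LAN
MyLan = ip(175.23.0.0/16);
Segment_X = ip(175.23.3.0/24);
Segment_Y = ip(175.23.7.0/24);
Segment_Z = ip(175.23.10.0/24);
//Filter rules
Segment_X.R1 = filter(IN,PORT=80, YES);
Segment_Y.R2 = filter(IN,PORT=25,NO);
"""

# One statement per line:  <lhs> = <kind>{args};   or   <lhs> = <kind>(args);
STMT = re.compile(r"^(?P<lhs>[\w.]+)\s*=\s*(?P<kind>\w+)\s*[{(](?P<args>[^})]*)[})]\s*;$")


def parse_firedrl(src):
    """Build a plain dict model from the configuration subset of FIREDRL shown above."""
    lan = {"segments": {}, "hostids": {}, "ips": {}, "filters": defaultdict(list)}
    for raw in src.splitlines():
        line = raw.split("//", 1)[0].strip()          # line comments are allowed
        if not line:
            continue
        m = STMT.match(line)
        if not m:
            raise SyntaxError(f"unrecognised statement: {raw!r}")
        lhs, kind = m["lhs"], m["kind"]
        args = [a.strip() for a in m["args"].split(",") if a.strip()]
        if kind == "Segments":                        # declare the segment names, in order
            for seg in args:
                lan["segments"].setdefault(seg, [])
        elif kind == "hostname":
            lan["segments"][lhs] = args
        elif kind == "hostid":
            lan["hostids"][lhs] = [int(a) for a in args]
        elif kind == "ip":
            lan["ips"][lhs] = ipaddress.ip_network(args[0])
        elif kind == "filter":                        # Seg.Router = filter(DIR, PORT=n, YES|NO)
            seg, router = lhs.split(".")
            direction, port, verdict = args
            lan["filters"][(seg, router)].append(
                (direction, int(port.split("=")[1]), verdict == "YES"))
        else:
            raise SyntaxError(f"unknown construct {kind!r}")
    return lan


def firewall_hosts(lan):
    """A host named in more than one segment joins those segments: it is a router."""
    seen = Counter(h for hosts in lan["segments"].values() for h in hosts)
    return sorted(h for h, n in seen.items() if n > 1)


def semantic_check(lan, top="MyLan"):
    """Static checks: host IDs unique, one ID per hostname, segment subnets inside the LAN."""
    problems = []
    ids = [i for seg_ids in lan["hostids"].values() for i in seg_ids]
    dups = sorted(i for i, n in Counter(ids).items() if n > 1)
    if dups:
        problems.append(f"duplicate host IDs {dups}")
    for seg, hosts in lan["segments"].items():
        n_ids = len(lan["hostids"].get(seg, []))
        if n_ids != len(hosts):
            problems.append(f"{seg}: {len(hosts)} hostnames but {n_ids} host IDs")
        net = lan["ips"].get(seg)
        if net is not None and not net.subnet_of(lan["ips"][top]):
            problems.append(f"{seg}: {net} is not inside {lan['ips'][top]}")
    return problems


def admits(lan, seg, router, direction, port, default=True):
    """First matching rule decides. A flow matching no rule takes `default`;
    default-allow is an assumption, the paper does not state the fall-through."""
    for rule_dir, rule_port, allow in lan["filters"].get((seg, router), []):
        if rule_dir == direction and rule_port == port:
            return allow
    return default


if __name__ == "__main__":
    lan = parse_firedrl(FIREDRL_SRC)
    print("firewall hosts:", firewall_hosts(lan))
    print("semantic problems:", semantic_check(lan))
    print("HTTP into Segment_X via R1:", admits(lan, "Segment_X", "R1", "IN", 80))
    print("SMTP into Segment_Y via R2:", admits(lan, "Segment_Y", "R2", "IN", 25))
```

Two things the run shows about the listing itself. The multi-segment rule marks only R2 and R3 as firewalls: R1 appears in Segment_X alone, because the Internet side of R1 is not a declared segment, so a real implementation needs a separate way to mark the border router (or must treat the Internet as a segment). And the one-ID-per-hostname check reports Segment_Z, whose hostname statement (line 5) names three hosts while its hostid statement (line 10) supplies two IDs; whether R3 is meant to reuse the ID 25 it was given in Segment_Y (line 9) is exactly the kind of ambiguity a semantic check should force the author to resolve.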
An example in FIREDRL is as follows:

     1 //Issue ICMP TTL Probe Attack
     2 success = 0;
     3 for (TTL = 2 to 20 by 1) {
     4   ICMP(echo,TTL);
     5   if (resp.success)
     6     print("Successful Probe for TTL=", TTL);
     7 }

This attack uses ICMP echo requests with increasing TTL values to discover the routing depth of the LAN. This information provides topology clues to an attacker. Familiar programming control constructs such as the "for" and "if" statements in lines 3 and 5 allow decisions to be made while progressing through an attack. The control flow constructs are wrapped around an
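The Python model below is an added example, not code from the paper: it simulates the TTL probe loop above against a path from the Internet to host G in Segment Z of Figure 1 and shows what each TTL value actually teaches an attacker. Each router decrements the TTL when it forwards the packet and answers with an ICMP "time exceeded" when the TTL reaches zero, while the destination host answers with an echo reply; that is standard IP behaviour, not something FIREDRL defines. The path R1, R2, R3, G and the router addresses are constructed for the example (the paper only gives the segment subnets; G's address assumes the hostid 34 is its host octet), and `drops_icmp_echo` models a hypothetical filter rule that silently discards echo requests, so the same probe can be re-run against a hardened R1.

```python
from dataclasses import dataclass


@dataclass
class Hop:
    name: str
    ip: str
    is_router: bool
    drops_icmp_echo: bool = False   # hypothetical rule: filter(IN, ICMP echo, NO)


# Constructed path from the Internet to host G (Segment Z) in Figure 1.
# Router addresses are made up for the example; only the subnets are from the paper.
PATH_TO_G = [
    Hop("R1", "175.23.3.1", True),
    Hop("R2", "175.23.7.1", True),
    Hop("R3", "175.23.10.1", True),
    Hop("G", "175.23.10.34", False),
]


def icmp_echo(path, ttl):
    """Simulate one ICMP echo request with the given TTL along `path`.
    Routers decrement the TTL on forwarding and answer 'time exceeded' when it
    hits 0; the destination host answers 'echo reply'; a filtering router that
    drops echo requests answers nothing.  Returns (success, responder_ip, kind)."""
    for hop in path:
        if hop.drops_icmp_echo:
            return False, None, "dropped"
        if not hop.is_router:
            return True, hop.ip, "echo-reply"
        ttl -= 1
        if ttl == 0:
            return False, hop.ip, "time-exceeded"
    return False, None, "no-response"


def ttl_probe(path, lo=2, hi=20):
    """The FIREDRL loop: probe with TTL = lo..hi and record what each value reveals.
    Returns (list of TTLs that reached the host, {ttl: router that answered})."""
    successes, responders = [], {}
    for ttl in range(lo, hi + 1):
        ok, ip, kind = icmp_echo(path, ttl)
        if ok:
            successes.append(ttl)
        elif kind == "time-exceeded":
            responders[ttl] = ip         # every time-exceeded reply names one router
    return successes, responders


def routing_depth(path):
    """Number of routers in front of the host: one less than the first successful TTL.
    None means the probe never reached the host (e.g. echo requests are filtered)."""
    successes, _ = ttl_probe(path, lo=1)
    return successes[0] - 1 if successes else None


if __name__ == "__main__":
    successes, responders = ttl_probe(PATH_TO_G)
    for ttl in successes:
        print("Successful Probe for TTL=", ttl)
    print("routers revealed by time-exceeded replies:", responders)
    print("routing depth to G:", routing_depth(PATH_TO_G))

    # Same probe after R1 is configured to drop inbound echo requests.
    hardened = [Hop("R1", "175.23.3.1", True, drops_icmp_echo=True)] + PATH_TO_G[1:]
    print("after hardening R1:", ttl_probe(hardened), routing_depth(hardened))
```

Against the open path the first success is TTL=4, so the attacker learns that three routers sit in front of G, and the time-exceeded replies for TTL=2 and TTL=3 hand over R2's and R3's addresses as well; the paper's loop, which only prints successes, discards that second piece of information, which is why a report language should capture the responder of each failed probe too. With R1 dropping echo requests the loop never succeeds and no router answers, which is the result an administrator would expect to see before accepting the firewall configuration.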