Firewall Policy Reconstruction by Active Probing: An Attacker's View

  • Authors:
  • Taghrid Samak; Adel El-Atawy; Ehab Al-Shaer; Hong Li

  • Affiliations:
  • Taghrid Samak, Adel El-Atawy, Ehab Al-Shaer: School of Computer Science, Telecommunication, and Information Systems, DePaul University, Chicago, Illinois 60604 (taghrid@cs.depaul.edu, aelatawy@cs.depaul.edu, ehab@cs.depaul.edu)
  • Hong Li: Information Technology Research, Intel Corporation, Folsom, CA 95630 (hong.c.li@intel.com)

  • Venue:
  • NPSEC '06 Proceedings of the 2006 2nd IEEE Workshop on Secure Network Protocols
  • Year:
  • 2006

Abstract

Having a firewall policy that is correct and complete is crucial to the safety of a computer network, and an adversary benefits considerably from knowing the policy or its semantics. In this paper we show how an attacker can reconstruct a firewall's policy by probing it: sending tailored packets into the network and using the firewall's responses to form an idea of what the policy looks like. We present two approaches to compiling this information into a policy that can be arbitrarily close to the one deployed in the firewall. The first approach is based on region growing from the firewall's individual responses to sample packets. The second uses split-and-merge to divide the space of the firewall's rules and analyze each part independently. Both techniques merge the results obtained into a more compact version of the reconstructed policy.
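As an added illustration (not code from the paper or its authors), the region-growing idea reduced to one dimension: a constructed in-memory policy stands in for the firewall, and each region is grown from a seed probe by doubling steps followed by a binary search for the boundary. The single-port rule narrower than the current step is skipped, which is the sense in which the reconstruction is only close to, not identical with, the deployed policy; the probe count shows how little traffic a defender has to notice.

```python
# Added illustration (not the paper's code): one-dimensional region growing
# over destination ports against an in-memory policy oracle. No packets are sent.
from typing import Callable, List, Tuple

PORT_MAX = 65535
Region = Tuple[int, int, str]   # (low_port, high_port, verdict)

# Constructed first-match policy used as the oracle; anything unmatched is denied.
RULES: List[Region] = [(22, 22, "accept"), (80, 443, "accept"), (8000, 8999, "accept")]

def oracle(port: int) -> str:
    """Stand-in for the firewall's observable reaction to one probe packet."""
    for lo, hi, action in RULES:
        if lo <= port <= hi:
            return action
    return "deny"

def grow_right(probe: Callable[[int], str], start: int, verdict: str, upper: int) -> int:
    """Right end of the region around `start`: gallop with doubling steps while probes
    still agree, then binary-search the boundary. Rules narrower than the current step
    are jumped over, so the result approximates rather than reproduces the policy."""
    step, last = 1, start
    while last + step <= upper and probe(last + step) == verdict:
        last, step = last + step, step * 2
    lo, hi = last, min(last + step, upper + 1)   # hi disagrees, or is past the end
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if probe(mid) == verdict:
            lo = mid
        else:
            hi = mid
    return lo

def reconstruct(probe: Callable[[int], str], upper: int = PORT_MAX) -> List[Region]:
    """Sweep the port space, growing one region per seed until it is covered."""
    regions, start = [], 0
    while start <= upper:
        verdict = probe(start)
        end = grow_right(probe, start, verdict, upper)
        regions.append((start, end, verdict))
        start = end + 1
    return regions

def run() -> Tuple[List[Region], int]:
    """Reconstruct the constructed policy and count the probes it took."""
    calls = [0]
    def counted(port: int) -> str:
        calls[0] += 1
        return oracle(port)
    return reconstruct(counted), calls[0]

if __name__ == "__main__":
    regions, probes = run()
    print(f"{probes} probes ->", regions)   # the single-port rule for 22 is missed
```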