
Methods of automated analysis of vendor-specific implementation of stateful filtration

Evgeny Abramov, PhD, Associate professor
College of Information Security, Taganrog Institute of Technology, Southern Federal University, Russia
abramoves@gmail.com

Elena Barannik, PhD student
College of Information Security, Taganrog Institute of Technology, Southern Federal University, Russia
ele-barannik@yandex.ru

Oleg Makarevich, Doctor of science, professor
College of Information Security, Taganrog Institute of Technology, Southern Federal University, Russia
mak@tsure.ru


ABSTRACT

In this paper we consider a special research methodology for stateful filtering in firewalls. The TCP/IP protocols connected with stateful filtering were analysed, and particular tests for different types of implementation were created. A special software system was developed which allows different firewall models to be tested and stateful filtering to be detected in a particular firewall model. Research results for several firewalls are also given.

Categories and Subject Descriptors

C.2.0.f [Communication/Networking and Information Technology]: General - Security and protection (e.g., firewalls).

General Terms

Security, Verification.

Keywords

firewalls, tcp/ip, network security, computing networks, stateful filtering


1. INTRODUCTION

Nowadays, the firewall is the best way to provide network security. Internetwork security is based on the use of firewalls, which protect internal hosts from attacks that use vulnerabilities of TCP/IP. A firewall, in turn, can carry out different functions according to its implementation. Firewalls may be created using two main methods: packet filtering and proxy servers [1]. Other methods are varieties of these two. One of these varieties is stateful filtering, which allows tracking of packet information at Layer 4 and below together with the connection state. Therefore this method has its own specifics and differs greatly from a simple packet filter [7].

During this research we considered the following articles. Article [2] describes the main problems with stateful firewalls and tries to describe stateful firewall models, but there is no practical solution in that paper. In [7] the authors consider two ways of filtering and compare them; from it we could get basic knowledge and learn more about the way stateful filtering works, but that paper does not give information about the different problems with stateful filtering and does not take into account the ways of handling different protocols. In [8] the authors also describe different ways of filtering and compare the tracking of the FTP protocol; it is better, but not enough. In [9] there are no special tools for these tests and the check includes only the TCP protocol. The methodology described in our paper offers special tools for testing a stateful firewall and a set of different tests; besides this, the paper contains the main concept of stateful filtering.

Stateful inspection is a term originally coined by the security product manufacturer Check Point, the maker of FireWall-1, for the way FireWall-1 handles the tracking of state information. Despite the fact that it is a fairly new filtering method, it is widely used: every present-day firewall supports this method. Unfortunately, there is no common model or specification for stateful filtering. Therefore every vendor implements the method according to its own rules and principles. Although stateful filtering can be implemented using common implementation approaches, two firewalls produced by different vendors have their own features. That is why this problem is very topical, and a special testing methodology for detecting the features, advantages and disadvantages of a particular firewall needs to be created, one that allows the following to be detected:

- whether stateful filtering is supported by a particular firewall model;

- whether internal network security is provided by a particular firewall;

- firewall vulnerabilities and the different types of attacks which could affect the firewall.


2. STATEFUL FILTERING

The most common definition of stateful filtering is that it is a special way of filtering which allows the session state to be tracked and information about the overall communication session to be stored in a state table. Only packets related to an established session are allowed to pass through the firewall; all others are dropped. When the first packet arrives at our network, the firewall checks it against the policy. If the packet is acceptable, a state table entry is created for it. This state table holds entries that represent all the communication sessions of which the device is aware. Every entry holds a laundry list of information that uniquely identifies the communication session it represents. Such information might include source and destination IP address information, flags, sequence and acknowledgment numbers, and more. Let's consider Figure 1, where the process of creating a state table entry is shown.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Conference'12, Month 1-2, 2012, City, State, Country. Copyright 2012 ACM 1-58113-000-0/00/0010…$10.00.


Figure 1. The first packet is stored in the state table

So, only two rules will be created for the stateful firewall:

1. Outbound connections will be allowed.

2. Inbound connections (which are not related to an established session) will be dropped.

Information about the established session is placed in the state table. Then, when traffic returns, the device compares the packet's information with the state table information to determine whether it is part of a currently logged communication session, as shown in Figure 2. If the packet is related to a current table entry, it is allowed to pass. That is why the information held in the state table must be as specific and detailed as possible, to guarantee that attackers will not be able to construct traffic that is able to pass the state table test [2].


Figure 2. The second step of packet handling

So, it is clear that the reception of subsequent packets depends on the first packet.
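The two rules above and the state table lookup of Figure 2, simulated in POSIX shell as an added example (this is not the paper's code); the functions are hypothetical and the addresses are constructed samples:

```shell
#!/bin/sh
# Added example, not code from the paper: a toy state table that enforces the two
# rules above. Session entries are kept one per line in a temporary file; all
# addresses below are constructed samples.

STATE_TABLE=$(mktemp)      # columns: proto src sport dst dport

# entry PROTO SRC SPORT DST DPORT -> prints the normalised table line
entry() { echo "$1 $2 $3 $4 $5"; }

# state_lookup PROTO SRC SPORT DST DPORT -> exit 0 if the session is known
state_lookup() { grep -qxF "$(entry "$@")" "$STATE_TABLE"; }

# state_add PROTO SRC SPORT DST DPORT -> record a session (idempotent)
state_add() { state_lookup "$@" || entry "$@" >> "$STATE_TABLE"; }

# state_del PROTO SRC SPORT DST DPORT -> forget a session (e.g. after a reset)
state_del() {
    tmp=$(mktemp)
    grep -vxF "$(entry "$@")" "$STATE_TABLE" > "$tmp" || true
    mv "$tmp" "$STATE_TABLE"
}

# filter DIR PROTO SRC SPORT DST DPORT FLAGS -> prints ACCEPT or DROP
#   DIR "out": packet leaves the internal network (rule 1: always allowed, and
#              the session is stored so that the reply can come back)
#   DIR "in":  packet arrives from outside (rule 2: allowed only when its
#              reversed tuple matches a stored session, otherwise dropped)
filter() {
    dir=$1; proto=$2; src=$3; sport=$4; dst=$5; dport=$6; flags=${7:-}
    case "$dir" in
        out)
            state_add "$proto" "$src" "$sport" "$dst" "$dport"
            echo ACCEPT ;;
        in)
            # the reply belongs to the session opened from the inside, so look
            # it up with source and destination swapped
            if state_lookup "$proto" "$dst" "$dport" "$src" "$sport"; then
                # a reset from the peer ends the session; later packets must not match
                if [ "$flags" = R ]; then
                    state_del "$proto" "$dst" "$dport" "$src" "$sport"
                fi
                echo ACCEPT
            else
                echo DROP
            fi ;;
        *) echo DROP ;;
    esac
}

# session_count -> number of sessions currently tracked
session_count() { wc -l < "$STATE_TABLE" | tr -d ' '; }

# constructed walk-through: an inside host opens a web session, the reply is
# let back in, and an unrelated inbound SYN to the same client port is dropped
filter out tcp 192.168.1.10 1077 203.0.113.9 80 S
filter in  tcp 203.0.113.9 80 192.168.1.10 1077 SA
filter in  tcp 203.0.113.9 443 192.168.1.10 1077 S
```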

3. THE SPECIAL RESEARCH METHODOLOGY OF STATEFUL FILTERING



We should choose special testing means in order to develop methodical instructions. Such a tool should allow packets to be generated and sent, and the user should be able to set different attributes manually. According to these principles the program nemesis was chosen; unfortunately, only a half-open connection session can be established with this program, which is why we chose tcping as an auxiliary tool. The nemesis package generates packets and packet data for ARP, DNS, Ethernet, ICMP, IGMP, IP, RIP, TCP, and UDP (OSPF remains out of commission) [5]. The following set of scripts, which help to automate the work of nemesis using the bash shell, was created:

1. Scripts for UDP tests

- sending a bad UDP packet

- sending a UDP packet for checking the timeout value

- sending a UDP packet for checking returned ICMP error messages

- DNS server examination

2. Scripts for TCP tests

- sending empty packets

- sending packets with all flags set

- sending packets with different combinations of flags to different IP addresses

- sending SYN packets to attempt to establish a TCP session

3. Scripts for ICMP tests

- sending different types of ICMP messages

- sending echo requests to different IP addresses

- sending an abundance of echo-reply messages

The script creation process was carried out as follows:

1. We should clearly understand what we need to get as a result after the script has run.

2. In this example we need to generate a packet which will be sent to every port until they run out (from 0 to 65535).

3. Therefore we use a while loop, and the packet is sent to all ports until they run out.

4. Thus, we use the target port parameter (-y) as the value of the loop variable:



#!/bin/sh
# send one SYN packet (-fS) from source port 1077 to every destination port in turn
TYPE=0
while [ $TYPE -le 65535 ] ; do
    sudo nemesis tcp -S 192.168.1.196 -D 192.168.1.197 -fS -x 1077 -y $TYPE
    TYPE=`expr $TYPE + 1 `
done


This is the script which helps to send packets to different target ports.

The tool tcping was used for application-level traffic examination. Testing is carried out as follows:

a) Presetting the firewalls

1) If the firewall is set up according to the policy, go to the next step.

2) If the firewall is not set up according to the policy, set it up and then move to the next step.

b) Making experiments

1) The external user generates a packet and sends it to the internal user as shown in Figure 3. (Also don't forget to install the components required by the program nemesis.)

2) You may need to use the tcping tool for working with application-level protocols.

c) Test results analysis

1) Before you start testing you should run the sniffer Wireshark, as in these experiments, to analyse the responses of the internal host, which should drop all packets from the external host (but only those packets which are not related to an established session). If the host answered the request, either the firewall settings are wrong or the firewall cannot block this kind of packet. In this case you need to analyse every event in greater detail.

2) After testing has ended you should also use the firewall log files for analysis.

Next, we present an example of a TCP test for detecting the handling of empty TCP packets (with no flags set: a NULL scan).

Internal host A should not respond to empty TCP packets. Such a packet is abnormal and could be sent by an attacker to obtain information about the ports. This packet is sent from the outside network B to the internal network A to all victim ports from 0 to 65535. In this case the internal host A should not answer (use the NULL script).




#!/bin/sh
# NULL scan: send an empty TCP packet (no flags set, -fN) to every port from 1444 upward
TYPE=1444
while [ $TYPE -le 65535 ] ; do
    sudo nemesis tcp -S 192.168.1.198 -D 192.168.1.194 -x 1077 -y $TYPE -fN
    TYPE=`expr $TYPE + 1 `
done


While this procedure is being executed, you must run the sniffer to monitor network traffic and host responses. Let's consider Figure 3.


Figure 3. The testing process

If we receive an RST packet, the port is considered closed, but if there is no response from the host, this means that the port is open or filtered. The port is also marked as filtered if an ICMP error-type message is received. Let's consider the following example of a TCP dump, as shown in Figure 4.



Figure 4. A fragment of the intercepted traffic after sending empty packets




So, we can see that the scanned host responded with RST/ACK packets; therefore we considered the ports closed.
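The classification rule just given (RST means closed, an ICMP error means filtered, silence means open or filtered), applied to a capture as an added example that is not the paper's code. The tcpdump-style lines are constructed samples, the scanned host is the 192.168.1.194 address from the NULL script, and the shell functions are hypothetical.

```shell
#!/bin/sh
# Added example, not from the paper: classify ports by the replies captured after a
# NULL scan, using the rule from the text. The capture lines are constructed
# samples in tcpdump's text format for the scanned host 192.168.1.194.

TARGET=192.168.1.194
CAPTURE=$(mktemp)
cat > "$CAPTURE" <<'EOF'
12:00:01.000100 IP 192.168.1.198.1077 > 192.168.1.194.22: Flags [none], seq 0, win 512, length 0
12:00:01.000250 IP 192.168.1.194.22 > 192.168.1.198.1077: Flags [R.], seq 0, ack 1, win 0, length 0
12:00:01.001100 IP 192.168.1.198.1077 > 192.168.1.194.80: Flags [none], seq 0, win 512, length 0
12:00:01.002100 IP 192.168.1.198.1077 > 192.168.1.194.135: Flags [none], seq 0, win 512, length 0
12:00:01.002300 IP 192.168.1.194 > 192.168.1.198: ICMP 192.168.1.194 tcp port 135 unreachable, length 48
EOF

# classify_port PORT -> prints closed | filtered | open|filtered
classify_port() {
    port=$1
    # RST or RST/ACK (tcpdump shows [R] or [R.]) sent back from the scanned port:
    # the host's TCP stack answered, so the port is closed and not protected
    if grep -q " IP $TARGET\.$port > .*Flags \[R\.*\]" "$CAPTURE"; then
        echo closed
    # an ICMP error naming the port: a filter answered, not the TCP stack
    elif grep -q "ICMP .*tcp port $port unreachable" "$CAPTURE"; then
        echo filtered
    # no answer at all: the expected result behind a stateful firewall, which
    # drops the unrelated packet silently; the port is listening or filtered
    else
        echo "open|filtered"
    fi
}

# summarise -> one "PORT STATE" line per port probed in the capture
summarise() {
    grep -o "> $TARGET\.[0-9]*: Flags \[none\]" "$CAPTURE" |
        sed "s/.*\.\([0-9]*\):.*/\1/" | sort -nu |
        while read -r p; do echo "$p $(classify_port "$p")"; done
}

summarise
```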

Such methodical instructions were created for the other scripts.

As a result of this work the following tasks were performed:

- the main principles of firewalls both with stateful filtering and without it (packet filters, proxies) were considered;

- the general concepts of stateful filtering and the test features of different types of traffic were studied;

- TCP/IP vulnerabilities which could be used for reconnaissance and for carrying out attacks were considered from the point of view of stateful filtering;

- special testing means were chosen and a software system for researching stateful filtering in firewalls was developed;

- the tests were carried out in practice;

- analysis of the results for identifying advantages and disadvantages was carried out.

This methodology is based on the vulnerabilities of TCP/IP. The main aim is to find the peculiar properties of stateful filtering and to develop tests that could uniquely identify whether a particular firewall model supports this type of filtering. It should also be explored which types of protocols the firewall can filter.

It should be mentioned that when the tests were created, special attention was paid to TCP session state. We examined the firewall's reaction to bad packets and also to attempts to establish a TCP session. These examinations were based on different types of port scanning, because a simple packet filter cannot detect them but stateful filtering can, owing to its ability to track TCP flags and determine related traffic.

We should pay special attention to the ICMP protocol. The majority of dangerous attacks, such as DDoS attacks, are implemented with the help of this protocol. Therefore we should examine whether the firewall blocks these attacks. ICMP, like UDP, really isn't a stateful protocol. The ICMP protocol is often used to return error messages when a host or protocol can't do so on its own, which can be described as a "response" message. ICMP response-type messages are precipitated by requests from other protocols (TCP, UDP). To check this vulnerability we used the following script, which sends a lot of ICMP response-type messages:

#!/bin/sh
# send ICMP echo-reply messages (type 0, code 0) with the IP ID (-I) running from 0 to 255
TYPE=0
while [ $TYPE -le 255 ] ; do
    sudo nemesis icmp -S 192.168.1.198 -D 192.168.1.194 -i 0 -c 0 -I $TYPE
    TYPE=`expr $TYPE + 1 `
done


The results of the script's work can be seen in Figure 5.




However, ICMP also has attributes that allow its connections to be pseudo-statefully tracked [4]. Instead of being tracked by source and destination addresses, an ICMP message can be tracked by request message type and reply message type.

The following script is used to determine how the host handles different types of ICMP messages.

#!/bin/sh
# send one ICMP message of every type (-i) from 0 to 255, each with code 0
TYPE=0
while [ $TYPE -le 255 ] ; do
    sudo nemesis icmp -S 192.168.1.198 -D 192.168.1.194 -i $TYPE -c 0
    TYPE=`expr $TYPE + 1 `
done


We also need to create a set of tests for the UDP protocol. They are connected with sending bad packets, that is, so-called UDP scans. We should also test services which use the UDP protocol to transfer data. Such an examination was implemented using DNS servers, which are the most important and the most vulnerable. Such a test needs the following type of script:

#!/bin/sh
# send DNS packets with the DNS ID (-i) running from 0 to 255; each packet is sent twice
TYPE=0
while [ $TYPE -le 255 ] ; do
    sudo nemesis dns -i $TYPE -A 7 -r 3 -S 192.168.2.1 -D 192.168.1.3
    sudo nemesis dns -i $TYPE -A 7 -r 3 -S 192.168.2.1 -D 192.168.1.3
    TYPE=`expr $TYPE + 1 `
done

Besides, we can learn how much time is devoted to a particular connection by increasing the timeout value.

#!/bin/sh
# send a UDP packet, waiting one second longer before each one (0 to 699 s), to find the idle timeout
TYPE=0
while [ $TYPE -le 699 ] ; do
    sleep $TYPE; sudo nemesis udp -v -S 192.168.2.1 -D 192.168.1.3 -x 6666 -y 135
    TYPE=`expr $TYPE + 1 `
done

Another point of concern with UDP traffic is that, because it cannot correct communication issues on its own, it relies entirely on ICMP as its error handler, making ICMP an important part of a UDP session to be considered when tracking its overall state. The firewall should not block ICMP messages related to an established UDP connection [3].

As mentioned previously, a stateful firewall can track application-level information. In this paper, the protocols HTTP and FTP are considered. Working with HTTP is quite simple, but working with the FTP protocol is much more complicated. HTTP uses TCP to establish a session, therefore a stateful firewall can track the behaviour of this protocol. The FTP protocol also establishes a TCP connection, but it uses port 21 for the control session and port 20 for the data channel. The firewall should not block the incoming traffic flow from the outside server.

We need to assemble and set up a special test bench to implement these checks, as illustrated in Figure 6.

Figure 6. Network topology for the experiments

It is necessary to install a Linux OS on the external host.


4. EXPERIMENTAL FIREWALLS RESEARCH

After the system for researching stateful filtering in firewalls was developed and debugged, we needed to test it in practice. Both software and hardware firewalls were used for testing. The main tasks were to examine the quality of the firewall and to detect stateful filtering in a particular firewall model. We also compared the test results without a firewall and with one present, to prove its necessity. We used two firewall models: Netfilter/IPTables and D-Link DFL 800. These models are interesting because in the first firewall special rules should be set before testing; the rules allow flexible configuration of the firewall, but at the same time they may be insufficient for good network security. The second model is interesting because it has an undocumented stateful filtering function. Tests were carried out according to the methodical instructions.


5. ANALYSIS OF EXPERIMENTAL RESULTS

After firewall testing was completed, some results were summarised. First, the firewalls managed well with the majority of tests: malicious packets were blocked. Second, with the IPTables firewall, despite the fact that the attempt to establish a connection initiated by an external host with a SYN packet was blocked, the host answered with an RST packet, which is not acceptable.

Third, the D-Link firewall does not block a large number of ping requests or requests with a payload file. Of course, this vulnerability can be resolved by banning incoming echo requests with the help of the packet filter, but that goes beyond stateful filtering.

It should also be mentioned that in the case of D-Link we needed not only to know the quality of stateful filtering but to detect this function in this particular product, because initially it was not declared. As a result we found that the firewall blocked all bad packets. After the log files had been analysed it was clear that there was a default rule which dropped packets.

By contrast, the rules were set manually in IPTables. That is why we should test not only its ability to prevent malicious traffic but also examine the building of rules [6]. As a result all malicious packets were blocked, but there was some problem with the handling of SYN packets. Despite the fact that this product is software, it can also be used for the protection of corporate networks.


6. PERSPECTIVES OF THE DEVELOPMENT

Nowadays network technologies are very popular and data rates are increasing, which is why bandwidth should be increased too. At the same time network security is a very important point. Therefore a firewall should filter packets rapidly and efficiently.

A stateful firewall can manage all these tasks. But at present there is no common methodology, rules, etc. which could help to examine stateful filtering. The system for examining stateful filtering in firewalls developed in this paper implemented tests which had not yet been implemented, and special software was created so that experiments can be conducted easily. Unfortunately, this system is not complete. Development of the test system can go on through the following points:

- a Linux kernel system has to be used, which could be inconvenient;

- there is no GUI and tests are run manually;

- the developed tests are not exhaustive; there are many vulnerabilities in TCP/IP which were not considered;

- new protocol vulnerabilities appear constantly and you need to know whether the firewall blocks them;

- a set of recommendations for configuring and using a stateful firewall needs to be developed.

But, despite these disadvantages, the testing system is working well and can be used by enterprises for testing their equipment. This test system can be used as part of a penetration test. A penetration test is as close to reality as possible and allows auditors to simulate a large part of the information security threats that affect an information system. In fact, the software system for testing stateful firewalls presented in this paper performs the same function.


7. CONCLUSIONS

There are not only practical reasons for the relevance of the test system presented in this paper, but also scientific ones. Despite the fact that the method of stateful filtering is widely used, it is still not fully understood [8].

In this paper, the area of filtering has been investigated and summarised. These results could help in the further study of the filtering method and its improvements, and in the creation of a single model of stateful filtering. Technologies are developing and companies are actively using new technologies, and attackers are no less actively working to find and exploit vulnerabilities. Therefore information security specialists must keep pace with the times and keep up with progress; they need to create new testing systems or use existing ones. The software testing system takes into account various factors that can break system security, deals only with stateful filtering, and can be used in practice.


8. REFERENCES

[1] Terry William Ogletree. Practical Firewalls. QUE, June 2000.

[2] Mohamed G. Gouda, Alex X. Liu. A Model of Stateful Firewalls and its Properties. Department of Computer Sciences, The University of Texas at Austin, Austin, Texas, U.S.A., 2001. http://ieeexplore.ieee.org/xpl/login.jsp?tp=&arnumber=1467787&url=http%3A%2F%2Fieeexplore.ieee.org%2Fiel5%2F9904%2F31476%2F01467787.pdf

[3] Northcutt, S., Novak, J., and McLachlan, D. Network Intrusion Detection. An Analyst's Handbook. New Riders, Indianapolis, 2001. 448 p.

[4] Stephen Northcutt, Lenny Zeltser, Scott Winters, Karen Kent, Ronald W. Ritchey. Inside Network Perimeter Security. Sams Publishing, March 2005.

[5] Eli Fulkerson [Electronic resource]. URL: http://www.elifulkerson.com/projects/tcping.php (accessed 16.07.2011).

[6] Fabrice Marie. "Netfilter Extensions HOWTO" [Electronic resource]. URL: http://netfilter.samba.org/documentation/HOWTO//netfilter-extensions-HOWTO.html

[7] Avishai Wool, Ph.D., School of Electrical Engineering, Tel Aviv University. Packet Filtering and Stateful Firewalls. http://www.eng.tau.ac.il/~yash/hinsec-171.pdf

[8] Academia.edu. "Stateful Inspection Technology Tech Note" [Electronic resource]. URL: http://iitg-in.academia.edu/AjayShankarBidyarthy/Papers/584480/ (accessed 17.08.2011).

[9] E. A. Vasilyeva, N. V. Medvedev. Method of testing of a firewall. Magazine "Security of Information Technology" [Electronic resource]. URL: http://vniipvti.corbina.ru/izd/bit/BIT_1_2008_5.pdf