
OWASP Speed Talks – Build A Simple Risk Calculator for the Firewall

OWASP Speed Talks – Build A Simple Risk Calculator for the Firewall. Yang Li OWASP Assistant Organizer NJ Chapter yang.li@owasp.org (917) 667-1972. March 13, 2012. Build A Simple Risk Calculator. Introduction





Presentation Transcript


  1. OWASP Speed Talks – Build A Simple Risk Calculator for the Firewall
     Yang Li, OWASP Assistant Organizer, NJ Chapter
     yang.li@owasp.org, (917) 667-1972
     March 13, 2012

  2. Build A Simple Risk Calculator
  • Introduction: The talk demonstrates a simple model to quantify the risk associated with a firewall rule base. A risk calculator was built from scratch for this challenge.

  3. Build A Simple Risk Calculator
  • Goal? A means to audit the firewall rule base objectively.
  • How? Simplified model: a) search for and decompose a firewall rule; b) assign a risk score to each component; c) sum the component scores; d) alert if the sum passes a risk threshold.
  • What? I’ll give you a demo in this talk.

  4. Build A Simple Risk Calculator
  • Example (Cisco format): access-list OUTSIDE-ACL extended permit ip any any
  • ACL Group Name: “OUTSIDE-ACL”
  • Protocol: “IP”
  • Source IP: “any”
  • Destination IP: “any”
  • Port: “any”
  • Action: “allow”

  5. Build A Simple Risk Calculator
  • Example Risk Model: Assign a risk score based on the potential risk impact:
  • Affected IP range (size of the ‘hole’)
  • Trusted vs. non-trusted

  6. Build A Simple Risk Calculator
  • Example Risk Model (continued):
  • Affected service and port range (size of the ‘hole’)

  7. Build A Simple Risk Calculator
  • Example Risk Model (continued): access-list OUTSIDE-ACL extended permit ip any any
  • Source IP Risk Score = 40
  • Destination IP Risk Score = 80
  • Destination Port (Range) Risk Score = 50
  • Total Risk Score = 40 + 80 + 50 = 170
  Trigger Alert Thresholds:
  1. Yellow Alert: Total Risk Score >= 100
  2. Red Alert: Total Risk Score >= 120

  8. Build A Simple Risk Calculator
  • Code It (in Perl): Before we start: a choice to store program settings in a configuration file.

    #########################################################
    # risk_calc.pl configuration file
    #########################################################
    # Trusted network blocks (comma separated format) that do not trigger a penalty score
    BLK_TRUSTED = 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
    # Risky ports (e.g., NetBIOS, database) that would trigger a penalty score
    risky_ports = ftp, 21, ftp-data, 20, pop3, 110, ldap, 389, telnet, 23, tftp, 69, x11, 6000, netbios, 135, 445, 139, mssql, 1433, mysql, 3306, postgresql, 5432, sqlnet, 1521, sunrpc, 111
    # Threshold to trigger a penalty score for an ACL (defaults to 100 ports within a port range)
    excessive_port_range = 100
    # Total risk score threshold that triggers a yellow finding
    risk_yellow = 100
    # Total risk score threshold that triggers a red finding
    risk_red = 120

  9. Build A Simple Risk Calculator
  • Code It (in Perl): Step 1. Read the program configuration file.

    # Populates the global %CNF hash from "key = value" lines; comments (#) are skipped.
    # The empty "()" prototype is dropped so the sub can be called with a file name argument.
    sub read_config_simple {
        my $f_config = shift;
        print "Reading program configuration file: $f_config\n";
        open (CONFIG, $f_config)
            || die "Problem reading program configuration file $f_config: $! \nPlease read the README.txt again.\n";
        while (my $line = <CONFIG>) {
            chomp($line);
            $line =~ s/\s+//g;                                   # strip all whitespace from the line
            if ($line =~ /^#/) { next; }                         # comment line
            elsif ($line =~ /^(.*)=(.*)/) { $CNF{$1} = $2; }     # key=value
            else { next; }
        }
        close (CONFIG);
    }

  10. Build A Simple Risk Calculator
  • Code It (in Perl): Step 2. Look up the active access group(s).

    sub access_group_lookup {
        # Look for lines such as "access-group INSIDE-ACL in interface inside" as the starting point
        my @ag;
        open (IN0, $_[0]) || die "Cannot open firewall configuration file $_[0]: $!\n";
        while (<IN0>) {
            if (/^access-group\s.*in\sinterface/) {
                chomp;
                push (@ag, $_);
            }
        }
        close (IN0);
        return @ag;
    }

  11. Build A Simple Risk Calculator
  • Code It (in Perl): Step 3. Look up all Access Control List (ACL) entries defined under the access group.

    sub access_list_lookup {
        # Look up ACL entries under a specific access-group ($_[0] = config file, $_[1] = ACL group name)
        my ($f_config, $acl_name) = @_;
        my @ACLS;
        open (IN1, $f_config) || die "Cannot open firewall configuration file $f_config: $!\n";
        while (<IN1>) {
            # \Q...\E quotes the group name so regex metacharacters in it match literally
            if (/^access-list \Q$acl_name\E (?:extended )?permit/) {
                push (@ACLS, $_);
            }
        }
        close (IN1);
        return @ACLS;
    }

  12. Build A Simple Risk Calculator
  • Code It (in Perl): Step 4. Break down and calculate the risk score for every ACL entry.

    sub access_list_score {
        # Calculate the risk score for every ACL entry on the access-group in use
        my $count = 0;
        my @acls = access_list_lookup($_[0], $_[1]);
        foreach (@acls) {
            $count++;
            # break down the ACL and calculate the risk score …...
        }
    }

  13. Build A Simple Risk Calculator
  • Code It (in Perl): Step 5. Print out the findings.

    sub print_findings {
        # Print out the yellow and red risk finding tables from the global hashes %ACL_YL and %ACL_RED
        print "\nRisk Score Yellow Finding Table\n";
        print "FW ID,ACL Entry,ACL Risk Score,Score Breakdown\n";
        foreach my $key (sort (keys(%ACL_YL))) {
            print "$key, $ACL_YL{$key}{score}, $ACL_YL{$key}{brk_dn}\n";
        }
        print "\nRisk Score Red Finding Table\n";
        print "FW ID,ACL Entry,ACL Risk Score,Score Breakdown\n";
        foreach my $key (sort (keys(%ACL_RED))) {
            print "$key, $ACL_RED{$key}{score}, $ACL_RED{$key}{brk_dn}\n";
        }
    }
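The scoring that Step 4 leaves elided, applied to the model of slides 5 through 7, written here as an added Python example (not the talk's Perl code). The component maxima 40/80/50, the trusted blocks, risky ports, excessive port range and the 100/120 thresholds come from the slides; scaling smaller holes by prefix length, the risky-port penalty of 30 and numeric-only ports are assumptions of this example.

```python
import ipaddress
import re
# Constructed settings mirroring the risk_calc.conf values shown on slide 8.
TRUSTED = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RISKY_PORTS = {20, 21, 23, 69, 110, 111, 135, 139, 389, 445, 1433, 1521, 3306, 5432, 6000}
EXCESSIVE_PORT_RANGE, RISK_YELLOW, RISK_RED = 100, 100, 120
# Component maxima come from slide 7 ("permit ip any any" = 40 + 80 + 50). Scaling smaller
# holes by prefix length and the risky-port penalty of 30 are assumptions for this example.
MAX_SRC, MAX_DST, MAX_PORT, RISKY_PORT_PENALTY = 40, 80, 50, 30

def addr_score(tokens, weight):
    """Consume one address component (any | host A | A MASK); score the size of the hole."""
    if tokens[0] == "any":
        return weight, tokens[1:]
    if tokens[0] == "host":
        net, rest = ipaddress.ip_network(tokens[1]), tokens[2:]
    else:
        net, rest = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]
    if any(net.subnet_of(t) for t in TRUSTED):
        return 0, rest                                        # trusted block: no penalty
    return round(weight * (32 - net.prefixlen) / 32), rest    # /32 -> 0, /0 -> full weight

def port_score(tokens):
    """Score the destination port spec (numeric ports only); no spec leaves every port open."""
    if not tokens or tokens[0] not in ("eq", "gt", "lt", "range"):
        return MAX_PORT
    op, args = tokens[0], [int(t) for t in tokens[1:3] if t.isdigit()]
    if op == "eq":
        lo = hi = args[0]
    elif op == "gt":
        lo, hi = args[0] + 1, 65535
    elif op == "lt":
        lo, hi = 1, args[0] - 1
    else:
        lo, hi = args[0], args[1]
    if hi - lo + 1 >= EXCESSIVE_PORT_RANGE:
        return MAX_PORT                                       # excessive range: same as "any"
    return RISKY_PORT_PENALTY if RISKY_PORTS & set(range(lo, hi + 1)) else 0

def acl_score(line):
    """Decompose one 'access-list NAME [extended] permit PROTO SRC DST [PORTS]' line and score it."""
    m = re.match(r"access-list\s+(\S+)\s+(?:extended\s+)?permit\s+(\S+)\s+(.*)", line.strip())
    if not m:
        raise ValueError(f"not a permit ACL entry: {line!r}")
    src, rest = addr_score(m.group(3).split(), MAX_SRC)
    dst, rest = addr_score(rest, MAX_DST)
    port = port_score(rest)
    total = src + dst + port
    level = "red" if total >= RISK_RED else "yellow" if total >= RISK_YELLOW else "ok"
    return {"acl": m.group(1), "src": src, "dst": dst, "port": port, "total": total, "level": level}
```

Trailing options such as "log warnings interval 500" are ignored because they are not a port operator, so the slide 14 entry scores 40 + 80 + 50 = 170 exactly as the talk's program reports.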

  14. Build A Simple Risk Calculator
  • Program In Action:

    $ cat list_test
    ../../corpUSA/Year2010/PEN_Audit/xxx-pixa/runningAdmin.txt
    ../../corpUSA/PEN_Audit/xxx#Enterprise/runningAdmin.txt
    ../../corpUSA/Year2010/PEN_Audit/xxx-xxx-fwa/runningAdmin.txt
    $ ./risk_calc.pl -l list_test
    Reading program configuration file: ./risk_calc.conf
    Processing Cisco firewall configuration file: ../../corpUSA/Year2010/PEN_Audit/xxx-pixa/runningAdmin.txt ...
    Protected interface: app <= ACL Group: FROM_APP
    access-list FROM_APP extended permit ip any any log warnings interval 500 , Risk Score(src,des,port): 40 + 80 + 50 = 170
    Total ACLs audited in ACL group FROM_APP: 31
    ……
    Audit Completed:
    Total ACLs audited in 3 firewall(s): 285
    Total ACLs with risk score between 100-120: 0
    Total ACLs with risk score equal or greater than 120: 5
    ……

  15. Build A Simple Risk Calculator
  • What the Program Found in Practice (Summary):
  • A total of 140,464 ACL entries on 404 Cisco firewalls were examined within 30 minutes.
  • 87 firewall ACL entries were found to have a risk score of 120 or higher. 83 firewall ACL entries were found to have a risk score between 100 and 120.
  Observation: I’m really slow when it comes to manual calculation. This program saved my project.

  16. Build A Simple Risk Calculator
  • What the Program Found in Practice (Snapshot): Risky ACLs Top 10
  Note: Sensitive information is masked as xxx.

  17. Build A Simple Risk Calculator
  • What the Program Found in Practice (Bonus): The following invalid netmask (highlighted, 255.255.255.251) was found:
  • access-list allow-in permit tcp host xxx.12.254.91 xxx.12.254.113 255.255.255.251 eq 1998
  • access-list allow-in permit tcp host xxx.12.254.91 xxx.12.254.113 255.255.255.251 gt 10000
  (The last octet 251 is 11111011 in binary, so the mask has a zero bit between one bits and does not describe a contiguous prefix; a strict parser should reject it.)
  Observation: Do I say there is a bug in Cisco IOS’s netmask parser?

  18. Build A Simple Risk Calculator
  • Limitations:
  • Currently supports Cisco ASA, PIX and FWSM syntax only.
  • Subject to future Cisco ACL syntax format changes (e.g., a new ACL feature could potentially break the program).

  19. Build A Simple Risk Calculator
  • Questions and Answers?

  20. Build A Simple Risk Calculator
  • Download Link: https://sites.google.com/site/yangsspaghettihacks/file-cabinet/Risk_Calc.zip
  • Credits:
  • Perl: http://www.perl.org
  • CPAN and module “Net::CIDR”: http://www.cpan.org/
