Keeping them Honest: Testing and Validation of Network Security Devices
-
Upload
digitallibrary -
Category
Technology
-
view
1.410 -
download
0
description
Transcript of Keeping them Honest: Testing and Validation of Network Security Devices
![Page 1: Keeping them Honest: Testing and Validation of Network Security Devices](https://reader033.fdocuments.us/reader033/viewer/2022051513/54590201b1af9f40378b5394/html5/thumbnails/1.jpg)
Keeping ‘em Honest
Testing and Validation of Network Security Devices
Dustin D. TrammellSecurity Researcher
BreakingPoint Systems, Inc.
![Page 2: Keeping them Honest: Testing and Validation of Network Security Devices](https://reader033.fdocuments.us/reader033/viewer/2022051513/54590201b1af9f40378b5394/html5/thumbnails/2.jpg)
About MeDustin D. Trammell
http://www.dustintrammell.comFounder, Computer Academic Underground (CAU)Co-Founder, Austin Hacker Association (AHA!)Employed by BreakingPoint Systems, Inc.
Security ResearcherResearch properties and scope of vulnerabilitiesDevelopment of dynamic attacks and exploits
![Page 3: Keeping them Honest: Testing and Validation of Network Security Devices](https://reader033.fdocuments.us/reader033/viewer/2022051513/54590201b1af9f40378b5394/html5/thumbnails/3.jpg)
Background & Terminology:Anatomy of an Attack
![Page 4: Keeping them Honest: Testing and Validation of Network Security Devices](https://reader033.fdocuments.us/reader033/viewer/2022051513/54590201b1af9f40378b5394/html5/thumbnails/4.jpg)
Anatomy of an Attack: Overview
![Page 5: Keeping them Honest: Testing and Validation of Network Security Devices](https://reader033.fdocuments.us/reader033/viewer/2022051513/54590201b1af9f40378b5394/html5/thumbnails/5.jpg)
Anatomy of an Attack: Network
![Page 6: Keeping them Honest: Testing and Validation of Network Security Devices](https://reader033.fdocuments.us/reader033/viewer/2022051513/54590201b1af9f40378b5394/html5/thumbnails/6.jpg)
Anatomy of an Attack: Target
![Page 7: Keeping them Honest: Testing and Validation of Network Security Devices](https://reader033.fdocuments.us/reader033/viewer/2022051513/54590201b1af9f40378b5394/html5/thumbnails/7.jpg)
Anatomy of an Exploit: Vulnerable Codeint main() {
parent();return 0;
}
void parent() {char string[13] = “Hello, World!”;child( string );
}
void child( char string[9] ) {printf( “%s\n”, string );
}
![Page 8: Keeping them Honest: Testing and Validation of Network Security Devices](https://reader033.fdocuments.us/reader033/viewer/2022051513/54590201b1af9f40378b5394/html5/thumbnails/8.jpg)
Anatomy of an Exploit: Call Stack
![Page 9: Keeping them Honest: Testing and Validation of Network Security Devices](https://reader033.fdocuments.us/reader033/viewer/2022051513/54590201b1af9f40378b5394/html5/thumbnails/9.jpg)
Anatomy of an Exploit: Buffer Overflow
![Page 10: Keeping them Honest: Testing and Validation of Network Security Devices](https://reader033.fdocuments.us/reader033/viewer/2022051513/54590201b1af9f40378b5394/html5/thumbnails/10.jpg)
Network SecurityDevices
![Page 11: Keeping them Honest: Testing and Validation of Network Security Devices](https://reader033.fdocuments.us/reader033/viewer/2022051513/54590201b1af9f40378b5394/html5/thumbnails/11.jpg)
Scope of DiscussionFirewalls
TraditionalApplication AwareWeb ApplicationSession Border Controllers (SBC) (VoIP)Client-side / Host-based / “Personal”
Intrusion MonitoringIntrusion Detection Systems (IDS)Intrusion Prevention Systems (IPS)Host-based IPS
![Page 12: Keeping them Honest: Testing and Validation of Network Security Devices](https://reader033.fdocuments.us/reader033/viewer/2022051513/54590201b1af9f40378b5394/html5/thumbnails/12.jpg)
Firewalls
![Page 13: Keeping them Honest: Testing and Validation of Network Security Devices](https://reader033.fdocuments.us/reader033/viewer/2022051513/54590201b1af9f40378b5394/html5/thumbnails/13.jpg)
Firewall Business ModelOne-time sale of appliance or softwareSale of independent “Application Modules” for content-awarenessService contract for:
Software updatesSupport
![Page 14: Keeping them Honest: Testing and Validation of Network Security Devices](https://reader033.fdocuments.us/reader033/viewer/2022051513/54590201b1af9f40378b5394/html5/thumbnails/14.jpg)
Firewalls: Filtering ApproachLayer 3
Source and Destination Network Addresses Layer 4
Transport Protocol (TCP/UDP)Transport Protocol Ports
Layer 5 - 7Session PropertiesApplication IdentificationApplication Content
![Page 15: Keeping them Honest: Testing and Validation of Network Security Devices](https://reader033.fdocuments.us/reader033/viewer/2022051513/54590201b1af9f40378b5394/html5/thumbnails/15.jpg)
Firewall Vendor Claims
![Page 16: Keeping them Honest: Testing and Validation of Network Security Devices](https://reader033.fdocuments.us/reader033/viewer/2022051513/54590201b1af9f40378b5394/html5/thumbnails/16.jpg)
“We block Application X”What this may really mean:
“We block TCP ports xxxx-yyyy which App X uses”“We detect App X’s setup sequence and block it”“We actually do detect Application X and track it”“...but only if it’s unencrypted.”
Tests:Try App X “raw” on different portsTry detecting an App X session already in progressTry App X over any legitimate transport protocolTunnel App X inside a different protocolWrap App X’s traffic in encryption
![Page 17: Keeping them Honest: Testing and Validation of Network Security Devices](https://reader033.fdocuments.us/reader033/viewer/2022051513/54590201b1af9f40378b5394/html5/thumbnails/17.jpg)
Intrusion Detection andPrevention Systems
![Page 18: Keeping them Honest: Testing and Validation of Network Security Devices](https://reader033.fdocuments.us/reader033/viewer/2022051513/54590201b1af9f40378b5394/html5/thumbnails/18.jpg)
IDS/IPS Business ModelOne-time sale of appliance or softwareContent service for signature / filter updates
Content packs add and remove filtersIncremental signature / filter solutions for new vulnerabilities
Service contract for:Software updatesSupport
![Page 19: Keeping them Honest: Testing and Validation of Network Security Devices](https://reader033.fdocuments.us/reader033/viewer/2022051513/54590201b1af9f40378b5394/html5/thumbnails/19.jpg)
IDS/IPS Filter ApproachNetwork Layer Information:
Source and Destination Network AddressesTransport Layer Information:
Transport Protocol (TCP/UDP)Transport Protocol Ports
Application Layer Information:Static data matchingRegular Expression matchingBehavioral tracking / Anomaly Detection
![Page 20: Keeping them Honest: Testing and Validation of Network Security Devices](https://reader033.fdocuments.us/reader033/viewer/2022051513/54590201b1af9f40378b5394/html5/thumbnails/20.jpg)
IDS/IPS Filter ClassificationVulnerability Filters (the holy grail)
Usually a combination of:Attack vectorSomething vulnerability specific
Policy FiltersTransports, Protocols, file types, functions, etc.Think firewall & attack vectors
Exploit FiltersGenerally one-offs, found in the wildThink malware/anti-virus approach
Payload Filtersexec /bin/sh, mail /etc/passwd, etc.
Evasion FiltersData encodings / padding techniquesEncoded payload decoder stubs
![Page 21: Keeping them Honest: Testing and Validation of Network Security Devices](https://reader033.fdocuments.us/reader033/viewer/2022051513/54590201b1af9f40378b5394/html5/thumbnails/21.jpg)
Retaining IDS/IPS PerformanceVendor
Ship product with a small default filter setProvide a larger “recommended” filter setDisable old default filters in favor of newEncourage customers to customize filter set
CustomerDefine your own filter setTest content updates prior to production
![Page 22: Keeping them Honest: Testing and Validation of Network Security Devices](https://reader033.fdocuments.us/reader033/viewer/2022051513/54590201b1af9f40378b5394/html5/thumbnails/22.jpg)
IDS/IPS Vendor Claims
![Page 23: Keeping them Honest: Testing and Validation of Network Security Devices](https://reader033.fdocuments.us/reader033/viewer/2022051513/54590201b1af9f40378b5394/html5/thumbnails/23.jpg)
“We detect/block vulnerability X”What this may really mean:
“We detect traffic that looks like exploit A, B, etc. for vulnerability X”“We detect traffic targeting TCP/UDP ports xxxx-yyyy”“We block legitimate functionality which is used as an attack vector for vulnerability X”“We actually do block vulnerability X”
Tests:Trigger the vulnerability via different attack vectorsRandomize data in the exploit and payloadUse exploit and payload encodersSend legitimate traffic that uses the functionality (false positive)
![Page 24: Keeping them Honest: Testing and Validation of Network Security Devices](https://reader033.fdocuments.us/reader033/viewer/2022051513/54590201b1af9f40378b5394/html5/thumbnails/24.jpg)
Designing Test Cases for Vulnerability Coverage
Testing
![Page 25: Keeping them Honest: Testing and Validation of Network Security Devices](https://reader033.fdocuments.us/reader033/viewer/2022051513/54590201b1af9f40378b5394/html5/thumbnails/25.jpg)
Common FailuresFilter is specific to a particular attack vector
Vectors: HTTP, FTP, SMTP, etc.Reason: Most devices are architected to target narrow scopes (performance)
Filter is specific to a particular exploitMany exploits are caught in the wild prior to the vulnerability being completely understoodReason: Filters are developed once and not updatedReason: Filters aren’t aware of appropriate locations for permutation (too static)
![Page 26: Keeping them Honest: Testing and Validation of Network Security Devices](https://reader033.fdocuments.us/reader033/viewer/2022051513/54590201b1af9f40378b5394/html5/thumbnails/26.jpg)
Who Should Test?Vendor
Verify their filters are as robust as possibleVerify their filters do what they claim they do
CustomerVerify the vendor’s claims are validPeace of mind
3rd PartyCustomer Audit / ComplianceVendor Product Certification
![Page 27: Keeping them Honest: Testing and Validation of Network Security Devices](https://reader033.fdocuments.us/reader033/viewer/2022051513/54590201b1af9f40378b5394/html5/thumbnails/27.jpg)
Testing Methodology OverviewRun as many unique test cases for a single vulnerability as you possibly canAccurately reproducing a single or a set of test cases is extremely importantUse randomization similar to Fuzzing methodologies
![Page 28: Keeping them Honest: Testing and Validation of Network Security Devices](https://reader033.fdocuments.us/reader033/viewer/2022051513/54590201b1af9f40378b5394/html5/thumbnails/28.jpg)
Know Your TargetTechniques:
Test as many ways to trigger the vulnerability as possibleTest legitimate use cases of the target vulnerable functionality
Goals:Verify that vulnerability filters are actually triggering on the vulnerability itselfVerify that vulnerability filters are not triggering solely on the target functionality
![Page 29: Keeping them Honest: Testing and Validation of Network Security Devices](https://reader033.fdocuments.us/reader033/viewer/2022051513/54590201b1af9f40378b5394/html5/thumbnails/29.jpg)
Know Your Attack VectorsTechniques:
Use as many network transports as possibleUse as many protocols as possibleUse as many code paths as possibleTest with both enabled and disabled Policy Filters
Goals:Verify that vulnerability filters are not triggering solely on the attack vectorVerify that vulnerability filters are not reliant upon a particular attack vectorVerify that policy filters trigger on appropriate attack vectors
![Page 30: Keeping them Honest: Testing and Validation of Network Security Devices](https://reader033.fdocuments.us/reader033/viewer/2022051513/54590201b1af9f40378b5394/html5/thumbnails/30.jpg)
Know Your ExploitTechniques:
Randomize values as much as possibleRandomize locations as much as possibleRandomize sizes as much as possibleUse as many data encodings as possible
Goals:Verify that vulnerability filters aren’t reliant upon specific versions of exploitsVerify that filters aren’t reliant upon a particular data encodingVerify that exploit filters catch exploit permutationsVerify that evasion filters catch encodings, padding, etc.
![Page 31: Keeping them Honest: Testing and Validation of Network Security Devices](https://reader033.fdocuments.us/reader033/viewer/2022051513/54590201b1af9f40378b5394/html5/thumbnails/31.jpg)
Know Your PayloadTechniques:
Use randomized data as payloadUse payload encoders
Goals:Verify that vulnerability filters are not reliant upon specific payloadsVerify that exploit filters are not reliant upon specific payloadsVerify that evasion filters are triggering on appropriate payload encoders
![Page 32: Keeping them Honest: Testing and Validation of Network Security Devices](https://reader033.fdocuments.us/reader033/viewer/2022051513/54590201b1af9f40378b5394/html5/thumbnails/32.jpg)
Vulnerability FilterCase Studies
![Page 33: Keeping them Honest: Testing and Validation of Network Security Devices](https://reader033.fdocuments.us/reader033/viewer/2022051513/54590201b1af9f40378b5394/html5/thumbnails/33.jpg)
MS07-055Kodak Image Viewer Remote Code ExecutionMicrosoft Rating: CriticalDefault image viewer on Windows 2000 and systems upgraded from Windows 2000Vulnerability in how the viewer handles maliciously-crafted TIFF filesBug in parsing the BitsPerSample IFD entry
Set this structure’s Offset field to arbitrary file data
![Page 34: Keeping them Honest: Testing and Validation of Network Security Devices](https://reader033.fdocuments.us/reader033/viewer/2022051513/54590201b1af9f40378b5394/html5/thumbnails/34.jpg)
MS07-055 PropertiesTIFF internal values can be encoded as either little-endian or big-endian formatTIFF is an object-oriented file formatObjects can appear in any orderVulnerability is in the parsing of a particular IFD entry objectIFD entry objects can be in any orderMultiple IFD objects can exist in the file
![Page 35: Keeping them Honest: Testing and Validation of Network Security Devices](https://reader033.fdocuments.us/reader033/viewer/2022051513/54590201b1af9f40378b5394/html5/thumbnails/35.jpg)
MS07-055 Filter DeficienciesOne IPS would only detect malicious big-endian TIFF filesOne IPS would only detect if the malicious object was within the first 310 bytesMultiple IPSs would only detect the malicious file when transferred via HTTP
![Page 36: Keeping them Honest: Testing and Validation of Network Security Devices](https://reader033.fdocuments.us/reader033/viewer/2022051513/54590201b1af9f40378b5394/html5/thumbnails/36.jpg)
MS07-061Windows URI Handling Remote Code ExecutionMicrosoft Rating: CriticalAll versions of Windows XP and Server 2003Vulnerability in how the Windows shell handles maliciously-crafted URIsVector Requirement: Needs a method for resolving a URI without user intervention
![Page 37: Keeping them Honest: Testing and Validation of Network Security Devices](https://reader033.fdocuments.us/reader033/viewer/2022051513/54590201b1af9f40378b5394/html5/thumbnails/37.jpg)
MS07-061 PropertiesBug in Adobe PDF Viewer allows “mailto:” URI resolution without user intervention!PDF is an object-oriented file formatPDF objects can appear in any orderPDF action object triggers URI resolution via the OSs ShellExecute()ShellExecute() calls IE7 as default URI handler for “mailto:”IE7 bails back to the OS because the URI is malformedShellExecute() attempts to fix and resolve the URI againShellExecute() inadvertently executes arbitrary commands
![Page 38: Keeping them Honest: Testing and Validation of Network Security Devices](https://reader033.fdocuments.us/reader033/viewer/2022051513/54590201b1af9f40378b5394/html5/thumbnails/38.jpg)
MS07-061 Filter DeficienciesOne IPS would only detect a particular version of the malicious URIMultiple IPSs would only detect the malicious file when transferred via HTTP or SMTPOne IPS would only detect the malicious file when encoded within SMTP as base64Multiple IPSs tested expected PDF as the attack vector for the malicious URI
![Page 39: Keeping them Honest: Testing and Validation of Network Security Devices](https://reader033.fdocuments.us/reader033/viewer/2022051513/54590201b1af9f40378b5394/html5/thumbnails/39.jpg)
Device Performance Testing
![Page 40: Keeping them Honest: Testing and Validation of Network Security Devices](https://reader033.fdocuments.us/reader033/viewer/2022051513/54590201b1af9f40378b5394/html5/thumbnails/40.jpg)
Performance TestingDevice’s ability to provide security coverage while under loadMost security vendors don’t test this:
Filter set tests are usually performed in a vacuumFilter sets are tested with a single test case or small samplings of test data
Approaches:Test on a live network (not recommended)Use application simulation appliance or softwareRe-use vulnerability test cases from previous testsRun test cases and application simulation simultaneously
![Page 41: Keeping them Honest: Testing and Validation of Network Security Devices](https://reader033.fdocuments.us/reader033/viewer/2022051513/54590201b1af9f40378b5394/html5/thumbnails/41.jpg)
Performance Test CaseTwo test scenarios:
Set of attacks with 1 Mb/s background trafficSet of attacks with 1 Gb/s background traffic
Two industry leading devices tested:Device A
Industry LeaderMulti-gigabit IPS
Device BIndustry Leader’s close competitorMulti-gigabit IPS
![Page 42: Keeping them Honest: Testing and Validation of Network Security Devices](https://reader033.fdocuments.us/reader033/viewer/2022051513/54590201b1af9f40378b5394/html5/thumbnails/42.jpg)
Missed Attacks Under Load
![Page 43: Keeping them Honest: Testing and Validation of Network Security Devices](https://reader033.fdocuments.us/reader033/viewer/2022051513/54590201b1af9f40378b5394/html5/thumbnails/43.jpg)
Blocked Attacks Under Load
![Page 44: Keeping them Honest: Testing and Validation of Network Security Devices](https://reader033.fdocuments.us/reader033/viewer/2022051513/54590201b1af9f40378b5394/html5/thumbnails/44.jpg)
Filter Set Performance TestDetermining how a content update and filter-set size impacts latencyThree tests
Baseline: All Filters DisabledPre-Update: Vendor Default Filter SetPost-Update: Updated Filters Enabled
![Page 45: Keeping them Honest: Testing and Validation of Network Security Devices](https://reader033.fdocuments.us/reader033/viewer/2022051513/54590201b1af9f40378b5394/html5/thumbnails/45.jpg)
Maximum Latency Observed
![Page 46: Keeping them Honest: Testing and Validation of Network Security Devices](https://reader033.fdocuments.us/reader033/viewer/2022051513/54590201b1af9f40378b5394/html5/thumbnails/46.jpg)
Average Latency Observed
![Page 47: Keeping them Honest: Testing and Validation of Network Security Devices](https://reader033.fdocuments.us/reader033/viewer/2022051513/54590201b1af9f40378b5394/html5/thumbnails/47.jpg)
Conclusions