Keeping them Honest: Testing and Validation of Network Security Devices

47
Keeping ‘em Honest Testing and Validation of Network Security Devices Dustin D. Trammell Security Researcher BreakingPoint Systems, Inc.

description

You know what your firewall, NAC system and IPS are supposed to do, but do you know how well they're doing it? Learn how to verify that your network security devices are working appropriately and doing so under load. Learn methodologies for testing these various types of devices, where these devices commonly fail and how to design dynamic and comprehensive test cases to identify these failures.

Transcript of Keeping them Honest: Testing and Validation of Network Security Devices

Page 1: Keeping them Honest: Testing and Validation of Network Security Devices

Keeping ‘em Honest

Testing and Validation of Network Security Devices

Dustin D. TrammellSecurity Researcher

BreakingPoint Systems, Inc.

Page 2: Keeping them Honest: Testing and Validation of Network Security Devices

About MeDustin D. Trammell

http://www.dustintrammell.comFounder, Computer Academic Underground (CAU)Co-Founder, Austin Hacker Association (AHA!)Employed by BreakingPoint Systems, Inc.

Security ResearcherResearch properties and scope of vulnerabilitiesDevelopment of dynamic attacks and exploits

Page 3: Keeping them Honest: Testing and Validation of Network Security Devices

Background & Terminology:Anatomy of an Attack

Page 4: Keeping them Honest: Testing and Validation of Network Security Devices

Anatomy of an Attack: Overview

Page 5: Keeping them Honest: Testing and Validation of Network Security Devices

Anatomy of an Attack: Network

Page 6: Keeping them Honest: Testing and Validation of Network Security Devices

Anatomy of an Attack: Target

Page 7: Keeping them Honest: Testing and Validation of Network Security Devices

Anatomy of an Exploit: Vulnerable Codeint main() {

parent();return 0;

}

void parent() {char string[13] = “Hello, World!”;child( string );

}

void child( char string[9] ) {printf( “%s\n”, string );

}

Page 8: Keeping them Honest: Testing and Validation of Network Security Devices

Anatomy of an Exploit: Call Stack

Page 9: Keeping them Honest: Testing and Validation of Network Security Devices

Anatomy of an Exploit: Buffer Overflow

Page 10: Keeping them Honest: Testing and Validation of Network Security Devices

Network SecurityDevices

Page 11: Keeping them Honest: Testing and Validation of Network Security Devices

Scope of DiscussionFirewalls

TraditionalApplication AwareWeb ApplicationSession Border Controllers (SBC) (VoIP)Client-side / Host-based / “Personal”

Intrusion MonitoringIntrusion Detection Systems (IDS)Intrusion Prevention Systems (IPS)Host-based IPS

Page 12: Keeping them Honest: Testing and Validation of Network Security Devices

Firewalls

Page 13: Keeping them Honest: Testing and Validation of Network Security Devices

Firewall Business ModelOne-time sale of appliance or softwareSale of independent “Application Modules” for content-awarenessService contract for:

Software updatesSupport

Page 14: Keeping them Honest: Testing and Validation of Network Security Devices

Firewalls: Filtering ApproachLayer 3

Source and Destination Network Addresses Layer 4

Transport Protocol (TCP/UDP)Transport Protocol Ports

Layer 5 - 7Session PropertiesApplication IdentificationApplication Content

Page 15: Keeping them Honest: Testing and Validation of Network Security Devices

Firewall Vendor Claims

Page 16: Keeping them Honest: Testing and Validation of Network Security Devices

“We block Application X”What this may really mean:

“We block TCP ports xxxx-yyyy which App X uses”“We detect App X’s setup sequence and block it”“We actually do detect Application X and track it”“...but only if it’s unencrypted.”

Tests:Try App X “raw” on different portsTry detecting an App X session already in progressTry App X over any legitimate transport protocolTunnel App X inside a different protocolWrap App X’s traffic in encryption

Page 17: Keeping them Honest: Testing and Validation of Network Security Devices

Intrusion Detection andPrevention Systems

Page 18: Keeping them Honest: Testing and Validation of Network Security Devices

IDS/IPS Business ModelOne-time sale of appliance or softwareContent service for signature / filter updates

Content packs add and remove filtersIncremental signature / filter solutions for new vulnerabilities

Service contract for:Software updatesSupport

Page 19: Keeping them Honest: Testing and Validation of Network Security Devices

IDS/IPS Filter ApproachNetwork Layer Information:

Source and Destination Network AddressesTransport Layer Information:

Transport Protocol (TCP/UDP)Transport Protocol Ports

Application Layer Information:Static data matchingRegular Expression matchingBehavioral tracking / Anomaly Detection

Page 20: Keeping them Honest: Testing and Validation of Network Security Devices

IDS/IPS Filter ClassificationVulnerability Filters (the holy grail)

Usually a combination of:Attack vectorSomething vulnerability specific

Policy FiltersTransports, Protocols, file types, functions, etc.Think firewall & attack vectors

Exploit FiltersGenerally one-offs, found in the wildThink malware/anti-virus approach

Payload Filtersexec /bin/sh, mail /etc/passwd, etc.

Evasion FiltersData encodings / padding techniquesEncoded payload decoder stubs

Page 21: Keeping them Honest: Testing and Validation of Network Security Devices

Retaining IDS/IPS PerformanceVendor

Ship product with a small default filter setProvide a larger “recommended” filter setDisable old default filters in favor of newEncourage customers to customize filter set

CustomerDefine your own filter setTest content updates prior to production

Page 22: Keeping them Honest: Testing and Validation of Network Security Devices

IDS/IPS Vendor Claims

Page 23: Keeping them Honest: Testing and Validation of Network Security Devices

“We detect/block vulnerability X”What this may really mean:

“We detect traffic that looks like exploit A, B, etc. for vulnerability X”“We detect traffic targeting TCP/UDP ports xxxx-yyyy”“We block legitimate functionality which is used as an attack vector for vulnerability X”“We actually do block vulnerability X”

Tests:Trigger the vulnerability via different attack vectorsRandomize data in the exploit and payloadUse exploit and payload encodersSend legitimate traffic that uses the functionality (false positive)

Page 24: Keeping them Honest: Testing and Validation of Network Security Devices

Designing Test Cases for Vulnerability Coverage

Testing

Page 25: Keeping them Honest: Testing and Validation of Network Security Devices

Common FailuresFilter is specific to a particular attack vector

Vectors: HTTP, FTP, SMTP, etc.Reason: Most devices are architected to target narrow scopes (performance)

Filter is specific to a particular exploitMany exploits are caught in the wild prior to the vulnerability being completely understoodReason: Filters are developed once and not updatedReason: Filters aren’t aware of appropriate locations for permutation (too static)

Page 26: Keeping them Honest: Testing and Validation of Network Security Devices

Who Should Test?Vendor

Verify their filters are as robust as possibleVerify their filters do what they claim they do

CustomerVerify the vendor’s claims are validPeace of mind

3rd PartyCustomer Audit / ComplianceVendor Product Certification

Page 27: Keeping them Honest: Testing and Validation of Network Security Devices

Testing Methodology OverviewRun as many unique test cases for a single vulnerability as you possibly canAccurately reproducing a single or a set of test cases is extremely importantUse randomization similar to Fuzzing methodologies

Page 28: Keeping them Honest: Testing and Validation of Network Security Devices

Know Your TargetTechniques:

Test as many ways to trigger the vulnerability as possibleTest legitimate use cases of the target vulnerable functionality

Goals:Verify that vulnerability filters are actually triggering on the vulnerability itselfVerify that vulnerability filters are not triggering solely on the target functionality

Page 29: Keeping them Honest: Testing and Validation of Network Security Devices

Know Your Attack VectorsTechniques:

Use as many network transports as possibleUse as many protocols as possibleUse as many code paths as possibleTest with both enabled and disabled Policy Filters

Goals:Verify that vulnerability filters are not triggering solely on the attack vectorVerify that vulnerability filters are not reliant upon a particular attack vectorVerify that policy filters trigger on appropriate attack vectors

Page 30: Keeping them Honest: Testing and Validation of Network Security Devices

Know Your ExploitTechniques:

Randomize values as much as possibleRandomize locations as much as possibleRandomize sizes as much as possibleUse as many data encodings as possible

Goals:Verify that vulnerability filters aren’t reliant upon specific versions of exploitsVerify that filters aren’t reliant upon a particular data encodingVerify that exploit filters catch exploit permutationsVerify that evasion filters catch encodings, padding, etc.

Page 31: Keeping them Honest: Testing and Validation of Network Security Devices

Know Your PayloadTechniques:

Use randomized data as payloadUse payload encoders

Goals:Verify that vulnerability filters are not reliant upon specific payloadsVerify that exploit filters are not reliant upon specific payloadsVerify that evasion filters are triggering on appropriate payload encoders

Page 32: Keeping them Honest: Testing and Validation of Network Security Devices

Vulnerability FilterCase Studies

Page 33: Keeping them Honest: Testing and Validation of Network Security Devices

MS07-055Kodak Image Viewer Remote Code ExecutionMicrosoft Rating: CriticalDefault image viewer on Windows 2000 and systems upgraded from Windows 2000Vulnerability in how the viewer handles maliciously-crafted TIFF filesBug in parsing the BitsPerSample IFD entry

Set this structure’s Offset field to arbitrary file data

Page 34: Keeping them Honest: Testing and Validation of Network Security Devices

MS07-055 PropertiesTIFF internal values can be encoded as either little-endian or big-endian formatTIFF is an object-oriented file formatObjects can appear in any orderVulnerability is in the parsing of a particular IFD entry objectIFD entry objects can be in any orderMultiple IFD objects can exist in the file

Page 35: Keeping them Honest: Testing and Validation of Network Security Devices

MS07-055 Filter DeficienciesOne IPS would only detect malicious big-endian TIFF filesOne IPS would only detect if the malicious object was within the first 310 bytesMultiple IPSs would only detect the malicious file when transferred via HTTP

Page 36: Keeping them Honest: Testing and Validation of Network Security Devices

MS07-061Windows URI Handling Remote Code ExecutionMicrosoft Rating: CriticalAll versions of Windows XP and Server 2003Vulnerability in how the Windows shell handles maliciously-crafted URIsVector Requirement: Needs a method for resolving a URI without user intervention

Page 37: Keeping them Honest: Testing and Validation of Network Security Devices

MS07-061 PropertiesBug in Adobe PDF Viewer allows “mailto:” URI resolution without user intervention!PDF is an object-oriented file formatPDF objects can appear in any orderPDF action object triggers URI resolution via the OSs ShellExecute()ShellExecute() calls IE7 as default URI handler for “mailto:”IE7 bails back to the OS because the URI is malformedShellExecute() attempts to fix and resolve the URI againShellExecute() inadvertently executes arbitrary commands

Page 38: Keeping them Honest: Testing and Validation of Network Security Devices

MS07-061 Filter DeficienciesOne IPS would only detect a particular version of the malicious URIMultiple IPSs would only detect the malicious file when transferred via HTTP or SMTPOne IPS would only detect the malicious file when encoded within SMTP as base64Multiple IPSs tested expected PDF as the attack vector for the malicious URI

Page 39: Keeping them Honest: Testing and Validation of Network Security Devices

Device Performance Testing

Page 40: Keeping them Honest: Testing and Validation of Network Security Devices

Performance TestingDevice’s ability to provide security coverage while under loadMost security vendors don’t test this:

Filter set tests are usually performed in a vacuumFilter sets are tested with a single test case or small samplings of test data

Approaches:Test on a live network (not recommended)Use application simulation appliance or softwareRe-use vulnerability test cases from previous testsRun test cases and application simulation simultaneously

Page 41: Keeping them Honest: Testing and Validation of Network Security Devices

Performance Test CaseTwo test scenarios:

Set of attacks with 1 Mb/s background trafficSet of attacks with 1 Gb/s background traffic

Two industry leading devices tested:Device A

Industry LeaderMulti-gigabit IPS

Device BIndustry Leader’s close competitorMulti-gigabit IPS

Page 42: Keeping them Honest: Testing and Validation of Network Security Devices

Missed Attacks Under Load

Page 43: Keeping them Honest: Testing and Validation of Network Security Devices

Blocked Attacks Under Load

Page 44: Keeping them Honest: Testing and Validation of Network Security Devices

Filter Set Performance TestDetermining how a content update and filter-set size impacts latencyThree tests

Baseline: All Filters DisabledPre-Update: Vendor Default Filter SetPost-Update: Updated Filters Enabled

Page 45: Keeping them Honest: Testing and Validation of Network Security Devices

Maximum Latency Observed

Page 46: Keeping them Honest: Testing and Validation of Network Security Devices

Average Latency Observed

Page 47: Keeping them Honest: Testing and Validation of Network Security Devices

Conclusions