Firewall policy reconstruction by active probing: An attacker's view

Taghrid Samak; Adel El-Atawy; Ehab Al-Shaer; Li Hong

doi:10.1109/NPSEC.2006.320342

Firewall policy reconstruction by active probing: An attacker's view

Taghrid Samak^*, Adel El-Atawy, Ehab Al-Shaer, Li Hong

^*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

11 Scopus citations

Abstract

Having a firewall policy that is correct and complete is crucial to the safety of the computer network. An adversary will benefit a lot from knowing the policy or its semantics. In this paper we show how an attacker can reconstruct a firewall's policy by probing the firewall by sending tailored packets into a network and forming an idea of what the policy looks like. We present two approaches of compiling this information into a policy that can be arbitrary close to the original one used in the deployed firewall. The first approach is based on region growing from single firewall response to sample packets. The other approach uses split-and-merge in order to divide the space of the firewall's rules and analyzes each independently. Both techniques merge the results obtained into a more compact version of the policies reconstructed.

Original language	English
Title of host publication	2nd Workshop on Secure Network Protocols, NPSec
Pages	20-25
Number of pages	6
DOIs	https://doi.org/10.1109/NPSEC.2006.320342
State	Published - 2006
Externally published	Yes
Event	2006 2nd Workshop on Secure Network Protocols, NPSec - Santa Barbara, CA, United States Duration: 12 Nov 2006 → 12 Nov 2006

Publication series

Name	2nd Workshop on Secure Network Protocols, NPSec

Conference

Conference	2006 2nd Workshop on Secure Network Protocols, NPSec
Country/Territory	United States
City	Santa Barbara, CA
Period	12/11/06 → 12/11/06

ASJC Scopus subject areas

Computer Networks and Communications

Access to Document

10.1109/NPSEC.2006.320342

Cite this

@inproceedings{e011a922d42c4ad99c722cdfb26df24b,

title = "Firewall policy reconstruction by active probing: An attacker's view",

abstract = "Having a firewall policy that is correct and complete is crucial to the safety of the computer network. An adversary will benefit a lot from knowing the policy or its semantics. In this paper we show how an attacker can reconstruct a firewall's policy by probing the firewall by sending tailored packets into a network and forming an idea of what the policy looks like. We present two approaches of compiling this information into a policy that can be arbitrary close to the original one used in the deployed firewall. The first approach is based on region growing from single firewall response to sample packets. The other approach uses split-and-merge in order to divide the space of the firewall's rules and analyzes each independently. Both techniques merge the results obtained into a more compact version of the policies reconstructed.",

author = "Taghrid Samak and Adel El-Atawy and Ehab Al-Shaer and Li Hong",

year = "2006",

doi = "10.1109/NPSEC.2006.320342",

language = "English",

isbn = "1424407737",

series = "2nd Workshop on Secure Network Protocols, NPSec",

pages = "20--25",

booktitle = "2nd Workshop on Secure Network Protocols, NPSec",

note = "2006 2nd Workshop on Secure Network Protocols, NPSec ; Conference date: 12-11-2006 Through 12-11-2006",

}

Samak, T, El-Atawy, A, Al-Shaer, E & Hong, L 2006, Firewall policy reconstruction by active probing: An attacker's view. in 2nd Workshop on Secure Network Protocols, NPSec., 4110432, 2nd Workshop on Secure Network Protocols, NPSec, pp. 20-25, 2006 2nd Workshop on Secure Network Protocols, NPSec, Santa Barbara, CA, United States, 12/11/06. https://doi.org/10.1109/NPSEC.2006.320342

TY - GEN

T1 - Firewall policy reconstruction by active probing

T2 - 2006 2nd Workshop on Secure Network Protocols, NPSec

AU - Samak, Taghrid

AU - El-Atawy, Adel

AU - Al-Shaer, Ehab

AU - Hong, Li

PY - 2006

Y1 - 2006

N2 - Having a firewall policy that is correct and complete is crucial to the safety of the computer network. An adversary will benefit a lot from knowing the policy or its semantics. In this paper we show how an attacker can reconstruct a firewall's policy by probing the firewall by sending tailored packets into a network and forming an idea of what the policy looks like. We present two approaches of compiling this information into a policy that can be arbitrary close to the original one used in the deployed firewall. The first approach is based on region growing from single firewall response to sample packets. The other approach uses split-and-merge in order to divide the space of the firewall's rules and analyzes each independently. Both techniques merge the results obtained into a more compact version of the policies reconstructed.

AB - Having a firewall policy that is correct and complete is crucial to the safety of the computer network. An adversary will benefit a lot from knowing the policy or its semantics. In this paper we show how an attacker can reconstruct a firewall's policy by probing the firewall by sending tailored packets into a network and forming an idea of what the policy looks like. We present two approaches of compiling this information into a policy that can be arbitrary close to the original one used in the deployed firewall. The first approach is based on region growing from single firewall response to sample packets. The other approach uses split-and-merge in order to divide the space of the firewall's rules and analyzes each independently. Both techniques merge the results obtained into a more compact version of the policies reconstructed.

UR - https://www.scopus.com/pages/publications/46249130521

U2 - 10.1109/NPSEC.2006.320342

DO - 10.1109/NPSEC.2006.320342

M3 - Conference contribution

AN - SCOPUS:46249130521

SN - 1424407737

SN - 9781424407736

T3 - 2nd Workshop on Secure Network Protocols, NPSec

SP - 20

EP - 25

BT - 2nd Workshop on Secure Network Protocols, NPSec

Y2 - 12 November 2006 through 12 November 2006

ER -

Firewall policy reconstruction by active probing: An attacker's view

Abstract

Publication series

Conference

ASJC Scopus subject areas

Access to Document

Fingerprint

Cite this