
The Role of Firewalls in Network Security: A Prestudy for Firewall Threat Modeling


Academic year: 2021


DEGREE PROJECT IN COMPUTER ENGINEERING, FIRST CYCLE, 15 CREDITS
STOCKHOLM, SWEDEN 2018

The Role of Firewalls in Network Security
A Prestudy for Firewall Threat Modeling

JANI BONNEVIER
SEBASTIAN HEIMLÉN


Abstract

Firewalls help protect computer networks from intrusions and malware by enforcing restrictions on what network traffic is allowed to pass through the firewall into the network. This thesis explores the role of firewalls in network security, with the ultimate goal of advancing attempts to create a threat model for firewalls. Five areas are explored, namely:

• Definitions of Concepts

• Firewalls vs. Services as Targets for Direct Attack

• The Past and Future of Firewalls

• Approach to Estimating Firewall Security

• Firewall Configuration and Security Policies

These areas are explored using a questionnaire survey. Each question in the questionnaire is either tied to a particular area or is used to evaluate the respondents' credibility. The questionnaire has 15 questions, many of which ask for free-text answers. The group of potential respondents consists of 209 individuals, of whom about 75 % are authors of scientific articles that discuss firewalls, penetration testing and other relevant topics. The rest are information security professionals, journalists or bloggers of varying merit who were found online.

20 responses to the questionnaire were received. Responses to qualitative questions were coded to produce some quantitative data.

The conclusions drawn based on the results include, among other things:

• Attackers tend to directly target network services rather than firewalls.

• Respondents disagreed on whether the role of firewalls is currently changing.

• A possible approach to estimating firewall security takes into account the network services that the firewall protects.

• Firewall configurations frequently do not match the security policies of the organizations in which the firewalls are deployed.

Keywords

firewall; firewall configuration; threat modeling; network security; information security


Sammanfattning (Swedish summary)

Swedish title: Brandväggars roll i nätverkssäkerhet: En förstudie för hotmodellering av brandväggar

Firewalls help protect computer networks from intrusions and malware by restricting the traffic that is allowed to pass through the firewall into the network. This thesis explores the role of firewalls in network security with the aim of making progress in attempts to create a threat model for firewalls. Five areas are explored, namely:

• Definitions of concepts

• Firewalls versus services as targets for direct attack

• The history and future of the firewall

• Approaches to estimating firewall security

• Firewall configuration and security policies

These areas are explored through a questionnaire study. Each question in the questionnaire either belongs to a specific area or is used to evaluate the respondents' credibility. The questionnaire has 15 questions, many of which ask for free-text answers. The group of potential respondents consists of 209 individuals, of whom about 75 % are authors of scientific articles that deal with firewalls, penetration testing and other relevant topics. The rest are professional security consultants, journalists or bloggers with varying merits in information security or networking.

20 responses to the questionnaire were received. Answers to qualitative questions were classified to produce quantitative data.

The conclusions drawn from the results include, among others:

• Attackers tend to have network services, rather than firewalls, as their direct targets.

• Respondents disagreed on whether the role of firewalls is currently changing.

• One possible approach to estimating firewall security takes into account the network services that the firewall protects.

• Firewall configurations often do not agree with the security guidelines of the organizations in which the firewalls are in use.

Nyckelord (Swedish keywords)

brandvägg; brandväggskonfiguration; hotmodellering; nätverkssäkerhet; informationssäkerhet


Glossary

attacker — A person who illegally gains access to and/or tampers with information in a computer system.

brute force attack — A repetitive method of trial and error used to obtain information, typically a person's username, password or cryptographic key. Software is used to generate a large number of guesses, which are then tested until the correct value is found.

DNS — Domain Name System. A system that maps domain names to IP addresses. In the context of this thesis, DNS refers to the network services provided by DNS servers.

firewall — A device that monitors traffic in and out of a local area network and either allows or denies passage according to its configuration/ruleset.

FTP — File Transfer Protocol. In the context of this thesis, FTP refers to the network services provided by FTP servers.

HTTP — Hypertext Transfer Protocol. The foundation of communication for the World Wide Web. In the context of this thesis, HTTP refers to the network services provided by web servers.

ICMP — Internet Control Message Protocol. Used by network devices to communicate outside of regular data transmission, as well as by tools such as ping and traceroute.

penetration tester; pentester — A person hired to conduct penetration testing.

penetration testing; pentesting — The authorized practice of attempting to find vulnerabilities in a computer system or network through practical means.

SMTP — Simple Mail Transfer Protocol. A protocol for sending email. In the context of this thesis, SMTP refers to the network services provided by outgoing SMTP email servers.

Telnet — A protocol that enables remote terminal connections and interactions between computers. Unencrypted and superseded by the encrypted SSH protocol. In the context of this thesis, Telnet is referred to as a network service rather than a protocol.

threat model — A model containing the data required to analyze and assess the security of an IT system.


Table of Contents

1 Introduction
1.1 Background
1.2 Problem Statement
1.3 Purpose
1.4 Research Strategy
1.5 Goals
1.6 Societal Benefits and Ethics
1.7 Delimitations
1.8 Outline

2 Theoretical Background
2.1 Security Policies
2.2 Firewall Fundamentals
2.3 Research Methods and Methodologies
2.4 Practical Requirements for Scientificity
2.5 Related Work

3 Method
3.1 Research Questions
3.2 Practical Implementation of Research Method
3.3 Coding
3.4 Weighting

4 Result
4.1 Respondents' Experience
4.2 Respondents' Roles in Information Security
4.3 Regularly Examines Firewalls
4.4 Definition of a Firewall Configuration Error
4.5 Definition of Firewall Breach
4.6 Firewall vs. Services as Targets for Attack
4.7 The Role of Firewalls Over the Last Five Years
4.8 The Role of Firewalls in the Cloud
4.9 Control Question 1: Firewall Ruleset
4.10 Control Question 2: Most Important Traffic to Block
4.11 Most Frequently Exposed Services
4.12 Most Frequently Vulnerable Services
4.13 Match Between Firewall Configurations and Security Policies
4.14 Percentage of Firewalls with Configuration-Policy Mismatches
4.15 Correlation Between Vulnerable and Exposed Network Services
4.16 Correlation Between Q14 and Q15

5 Discussion
5.1 Results
5.2 Research Methods
5.3 Validity and Reliability
5.4 Scientificity
5.5 Limitations
5.6 Conclusion
5.7 Future Work

References

Appendix A: The Questionnaire


1 Introduction

This section introduces the thesis, the background to the problem, the problem statement, the purpose, the research strategy and the goals of the project.

The history of computer networking in general, and the Internet in particular, has consisted of one security disaster after another, and that will likely continue to be the case for the foreseeable future. Over the years, a plethora of security features have been put in place to protect individuals and organizations from malicious attacks.

One of those security features can be likened to a border control between the Wild West of the Internet and private local area networks, namely the firewall¹. A firewall is a device or computer program created to protect the networks behind it from malicious traffic by filtering the traffic into and out of those networks.

Firewalls are, in some sense, not a core feature of the Internet; they have to be bought, installed and configured correctly to do their job properly. They also have to be continuously maintained. The same goes for applications that run inside the network. As a computer network grows larger and more applications are installed and used, the complexity of managing and updating these applications, as well as the firewall, increases. Thus the risk of failing to maintain the security of the network also increases as the network grows.

1.1 Background

This study emerged from one company and their efforts to extend their product.

1.1.1 Foreseeti

Foreseeti is an IT security company based in Stockholm, Sweden.

Foreseeti was founded in 2014 and strives to become a "global leader in quantitative threat modeling and proactive risk management". Foreseeti has developed a product called SecuriCAD®, which is a threat modeling and risk management tool that can be used to analyze IT infrastructure and model threats and weaknesses [1].

1.1.2 Problem Background

The SecuriCAD® software developed by Foreseeti employs a probabilistic calculation engine to simulate attacks on IT infrastructure, for example corporate networks. This calculation engine requires a lot of data to be able to perform good attack simulations. Foreseeti reached out and wanted to investigate and obtain more data regarding firewall security; specifically the time it takes an attacker to breach a firewall in the case it contains a misconfiguration. The correlation between firewall misconfigurations and the time to breach the firewall has not been studied much. Foreseeti wanted to conduct a quantitative study on firewalls, the results of which could be used to directly improve SecuriCAD®.

¹ The reader may think of a firewall as something that they have on their own computer. Those are indeed firewalls, but not of the kind this thesis is concerned with.

1.2 Problem Statement

A problem statement was proposed by Foreseeti and the study commenced. However, certain complications were encountered that ultimately resulted in a different problem statement.

1.2.1 Original Problem

Corporate firewalls supposedly play a part in restricting access to the organization's local networks, protecting the company from malware and attackers [2].

Configuring and managing these firewalls is, however, complex and prone to human error [3]. Studies [4], [5] have shown that firewalls protecting corporate networks are often poorly configured, which leads to security risks. The main problem statement requested by Foreseeti was the following.

How likely is it that a professional penetration tester can breach a typical enterprise firewall in a certain amount of time?

The statement essentially calls for the quantification of firewall security. This is a question Foreseeti have had trouble answering, and this project was initially going to attempt the same.

1.2.2 Final Problem Statement

After some work on the aforementioned problem, it became apparent during our questionnaire prestudy (Section 3.2.2) that it was rather complex. The statement seems simple enough at first glance, but only because it assumes a very particular way of looking at firewalls and network security. There are a number of problems, or open questions, surrounding it that have to be answered prior to answering the exact question posed by Foreseeti. This study is thus to be seen as a prestudy that seeks to enable answering the original problem statement, by exploring and answering the following questions.

• Definitions of Concepts: What exactly does it mean to "breach a firewall"? What constitutes a firewall configuration error?

• Firewalls vs. Services as Targets for Direct Attack: Do attackers usually even think of firewalls as targets for direct attack, or do they target network services?

• The Past and Future of Firewalls: Some studies of firewall security have been done (Section 2.5), but their relevance today depends on how quickly the role of the firewall changes. How, if at all, has it changed recently, or will it change in the future?

• Approach to Estimating Firewall Security: Could one approach to estimating firewall security be to study the relationship between the firewall and the services it protects?

• Firewall Configuration and Security Policies: How well do firewall configurations match the security policies of the organizations in which they are deployed?

1.3 Purpose

The purpose of this thesis is to explore the role of firewalls as a security measure in corporate computer networks. This is done by researching a few more specific questions concerning firewalls, such as definitions of concepts, to what degree they are targeted by attackers, how their role is changing, how their security can be estimated and how well configured they tend to be. This thesis aims to be a step along the way toward creating a threat model for firewalls.

1.4 Research Strategy

Given that the research is exploratory and mostly qualitative, the research strategy is to conduct a questionnaire survey. This was suggested by the research group's contact at Foreseeti.

1.5 Goals

This thesis has several goals, namely:

1.5.1 Academic

The academic goal of the thesis is to answer a problem statement by carrying out a project on a scientific basis using methods and methodologies that are proven and correct. By writing a good thesis that meets all course requirements, the authors will finish their studies at KTH Royal Institute of Technology.

1.5.2 Industrial

The industrial goal is to provide results that would be of use to Foreseeti in the future development of their threat model. Since the thesis tries to provide answers to problems regarding firewalls used in corporate settings, other actors in the industry may also benefit from the findings.

1.5.3 Scientific

Scientifically, the goal is to carry out a valid and reliable study that can be of use to other researchers. As previously stated, this thesis can be seen as a prestudy for future research.


1.6 Societal Benefits and Ethics

The results presented could possibly benefit corporations that wish to evaluate the security of their systems. This, in turn, could be beneficial to society as a whole. Increasing amounts of people's personal information are kept online today. When corporations become less vulnerable to attacks, the leakage of this personal information might be reduced. Higher security in corporations would likely lead to fewer successful attacks and breaches, which would save corporations and society a lot of money. Also, a large part of the Internet is made up of corporate networks. By securing these networks there would be fewer hosts for malware to spread through, which in turn could reduce the spreading of malware in general [6].

Since firewalls are an important part of corporate network security, the data collected as part of this project is considered sensitive. All respondents are kept completely anonymous because the information they might provide could potentially be used by bad actors to identify real, vulnerable systems.

1.7 Delimitations

This study is concerned with only network firewalls and not personal firewalls, which are applications installed on individual workstations or laptops. Network firewalls, on the other hand, are software-, hardware- or cloud-based solutions that protect entire networks from the dangers that lurk outside. This study is not concerned with information security matters that do not involve firewalls, unless brought up by respondents. One example of such a matter would be social engineering attacks.

1.8 Outline

Section 2 provides the theoretical background that some may need in order to understand the rest of the thesis. Moreover, it presents a theoretical overview of research methods and methodologies that were considered for this study. It also presents practical requirements for scientificity in a research method. Lastly, it discusses previous work that is related to this thesis. Section 3 accounts for the choice of theoretical research methods. Furthermore, each research question is discussed. Lastly, the practical implementation of the research method is presented. In Section 4 the results of the study are presented. Section 5 discusses the acquired results for each of the problem statements, the research methods used in the study and the validity and reliability of the study. Furthermore, the scientificity of the study is evaluated, conclusions are presented and possible future work related to the study is suggested.


2 Theoretical Background

This section aims to give the theoretical background needed to understand the remainder of the thesis and also explains why our problem is a problem in the first place. This section also gives a theoretical background on various research methods and methodologies. The specific methodologies used in this project are discussed in Section 3.

Section 2.1 gives a short explanation of security policies. Section 2.2 explains why firewalls exist and describes a few ways of attacking networks. Section 2.3 provides a theoretical overview of research methods and methodologies. Section 2.4 discusses what is required for a project to be scientific. Section 2.5 is an account of related work and studies that have been made regarding firewalls and how this study differs from them.

2.1 Security Policies

An organization of sufficient size most likely has internal policies that state how certain things should be done within the organization. One policy that should always be in place is the security policy, which is a document that states how an organization plans to protect its physical and information technology assets.

The document should be monitored and updated as the organization and its security requirements change [7]. The security policy should heavily affect the configuration of firewalls used by the organization, as they play an important role in the enforcement of the policy.

2.2 Firewall Fundamentals

Firewalls are a fundamental part of network security and often function as the first line of defense, partially separating a local network from the Internet. The task of the firewall is to prevent unauthorized network traffic from passing through itself into the protected network [2]. To make a firewall function properly it has to be told what traffic is to be authorized and what is not. This is done in a configuration file typically called a ruleset. The ruleset is an ordered list of rules, where each rule is of the form predicate → action. The predicate typically contains a range of source IPs, a range of destination IPs, a source port, a destination port and a protocol, and the action is typically accept, discard, log or a combination of these (see Table 1). When packets arrive at the firewall they are matched against this list of rules. Overlapping and conflicting rules are normal occurrences. To resolve conflicts, the action of the first rule that matches the packet is enforced; the order is therefore crucial, and changing the order can change the behavior of the firewall drastically. The goal when configuring the firewall is to restrict as much traffic as possible to reduce the risk of letting malicious traffic in, while avoiding blocking legitimate traffic [8].

Table 1: An example firewall ruleset containing three rules.

Rule  Source IP     Destination IP  Source Port  Destination Port  Protocol  Action
#1    any           1.2.3.4         any          25                TCP       accept
#2    156.78.12.3   172.87.1.3      any          22                TCP       accept
#3    any           any             any          any               any       discard
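The first-match semantics described above, as an added example that is not code from the thesis: a minimal evaluator for rulesets of the form predicate → action, loaded with the three rules of Table 1. It shows that moving the catch-all discard rule to the top silently changes every decision, detects rules that an earlier rule makes unreachable, and checks a ruleset against policy statements written as test packets with the decision the policy requires. The Rule and Packet layout, the policy statements and the address 203.0.113.9 are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example, not from the thesis. Rule/Packet fields, the policy
# statements and the Internet address 203.0.113.9 are assumptions.


@dataclass(frozen=True)
class Rule:
    name: str
    src: Optional[str]      # CIDR or single address; None means "any"
    dst: Optional[str]
    sport: Optional[int]    # None means "any"
    dport: Optional[int]
    proto: Optional[str]    # "TCP", "UDP", "ICMP"; None means "any"
    action: str             # "accept" or "discard"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str


def _ip_match(field: Optional[str], addr: str) -> bool:
    return field is None or ipaddress.ip_address(addr) in ipaddress.ip_network(field, strict=False)


def _eq_match(field, value) -> bool:
    return field is None or field == value


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (_ip_match(rule.src, pkt.src) and _ip_match(rule.dst, pkt.dst)
            and _eq_match(rule.sport, pkt.sport) and _eq_match(rule.dport, pkt.dport)
            and _eq_match(rule.proto, pkt.proto))


def first_match(ruleset: List[Rule], pkt: Packet, default: str = "discard") -> Tuple[str, str]:
    """(rule name, action) of the first matching rule; the default applies when nothing matches."""
    for rule in ruleset:
        if rule_matches(rule, pkt):
            return rule.name, rule.action
    return "implicit", default


def _covers(outer, inner, is_ip: bool) -> bool:
    """True if every value matched by `inner` is also matched by `outer`."""
    if outer is None:
        return True
    if inner is None:
        return False
    if is_ip:
        return ipaddress.ip_network(inner, strict=False).subnet_of(ipaddress.ip_network(outer, strict=False))
    return outer == inner


def shadowed_rules(ruleset: List[Rule]) -> List[Tuple[str, str]]:
    """(rule, earlier rule) pairs where the earlier rule matches everything the later one would."""
    found = []
    for i, later in enumerate(ruleset):
        for earlier in ruleset[:i]:
            if all(_covers(getattr(earlier, f), getattr(later, f), f in ("src", "dst"))
                   for f in ("src", "dst", "sport", "dport", "proto")):
                found.append((later.name, earlier.name))
                break
    return found


TABLE_1 = [
    Rule("#1", None, "1.2.3.4", None, 25, "TCP", "accept"),
    Rule("#2", "156.78.12.3", "172.87.1.3", None, 22, "TCP", "accept"),
    Rule("#3", None, None, None, None, None, "discard"),
]
DEFAULT_DENY_FIRST = [TABLE_1[2], TABLE_1[0], TABLE_1[1]]   # same rules, catch-all moved first
WIDENED = [TABLE_1[0], Rule("#2", None, "172.87.1.3", None, 22, "TCP", "accept"), TABLE_1[2]]

# Policy statements as (description, test packet, decision the policy requires); constructed here.
POLICY = [
    ("Internet may deliver mail to 1.2.3.4", Packet("203.0.113.9", "1.2.3.4", 40000, 25, "TCP"), "accept"),
    ("only 156.78.12.3 may SSH to 172.87.1.3", Packet("203.0.113.9", "172.87.1.3", 40000, 22, "TCP"), "discard"),
    ("156.78.12.3 may SSH to 172.87.1.3", Packet("156.78.12.3", "172.87.1.3", 40000, 22, "TCP"), "accept"),
]


def policy_mismatches(ruleset: List[Rule], policy=POLICY) -> List[str]:
    """Policy statements whose required decision the ruleset does not produce."""
    return [desc for desc, pkt, wanted in policy if first_match(ruleset, pkt)[1] != wanted]


if __name__ == "__main__":
    mail = POLICY[0][1]
    print(first_match(TABLE_1, mail))              # ('#1', 'accept')
    print(first_match(DEFAULT_DENY_FIRST, mail))   # ('#3', 'discard'): order alone changed the decision
    print(shadowed_rules(DEFAULT_DENY_FIRST))      # [('#1', '#3'), ('#2', '#3')]
    print(policy_mismatches(WIDENED))              # ['only 156.78.12.3 may SSH to 172.87.1.3']
```

The shadowing check is deliberately conservative: it only reports a rule when a single earlier rule covers it field by field, so rules hidden by the union of several earlier rules are not reported. The policy check is the simplest form of the configuration-policy comparison the thesis asks about: each policy statement becomes a packet and an expected decision, and a ruleset that decides differently is, by the definition in Section 2.2.1, a ruleset error.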

2.2.1 Ways of Attacking Networks

An attacker must somehow either breach or circumvent the firewall to get further inside the network. A variety of ways of doing so exist.

Exposed network services constitute potential attack surfaces. A few common examples of network services are HTTP, FTP, SSH, SMTP and ICMP. They often run inside a local area network, but they can be exposed on the Internet by the firewall or be placed outside of the firewall entirely. In some cases, such as HTTP, this may be desirable. If a network service is exposed on the Internet, anyone with an elementary understanding of networks can easily find it with a port scan and send traffic to the service. If the exposed service is vulnerable, it is an open door through which an attacker can steal information, carry out sabotage or, with some luck, reach further into the network and do the same on an even larger portion of it. In that case, the attacker has effectively circumvented or breached the firewall.

Phishing is a social engineering attack in which an attacker typically sends emails from a forged sender address to individuals working at the targeted organization, with the intent of tricking the individuals into either downloading malware or sharing sensitive information with the attacker. These emails are made to look very authentic and often claim to be very urgent. For example, the email could claim to be sent from a systems administrator asserting that the receiver urgently has to install a new security update that is attached to the email. The attached file is of course not a security update, but a malicious program that the attacker can use to harvest credentials, monitor the receiver and potentially connect the receiver's computer to the attacker's, thereby creating a connection through the firewall [9].

Phishing is a widely used technique that takes advantage of the fact that a human is much easier to manipulate and trick than a security system. According to Dhamija [10], computer users in general lack the knowledge of operating systems and security needed to distinguish phishing from legitimate emails and websites. Users are also easily deceived by the often very well made fake images and text in phishing attempts. By utilizing phishing, an attacker can essentially circumvent all security measures in place. It does not matter how secure the perimeter of the infrastructure is if the attacker can trick the right person into giving up the right information or downloading malware.

Denial of firewalling (DoF) is an attack that stems from the more general denial of service attack. During a DoF attack, carefully crafted traffic is used to overload a firewall. The overloading of the firewall has two possible outcomes. One is that all traffic is denied, resulting in the network not being reachable; a form of sabotage. The other, generally more preferred outcome (for the attacker), is that the firewall becomes so busy that it can no longer evaluate the traffic against its rules and instead lets all traffic through. A well-crafted DoF attack can thus disable the firewall entirely, leaving the network completely vulnerable to further attacks [11].

What constitutes a configuration error is one of the definitional questions studied in this thesis. What follows is therefore only an introductory explanation of roughly what the term might mean.

Configuration errors are either errors in the firewall ruleset or errors such as using the default password for the administration interface, exposing the administration interface publicly on the Internet or allowing unencrypted remote access to the administration interface via Telnet [4].

What specifically constitutes a firewall ruleset error depends on the wider security policy of the organization in question. Any firewall ruleset that does not comply with the organization's stated security policy should be treated as a firewall ruleset error. Generally, if a firewall allows an unauthorized agent to access internal systems or information, it should most likely be considered a firewall ruleset error.

Other configuration errors may compromise the security of the firewall independently of the actual firewall ruleset. It does not matter how well configured the firewall's rulesets are if the configuration of the firewall itself is left insecure. For example, exposing the administration interface publicly on the Internet is a major security issue even if the interface is password protected. An attacker could perform a brute force attack to figure out the password and get access to the configuration of the firewall. Another example is using the default password for the administration interface. This renders the firewall useless if an attacker gets access to the interface.
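The non-ruleset configuration errors listed above, as an added example that is not code from the thesis: a small audit of a firewall's management-plane settings that flags default administrator credentials, an administration interface reachable from the Internet or from any source address, and cleartext Telnet management, with a weak configuration beside a corrected one. The MgmtConfig layout and the set of "factory default" credentials are assumptions for this example, not any vendor's format or defaults; a real audit would parse the vendor's own configuration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Added example, not from the thesis. The configuration layout and the
# default-credential list are assumptions made for this example.

ASSUMED_DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("admin", "")}


@dataclass
class MgmtConfig:
    admin_user: str
    admin_password: str
    admin_allowed_from: List[str]   # CIDR networks allowed to reach the admin interface; empty = unrestricted
    admin_on_wan: bool              # admin interface also listens on the Internet-facing address
    telnet_enabled: bool            # cleartext management channel
    ssh_enabled: bool
    https_enabled: bool


def audit(cfg: MgmtConfig) -> List[str]:
    """Configuration errors that undermine the firewall regardless of how good its ruleset is."""
    findings = []
    if (cfg.admin_user, cfg.admin_password) in ASSUMED_DEFAULT_CREDENTIALS:
        findings.append("default administrator credentials")
    if cfg.admin_on_wan:
        findings.append("administration interface exposed on the Internet-facing interface")
    allowed = [ipaddress.ip_network(n, strict=False) for n in cfg.admin_allowed_from]
    if not allowed or any(n.prefixlen == 0 for n in allowed):
        findings.append("administration interface reachable from any source address")
    if cfg.telnet_enabled:
        findings.append("unencrypted Telnet management enabled")
    if not (cfg.ssh_enabled or cfg.https_enabled):
        findings.append("no encrypted management channel enabled")
    return findings


# Weak setting beside the corrected one; both constructed for this example.
WEAK = MgmtConfig("admin", "admin", ["0.0.0.0/0"], True, True, False, False)
HARDENED = MgmtConfig("fwadmin", "example-long-random-passphrase", ["10.0.100.0/24"],
                      False, False, True, True)

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(cfg))
```

Note that the hardened configuration still allows brute forcing from the management network; the audit only checks the settings named in the text, and account lockout or key-based authentication would be additional checks.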

2.3 Research Methods and Methodologies

Håkansson has written a rather comprehensive overview of research methodologies [12]. What follows is a summary of some of them.

2.3.1 Categorization of Research Methods

Research methods in [12] are divided into two main categories: quantitative and qualitative. A quantitative study is concerned with collecting and/or analyzing large sets of concretely measurable data. A qualitative study, on the other hand, is more exploratory in nature and aims to reach tentative hypotheses and theories. Finally, triangulation is the practice of utilizing both quantitative and qualitative methods in order for them to complement each other.

2.3.2 Philosophical Assumptions

The philosophical assumption is the starting point that the rest of the research is based upon.

Positivism and Realism can be seen as quantitative assumptions, while Interpretivism and Criticalism are more distinctly qualitative.

Positivism assumes that "the reality is objectively given and independent of the observer and instruments." Therefore Positivism is useful in projects of experimental and testing character.

Realism assumes that there exists an objective reality independent of any observer or interpretation, but views scientific knowledge as a mere approximation of the truth. The realist collects data by observing a phenomenon and then works with understanding the collected data and developing knowledge from it [12].

Interpretivism assumes that "access to reality (given or socially constructed) is only through social constructions such as language, consciousness, shared meanings, and instruments" [13]. Interpretivists understand phenomena by interpreting the meaning that people assign to them.

Criticalism assumes that "the reality is socially, historically, and culturally constituted, produced and reproduced by people". Criticalism can be used to learn about social, historical and cultural aspects of people and things produced by people [12].

2.3.3 Research Methods

Research methods describe and provide the procedures used to accomplish the research task.

The Experimental research method studies reasons for, and effects of certain phenomena. It can be used to compare effects of different scenarios against each other, given different causes. An example usage is system performance testing.

The Descriptive research method studies and describes characteristics of different phenomena in different scenarios, but does not study the causes and effects of those phenomena. The Descriptive research method often uses surveys, case studies or observations to produce and describe representations of situations.

The Non-Experimental research method draws conclusions based on existing scenarios. The method is used to describe behavior or opinions and can for example be used to study users' behavior or opinions.

The Conceptual research method is used to interpret existing concepts or create new ones. The Conceptual research method can for example be used to examine content in a system.

The Fundamental research method is "curiosity-driven" and aims to generate "new ideas, principles and theories" [12]. It is used in all kinds of research and is useful for finding new questions to study more closely with other methods.

2.3.4 Research Approaches

The research approach determines how conclusions are drawn and from what data. The two main approaches are the inductive and the deductive. The inductive research approach aims to discover things to study and to create hypotheses; the data are often collected using qualitative methods. The deductive research approach studies things that are already known to exist: theories are tested by deducing and testing a hypothesis, almost exclusively using quantitative methods with large data sets. Finally, the abductive approach is a combination of the two, which "derives likely conclusions from an incomplete set of observations" [12].

2.3.5 Research Strategy / Design

The research strategy informs how the research is to be planned and carried out in practice. Examples of strategies listed in [12] include Experimental, Survey, Ex post facto, Case study and Exploratory.

In Experimental research, the aim is to conduct experiments in which as many variables as possible are controlled, to prove or falsify hypotheses, and to study relationships between variables.

Surveys exist in two main varieties: cross-sectional and longitudinal. Cross-sectional surveys examine the relationships of a wide range of variables at a single point in time. Longitudinal surveys do the same over some period of time. The strategy works well for both quantitative and qualitative studies.

Ex post facto research is carried out after the data have already been collected. It attempts to find causal factors by studying the past.

Case study uses multiple sources of evidence in a real-life context. It is particularly useful when the distinction between the studied phenomenon and its context is unclear.

Exploratory research aims to find relationships between as many variables as possible, often using qualitative surveys. It identifies issues rather than providing definite answers to them.

2.3.6 Data Collection

The data collection method determines to a large degree what results can be presented and what conclusions can be drawn. Common data collection methods for quantitative research are Observations, Experiments, Questionnaires and Case studies; for qualitative research, Questionnaires, Interviews, Observations and Case studies. The quantitative methods are suited to collecting large data sets, while the qualitative methods are more suited to collecting smaller but more in-depth data sets.

2.4 Practical Requirements for Scientificity

Andersson and Ekholm have written a report in which they discuss scientific work methods and the practical requirements for scientificity in projects [14].

On page 17 of the report, they give an example of a scientific work method based on their interpretation of a method originating from Bunge [15], in the form of the following series of steps.

1. Identify a problem within an area of research.

2. Describe the problem carefully.

3. Study existing knowledge within the problem area. Find information, methods or tools that are relevant to the problem statement.

4. Explain and solve the problem statement based on knowledge from step 3. If existing knowledge on the problem statement is not enough to solve the problem statement, move to step 5. Otherwise, move to step 6.

5. Propose new ideas, theories or hypotheses and collect new empirical data to solve the problem.

6. Present either exact or approximate solutions to the problem.

7. Derive the consequences of the proposed solution.

8. Test the proposed solution.

9. Correct the proposed solution according to the test results.

10. Examine the proposed solution with respect to existing knowledge (step 3) and identify new problem statements.


Based on this practical sequence, Andersson and Ekholm also present a method to evaluate the scientific quality of research projects that utilize the method above. The evaluation involves identifying the existence of certain aspects in the written work that describes the project. These aspects are described by Andersson and Ekholm as characteristic of a project with a scientific approach.

1. Background (Problem owner/stakeholders)

2. Hypothesis/testable consequences

3. Purpose/goals

4. Delimitations

5. Theory describing problem

6. Research method

7. Execution

8. Expected result

9. Achieved result

Based on whether these aspects are accounted for, one can get a hint of whether a given project used a scientific approach or not.

2.5 Related Work

Wool performed two quantitative studies [4], [5] of firewall ruleset configuration errors in real, deployed firewalls. Both of these studies suggest that firewalls, in general, are poorly configured and that the number of configuration errors is positively correlated with the number of rules in the ruleset. Wool’s studies and our study are tangentially related, but while Wool studied the phenomenon of configuration errors in great detail, our study discusses it in broader strokes as part of a bigger picture. Furthermore, Wool defines a firewall configuration error as any configuration from a set of configurations that he considers insecure in some way. Even though the research is probably the best of its kind, the studies, as well as Wool’s set of configuration errors, are rather old. This study aims to address both the definition of configuration errors and the relevance of previous research.

Kamara et al. [16] propose a methodology for analyzing vulnerabilities in firewalls. Twenty known firewall vulnerabilities are analyzed and categorized according to the suggested methodology. Our work does not analyze or categorize any vulnerabilities, but again, discusses them in more general terms.

Alsaleh et al. [17] present a set of quantitative metrics for measuring the security level of an enterprise firewall based on its ruleset configuration. The metrics can be used to compare the security of different firewalls against each other. While the metrics are useful for many purposes and certainly would be interesting to apply to data such as Wool’s, we cannot make use of them given our choice of research methods. This study instead explores an alternative approach to estimating firewall security.


3 Method

What follows is a description of the study in terms of the methods and methodologies discussed in Section 2.3.

The study uses triangulation, although it is somewhat more qualitative than quantitative. It assumes the philosophical viewpoint of realism and uses the fundamental research method. The study is primarily an inductive one. A cross-sectional survey, with a questionnaire directed at information security researchers and professionals, constitutes the main research strategy and data collection elements of the study. The quantitative data is analyzed statistically. The qualitative data is, apart from being considered as it is, codified in order to extract quantitative data from it.

3.1 Research Questions

In this section, each of the research questions defined in the problem statement is discussed. Each questionnaire question is related to one of the research questions (Section 1.2.2).

3.1.1 Definitions of Concepts

What exactly does it mean to “breach a firewall”? What constitutes a firewall configuration error?

The project group hopes to collect definitions by experts for these concepts, not least to see whether an established consensus already exists. The proposed definitions are collected with the following questionnaire questions.

Q4: How do you define a firewall configuration error? (Free text answer)

Q5: How would you define the act of “breaching a firewall”? (Free text answer)

3.1.2 Firewalls vs. Services as Targets for Direct Attack

Do attackers usually even think of firewalls as targets for direct attack, or do they target network services?

The answers to this question can provide insights into how firewall security could be modeled. If firewalls are a target for attackers, it is important to consider the degree to which firewalls themselves are resistant to attacks. Otherwise, firewall configuration is of greater importance. Particularly relevant are answers from penetration testers who regularly breach or circumvent firewalls. Answers to this question are collected using the following questionnaire question.

Q6: Do attackers tend to directly target firewalls or do they tend to target exposed network services? (Free text answer)

3.1.3 The Past and Future of Firewalls

How, if at all, has the role of firewalls changed recently, or will it change in the future?

The question tries to determine the degree to which previous studies on firewall security are still relevant, or for how long they might remain relevant. Answers are collected using the following questionnaire questions.

Q8: Has the role of the firewalls changed during the last 5 years? How and why? (Free text answer)

Q9: Will the role of firewalls change as more companies move to the cloud / SDN-networks? How and why? (Free text answer)

3.1.4 Approach to Estimating Firewall Security

Could one approach to estimating firewall security be to study the relationship between the firewall and the services it protects?

If it is the case that network services, rather than firewalls, are targets for direct attack, one should explore ways to model firewall security with services in mind.

To study this relationship, two sets of answers are wanted: one that determines the most frequently exposed network services and another that determines the most frequently vulnerable ones. The correlation between the two could then be studied. Answers are collected using the following questionnaire questions.

Q12: In your experience, which network services in corporate networks are most frequently exposed on the Internet? (Free text answer; list services in descending order of frequency)

Q13: In your experience, which network services in corporate networks do most frequently contain vulnerabilities? (Free text answer; list services in descending order of frequency)

3.1.5 Firewall Configuration and Security Policies

How well do firewall configurations match the security policies of the organizations in which they are deployed?


One possible way of defining a firewall configuration error (which was one of the questions in Section 3.1.1) is as a mismatch between the firewall configuration and the organization’s security policy. Given this definition, the project group wants to study how well configured firewalls tend to be. Answers are collected using the following questionnaire questions. They are essentially the same question, formulated differently.

Q14: How well does the configuration of the typical perimeter firewall you have encountered match the organization’s security policy? (Answer given as a number ranging from 1-5, where 1 represents “Several Mismatches” and 5 represents “Perfect Match”)

Q15: Approximately what percentage of perimeter firewalls that you have encountered have mismatches between their rulesets and the organization’s security policy?

3.1.6 Control Questions

These are questions with known answers, used to assess the respondents’ credibility.

Q10: Given this firewall ruleset, which of the following statements are true? (Options; select all that apply. The ruleset and options are shown in Section 4.9)

Q11: Which of these types of inbound traffic is the most important to block with a firewall? (Options; select one. The ruleset and options are shown in Section 4.10)

3.1.7 Information About the Respondent

A couple of questions are asked about the respondent’s role and experience in the field of information security. They are mainly used to assess the respondents’ credibility.

Q1: For how many years have you been working with, or researching information security?

Q2: What is your primary role within the field of information security? (Options or free text answer)

Q3: Do you regularly examine/analyze/test different firewalls? The question refers to individual firewalls and their configurations; not brands, models or types. (Yes / No)


3.2 Practical Implementation of Research Method

The practical work of this project aimed to utilize the theoretical research method (described in the beginning of Section 3) while ensuring some level of scientificity (discussed in Section 2.4) and keeping in concordance with the project triangle, as proposed by Ekholm [18].

This research project was therefore divided into three phases. The phases are listed in chronological order and depend on each other. Each phase is an essential part of the project and contributes to the end result. One of the phases was conducted as an iterative process. What follows is a description of each phase of the project.

3.2.1 Literature Study Phase

The first phase of the project was the literature study, which commenced as soon as the problem statement was proposed by Foreseeti. The aim of the literature study was for the authors to get a better understanding of the problem at hand.

Three main areas were researched, namely:

• Firewalls

• Network security

• Network architecture

The literature study was mainly conducted by reading published literature that was found through research libraries such as IEEE Xplore² and ACM Digital Library³. The research yielded relevant information in the form of previous studies and references that could be used in this study, as well as perspectives that were used to formulate the research questions.

After researching these problem-specific areas, literature regarding scientific research methods and project methods was read, such as [14], [15] and [12]. This research was used to decide what methods and methodologies were appropriate to be used in the project and ultimately resulted in the project method now described.

3.2.2 Questionnaire Design and Publication Phase

The literature study reinforced the choice of using a questionnaire as the method for data collection. The design and creation of said questionnaire became the second phase, which itself can be divided into three parts, carried out in the order given below.

² https://ieeexplore.ieee.org

³ https://dl.acm.org/


• Questionnaire design. The initial design of the questionnaire and the questions at hand were formed.

• Questionnaire prestudy. A prestudy was conducted, where the questionnaire was tested and evaluated.

• Redesign of the questionnaire. After the prestudy, the questionnaire was redesigned according to the feedback from the prestudy.

The design of the questionnaire was done according to some tips given by Harrison [19]. The questionnaire was kept as short as possible, with as few and as straightforward questions as possible. 15 questions in total made for a good length. This should be enough questions to collect the desired data, while still allowing the respondents to properly fill in the questionnaire in a short amount of time. The questionnaire had to be general enough so that it could be filled out by people working with information security, but not necessarily strictly firewalls.

As recommended by Harrison [19], a prestudy was conducted where the questionnaire was answered and discussed (separately) by two information security professionals: one penetration tester from the industry and one academic professor. This was done to verify that the questionnaire was well designed, understandable and possible to answer properly. These two discussions gave some great insight that was used to further improve the questionnaire prior to it being sent out.

During the entirety of this project phase, another process was also carried out, namely that of finding potential respondents. In order to conduct as good a study as possible, it was important to find competent respondents who possessed knowledge of information security in general and firewalls in particular.

To help ensure that a sufficient number of responses were received, from various perspectives, the questionnaire was not solely distributed to firewall specialists.

People from various professions in the field of information security were sought, although the bulk (about 75 %) of potential respondents ended up being authors of scientific articles that discuss firewalls, penetration testing and other relevant topics. The rest were information security or network professionals, journalists or bloggers of varying merit that were found online.

Subsequently, the questionnaire was deemed ready for publishing. The questionnaire was created and distributed via Google Forms, which allowed for an easy and quick distribution of the survey to a large number of respondents around the world. It also allowed for anonymity (with some caveats, see Section 5.5.1) which was important to offer to all respondents. The questionnaire remained open for responses for one week. This was determined to be enough time to allow most people who wanted to respond to do so. About half of the respondents submitted their response within the first 24 hours of the questionnaire being opened.

Figure 1: Questionnaire design and publication process. (Flowchart with the steps: questionnaire design, questionnaire prestudy, questionnaire redesign, find potential respondents, publish questionnaire.)

3.2.3 Result Analysis Phase

The third phase commenced when the questionnaire was closed. Qualitative responses were codified in order to extract some quantitative data from them (explained further in Section 3.3). Interesting responses were quoted in the thesis.

For some questionnaire questions, the results were weighted (explained further in Section 3.4). Additionally, correlations were studied and charts were created.

To utilize the advantages of iterative processes, the analysis of the data was done in iterations. One iteration was carried out for each of the research questions listed in Section 3.1. In each iteration, the data from the questionnaire regarding that research question were analyzed and discussed. Thanks to this iterative process, the project ran no risk of running out of time prior to deriving any conclusions at all.

3.3 Coding

Qualitative free text answers are codified in an inductive manner, meaning that the set of possible coding categories for each question is not known in advance, but derived from the responses. The percentage $P_C$ of responses codified under category $C$ is calculated as

$$P_C = \frac{R_C}{R}$$

where $R_C$ is the number of responses codified under $C$, and $R$ is the total number of responses (very elementary math).

For some questionnaire questions, a single response can be codified under more than one category. The sum of the percentages of responses codified under each of the categories respectively may in such cases exceed 100 %. For example, if the categories are “Yes” and “No”, a nuanced response (e.g. “Yes, because ___, but on the other hand, ___”) may be codified as both. A more decisively positive response would be codified as simply “Yes”. In this example, with $R = 2$ responses, $P_{\text{Yes}} = \frac{R_{\text{Yes}}}{R} = \frac{2}{2} = 100\,\%$ and $P_{\text{No}} = \frac{R_{\text{No}}}{R} = \frac{1}{2} = 50\,\%$, and the sum would be $100\,\% + 50\,\% = 150\,\% > 100\,\%$.

3.4 Weighting

The results of two of the questionnaire questions (Q12 and Q13) are weighted using a custom method. The exact formula is presented in Section 4.11.1 (because it is quite closely tied to the specific questions), but its essence is that the value of each response is multiplied by the sum of the respondent’s stated experience (Q1) and score on control questions (Q10 and Q11).

Experience ranges from 0 to the maximum length of a person’s career (on the order of tens of years) and the control question score ranges from 0 to 6. The balance between these two aspects affects the weighting significantly and was considered carefully. Ultimately, however, the current balance, where the maximum control question score is worth as much as 6 years of experience, is admittedly somewhat arbitrary. The group concluded that experience in the field, even if not directly related to firewalls, is more important for credibility than the control question score. On the other hand, the control question score is arguably more reliable, because it is not subject to fabrication in the same way that the stated amount of experience is.

The weighting is applied to a score that is based on the ranking of options in responses (also explained in Section 4.11.1). Because the weighting method is experimental and without basis in literature, the unweighted scores are also presented. Furthermore, just in case the scoring system itself turns out to be flawed, results based on the number of mentions of options, regardless of ranking, are also presented.


4 Result

The section begins with a presentation of the results for each individual questionnaire question (Sections 4.1–4.14). Then, correlations between the results of some of the questions are investigated (Sections 4.15–4.16). This all builds up to the discussion and conclusions regarding the research questions in the remainder of the thesis.

The questionnaire was sent to 246 potential respondents. At least 37 of our requests could not be delivered, bringing the number down to 209. 20 responses were received, of which 15 were from academic researchers. All questions were optional, so not all respondents answered all questions.

4.1 Respondents’ Experience

Q1: For how many years have you been working with, or researching information security?

The average respondent claimed to have about 11 years of experience in the field of information security.

Table 2: Statistics for Q1.

Responses 16

Response rate 80 %

Average 10.88

Median 10

Standard deviation 6.73


Figure 2: Chart for Q1. Distribution of responses by years of experience (x-axis: years of experience; y-axis: number of responses).

4.2 Respondents’ Roles in Information Security

Q2: What is your primary role within the field of information security? (Options or free text answer)

75 % of respondents described themselves as academic researchers. The proportion is the same as that of authors of scientific articles among potential respondents (Section 3.2.2).

Table 3: Statistics for Q2.

Responses 20

Response rate 100 %


Table 4: Results for Q2.

Role                  Number   Percentage

Academic researcher   15       75.00 %

Penetration tester    2        10.00 %

Administrator         1        5.00 %

Architect             1        5.00 %

Journalist            1        5.00 %

Figure 3: Chart for Q2. Role in the field of information security (number of responses per role: academic researcher, penetration tester, administrator, architect, journalist).

4.3 Regularly Examines Firewalls

Q3: Do you regularly examine/analyze/test different firewalls? The question refers to individual firewalls and their configurations; not brands, models or types. (Yes / No)

35 % of respondents answered “Yes” and the rest answered “No”.


Table 5: Statistics for Q3.

Responses 20

Responses by academic researchers 15

Responses by others 5

Response rate 100 %

Table 6: Results for Q3. Percentages of respondents who answered a certain way. The percentages are with regard to the column’s specified group.

All who responded Academic researchers Others

Yes 35.00 % 33.33 % 40.00 %

No 65.00 % 66.67 % 60.00 %

Figure 4: Chart for Q3. Respondent regularly examines firewalls (percentage of responses for Yes and No, shown for all who responded, academic researchers and others).

4.4 Definition of a Firewall Configuration Error

Q4: How do you define a firewall configuration error? (Free text answer)

69 % of respondents mentioned mismatches between firewall rulesets and security policies as either their definition or a part of their definition of a firewall configuration error. Other concepts were mentioned in 44 % of responses.

A single response could be codified into multiple categories. Thus the presented percentages do not necessarily add up to 100 % (Section 3.3).

Table 7: Statistics for Q4.

Responses 16

Responses by academic researchers 12

Responses by others 4

Response rate 80 %

Table 8: Results for Q4. Percentages of respondents who mentioned a certain concept in their definition. The percentages are with regard to the column’s specified group.

Coding category All who responded Academic researchers Others

Ruleset-policy mismatch 68.75 % 75.00 % 50.00 %

Ruleset too permissive 25.00 % 16.67 % 50.00 %

Contradictory rules 18.75 % 16.67 % 25.00 %

Figure 5: Chart for Q4. Definition of firewall configuration error (percentage of responses per coding category: ruleset-policy mismatch, ruleset too permissive, contradictory rules; shown for all who responded, academic researchers and others).


Examples of responses that were codified as “Ruleset-policy mismatch” (possibly among other things):

“At the highest level it is when the firewall does not implement a defined business’ security policy. Unfortunately, some businesses do not create such a definition leading to a problem in understanding errors.”

“It’s either a configuration that don’t respect rules and guidelines, or configuration that represents contradictions with other rulsets.”

“Any configuration that does not align with the corporation’s secu- rity policy.”

Some responses were somewhat ambiguous, but if they discussed intent or expectations, they were also codified as “Ruleset-policy mismatch”.

“A bug that doesn’t separate allowed from not-allowed in the intended way.”

“When a firewall configuration fails to perform as expected.”

Others did not mention policies at all.

“Letting unwanted packets that threaten security enter organizations’ network.”

“A man-made mistake resulting in over-permissive ruleset.”

“Any configuration that enables an unauthorized party to gain control.”

4.5 Definition of Firewall Breach

Q5: How would you define the act of “breaching a firewall”? (Free text answer)

54 % of respondents mentioned illegitimate traffic passing through the firewall as their definition or part of their definition of what it means to breach a firewall.

Other concepts were mentioned in 60 % of responses.

A single response could be codified into multiple categories. Thus the presented percentages do not necessarily add up to 100 % (Section 3.3).


Table 9: Statistics for Q5.

Responses 13

Responses by academic researchers 10

Responses by others 3

Response rate 65 %

Table 10: Results for Q5. Percentages of respondents who mentioned a certain concept in their definition. The percentages are with regard to the column’s specified group.

Coding category                        All who responded   Academic researchers   Others

Illegitimate traffic through firewall  53.85 %             60.00 %                33.33 %

Exploitation of firewall vulnerability 30.77 %             30.00 %                33.33 %

Unauthorized access to systems         15.38 %             10.00 %                33.33 %

Circumvention                          15.38 %             20.00 %                0.00 %


Figure 6: Chart for Q5. Definition of breaching a firewall (percentage of responses per coding category: illegitimate traffic through firewall, exploitation of firewall vulnerability, unauthorized access to systems, circumvention; shown for all who responded, academic researchers and others).

Examples of responses that were codified as “Illegitimate traffic through firewall” (possibly among other things):

“Illegitimate network traffic passing through the firewall ”

“A hacker manages to initiate a connection through the FW for a malicious purpose”

“It could mean one of two things (i) using misconfigurations to get through it, or (ii) using a hack or exploit to corrupt or otherwise circumvent a well defined set of policies, Generally the outcome is packets getting to where they should not.”

Exploitations of firewall vulnerabilities were the second most mentioned concept (as also seen in the last of the above responses).


“Exploiting a vulnerability in a firewall to gain access to the device or changing the behavior of the firewall.”

Some considered circumvention to be a “breach”. Granted, there is some ambiguity here regarding what these respondents really meant, because their answers were so concise.

“Devising a round-about way to bypass the firewall”.

“Bypassing firewall logic that filters unwanted packets”

4.6 Firewall vs. Services as Targets for Attack

Q6: Do attackers tend to directly target firewalls or do they tend to target exposed network services? (Free text answer)

The free text answers were codified to produce the presented quantitative data.

57 % of respondents said attackers tend to target services, while 36 % said attackers target both services and firewalls. Thus, about 93 % of respondents mentioned network services and 36 % mentioned firewalls. No one said that attackers only target firewalls.

Table 11: Statistics for Q6.

Responses 14

Responses by academic researchers 10

Responses by others 4

Response rate 70 %

Table 12: Results for Q6. Percentages of respondents who answered a certain way. The percentages are with regard to the column’s specified group.

Coding category All who responded Academic researchers Others

Services 57.14 % 70.00 % 25.00 %

Both 35.71 % 30.00 % 50.00 %

Firewall 0.00 % 0.00 % 0.00 %

Neither 7.14 % 0.00 % 25.00 %


Figure 7: Chart for Q6. Firewalls vs. services as targets for direct attack (percentage of responses per coding category: services, both, firewall, neither; shown for all who responded, academic researchers and others).

The single respondent whose answer was codified as “Neither” suggested that phishing attacks are a far more likely and easier way of penetrating a firewall than using malware.

One respondent whose answer was codified as “Services”, noted however that attacks on firewalls certainly do exist, such as denial of service and other hacks.

Some simply stated “Both” as their sole answer, while others expanded upon what roles the alternatives play.

“Both, if the firewall can be compromised intrusion and attacks become relatively straightforward. Otherwise targeting insecure network services is a good alternative.”

“it depends on the attacker’s intention, if his target is behind a firewall surely he will attack the firewall to reach it, but exposed network services are always a piece of cake.”

Others were more decidedly on one side.

“Hackers are not interested in attacking firewall. They are interested in the services it protects.”

4.7 The Role of Firewalls Over the Last Five Years

Q8: Has the role of the firewalls changed during the last 5 years? How and why? (Free text answer)

The free text answers were codified and resulted in the quantified data presented below. 47 % claimed that the role of firewalls has changed during the last five years, while 52 % claimed that it has not. The definition of “role” was purposely not specified in this question, because what professionals in the field regard as the role of the firewall is in itself a relevant question. In other words, omitting the definition allowed for more diverse qualitative responses.

Table 13: Statistics for Q8.

Responses 17

Responses by academic researchers 12

Responses by others 5

Response rate 85 %

Table 14: Codified results for Q8. Percentage of respondents who answered a certain way. The percentages are with regard to the column’s specified group.

Coding category All who responded Academic researchers Others

Yes 47.06 % 50.00 % 40.00 %

No 52.94 % 50.00 % 60.00 %

Nearly half of the respondents thought that the role had changed and the other half thought that it had not. Many elaborative responses arguing for both sides were received.

One respondent claimed that the time span was too short.

“No. To short of a timespan. Increase to 10 years and firewalls has been going from traditional port-based to application aware firewalls.”

Another respondent claimed that the fundamentals of the firewall had not changed, but it had become better at what it does.

“Fundamentally there were limited changes - it’s still a checkpoint system. However there are quite some advances in terms of the speed of firewall checking, limited deep packet analysis, and firewall management.”

One respondent claimed that firewalls now have to inspect more protocols as applications become more advanced and hide their traffic behind generic protocols.

“The technical scope in terms of the protocols inspected has become wider. There is a tug of war between App designers who use generic protocols such as http and the FWs that try to control meaningful entities that try to hide behind the generic protocol.”

Others claimed that changes to network architectures have led to consequences regarding firewalls.

“Many services migrating to the cloud makes old firewalls less useful.”

“Of course, because of SDN, NAT and programmable switches“

4.8 The Role of Firewalls in the Cloud

Q9: Will the role of firewalls change as more companies move to the cloud / SDN-networks? How and why? (Free text answer)

The free text answers were codified and resulted in the quantified data presented below. 67 % claimed that the role of firewalls will change as we move from traditional network architectures to cloud-based network architectures. 25 % claimed that the role would not change and 8 % of the responses could not be codified.

Table 15: Statistics for Q9.

Responses 12

Responses by academic researchers 8

Responses by others 4

Response rate 60 %


Table 16: Codified results for Q9. Percentage of respondents who answered a certain way. The percentages are with regard to the column’s specified group.

Coding category All who responded Academic researchers Others

Yes 66.67 % 75.00 % 50.00 %

No 25.00 % 12.50 % 50.00 %

Not codified 8.33 % 12.50 % 0.00 %

Fewer responses were received than for Q8, but there were still some elaborative answers given.

One motivation for the role of firewalls not changing with cloud/SDN network architectures was the following.

“I think firewalls will maintain their legacy role, as a ground-level layer of protection, and one of many systems that can help inform the emerging generation of platform security solutions.”

Another respondent reasoned differently.

“Yes, with crucial services being moved to the cloud, hackers will target the cloud more than the enterprise network.”

One respondent argued that the role of firewalls will not change, as they are not enough.

“i don’t think so, firewalls aren’t enough, otherwise they are indispensable in any good security policy. and new security solutions used in SDN nets and Cloud are based on firewalls.”

One respondent answered yes to the question, but did not specify in what way the cloud protection will differ from “traditional” firewalls.

“Yes, Companies will have to rely on the cloud provider protection.”

4.9 Control Question 1: Firewall Ruleset

Q10: Given this firewall ruleset, which of the following statements are true? (Options; select all that apply)


Figure 8: The ruleset referred to in Q10.

The options were the following.

• The local network most likely uses NAT. Correct.

• The ruleset most likely allows hosts on the local network to browse the WWW. Correct.

• The ruleset contains masked/overlapping rules. Correct.

• The ruleset is a realistic and complete example of how a typical corporate firewall might be configured.

• The ruleset contains a serious security flaw.

One point was awarded for each statement that was correctly checked or unchecked, so the highest possible score was five. There was no way of knowing whether a respondent abstained from answering or thought that all statements were incorrect. Thus it was assumed that all respondents answered, and leaving all checkboxes empty resulted in two points (one for each of the two statements that were correctly left unchecked).

Table 17: Results for Q10. Number of points scored by respondents.

    Average                3.3
    Median                 3
    Standard deviation     1.13

Figure 9: Chart for Q10, distribution of scores (x-axis: score, 0 to 5; y-axis: number of responses).

4.10 Control Question 2: Most Important Traffic to Block

Q11: Which of these types of inbound traffic is the most important to block with a firewall? (Options; select one)

The options were the following.

• Telnet. Correct.

• ICMP.

• Whois.

• FTP.

Table 18: Statistics for Q11.

    Responses                           16
    Responses by academic researchers   13
    Responses by others                  3
    Response rate                       80 %
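The two control questions rest on the same kind of reasoning about a ruleset: whether private addressing implies NAT, whether a later rule is masked by an earlier one (Q10), and whether a given inbound service such as Telnet is actually blocked once first-match evaluation is taken into account (Q11). The following is an added example, written for this page and not taken from the thesis; the ruleset in Figure 8 is not reproduced here, so the ruleset below is constructed for illustration. It assumes a stateless, first-match, default-deny firewall inspecting traffic that arrives on the external interface; the rule and packet fields, the `Rule`/`Packet` classes and all addresses are assumptions of the example.

```python
"""First-match firewall ruleset analysis: shadowed rules and inbound reachability.

Added example; the ruleset below is constructed for illustration and is not the
Figure 8 ruleset from the thesis. Assumed semantics: rules are evaluated top-down
on traffic arriving from the external side, the first match decides, and
unmatched traffic is denied.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY_PORT = (0, 65535)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    proto: str                  # "tcp", "udp" or "any"
    src: str                    # source CIDR
    dst: str                    # destination CIDR
    dport: Tuple[int, int]      # inclusive destination port range

    def covers(self, other: "Rule") -> bool:
        """True if every packet matched by `other` is also matched by this rule."""
        return (
            (self.proto == "any" or self.proto == other.proto)
            and ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
            and ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst))
            and self.dport[0] <= other.dport[0]
            and other.dport[1] <= self.dport[1]
        )


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str        # single source address
    dst: str        # single destination address
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    return (
        (rule.proto == "any" or rule.proto == pkt.proto)
        and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
        and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
        and rule.dport[0] <= pkt.dport <= rule.dport[1]
    )


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the deciding rule); ('deny', None) if nothing matched."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, i
    return "deny", None


def shadowed_rules(rules: List[Rule]) -> List[Tuple[int, int]]:
    """(later, earlier) index pairs where `earlier` fully covers `later`.

    A covered rule can never fire. With the same action it is merely redundant;
    with the opposite action it is masked and the policy it expresses is not enforced.
    """
    found = []
    for j, later in enumerate(rules):
        for i in range(j):
            if rules[i].covers(later):
                found.append((j, i))
                break
    return found


def reachable_tcp_ports(rules: List[Rule], src: str, dst: str, ports: List[int]) -> List[int]:
    """Which of `ports` on `dst` a host at `src` can reach through the ruleset."""
    return [p for p in ports if evaluate(rules, Packet("tcp", src, dst, p))[0] == "allow"]


def uses_rfc1918(rules: List[Rule]) -> bool:
    """Protected hosts with RFC 1918 addresses imply NAT toward the Internet."""
    return any(ipaddress.ip_network(r.dst).subnet_of(p) for r in rules for p in RFC1918)


# Constructed inbound ruleset (external interface), evaluated top-down.
RULES = [
    Rule("allow", "tcp", "0.0.0.0/0",   "192.168.1.10/32", (80, 80)),      # 0: public web server
    Rule("allow", "tcp", "0.0.0.0/0",   "192.168.1.10/32", (443, 443)),    # 1: public web server
    Rule("deny",  "tcp", "0.0.0.0/0",   "192.168.1.0/24",  (23, 23)),      # 2: no inbound Telnet
    Rule("allow", "tcp", "10.0.0.0/8",  "192.168.1.0/24",  ANY_PORT),      # 3: partner VPN, every port
    Rule("allow", "tcp", "10.1.2.0/24", "192.168.1.0/24",  (22, 22)),      # 4: redundant, covered by 3
    Rule("deny",  "tcp", "10.1.2.0/24", "192.168.1.20/32", (3389, 3389)),  # 5: masked by 3, never fires
]

if __name__ == "__main__":
    print("private addressing behind firewall (NAT likely):", uses_rfc1918(RULES))
    for later, earlier in shadowed_rules(RULES):
        kind = "redundant" if RULES[later].action == RULES[earlier].action else "MASKED"
        print(f"rule {later} is {kind}: fully covered by rule {earlier}")
    probes = [22, 23, 80, 443, 3389]
    print("from Internet to .10:", reachable_tcp_ports(RULES, "203.0.113.5", "192.168.1.10", probes))
    print("from partner 10.1.2.9 to .20:", reachable_tcp_ports(RULES, "10.1.2.9", "192.168.1.20", probes))
```

The masked rule 5 is the interesting case: the administrator wrote a deny for RDP from the partner subnet, but rule 3 already allows every port from 10.0.0.0/8, so the deny is dead and RDP is in fact reachable. The Telnet deny in rule 2 only holds because it sits above rule 3; moving it below would silently open Telnet to the partner network, which is exactly the kind of ordering mistake a masked-rule check catches before traffic does.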
