a strategy for security testing industrial firewalls
play

A Strategy for Security Testing Industrial Firewalls Thuy D. Nguyen - PowerPoint PPT Presentation

Mar 21, 2024 •283 likes •643 views

A Strategy for Security Testing Industrial Firewalls Thuy D. Nguyen Steve C. Austin Cynthia E. Irvine Department of Computer Science Naval Postgraduate School December 10, 2019 Nguyen, Austin, Irvine (NPS) Security Testing ICS Firewalls 1

  1. A Strategy for Security Testing Industrial Firewalls Thuy D. Nguyen Steve C. Austin Cynthia E. Irvine Department of Computer Science Naval Postgraduate School December 10, 2019 Nguyen, Austin, Irvine (NPS) Security Testing ICS Firewalls 1 / 35

  2. The views expressed in this material are those of the authors and do not reflect the official policy or position of the Naval Postgraduate School or the U.S. Government. Nguyen, Austin, Irvine (NPS) Security Testing ICS Firewalls 2 / 35

  3. Topics Introduction 1 Firewalls Under Test 2 Test Philosophy 3 Test Design 4 Implementation and Analysis 5 Nguyen, Austin, Irvine (NPS) Security Testing ICS Firewalls 3 / 35

  4. Motivation Blind trust — Products meet all vendor security claims. Industrial firewalls provide logical separation between corporate and ICS networks. Vulnerabilities can occur in proprietary hardware, firmware, and software March 2019: 10-hour DoS attack on US power grid due to unpatched firewall 1 1 Western Electric Coordinating Council. Lesson Learned: Risks Posed by Firewall Firmware Vulnerabilities. North American Electric Reliability Corporation. Sept. 2019. Nguyen, Austin, Irvine (NPS) Security Testing ICS Firewalls 4 / 35

  5. Contribution Hypothesis: ICS firewalls do not always provide advertised functionality and are susceptible to exploits launched by open-source software. Contribution: A demonstration of a repeatable methodology for testing ICS firewalls. Framed around functional, exception, and penetration testing Used to verify vendor claims on provided functionality & protection features Tested with two commercial ICS firewalls Nguyen, Austin, Irvine (NPS) Security Testing ICS Firewalls 5 / 35

  6. Firewalls in ICS Network Industrial protocols tested Modbus EtherNet/IP ◮ CIP ◮ EtherNet/IP Remote Method Invocation (RMI) Source: NIST SP 800-82r2 Nguyen, Austin, Irvine (NPS) Security Testing ICS Firewalls 6 / 35

  7. Firewalls Under Test Nguyen, Austin, Irvine (NPS) Security Testing ICS Firewalls 7 / 35

  8. Tofino Security Appliance (SA) Model 9211-ET consists of: Hardware base Tofino Central Management Platform Four loadable security modules (LSM) ◮ Secure Asset Management ◮ Firewall ◮ Event Logger ◮ Modbus TCP Enforcer Nguyen, Austin, Irvine (NPS) Security Testing ICS Firewalls 8 / 35

  9. SA Modes Predeployed : Not configured Passive : Allow all traffic to pass through Test : Analyze traffic but does not enforce blocking policy Operational : Fully functional and blocking traffic per rulesets Decommissioned : All LSMs are deactivated; SA only listens for commands from CMP Nguyen, Austin, Irvine (NPS) Security Testing ICS Firewalls 9 / 35

  10. Tofino Xenon Model TofinoXE-0200T1T1 consists of: Hardware base Tofino Configurator Five loadable security modules (LSM) ◮ NetConnect ◮ Firewall ◮ Event Logger ◮ Modbus TCP Enforcer ◮ EtherNet/IP Enforcer Nguyen, Austin, Irvine (NPS) Security Testing ICS Firewalls 10 / 35

  11. Xenon Modes Passive : Allow all traffic to pass through Test : Examine, but does not block, traffic Operational : Fully functional, blocks traffic per rulesets Nguyen, Austin, Irvine (NPS) Security Testing ICS Firewalls 11 / 35

  12. Product Claims SA Xenon IP spoofing protection Suggested rule creation based on observed traffic patterns Rule creation ◮ Automatic: Based on protocols SSH communications between supported by CMP and PLCs Xenon and Configurator ◮ Assisted: Based on user input Software update derived from CMP log messages ◮ Via Configurator update Secure communications between interface SA and CMP ◮ Directly from USB interface ◮ Wireshark detected SSH Software update must be performed via CMP update interface Nguyen, Austin, Irvine (NPS) Security Testing ICS Firewalls 12 / 35

  13. Known Vulnerabilities Xenon SA SUT was automatically updated to No CVE specific to SA v03.2.01 during initial installation SA uses OpenSSH v5, which has v03.2.00 fixed several CVEs known vulnerabilities ◮ CVE-2010-5107: Connection-slot ◮ CVE-2017-11400: Attacker can modify USB firmware upgrade exhaustion caused by fixed time limit in login logic packages ◮ CVE-2017-15906: SFTP server ◮ CVE-2017-11401: Attacker can allows creation of zero-length send malformed/crafted packets Modbus packets files while in read-only mode ◮ CVE-2017-11402: Attacker can remotely activate rules to bypass firewall Nguyen, Austin, Irvine (NPS) Security Testing ICS Firewalls 13 / 35

  14. Test Philosophy Nguyen, Austin, Irvine (NPS) Security Testing ICS Firewalls 14 / 35

  15. Flaw Hypothesis Methodology (1) A way to conduct systematic penetration testing Use various forms of evidence to develop counter examples to assertions of truth about the system ◮ Manuals, design documents, verification evidence, etc. Support different types of testing ◮ Whitebox, graybox, blackbox Most effective if product vendors cooperate We use the FHM as a guideline for blackbox testing of ICS firewalls Nguyen, Austin, Irvine (NPS) Security Testing ICS Firewalls 15 / 35

  16. Flaw Hypothesis Methodology (2) Technical stages Flaw Generation Flaw Confirmation Flaw Generation Flaw Elimination Nguyen, Austin, Irvine (NPS) Security Testing ICS Firewalls 16 / 35

  17. How We Used FHM Our testing was constrained to available public interfaces and documentation No binary analysis Testing phases FHM mapping Review (in detail) vendor documentation, 1 Phase 1 → protocols, related CVEs Flaw Generation Design tests with enumerated expected 2 Phases 2, 3, 4 → results Flaw Confirmation Execute tests and populate test database 3 Back end of Phase 4 Analyze test results (expected vs. observed) 4 → Flaw Generation Nguyen, Austin, Irvine (NPS) Security Testing ICS Firewalls 17 / 35

  18. Test Design Nguyen, Austin, Irvine (NPS) Security Testing ICS Firewalls 18 / 35

  19. Approach Assumptions Attacker has access to corporate network Attacker has intimate knowledge of Phases of operation under system and processes test Firewall is between attacker and Discovery PLC Configuration Operational Scope Functional testing Exception testing Penetration testing Nguyen, Austin, Irvine (NPS) Security Testing ICS Firewalls 19 / 35

  20. Test Plan (1) Per-test description Test objective A set of preconditions that must be met before running each test ◮ SUT’s mode of operation ◮ Rules to be enforced by active LSMs ◮ Kali Linux configuration Test operation to be performed Special conditions that affect test execution (as applicable) ◮ Ex: If Modbus LSM is active, must have at least one Modbus rule to test USB load Expected results Nguyen, Austin, Irvine (NPS) Security Testing ICS Firewalls 20 / 35

  21. Test Plan (2) Functional testing Objective: Verify vendor claims Tests using open-source tools (Nessus, Metasploit, Wireshark) ◮ IP spoofing protection ◮ SYN flood protection ◮ Support for rule creation ◮ Modbus LSM functionality ◮ EtherNet/IP LSM functionality (Xenon only) ◮ Secure communications between firewall and management platform Tests to verify mode transitions using USB device Nguyen, Austin, Irvine (NPS) Security Testing ICS Firewalls 21 / 35

  22. Test Plan (3) Exception testing Objective: Assess how SUT responds to unusual conditions Tests to check boundary conditions of Modbus commands and register values ◮ Use Metasploit ModbusClient module ◮ Send FC16 Write and FC03 Read commands with register values exceeding valid range (0-49999) Tests to check USB configuration load process for exceptions Nguyen, Austin, Irvine (NPS) Security Testing ICS Firewalls 22 / 35

  23. Test Plan (4) Penetration testing Objective: Assess how SUT responds to exploits Tests common to both SA and Xenon-specific tests Xenon ◮ Java RMI registry interfaces ◮ ARP poisoning enumeration ◮ Web server stack buffer overflow ◮ Java RMI server insecure ◮ SSHv2 fuzzing endpoint code execution scanner ◮ SSH enumerate users ◮ Java RMI server insecure default ◮ SSH version scanner configuration Java code ◮ SSH key exchange DoS execution ◮ Remote syslog long tag DoS Nguyen, Austin, Irvine (NPS) Security Testing ICS Firewalls 23 / 35

  24. Summary of Tests D C O UC Total SA tests Functional 4 4 9 5 22 Exception 2 2 2 4 10 Penetration 7 7 7 0 21 Total 13 13 18 9 53 Xenon tests Functional 4 4 10 4 22 Exception 2 2 2 3 9 Penetration 10 10 10 0 30 Total 16 16 22 7 61 D=discovery; C=configuration; O=operational; UC=configuration via USB Nguyen, Austin, Irvine (NPS) Security Testing ICS Firewalls 24 / 35

  25. Implementation and Analysis Nguyen, Austin, Irvine (NPS) Security Testing ICS Firewalls 25 / 35

  26. ICS Test Network Nguyen, Austin, Irvine (NPS) Security Testing ICS Firewalls 26 / 35

  27. Test Topology Nguyen, Austin, Irvine (NPS) Security Testing ICS Firewalls 27 / 35

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Firewalls Network Security: Firewalls, A system or combination of systems VPNs, and

Firewalls Network Security: Firewalls, A system or combination of systems VPNs, and

Firewalls Network Security: Firewalls, A system or combination of systems VPNs, and Honeypots that enforces a boundary between two CS 239 or more networks - NCSA Firewall Functional Summary Computer Security Usually, a

271 views • 10 slides
INDUSTRIAL STRATEGY November 2012 Why do we need industrial strategy Industrial strategy

INDUSTRIAL STRATEGY November 2012 Why do we need industrial strategy Industrial strategy

INDUSTRIAL STRATEGY November 2012 Why do we need industrial strategy Industrial strategy activity The Heseltine Review 2 Structural changes in the international economy will impact the UK Globalisation and rise of BRICS are changing

748 views • 12 slides
Firewalls Summary Brief History of Firewalls What is a Firewall? Why Firewalls?

Firewalls Summary Brief History of Firewalls What is a Firewall? Why Firewalls?

Firewalls Summary Brief History of Firewalls What is a Firewall? Why Firewalls? Network Address Translation Types of Firewalls Linux/Windows Firewalls pfSense Blue Team Activity Brief History Firewall

348 views • 30 slides
AN AUTOMATED TESTING PROCEDURE TO EVALUATE INDUSTRIAL DEVICES COMMUNICATION ROBUSTNESS Author:

AN AUTOMATED TESTING PROCEDURE TO EVALUATE INDUSTRIAL DEVICES COMMUNICATION ROBUSTNESS Author:

AN AUTOMATED TESTING PROCEDURE TO EVALUATE INDUSTRIAL DEVICES COMMUNICATION ROBUSTNESS Author: Filippo Tilaro Supervised by: Brice Copy Overview Scope & Objectives IT & Industrial Security Model Security Metrics & Testing

327 views • 15 slides
The Road Ahead Security Vulnerabilities DoS and D-DoS Firewalls Security

The Road Ahead Security Vulnerabilities DoS and D-DoS Firewalls Security

CS 640: Introduction to Computer Networks Aditya Akella Lecture 25 Network Security The Road Ahead Security Vulnerabilities DoS and D-DoS Firewalls Security Vulnerabilities Security Problems in the TCP/IP Protocol

1.29k views • 13 slides
Cryptography and network security Firewalls slide 1 Firewalls Idea: separate local network

Cryptography and network security Firewalls slide 1 Firewalls Idea: separate local network

Cryptography and network security Firewalls slide 1 Firewalls Idea: separate local network from the Internet Trusted hosts and networks Firewall Router Intranet Demilitarized Zone: DMZ publicly accessible servers and networks

746 views • 31 slides
SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY TESTING CONCEPTS 3. SECURITY TESTING TYPES 4. TOP 10 SECURITY RISKS Few Security Breaches Date: 2013-14 September 2016, while in negotiations to

404 views • 18 slides
FIRE|WALLS Ohad Katz Overview What are Firewalls Why we need them Types of Firewalls

FIRE|WALLS Ohad Katz Overview What are Firewalls Why we need them Types of Firewalls

FIRE|WALLS Ohad Katz Overview What are Firewalls Why we need them Types of Firewalls (Categories) Implementation Best practices What are Firewalls? Internet Firewall Client/Host Network Network Security

585 views • 39 slides
CS 5410 - Computer and Network Security: Firewalls Professor Kevin Butler Fall 2015

CS 5410 - Computer and Network Security: Firewalls Professor Kevin Butler Fall 2015

CS 5410 - Computer and Network Security: Firewalls Professor Kevin Butler Fall 2015 Southeastern Security for Enterprise and Infrastructure (SENSEI) Center Firewalls A firewall ... is a physical barrier inside a building or vehicle,

555 views • 23 slides
Firewalls Computer Center, CS, NCTU Firewalls Firewall A piece of hardware and/or

Firewalls Computer Center, CS, NCTU Firewalls Firewall A piece of hardware and/or

Firewalls Computer Center, CS, NCTU Firewalls Firewall A piece of hardware and/or software which functions in a networked environment to prevent some communications forbidden by the security policy. Choke point between secured

613 views • 34 slides
Testing security of CPS with Formal Methods Application (in progress) to industrial protocols IoS

Testing security of CPS with Formal Methods Application (in progress) to industrial protocols IoS

Testing security of CPS with Formal Methods Application (in progress) to industrial protocols IoS & IoT Roland Groz, Jean-Luc Richier, Maxime Puys, Laurent Mounier Univ. Grenoble Alpes LIG/Vasco + Vrimag/PACSS Kobe Universit

1.02k views • 33 slides
Firewalls Summary ITS335: IT Security Sirindhorn International Institute of Technology

Firewalls Summary ITS335: IT Security Sirindhorn International Institute of Technology

ITS335 Firewalls Characteristics Types Locations Firewalls Summary ITS335: IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 25 October 2013 its335y13s2l08,

245 views • 23 slides
Firewalls 1 Outline What are firewalls? Types of Firewalls Building a simple

Firewalls 1 Outline What are firewalls? Types of Firewalls Building a simple

Firewalls 1 Outline What are firewalls? Types of Firewalls Building a simple firewall using Netfilter Iptables firewall in Linux Stateful Firewall Application Firewall Evading Firewalls 2 Firewalls

811 views • 55 slides
Network Security Architecture 1 Additional Reading Firewalls and Internet Security:

Network Security Architecture 1 Additional Reading Firewalls and Internet Security:

Network Security Architecture 1 Additional Reading Firewalls and Internet Security: Repelling the Wily Hacker, Cheswick, Bellovin, and Rubin. New second edition Firewall and Internet Security, the Second Hundred (Internet)

801 views • 78 slides
Outline Firewalls and NAT boxes CSci 5271 Introduction to Computer Security Announcements

Outline Firewalls and NAT boxes CSci 5271 Introduction to Computer Security Announcements

Outline Firewalls and NAT boxes CSci 5271 Introduction to Computer Security Announcements intermission Day 22: Firewalls, NATs, and IDSes Stephen McCamant Intrusion detection systems University of Minnesota, Computer Science &

308 views • 4 slides
Outline Firewalls and NAT boxes CSci 5271 Introduction to Computer Security Announcements

Outline Firewalls and NAT boxes CSci 5271 Introduction to Computer Security Announcements

Outline Firewalls and NAT boxes CSci 5271 Introduction to Computer Security Announcements intermission Day 21: Firewalls, NATs, and IDSes Stephen McCamant Intrusion detection systems University of Minnesota, Computer Science &

260 views • 5 slides
The Dark Side of Operational Wi-Fi Calling Services Tian Xie 1 , Guan-Hua Tu 1 , Chi-Yu Li 2 ,

The Dark Side of Operational Wi-Fi Calling Services Tian Xie 1 , Guan-Hua Tu 1 , Chi-Yu Li 2 ,

The Dark Side of Operational Wi-Fi Calling Services Tian Xie 1 , Guan-Hua Tu 1 , Chi-Yu Li 2 , Chunyi Peng, Mi Zhang 1 1 Michigan State University 2 National Chiao Tung University 3 Purdue University Wi-Fi Calling Services Wi-Fi Calling

621 views • 31 slides
New developments on BREACH Dimitris Karakostas, Dionysis Zindros Stanford, Real World Crypto

New developments on BREACH Dimitris Karakostas, Dionysis Zindros Stanford, Real World Crypto

New developments on BREACH Dimitris Karakostas, Dionysis Zindros Stanford, Real World Crypto 2016 Overview BREACH review Our contributions Statistical attacks Attacking block ciphers Attacking noise Optimization

477 views • 33 slides
IoT Security in Action! Julien Vermillard , Sierra Wireless @vrmvrm -

IoT Security in Action! Julien Vermillard , Sierra Wireless @vrmvrm -

IoT Security in Action! Julien Vermillard , Sierra Wireless @vrmvrm - jvermillard@sierrawireless.com EclipseCON EU 2016 Introduction Managing connected devices Why it is simple to exploit non-secured systems How simple to have the minimum

1.14k views • 39 slides
Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University

Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University

Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University of Michigan 2013 Network Security Fundamentals Module 3 Network Protocol Attacks Roadmap Network security The basic objectives: CIA

1.68k views • 39 slides
CNT5410 - Computer and Network Security Review/Wrapup Professor Kevin Butler Fall 2015 Florida

CNT5410 - Computer and Network Security Review/Wrapup Professor Kevin Butler Fall 2015 Florida

CNT5410 - Computer and Network Security Review/Wrapup Professor Kevin Butler Fall 2015 Florida Institute for Cyber Security (FICS) Review What did we talk about this semester? Cryptography secret vs public-key key exchange

828 views • 18 slides
Virtualization && (and) || (or) ^^ (exor) Security Usual OS diagram Traditional

Virtualization && (and) || (or) ^^ (exor) Security Usual OS diagram Traditional

Virtualization && (and) || (or) ^^ (exor) Security Usual OS diagram Traditional kernel: Control HW access CPU (timesharing) (virtual) memory Disk (File system) Devices (net, console, video, audio etc) Kernel

614 views • 18 slides
ARP Address Resolu,on Protocol Security Joo Paulo Barraca

ARP Address Resolu,on Protocol Security Joo Paulo Barraca

ARP Address Resolu,on Protocol Security Joo Paulo Barraca jpbarraca@ua.pt 1 Networking Basics Communica,on in packet networks rely on several

319 views • 20 slides
Atlan?cWave-SDX: An Interna?onal SDX to Support Science Data Applica?ons Jeronimo A. Bezerra and

Atlan?cWave-SDX: An Interna?onal SDX to Support Science Data Applica?ons Jeronimo A. Bezerra and

Atlan?cWave-SDX: An Interna?onal SDX to Support Science Data Applica?ons Jeronimo A. Bezerra and Joaqun Chung <jbezerra@fiu.edu>, <joaquin.chung@gatech.edu> Outline Introducing LSST as an Use Case Presen?ng LSST

371 views • 18 slides

More recommend