JANI BONNEVIER
SEBASTIAN HEIMLÉN
• Definitions of Concepts
• Firewalls vs. Services as Targets for Direct Attack
• The Past and Future of Firewalls
• Approach to Estimating Firewall Security
• Firewall Configuration and Security Policies
These areas are explored using a questionnaire survey. Each question in the
questionnaire is either tied to a particular area, or is used to evaluate the re-
spondents’ credibility. The questionnaire has 15 questions, many of which ask
for free text answers. The group of potential respondents consists of 209 indi-
viduals, of whom about 75 % are authors of scientific articles that discuss fire-
walls, penetration testing, and other relevant topics. The rest are information
security professionals, journalists or bloggers of varying merit that were found
online.
The conclusions drawn based on the results include, among other things:
Keywords
• Definitions of Concepts
• Firewalls vs. Services as Targets for Direct Attack
• The History and Future of the Firewall
• Approach to Estimating Firewall Security
• Firewall Configuration and Security Policies
These areas are explored through a questionnaire study. Each question in the questionnaire either belongs to a specific area or is used to evaluate the respondents’ credibility. The questionnaire has 15 questions, many of which ask for free text answers. The group of potential respondents consists of 209 individuals, of whom about 75 % are authors of scientific articles dealing with firewalls, penetration testing and other relevant topics. The rest are professional security consultants, journalists or bloggers with varying merits in information security or networking. 20 responses to the questionnaire were received. Answers to qualitative questions were classified in order to produce quantitative data.
Keywords
brute force attack — A repetitive method of trial and error used to obtain in-
formation, typically a person’s username, password or cryptographic key. Soft-
ware is used to generate a large number of guesses, which are then tested until
the correct value is found.
DNS — Domain Name System. A system that maps domain names to IP ad-
dresses. In the context of this thesis, DNS refers to the network services pro-
vided by DNS servers.
firewall — A device that monitors traffic in and out of a local area network and
either allows or denies passage according to its configuration/ruleset.
FTP — File Transfer Protocol. In the context of this thesis, FTP refers to the
network services provided by FTP servers.
SMTP — Simple Mail Transfer Protocol. A protocol for sending email. In the
context of this thesis, SMTP refers to the network services provided by outgoing
SMTP email servers.
1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.1 Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.2 Problem Statement . . . . . . . . . . . . . . . . . . . . . . . . 2
1.3 Purpose . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.4 Research Strategy . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.5 Goals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.6 Societal Benefits and Ethics . . . . . . . . . . . . . . . . . . . 4
1.7 Delimitations . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.8 Outline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2 Theoretical Background . . . . . . . . . . . . . . . . . . . . . . . 5
2.1 Security Policies . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.2 Firewall Fundamentals . . . . . . . . . . . . . . . . . . . . . 5
2.3 Research Methods and Methodologies . . . . . . . . . . . . 7
2.4 Practical Requirements for Scientificity . . . . . . . . . . . 10
2.5 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
3 Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
3.1 Research Questions . . . . . . . . . . . . . . . . . . . . . . . . 13
3.2 Practical Implementation of Research Method . . . . . . . 16
3.3 Coding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
3.4 Weighting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
4 Result . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
4.1 Respondents’ Experience . . . . . . . . . . . . . . . . . . . . 21
4.2 Respondents’ Roles in Information Security . . . . . . . . . 22
4.3 Regularly Examines Firewalls . . . . . . . . . . . . . . . . . 23
4.4 Definition of a Firewall Configuration Error . . . . . . . . . 24
4.5 Definition of Firewall Breach . . . . . . . . . . . . . . . . . . 26
4.6 Firewall vs. Services as Targets for Attack . . . . . . . . . . 29
4.7 The Role of Firewalls Over the Last Five Years . . . . . . . 31
4.8 The Role of Firewalls in the Cloud . . . . . . . . . . . . . . . 32
4.9 Control Question 1: Firewall Ruleset . . . . . . . . . . . . . 33
4.10 Control Question 2: Most Important Traffic to Block . . . . 35
4.11 Most Frequently Exposed Services . . . . . . . . . . . . . . . 36
4.12 Most Frequently Vulnerable Services . . . . . . . . . . . . . 40
4.13 Match Between Firewall Configurations and Security Policies . . . 42
4.14 Percentage of Firewalls with Configuration-Policy Mismatches 43
4.15 Correlation Between Vulnerable and Exposed Network Services . . . 43
4.16 Correlation Between Q14 and Q15 . . . . . . . . . . . . . . . 46
5 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
5.1 Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
5.2 Research Methods . . . . . . . . . . . . . . . . . . . . . . . . 49
5.3 Validity and Reliability . . . . . . . . . . . . . . . . . . . . . . 50
5.4 Scientificity . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
5.5 Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
5.6 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
5.7 Future Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Appendix A: The Questionnaire . . . . . . . . . . . . . . . . . . . . 61
1 Introduction
This section introduces the thesis, the background to the problem, the problem
statement, the purpose, the research strategy, and goals of the project.
One of those security features can be likened to a border control between the
Wild West of the Internet and private local area networks, namely, the firewall.
A firewall is a device or computer program created to protect networks inside the
firewall from malicious traffic by filtering the traffic into and out of networks.
Firewalls are, in some sense, not a core feature of the Internet; they have to be
bought, installed and configured correctly to do their job properly. They also
have to be continuously maintained. The same goes for applications that run
inside the network. As a computer network grows larger and more applications
are installed and used, the complexity of managing and updating these applica-
tions, as well as the firewall, increases. Thus the risk of failing to maintain the
security of the network also increases as the network grows.
1.1 Background
This study emerged from one company and their efforts to extend their product.
1.1.1 Foreseeti
Foreseeti is an IT-security company based and located in Stockholm, Sweden.
Foreseeti was founded in 2014 and strives to become a “global leader in quantita-
tive threat modeling and proactive risk management”. Foreseeti has developed
a product called SecuriCAD®, which is a threat modeling and risk management
tool that can be used to analyze IT infrastructure and model threats and weak-
nesses [1].
attacker to breach a firewall in the case it contains a misconfiguration. The cor-
relation between firewall misconfigurations and the time to breach the firewall
has not been studied much. Foreseeti wanted to conduct a quantitative study on
firewalls, the results of which could be used to directly improve SecuriCAD®.
The statement essentially calls for the quantification of firewall security. This is
a question Foreseeti have had trouble answering, and this project was initially
going to attempt the same.
quickly the role of the firewall changes. How, if at all, has it changed re-
cently, or will it change in the future?
• Approach to Estimating Firewall Security: Could one approach to
estimating firewall security be to study the relationship between the fire-
wall and the services it protects?
• Firewall Configuration and Security Policies: How well do firewall
configurations match the security policies of the organizations in which
they are deployed?
1.3 Purpose
The purpose of this thesis is to explore the role of firewalls as a security measure
in corporate computer networks. This is done by researching a few more specific
questions concerning firewalls, such as definitions of concepts, to what degree
they are targeted by attackers, how their role is changing, how their security can
be estimated and how well configured they tend to be. This thesis aims to be a
step along the way toward creating a threat model for firewalls.
1.5 Goals
This thesis has several goals, namely:
1.5.1 Academic
The academic goal of the thesis is to answer a problem statement by carrying out
a project on a scientific basis using methods and methodologies that are proven
and correct. By writing a good thesis that meets all course requirements, the
authors will finish their studies at KTH Royal Institute of Technology.
1.5.2 Industrial
The industrial goal is to provide results that would be of use to Foreseeti in the
future development of their threat model. Since the thesis tries to provide an-
swers to problems regarding firewalls used in corporate settings, other actors in
the industry may also benefit from the findings.
1.5.3 Scientific
Scientifically, the goal is to carry out a valid and reliable study that can be of use
to other researchers. As previously stated, this thesis can be seen as a prestudy
for future research.
1.6 Societal Benefits and Ethics
The results presented could possibly benefit corporations that wish to evaluate
the security of their systems. This, in turn, could be beneficial to society as a
whole. Increasing amounts of people’s personal information are kept online to-
day. When corporations become less vulnerable to attacks, the leakage of this
personal information might be reduced. Higher security in corporations would
likely lead to fewer successful attacks and breaches, which would save
corporations and society a lot of money. Also, a large part of the Internet is made up of
corporate networks. By securing these networks there would be fewer hosts for
malware to spread through, which in turn could reduce the spreading of mal-
ware in general [6].
Since firewalls are an important part of corporate network security, the data
collected as part of this project is considered sensitive. All respondents are kept
completely anonymous because the information they might provide could po-
tentially be used by bad actors to identify real, vulnerable systems.
1.7 Delimitations
This study is concerned with only network firewalls and not personal firewalls,
which are applications installed on individual workstations or laptops. Network
firewalls, on the other hand, are software-, hardware- or cloud-based solutions
that protect entire networks from the dangers that lurk outside. This study is
not concerned with information security matters that do not involve firewalls,
unless brought up by respondents. One example of such a matter would be social
engineering attacks.
1.8 Outline
Section 2 provides a theoretical background that some may need in order to
understand the rest of the thesis. Moreover, it presents a theoretical overview of
research methods and methodologies that were considered for this study. It also
presents practical requirements for scientificity in a research method. Lastly, it
discusses previous work that is related to this thesis. Section 3 accounts for the
choice of theoretical research methods. Furthermore, each research question is
discussed. Lastly, the practical implementation of the research method is pre-
sented. In Section 4 the results of the study are presented. Section 5 discusses
the acquired results for each of the problem statements, the research methods
used in the study and the validity and reliability of the study. Furthermore, the
scientificity of the study is evaluated, conclusions are presented and possible
future work related to the study is suggested.
2 Theoretical Background
This section aims to give a theoretical background needed to be able to under-
stand the remainder of the thesis and also explains why our problem is a prob-
lem in the first place. This section also gives a theoretical background on various
research methods and methodologies. The specific methodologies used in this
project are discussed in Section 3.
Section 2.1 gives a short explanation of security policies. Section 2.2 explains
why firewalls exist and describes a few ways of attacking networks. Section 2.3
provides a theoretical overview of research methods and methodologies. Section
2.4 discusses what is required for a project to be scientific. Section 2.5 is an
account of related work and studies that have been made regarding firewalls
and how this study differs from them.
Table 1: An example firewall ruleset containing three rules.
Phishing is a widely used technique that takes advantage of the fact that a hu-
man is much easier to manipulate and trick than a security system. According
to Dhamija [10], computer users, in general, lack the knowledge regarding op-
erating systems and security needed to distinguish phishing from legit emails
and websites. Users are also easily deceived by the often very well made faked
images and text in phishing attempts. By utilizing phishing, an attacker can
essentially circumvent all security measures in place. It does not matter how
secure the perimeter of the infrastructure is, if the attacker can trick the correct
person into giving up the correct information or downloading malware.
Denial of firewalling (DoF) is an attack that stems from the more general denial of
service attacks. During a DoF attack, carefully crafted traffic is used to overload
a firewall. The overloading of the firewall has two possible outcomes. One is
that all traffic is denied, resulting in the network not being reachable; a form of
sabotage. The other, generally preferred outcome (for the attacker), is that
the firewall becomes so busy that it cannot authenticate the traffic but instead
lets all traffic through. A well-crafted DoF attack can thus disable the firewall
entirely, leaving the network completely vulnerable to further attacks [11].
What constitutes a configuration error is one of the definitional questions studied
in this thesis. What follows is therefore an introductory explanation of
approximately what one might mean by the term.
Configuration errors are either errors in the firewall ruleset or errors such as
using the default password for the administration interface, exposing the ad-
ministration interface publicly on the Internet or allowing unencrypted remote
access to the administration interface via Telnet [4].
What specifically constitutes a firewall ruleset error depends on the wider se-
curity policy of the organization in question. Any firewall ruleset that does not
comply with the organization’s stated security policy should be treated as a fire-
wall ruleset error. Generally, if a firewall allows an unauthorized agent to access
internal systems or information, it should most likely be considered a firewall
ruleset error.
Other configuration errors may compromise the security of the firewall inde-
pendently of the actual firewall ruleset. It does not matter how well configured
the firewall’s ruleset is if the actual configuration of the firewall itself is left
insecure. For example, exposing the administration interface publicly on the
Internet is a major security issue even if the interface is password protected. An
attacker could perform a brute force attack to figure out the password and get
access to the configuration of the firewall. Another example is using the default
password for the administration interface. This renders the firewall useless if
an attacker gets access to the interface.
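The kinds of configuration error described above (a ruleset that does not match the stated policy, contradictory rules, and an administration interface that is exposed or reachable over an unencrypted protocol) can be checked mechanically. The following added example is not part of the thesis: it audits a constructed ruleset against a constructed policy, and the Rule and Policy types, addresses and rules are all assumed for illustration.

```python
"""Audit a firewall ruleset against a stated security policy (added example)."""
from __future__ import annotations
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "deny"
    src: str           # CIDR, or "any" for 0.0.0.0/0
    dst: str           # CIDR, or "any"
    proto: str         # "tcp", "udp" or "any"
    dport: int | None  # None means any destination port


@dataclass(frozen=True)
class Policy:
    exposures: tuple       # (dst CIDR, proto, dport) triples the Internet may reach
    mgmt_addr: str         # address of the firewall's administration interface
    internal_nets: tuple   # source networks that are not "the Internet"
    admin_ports: frozenset = frozenset({22, 443})   # encrypted management protocols
    insecure_ports: frozenset = frozenset({23})     # Telnet: cleartext management


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    return (_net(inner.src).subnet_of(_net(outer.src))
            and _net(inner.dst).subnet_of(_net(outer.dst))
            and outer.proto in ("any", inner.proto)
            and outer.dport in (None, inner.dport))


def _hits_port(rule: Rule, ports: frozenset) -> bool:
    return rule.dport is None or rule.dport in ports


def audit(rules: list[Rule], policy: Policy) -> list[tuple[str, int, str]]:
    """Return (category, rule index, explanation) for every configuration error found."""
    findings = []
    for i, rule in enumerate(rules):
        # Contradictory rules: an earlier rule with the opposite action already
        # matches everything this rule matches, so this rule never takes effect.
        for j in range(i):
            if rules[j].action != rule.action and covers(rules[j], rule):
                findings.append(("contradictory", i,
                                 f"rule {i} is shadowed by rule {j} ({rules[j].action})"))
                break
        if rule.action != "allow":
            continue
        external = not any(_net(rule.src).subnet_of(_net(n)) for n in policy.internal_nets)
        to_mgmt = _net(policy.mgmt_addr).subnet_of(_net(rule.dst))
        # Administration interface reachable over an unencrypted protocol (Telnet).
        if to_mgmt and _hits_port(rule, policy.insecure_ports):
            findings.append(("insecure_admin", i,
                             f"rule {i} allows cleartext access to the management interface"))
        # Administration interface reachable from outside the organisation.
        if external and to_mgmt and _hits_port(rule, policy.admin_ports | policy.insecure_ports):
            findings.append(("exposed_admin", i,
                             f"rule {i} exposes the management interface to the Internet"))
        # Ruleset-policy mismatch: an Internet-facing allow not covered by any stated exposure.
        allowed = (Rule("allow", "any", dst, proto, port) for dst, proto, port in policy.exposures)
        if external and not any(covers(a, rule) for a in allowed):
            findings.append(("policy_mismatch", i,
                             f"rule {i} permits traffic the security policy does not allow"))
    return findings


# Constructed sample: a small perimeter ruleset, evaluated top to bottom.
SAMPLE_RULES = [
    Rule("allow", "any", "203.0.113.10/32", "tcp", 443),       # public web server
    Rule("allow", "any", "203.0.113.25/32", "tcp", 25),        # inbound SMTP
    Rule("allow", "any", "203.0.113.1/32", "tcp", 23),         # Telnet to the firewall itself
    Rule("deny", "any", "203.0.113.0/24", "any", None),        # default deny for the DMZ
    Rule("allow", "10.0.0.0/8", "203.0.113.1/32", "tcp", 22),  # admin SSH, placed after the deny
]
# Constructed sample policy: only the web and mail servers are meant to be reachable.
SAMPLE_POLICY = Policy(
    exposures=(("203.0.113.10/32", "tcp", 443), ("203.0.113.25/32", "tcp", 25)),
    mgmt_addr="203.0.113.1/32",
    internal_nets=("10.0.0.0/8",),
)

if __name__ == "__main__":
    for category, index, text in audit(SAMPLE_RULES, SAMPLE_POLICY):
        print(f"[{category}] {text}")
```

Rules are compared by coverage rather than textual equality, so a broad deny placed before a narrower allow is reported as contradictory even though the two rules look different.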
2.3.1 Categorization of Research Methods
Research methods in [12] are divided into two main categories: quantitative and
qualitative. A quantitative study is concerned with collecting and/or analyzing
large sets of concretely measurable data. A qualitative study, on the other hand,
is more exploratory in nature and aims to reach tentative hypotheses and the-
ories. Finally, triangulation is the practice of utilizing both quantitative and
qualitative methods in order for them to complement each other.
Positivism assumes that “the reality is objectively given and independent of the
observer and instruments.” Therefore Positivism is useful in projects of experi-
mental and testing character.
Realism assumes that there exists an objective reality independent of any ob-
server or interpretation, but views scientific knowledge as a mere approxima-
tion of the truth. The realist collects data by observing a phenomenon and then
works with understanding the collected data and developing knowledge from it
[12].
Criticalism assumes that “the reality is socially, historically, and culturally
constituted, produced and reproduced by people”. Criticalism can be used to learn
about social, historical and cultural aspects of people and things produced by
people [12].
The Experimental research method studies reasons for, and effects of certain
phenomena. It can be used to compare effects of different scenarios against each
other, given different causes. An example usage is system performance testing.
The Descriptive research method studies and describes the characteristics of
different phenomena in different scenarios, but does not study their causes and
effects. The Descriptive research method often uses surveys, case studies or
observations to produce and describe representations of situations.
Ex post facto research is carried out after the data have already been collected.
It attempts to find causal factors by studying the past.
Based on this practical sequence, Andersson and Ekholm also present a method
to evaluate the scientific quality of research projects that utilize the method
above. The evaluation involves identifying the existence of certain aspects in
the written work that describes the project. These aspects are described by An-
dersson and Ekholm as characteristic of a project with a scientific approach.
Based on whether these aspects are accounted for, one can get a hint of whether
a given project used a scientific approach or not.
Alsaleh et al. [17] present a set of quantitative metrics for measuring the security
level of an enterprise firewall based on its ruleset configuration. The metric can
be used to compare the security of different firewalls against each other. While
the metric is useful for many purposes and certainly would be interesting to ap-
ply to data such as Wool’s, we cannot make use of it given our choice of research
methods. This study instead explores an alternative approach to estimating fire-
wall security.
3 Method
What follows is a description of the study in terms of the methods and method-
ologies discussed in Section 2.3.
The project group hopes to collect definitions by experts for these concepts, not
least to see whether an established consensus already exists. The proposed def-
initions are collected with the following questionnaire questions.
Q5: How would you define the act of “breaching a firewall”? (Free
text answer)
The answers to this question can provide insights into how firewall security
could be modeled. In the case that firewalls are a target for attackers, it is im-
portant to consider the degree to which firewalls themselves are resistant to at-
tacks. In the other case, firewall configuration is of greater importance. Par-
ticularly relevant are answers from penetration testers who regularly breach or
circumvent firewalls. Answers to this question are collected using the following
questionnaire question.
The question tries to determine the degree to which previous studies on firewall
security are still relevant, or for how long they might remain relevant. Answers
are collected using the following questionnaire questions.
Q8: Has the role of the firewalls changed during the last 5 years?
How and why? (Free text answer)
If it is the case that network services, rather than firewalls, are targets for direct
attack, one should explore ways to model firewall security with services in mind.
To study this relationship, two sets of answers are wanted: one that determines
the most frequently exposed network services and another that determines the
most frequently vulnerable ones. The correlation between the two could then be
studied. Answers are collected using the following questionnaire questions.
One possible way of defining a firewall configuration error (which was one of the
questions in Section 3.1.1) is as a mismatch between the firewall configuration
and the organization’s security policy. Given this definition, the project group
wants to study how well configured firewalls tend to be. Answers are collected
using the following questionnaire questions. They are essentially the same ques-
tion, formulated differently.
Q14: How well does the configuration of the typical perimeter fire-
wall you have encountered match the organization’s security pol-
icy? (Answer given as a number ranging from 1-5, where 1 represents
“Several Mismatches” and 5 represents “Perfect Match”)
Q1: For how many years have you been working with, or research-
ing information security?
Q2: What is your primary role within the field of information se-
curity? (Options or free text answer)
3.2 Practical Implementation of Research Method
The practical work of this project aimed to utilize the theoretical research method
(described in the beginning of Section 3) while ensuring some level of scien-
tificity (discussed in Section 2.4) and keeping in concordance with the project
triangle, as proposed by Ekholm [18].
This research project was therefore divided into three phases. The phases are
listed in chronological order and depend on each other. Each phase is an essen-
tial part of the project and contributes to the end result. One of the phases was
conducted as an iterative process. What follows is a description of each phase
of the project.
• Firewalls
• Network security
• Network architecture
The literature study was mainly conducted by reading published literature that
was found through research libraries such as IEEE Xplore and ACM Digital
Library. The research yielded relevant information in the form of previous
studies and references that could be used in this study, as well as perspectives
that were used to formulate the research questions.
• Questionnaire design. The initial design of the questionnaire and the
questions at hand were formed.
• Questionnaire prestudy. A prestudy was conducted, where the ques-
tionnaire was tested and evaluated.
• Redesign of the questionnaire. After the prestudy, the questionnaire
was redesigned according to the feedback from the prestudy.
The design of the questionnaire was done according to some tips given by Har-
rison [19]. The questionnaire was kept as short as possible, with as few and
as straightforward questions as possible. 15 questions in total made for a good
length. This should be enough questions to collect the desired data, while still al-
lowing the respondents to properly fill in the questionnaire in a short amount of
time. The questionnaire had to be general enough so that it could be filled out by
people working with information security, but not necessarily strictly firewalls.
During the entirety of this project phase, another process was also carried out,
namely that of finding potential respondents. In order to conduct as good of
a study as possible, it was important to find competent respondents who pos-
sessed knowledge of information security in general and firewalls in particular.
To help ensure that a sufficient number of responses were received, from various
perspectives, the questionnaire was not solely distributed to firewall specialists.
People from various professions in the field of information security were sought,
although the bulk (about 75 %) of potential respondents ended up being authors
of scientific articles that discuss firewalls, penetration testing and other relevant
topics. The rest were information security or network professionals, journalists
or bloggers of varying merit that were found online.
Subsequently, the questionnaire was deemed ready for publishing. The ques-
tionnaire was created and distributed via Google Forms, which allowed for an
easy and quick distribution of the survey to a large number of respondents around
the world. It also allowed for anonymity (with some caveats, see Section 5.5.1)
which was important to offer to all respondents. The questionnaire remained
open for responses for one week. This was determined to be enough time to al-
low most people who wanted to respond to do so. About half of the respondents
submitted their response within the first 24 hours of the questionnaire being
opened.
[Figure: the questionnaire phase as a flow of steps: questionnaire design, finding potential respondents, questionnaire prestudy, questionnaire redesign, publishing the questionnaire.]
To utilize the advantages of iterative processes, the analysis of the data was done
in iterations. One iteration was carried out for each of the research questions
listed in Section 3.1. In each iteration, the data from the questionnaire regard-
ing that research question were analyzed and discussed. Thanks to this iterative
process, the project ran no risk of running out of time prior to deriving any con-
clusions at all.
3.3 Coding
Qualitative free text answers are codified in an inductive manner, meaning that
the set of possible coding categories for each question is not known in advance,
but derived from the responses. The percentage $P_C$ of responses codified under
category $C$ is calculated as
$$P_C = \frac{R_C}{R}$$
where $R_C$ is the number of responses codified under $C$, and $R$ is the total number
of responses (very elementary math).
For some questionnaire questions, a single response can be codified under more
than one category. The sum of the percentages of responses codified under each
of the categories respectively may in such cases exceed 100 %. For example, if
the categories are “Yes” and “No”, a nuanced response (e.g. “Yes, because ___,
but on the other hand, ___”) may be codified as both. A more decisively positive
response would be codified as simply “Yes”. In this example, $P_{\text{Yes}} = R_{\text{Yes}}/R = 2/2 = 100\,\%$ and $P_{\text{No}} = R_{\text{No}}/R = 1/2 = 50\,\%$, and the sum would be $100\,\% + 50\,\% = 150\,\% > 100\,\%$.
3.4 Weighting
The results of two of the questionnaire questions (Q12 and Q13) are weighted us-
ing a custom method. The exact formula is presented in Section 4.11.1 (because
it is quite closely tied to the specific questions), but its essence is that the value
of each response is multiplied by the sum of the respondent’s stated experience
(Q1) and score on control questions (Q10 and Q11).
Experience ranges from 0 to the maximum length of a person’s career (on the
order of tens of years) and the control question score ranges from 0 to 6. The
balance between these two aspects affects the weighting significantly and was
considered carefully. Ultimately, however, the current balance, where the max-
imum control question score is worth as much as 6 years of experience, is ad-
mittedly somewhat arbitrary. The group concluded that experience in the field,
even if not directly related to firewalls, is more important for credibility than the
control question score. On the other hand, the control question score is arguably
more reliable, because it is not subject to fabrication in the same way that the
stated amount of experience is.
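As an added illustration that is not part of the thesis, the following code computes the coding percentages of Section 3.3 per respondent group (a response may carry several categories, so the percentages can sum to more than 100 %) and applies the experience-plus-control-score weighting of Section 3.4. The responses are constructed, and the weighted tally is an assumed reading of the weighting described above; the exact formula used in the thesis is in Section 4.11.1.

```python
"""Coding percentages and credibility weighting for questionnaire responses."""
from collections import Counter

# Constructed sample responses to one free-text question. Each carries the
# respondent's group, stated years of experience (Q1), control-question score
# (Q10 + Q11, 0..6) and the set of coding categories assigned inductively to
# the answer; a nuanced answer may be codified under more than one category.
RESPONSES = [
    {"group": "academic", "years": 12, "control": 5, "codes": {"Yes"}},
    {"group": "academic", "years": 3,  "control": 2, "codes": {"Yes", "No"}},
    {"group": "other",    "years": 20, "control": 6, "codes": {"No"}},
    {"group": "other",    "years": 8,  "control": 0, "codes": {"Yes"}},
]


def _pool(responses, group):
    """Responses belonging to `group`, or all responses when group is None."""
    return [r for r in responses if group is None or r["group"] == group]


def coding_percentages(responses, group=None):
    """P_C = R_C / R (in percent) for every category C, optionally for one group only."""
    pool = _pool(responses, group)
    if not pool:
        return {}
    counts = Counter(code for r in pool for code in r["codes"])
    return {code: 100.0 * n / len(pool) for code, n in counts.items()}


def weight(response, control_scale=1.0):
    """Credibility weight: stated experience plus control-question score.

    control_scale=1.0 is the balance described in Section 3.4, where the maximum
    control score of 6 counts as much as 6 years of experience; other values are
    an assumption of this example, not something the thesis uses."""
    return response["years"] + control_scale * response["control"]


def weighted_percentages(responses, group=None, control_scale=1.0):
    """Same tally as coding_percentages, but each response contributes weight(r)
    instead of 1 (assumed reading of the weighting; exact formula in Section 4.11.1)."""
    pool = _pool(responses, group)
    if not pool:
        return {}
    total = sum(weight(r, control_scale) for r in pool)
    acc = Counter()
    for r in pool:
        for code in r["codes"]:
            acc[code] += weight(r, control_scale)
    return {code: 100.0 * w / total for code, w in acc.items()}


if __name__ == "__main__":
    for label, group in (("All who responded", None),
                         ("Academic researchers", "academic"),
                         ("Others", "other")):
        print(label, coding_percentages(RESPONSES, group),
              weighted_percentages(RESPONSES, group))
```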
4 Result
The section begins with a presentation of the results for each individual ques-
tionnaire question (Sections 4.1–4.14). Then, correlations between the results
of some of the questions are investigated (Sections 4.15–4.16). This all builds
up to the discussion and conclusions regarding the research questions in the
remainder of the thesis.
The average respondent claimed to have about 11 years of experience in the field
of information security.
[Figure: Q1 - Distribution of responses. Number of responses by years of experience (0 to 34 years).]
Table 4: Results for Q2.
Role                  Number   Percentage
Academic researcher   15       75.00 %
Penetration tester    2        10.00 %
Administrator         1        5.00 %
Architect             1        5.00 %
Journalist            1        5.00 %
[Figure: Q2 - Number of responses per role: academic researcher, penetration tester, administrator, architect, journalist.]
Table 5: Statistics for Q3.
Responses 20
Responses by academic researchers 15
Responses by others 5
Response rate 100 %
[Figure: Q3 - Percentage of responses answering Yes and No.]
configuration error. Other concepts were mentioned in 44 % of responses.
A single response could be codified into multiple categories. Thus the presented
percentages do not necessarily add up to 100 % (Section 3.3).
[Figure: Q4 - Percentage of responses codified as “Ruleset-policy mismatch”, “Ruleset too permissive” and “Contradictory rules”.]
Examples of responses that were codified as “Ruleset-policy mismatch” (possi-
bly among other things):
“At the highest level it is when the firewall does not implement a
defined business’ security policy. Unfortunately, some businesses do
not create such a definition leading to a problem in understanding
errors.”
“Any configuration that does not align with the corporation’s secu-
rity policy.”
Some responses were somewhat ambiguous, but if they discussed intent or ex-
pectations, they were also codified as “Ruleset-policy mismatch”.
A single response could be codified into multiple categories. Thus the presented
percentages do not necessarily add up to 100 % (Section 3.3).
Table 9: Statistics for Q5.
Responses 13
Responses by academic researchers 10
Responses by others 3
Response rate 65 %
Table 10: Results for Q5. Percentages of respondents who mentioned a certain
concept in their definition. The percentages are with regard to the
column’s specified group.
[Figure: Q5 - Definition of breaching a firewall. Percentage of responses per concept mentioned, shown for all who responded, academic researchers and others.]
“It could mean one of two things (i) using misconfigurations to get
through it, or (ii) using a hack or exploit to corrupt or otherwise cir-
cumvent a well defined set of policies, Generally the outcome is pack-
ets getting to where they should not.”
“Exploiting a vulnerability in a firewall to gain access to the device
or changing the behavior of the firewall.”
The free text answers were codified to produce the presented quantitative data.
57 % of respondents said attackers tend to target services, while 36 % said at-
tackers target both services and firewalls. Thus, about 93 % of respondents
mentioned network services and 36 % mentioned firewalls. No one said that
attackers only target firewalls.
Table 12: Results for Q6. Percentages of respondents who answered a certain
way. The percentages are with regard to the column’s specified group.
Coding category All who responded Academic researchers Others
Services 57.14 % 70.00 % 25.00 %
Both 35.71 % 30.00 % 50.00 %
Firewall 0.00 % 0.00 % 0.00 %
Neither 7.14 % 0.00 % 25.00 %
[Figure: Q6 - Firewalls vs. services as targets for direct attack. Bar chart of the percentage of responses for the categories Services, Both, Firewall and Neither, with separate bars for all who responded, academic researchers and others.]
The single respondent whose answer was codified as “Neither” suggested that
phishing attacks are a far more likely and easier way of penetrating a firewall
than using malware.
One respondent whose answer was codified as “Services”, noted however that
attacks on firewalls certainly do exist, such as denial of service and other hacks.
Some simply stated “Both” as their sole answer, while others expanded upon
what roles the alternatives play.
in the services it protects.”
The free text answers were codified and resulted in the quantified data presented
below. 47 % claimed that the role of firewalls have changed during the last five
years, while 52 % claimed that it has not. The definition of “role” was purposely
not specified in this question, because what professionals in the field regard as
the role of the firewall is in itself a relevant question. In other words, omitting
the definition allowed for more diverse qualitative responses.
Table 14: Codified results for Q8. Percentage of respondents who answered a
certain way. The percentages are with regard to the column’s specified
group.

Coding category   All who responded   Academic researchers   Others
Yes               47.06 %             50.00 %                40.00 %
No                52.94 %             50.00 %                60.00 %
Nearly half of the respondents thought that the role had changed and the other
half thought that it had not. Many elaborative responses arguing for both sides
were received.
One respondent claimed that the time span was too short.
Another respondent claimed that the fundamentals of the firewall had not changed,
but it had become better at what it does.
of firewall checking, limited deep packet analysis, and firewall man-
agement.”
One respondent claimed that firewalls now have to inspect more protocols as
applications become more advanced and hide their traffic behind generic pro-
tocols.
“Many services migrating to the cloud makes old firewalls less use-
full.”
The free text answers were codified and resulted in the quantified data presented
below. 67 % claimed that the role of firewalls will change as we move from
traditional network architectures to cloud-based network architectures. 25 %
claimed that the role would not change and 8 % of the responses could not be
codified.
Table 16: Codified results for Q9. Percentage of respondents who answered a
certain way. The percentages are with regard to the column’s specified
group.

Coding category   All who responded   Academic researchers   Others
Yes               66.67 %             75.00 %                50.00 %
No                25.00 %             12.50 %                50.00 %
Not codified       8.33 %             12.50 %                 0.00 %
Fewer responses were received than for Q8, but there were still some elaborative
answers given.
One motivation for the role of firewalls not changing with cloud/SDN network
architectures was the following.
“Yes, with crucial services being moved to the cloud, hackers will tar-
get the cloud more than the enterprise network.”
One respondent argued that the role of firewalls will not change, as they are not
enough.
“i don’t think so, firewalls aren’t enough, otherwise they are indis-
pensable in any good security policy. and new security solutions
used in SDN nets and Cloud are based on firewalls.”
One respondent answered yes on the question, but did not specify in what way
the cloud protection will differ from “traditional” firewalls.
Figure 8: The ruleset referred to in Q10.
One point was awarded for each statement that was correctly checked or unchecked,
so the highest possible score was five. There was no way of knowing whether a
respondent abstained from answering or thought that all statements were incor-
rect. Thus it was assumed that all respondents answered and leaving all check-
boxes empty resulted in two points.
[Figure: Q10 - Distribution of scores. Histogram of the number of responses per score, scores 0 to 5.]
• Telnet. Correct.
• ICMP.
• Whois.
• FTP.
Table 19: Results for Q11. Percentages of respondents who answered with each
of the possible answers. The percentages are with regard to the col-
umn’s specified group.

          All who responded   Academic researchers   Others
Telnet    75.00 %             84.62 %                33.33 %
FTP        0.00 %              0.00 %                 0.00 %
ICMP      18.75 %             15.38 %                33.33 %
Whois      6.25 %              0.00 %                33.33 %

[Figure: Q11 results. Bar chart of the percentage of responses for Telnet, FTP, ICMP and Whois.]
4.11.1 Analysis
Results are presented for all services that were mentioned in either Q12 or Q13.
Three ways of measuring the results were used. The rationale behind these
methods is discussed in Section 3.4.
• Mentions. The percentage of respondents that mentioned a given ser-
vice.
• Score. For each response, the listed services were given points based on
their position in the list. The first service was given five points, the next
was given four points, the next three and so on. The score S for a given
service was simply the sum total of points across all responses, according
to the following formula.
$$S = \sum_{p=1}^{5} p \, n_p$$

The scaled weighted score $S_W$ is obtained from the unscaled weighted score $S_U$ as

$$S_W = \frac{S_U \, S_{sum}}{S_{U sum}}$$

where
– $S_U$ is the unscaled, weighted score.
– $p$ is the number of points “awarded” based on position.
– $n_p$ is the number of responses in which the service occurred in the
position worth $p$ points.
– $E_{ip}$ is the experience in years of respondent number $i$ that mentioned
the service in the position worth $p$ points (Q1, Section 4.1).
– $C_{ip}$ is the number of correct answers (at most 6) to control questions
(Q10, Q11) by respondent number $i$ that mentioned the service in the
position worth $p$ points.
– $S_{sum}$ is the sum of the unweighted scores of all services.
– $S_{U sum}$ is the sum of the unscaled, weighted scores of all services.
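The scoring method above, as an added worked example that is not part of the thesis: it computes the mention percentage, the positional score S and the rescaled weighted score S_W over constructed ranked responses. The thesis text reproduced here does not give the formula for S_U, so the weighting used in weighted_scores() (points multiplied by experience and by control-question correctness) is an assumption made for illustration.

```python
"""Worked example of the Q12/Q13 scoring method (added illustration, not thesis code).

The responses, experience values and control-question results below are
constructed sample data. The weighting in weighted_scores() is an ASSUMPTION:
the text does not state how E_ip and C_ip enter S_U.
"""
from collections import Counter

MAX_POINTS = 5  # first listed service gets 5 points, the next 4, and so on

# Constructed sample responses: ranked service list, years of experience (Q1)
# and number of correct control answers out of 6 (Q10 + Q11).
RESPONSES = [
    {"services": ["HTTP", "SMTP", "FTP"], "experience": 10, "control": 6},
    {"services": ["SMTP", "HTTP", "DNS", "VPN"], "experience": 4, "control": 5},
    {"services": ["HTTP", "DNS"], "experience": 1, "control": 2},
    {"services": ["FTP", "HTTP", "SMTP", "Telnet", "SNMP", "IRC"],
     "experience": 7, "control": 4},
]


def points_for_position(index):
    """Points for the service at 0-based list position; sixth and later get 0."""
    return max(MAX_POINTS - index, 0)


def mentions(responses):
    """Percentage of responses that mention each service at least once."""
    counts = Counter()
    for r in responses:
        for service in set(r["services"]):
            counts[service] += 1
    return {s: 100.0 * c / len(responses) for s, c in counts.items()}


def unweighted_scores(responses):
    """S = sum over p of p * n_p, i.e. the total positional points per service."""
    scores = Counter()
    for r in responses:
        for index, service in enumerate(r["services"]):
            scores[service] += points_for_position(index)
    return dict(scores)


def weighted_scores(responses):
    """ASSUMED S_U: positional points scaled by experience and control score."""
    scores = Counter()
    for r in responses:
        weight = r["experience"] * r["control"]
        for index, service in enumerate(r["services"]):
            scores[service] += points_for_position(index) * weight
    return dict(scores)


def scaled_weighted_scores(unweighted, weighted):
    """S_W = S_U * S_sum / S_Usum: rescale the weighted scores so their total
    equals the total of the unweighted scores, making the two comparable."""
    s_sum = sum(unweighted.values())
    su_sum = sum(weighted.values())
    return {s: su * s_sum / su_sum for s, su in weighted.items()}


def ranking(scores):
    """Services in descending order of score, ties broken alphabetically."""
    return [s for s, _ in sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))]


if __name__ == "__main__":
    s = unweighted_scores(RESPONSES)
    s_w = scaled_weighted_scores(s, weighted_scores(RESPONSES))
    m = mentions(RESPONSES)
    for service in ranking(s):
        print(f"{service:7} mentions={m[service]:5.1f} %  "
              f"S={s[service]:2d}  S_W={s_w[service]:5.2f}")
```

With this sample data the weighted and unweighted rankings coincide, mirroring the thesis' observation that weighting did not change which services stood out.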
4.11.2 Results
Both HTTP and SMTP were mentioned by at least half of the respondents. HTTP
received a score of 47, SMTP about half of that and then FTP less than half of
SMTP’s score.
Table 20: Statistics for Q12.
Responses 14
Responses by academic researchers 9
Responses by others 5
Response rate 70 %
[Figure: Q12 - Most exposed network services - Mentioned by percentage of responses. Bar chart of the percentage of responses for HTTP, SMTP, FTP, Telnet, WLAN, VPN, DNS, Proxy, SMB, NTP, NBT, IRC and SNMP.]

[Figure: Q12 - Most exposed network services - Score. Bar chart of the score for the same services.]
4.12 Most Frequently Vulnerable Services
Q13: In your experience, which network services in corporate net-
works do most frequently contain vulnerabilities? (Free text an-
swer; list services in descending order of frequency)
4.12.1 Analysis
Same as Q12, see Section 4.11.1.
4.12.2 Results
Almost half of the respondents mentioned HTTP. The other services were men-
tioned in at most 22 % of responses. In terms of score, HTTP, DNS, SMTP and
FTP were found to be the most frequently vulnerable, in that order.
[Figure: Q13 - Most vulnerable network services - Mentioned by percentage of responses. Bar chart of the percentage of responses for HTTP, SMTP, FTP, Telnet, WLAN, VPN, DNS, Proxy, SMB, NTP, NBT, IRC and SNMP.]

[Figure: Q13 - Most vulnerable network services - Score. Bar chart of the score for the same services.]
4.13 Match Between Firewall Configurations and Security Policies
Q14: How well does the configuration of the typical perimeter fire-
wall you have encountered match the organization’s security pol-
icy? (Answer given as a number ranging from 1-5, where 1 represents
“Several Mismatches” and 5 represents “Perfect Match”)
As can be seen below in Table 24, the average and median rating was 2.50. Not a
single respondent answered 5, which suggests that respondents usually find at
least one mismatch.

[Figure: Match between typical firewall and organization security policy. Histogram of the number of responses per rating, 1 (Several Mismatches) to 5 (Perfect Match).]
4.14 Percentage of Firewalls with Configuration-Policy Mismatches
Q15: Approximately what percentage of perimeter firewalls that
you have encountered have mismatches between their rulesets and
the organization’s security policy?
[Figure: Histogram of the number of responses per estimated percentage of firewalls with mismatches, 0 to 100 %.]
SMTP, FTP and DNS. As showcased in Figures 17, 18 and 19, these four services
had the highest scores for both exposure and vulnerability. The red lines in the
plots are a linear function fitted to the data by Gnuplot “using the nonlinear
least-squares Marquardt-Levenberg algorithm” [20].
[Figure 17: Q12 vs Q13 - Correlation between most exposed and most vulnerable services - Mentions. Scatter plot of the percentage of responses that mentioned a service as frequently vulnerable (y-axis) against the percentage that mentioned it as frequently exposed (x-axis), with HTTP in the upper right and DNS, FTP and SMTP clustered below it.]
[Figure: Q12 vs Q13 - Correlation between most exposed and most vulnerable services - Unweighted score. Scatter plot of vulnerability score (y-axis) against exposure score (x-axis), with HTTP in the upper right and DNS, FTP and SMTP clustered below it.]
Figure 18: Correlation between unweighted scores of services in Q12 and Q13.
[Figure: Q12 vs Q13 - Correlation between most exposed and most vulnerable services - Weighted score. Scatter plot of vulnerability score (y-axis) against exposure score (x-axis), with HTTP in the upper right and DNS, SMTP and FTP clustered below it.]
Figure 19: Correlation between weighted scores of services in Q12 and Q13.
4.16 Correlation Between Q14 and Q15
Here, the results for Q14 (Section 4.13) and Q15 (Section 4.14) are compared.
The questions provide two ways of comparing firewall configurations and se-
curity policies. In a perfect world, the typical firewall configuration would per-
fectly match the security policy, and thus the rating on Q14 would be 5. In Q15
the respondents were to estimate the percentage of firewalls they had encoun-
tered that contained mismatches with security policies. Not a single respondent
answered 0 %, while two respondents answered 100 %.
The responses to Q14 and Q15 were expected to be negatively correlated (typical
firewall matches policy well ⇐⇒ few firewalls have mismatches). Figure 20
displays the correlation between the responses to these two questions, which
was not as clear as expected. All in all this result suggests that firewall config-
urations generally match their applicable security policies poorly. The red line
in the plot is a linear function fitted to the data by Gnuplot “using the nonlinear
least-squares Marquardt-Levenberg algorithm” [20].
[Figure 20: Scatter plot of the percentage of firewalls with ruleset-policy mismatches (Q15, y-axis, 0 to 100 %) against the ruleset-policy match for the typical firewall (Q14, x-axis, 1 Several Mismatches to 5 Perfect Match).]
5 Discussion
This section discusses the research methods applied (Section 5.2), the acquired
results (Section 5.1) and the validity and reliability of the study (Section 5.3).
The conclusion of the study is presented in Section 5.6 and possible future work
that is related to this study is presented in Section 5.7.
5.1 Results
In this section, the results tied to each research question are discussed.
Based on the results of Q4, there appears to be a consensus that a firewall con-
figuration error could, at the very least, be defined as a mismatch between the
firewall ruleset and the organization’s security policy. The validity of this result
is reinforced by the fact that no such idea had been mentioned at that point in
the questionnaire; many respondents independently arrived at something ap-
proximating this definition.
It just so happens that toward the end of the questionnaire, there were two ques-
tions regarding how well firewall configurations match security policies (Q14,
Q15). Given the definition we have now arrived at, these two questions can be
thought of as “how well configured do firewalls tend to be?”.
From this one might conclude that services are a far more critical part of network
security, but that firewalls themselves are not insignificant either.
It is possible that the phrasing of the question suggested to some that it was
an either-or question, even though it was possible to answer “Both”. Had the
question explicitly included “Both” as an alternative, perhaps more respondents
would have answered with that. On the other hand, as it is now we can be more
certain that those who did answer “Both” really meant it, rather than simply
opting for it as a safe bet.
While the result was quite even on Q8, in the case of Q9 67 % of respondents
thought that the role of the firewall would in fact change as the network archi-
tectures shift toward the cloud. This suggests that much of the research that
exists in the field may become less relevant as this shift progresses.
These results also give rise to some other questions. Will the ways of attacking
networks change as networks become cloud-based and if so, how? Will existing
security measures become obsolete given the new network architecture? Given
that corporations that move to the cloud will lose some control over security
measures, how can they assure their customers of the security of their data?
The weighting of scores did not significantly affect the outcome, as the same
services stood out as the most insecure. In fact, the weighted and unweighted
results may be identical within the margins of error that this study has anyway.
The score-based and mention-based results were also very similar.
particular network services, similar to the one used here.
The results suggested that firewall configurations generally match their appli-
cable security policies poorly. Studying the cause of this was outside the scope
of this study, but can be speculated upon. It may be difficult to translate the
security policy into rules in a firewall ruleset, or perhaps it is as one respondent
said in their optional comment.
Note that just because a firewall complies with the security policy, does not mean
that it is secure. A perfectly compliant firewall configuration can still be inse-
cure and allow attackers to breach the network. It is then not only the firewall
configuration, but also the organization’s security policy that needs to be re-
considered. Regardless, it is still a problem if firewalls do not match security
policies, because then corporations may not have the security they believe they
have.
However, difficulties arose when attempting to study the problem using an ab-
ductive approach. Thus a new set of problem statements was formulated and
the project was forced to employ a more inductive approach instead, as many
of the new problem statements were not really about measuring anything, but
rather exploring what there is to measure.
5.3.1 Credibility
Credibility is concerned with the question “How congruent are the findings with
reality?” [21] and is one of the most important criteria for ensuring a trustwor-
thy study. Shenton provides a few examples of provisions that can be used to
promote confidence in that the results of the study are trustworthy, such as the
following.
The project method used in this study adopted several of these provisions. Well
established research methods have been adopted and motivated. Data collection
was done via a questionnaire with a controlled group of potential respondents.
The potential respondents were chosen based on their presumed skill set and
ability to answer the questions. The questionnaire was completely anonymous,
with the ambition of allowing the participants to be honest (although anonymity
may not be entirely good in our case, see Section 5.5). The main reason for
the control questions was that the competence of respondents could to some
degree be determined. The questionnaire was distributed by email, with a single,
personalized email sent to each recipient (except in one case, where two emails
were sent by mistake). There was no nagging or begging for participation.
5.3.2 Transferability
Transferability “is concerned with the extent to which the findings of one study
can be applied to other situations” [21]. Shenton suggests that the question re-
garding transferability is highly impacted by the boundaries of the study, and
gives examples of a few things that need to be conveyed to the reader prior to
discussing transferability, such as the following.
5.3.3 Dependability
Dependability is concerned with whether a repetition of the study, with the same
method under the same circumstances, gives the same result. Shenton [21] spec-
ifies three sections that should exist in the scientific report to allow readers to
reason about the dependability of the study, namely:
This thesis includes all of these, and therefore it should be possible for anyone to
repeat this study quite closely. Even if our methods themselves are dependable,
our results may not be, due to the small number of respondents. Thus the results
of a repeated study may not be the same.
5.3.4 Confirmability
Confirmability is concerned with the objectivity of the study. Real objectivity
is very hard to ensure in studies utilizing questionnaires or tests since they are
designed by humans, and therefore the intrusion of the researchers’ biases is
inevitable. A few examples of things that increase the objectivity of a study are
the following.
• Decisions made and methods adopted should be acknowledged and moti-
vated within the report.
• Preliminary theories that were not borne out by the data should be discussed.
• Descriptions on how research questions gave rise to work should be in-
cluded in the report [21].
The chosen methods, questionnaire questions and strategies for answering the
research questions have been motivated and described, mostly in Sections 1
and 3. Many of the questions in the questionnaire allowed for free text an-
swers, which allowed for objectivity, since the respondent is not forced to choose
among answers or definitions predetermined by the researchers. Some of the
questions, for example Q9 (Section 4.8), contained certain assumptions, which
goes against objectivity as the question itself may be biased.
5.4 Scientificity
Our work quite closely matches the scientific work method described in Section
2.4, particularly steps 1–6. Steps 8–10 (testing, correction and examination of
the solution) have not been done at all; we simply present our results and con-
clusions and that is all.
In Table 26 the scientificity of the study has been evaluated according to the eval-
uation method described in Section 2.4. The study seems to fall short with re-
gard to the existence of a hypothesis; there simply is none (although the neces-
sity of a hypothesis in an inductive study is not entirely evident to us).
Based on the criteria laid out by Andersson and Ekholm [14], we may conclude
that our study is somewhat scientific, but not perfectly so.
5.5 Limitations
Given the size of the field of information security, the number of respondents
in the study was very low with only 20, a fact that significantly diminishes the
reliability of the study. Possible reasons for the low response rate are discussed
in Section 5.5.1.
Anonymity and the use of an open online questionnaire impact the credibility of
the result negatively because it cannot be guaranteed that all actual respondents
were among the potential respondents that had been chosen by us. That said,
we have no reason to suspect that the questionnaire at any point was subject to
uncontrolled distribution.
A prestudy was conducted to verify the first version of the questionnaire. The
second version of the questionnaire was not properly verified due to time con-
straints, but another verification would have been valuable because the problem
statement itself was reformulated as a result of the prestudy and the changes to
the questionnaire were quite radical.
Some people may refrain from providing information regarding their compe-
tence and profession in a service (Google Forms) where they know that all of the
entered data can be read by Google. The respondents are anonymous to us, but
they may not be to Google.
Email addresses to researchers were extracted from published articles they had
authored, but it is possible that many of the researchers have since moved on
and no longer use the addresses found in the articles.
Some of the potential respondents may reside in China. Considering that the
country employs the so-called “Great Firewall of China” (a phrase used to de-
scribe Internet censorship in the country [22]), there is no way of knowing whether
our emails were delivered to these individuals.
Apart from these possibilities, the low participation rate probably just stems
from completely “normal” causes, such as missing the email in the inbox, lacking
interest, not having time, or forgetting to respond.
5.6 Conclusion
The purpose of this study was to explore the role of the firewall in network se-
curity. This was done by researching five more specific problems. Two of them
were concerned with the relationship between firewalls and network services,
and it is in this area we believe this study makes its foremost contribution. With
regard to the question about firewall configurations, our results are in line with
findings from other studies, not least those by Wool [4], [5]. Realistically, we do
not consider our results to be that revolutionary nor reliable. What follows is a
short summary of our findings.
Naturally, the findings of this study should be of use in a future study that re-
sumes the work on this problem. Our proposition for such a future study is that
it be an experimental one, for example:
and firewall configurations could be created, between which the exposure
of services and/or vulnerabilities in the services vary.
3. Let penetration testers attack the network and measure the time it takes
them to breach the firewall according to the determined definition. The
services present in the network and/or exposed by the firewall would con-
stitute variables to be accounted for.
References
[1] Foreseeti. (2018) About foreseeti. Resource accessed: 2018-03-27.
[Online]. Available: https://www.foreseeti.com/about
[5] ——, “Trends in firewall configuration errors: Measuring the holes in swiss
cheese,” Internet Computing, IEEE, vol. 14, pp. 58 – 65, 09 2010.
[9] J. Hong, “The state of phishing attacks,” Commun. ACM, vol. 55, no. 1,
pp. 74–81, Jan. 2012. [Online]. Available: http://doi.acm.org.focus.lib.kth.se/10.1145/2063176.2063197
[10] R. Dhamija, J. D. Tygar, and M. Hearst, “Why phishing works,” pp. 581–
590, 2006. [Online]. Available: http://doi.acm.org/10.1145/1124772.1124861
[12] A. Håkansson, Portal of Research Methods and Methodologies for
Research Projects and Degree Projects. CSREA Press U.S.A, 2013,
pp. 67–73, [ed] Hamid R. Arabnia, Azita Bahrami, Victor A. Clincy,
Leonidas Deligiannidis, George Jandieri. [Online]. Available: http://urn.kb.se/resolve?urn=urn:nbn:se:kth:diva-136960
line]. Available: https://www.researchgate.net/publication/281030754_Great_Firewall_of_China
4/26/2018 Corporate Firewall Security Survey
Definitions:
"firewall" = Firewall protecting a corporate local area network. NOT a personal firewall.
This survey is conducted as part of a Bachelor's thesis by Jani Bonnevier <jkarki@kth.se> and
Sebastian Heimlén <heimlen@kth.se> at KTH Royal Institute of Technology.
Academic researcher
Penetration tester
Network/firewall administrator
Journalist / blogger
None (I do not work within the field)
Other:
Yes
No
Your Opinions
Definitions:
"firewall" = Firewall protecting a corporate local area network. NOT a personal firewall.
https://docs.google.com/forms/d/16z1FpCL0perwfQzQZ0IjotQXaafmt7LniLitU4Y5Jug/edit 1/4
5. How would you define the act of "breaching a firewall"?
6. Do attackers tend to directly target firewalls or do they tend to target exposed network
services?
8. Has the role of the firewalls changed during the last 5 years? How and why?
9. Will the role of firewalls change as more companies move to the cloud / SDN-networks?
How and why?
10. Given this firewall ruleset, which of the following statements are true?
11. Which of these types of inbound traffic is the most important to block with a firewall?
Mark only one oval.
ICMP
Telnet
Whois
FTP
Your Estimations
Base your answers to the following questions on your own experience and expert knowledge.
Definitions:
"firewall" = Firewall protecting a corporate local area network. NOT a personal firewall.
12. In your experience, which network services in corporate networks are most frequently
exposed on the Internet?
Specify in order, with most frequent first.
13. In your experience, which network services in corporate networks do most frequently
contain vulnerabilities?
Specify in order, with most frequent first.
14. How well does the configuration of the typical perimeter firewall you have encountered
match the organization's security policy?
A "perimeter firewall" is a firewall deployed between a local area network and the Internet.
Mark only one oval.
1 2 3 4 5
TRITA TRITA-EECS-EX-2018:134
www.kth.se