
Department of Computer Engineering

Govt. Engineering College, Ajmer

A MINOR PROJECT REPORT ON
“Commercial level FIREWALL”

Submitted in partial fulfillment for the award of


BACHELOR OF TECHNOLOGY
[Rajasthan Technical University, Kota]
In
COMPUTER ENGINEERING
2009-10

Submitted By: Ankit Bhalla, Gagandeep Singh, Deepak Kumar Sharma, Mukesh Kumar, Ashok Kumar Meena (Final Year, VII Sem)

Guided By: Mr. Satyanarayan Tazi

GOVT. ENGINEERING COLLEGE, AJMER


(An Autonomous Institute of Government of Rajasthan)

Department of CE & IT

1
CERTIFICATE

This is to certify that I, Ankit Bhalla, and my team members Gagandeep
Singh, Deepak Kumar Sharma, Mukesh Kumar and Ashok Kumar Meena of VII
Semester, B.Tech. (Computer Engineering) 2009-10 have prepared a minor project
titled “Commercial level Firewall” in partial fulfillment for the award of the
degree of Bachelor of Technology under Rajasthan Technical University, Kota.

Date: 23/12/09

Mr. Atul Choudhary (Minor-Project Coordinator)
Mr. Satya Narayan Tazi (Mentor)

Mrs. Prakriti Trivedi (HOD CE & IT)

ACKNOWLEDGEMENT

It is with profound gratitude that I express my deep indebtedness to the departmental
head of Govt. Engineering College, Ajmer. Without their support and guidance it
would not have been possible for this project to have materialized and taken a concrete
shape.

I owe a personal thanks to my project Mentor, Mr. Satya Narayan Tazi, who extended
full support and cooperation at every stage of my project.

I would also like to take this opportunity to acknowledge the guidance and support from
Mrs. Prakriti Trivedi (H.O.D. of Computer Science & Information Technology) for
undergoing this project.

I am indebted to my parents and friends for their constant encouragement and for helping me
in my endeavor. Last, but not the least, I would like to thank everyone who has
contributed to the successful completion of my project.

ANKIT BHALLA

TABLE OF CONTENTS

CHAPTER NO   CONTENT                   PAGE NO
1            Requirements              5
2            Introduction              6
3            Basics of Firewall        7
4            Firewall Implementation   15
5            Firewall using Linux      19
6            Threat modelling          23
7            Conclusion                38
8            References                39

TABLE OF FIGURES

FIGURE NO   CONTENT                                 PAGE NO
3.1         Network scenario                        8
3.2         Firewall data traffic                   10
3.3         OSI and TCP/IP model                    12
3.4         IP layer in firewall                    12
5.1         Packet filtering process                22
6.1         Network diagram                         26
6.2         Functionality diagram                   27
6.3         Network diagram with trust boundaries   30
6.4         Attack tree                             33
6.5         Attack tree with risk scores            34
6.6         Attack tree final                       35

CHAPTER 1
REQUIREMENTS

HARDWARE USED:

IBM THINKCENTRE M/T8183

1. INTEL PENTIUM 4 (3.06 GHZ)
2. 40 GB IDE HARD DRIVE
3. 512 MB RAM
4. 2 NIC (REALTEK 8139)
5. RJ45 CONNECTOR CABLES
6. 8 PORT ETHERNET SWITCH

SOFTWARE USED:

1. LINUX KERNEL 2.4.18 (STABLE VERSION)
2. SNORT IDS
3. LDAP SERVER
4. ASTARO GATEWAY VERSION 7 FOR GUI SUPPORT
5. VARIOUS OPEN SOURCE TECHNOLOGIES

CHAPTER 2
INTRODUCTION

A firewall is a part of a computer system or network that is designed to block
unauthorized access while permitting authorized communications. It is a device or set of
devices configured to permit, deny, encrypt, decrypt, or proxy all (in and out) computer
traffic between different security domains based upon a set of rules and other criteria.

Firewalls can be implemented in either hardware or software, or a combination of both.
Firewalls are frequently used to prevent unauthorized Internet users from accessing
private networks connected to the Internet, especially intranets. All messages entering or
leaving the intranet pass through the firewall, which examines each message and blocks those that
do not meet the specified security criteria.

There are several types of firewall techniques:

1. Packet filter: Packet filtering inspects each packet passing through the network
and accepts or rejects it based on user-defined rules. Although difficult to
configure, it is fairly effective and mostly transparent to its users. It is susceptible
to IP spoofing.
2. Application gateway: Applies security mechanisms to specific applications, such
as FTP and Telnet servers. This is very effective, but can impose a performance
degradation.
3. Stateful gateway: Applies security mechanisms when a TCP or UDP connection
is established. Once the connection has been made, packets can flow between the
hosts without further checking.
4. Proxy server: Intercepts all messages entering and leaving the network. The proxy
server effectively hides the true network

CHAPTER 3

BASICS OF FIREWALL

A firewall protects networked computers from intentional hostile intrusion that could
compromise confidentiality or result in data corruption or denial of service. It may be a
hardware device or a software program running on a secure host computer. In either
case, it must have at least two network interfaces, one for the network it is intended to
protect, and one for the network it is exposed to.

A firewall sits at the junction point or gateway between the two networks, usually a
private network and a public network such as the Internet. The earliest firewalls were
simply routers. The term firewall comes from the fact that by segmenting a network into
different physical subnetworks, they limited the damage that could spread from one
subnet to another just like firedoors or firewalls.

Figure 3.1: Network scenario (hardware firewall providing protection to a local network)

3.1 WORKING
A firewall examines all traffic routed between the two networks to see if it meets certain
criteria. If it does, it is routed between the networks, otherwise it is stopped. A firewall
filters both inbound and outbound traffic. It can also manage public access to private
networked resources such as host applications. It can be used to log all attempts to enter
the private network and trigger alarms when hostile or unauthorized entry is attempted.
Firewalls can filter packets based on their source and destination addresses and port
numbers. This is known as address filtering. Firewalls can also filter specific types of
network traffic. This is also known as protocol filtering because the decision to forward
or reject traffic is dependent upon the protocol used, for example HTTP, FTP or Telnet.
Firewalls can also filter traffic by packet attribute or state.

A firewall cannot prevent individual users with modems from dialling into or out of the
network, bypassing the firewall altogether. Employee misconduct or carelessness cannot
be controlled by firewalls. Policies involving the use and misuse of passwords and user
accounts must be strictly enforced. These are management issues that should be raised
during the planning of any security policy but that cannot be solved with firewalls alone.

The arrest of the Phonemasters cracker ring brought these security issues to light.
Although they were accused of breaking into information systems run by AT&T Corp.,
British Telecommunications Inc., GTE Corp., MCI WorldCom, Southwestern Bell, and
Sprint Corp, the group did not use any high tech methods such as IP spoofing (see
Section 4.1). They used a combination of social engineering and dumpster diving. Social
engineering involves skills not unlike those of a confidence trickster. People are tricked
into revealing sensitive information. Dumpster diving or garbology, as the name suggests,
is just plain old looking through company trash. Firewalls cannot be effective against
either of these techniques.

How does a firewall work?

There are two access denial methodologies used by firewalls. A firewall may allow all
traffic through unless it meets certain criteria, or it may deny all traffic unless it meets
certain criteria. The type of criteria used to determine whether traffic should be allowed
through varies from one type of firewall to another. Firewalls may be concerned with the
type of traffic, or with source or destination addresses and ports. They may also use
complex rule bases that analyse the application data to determine if the traffic should be
allowed through. How a firewall determines what traffic to let through depends on which
network layer it operates at. A discussion on network layers and architecture follows.

Figure 3.2: Firewall data traffic (basic firewall operation)

Anyone who is responsible for a private network that is connected to a public network
needs firewall protection. Furthermore, anyone who connects so much as a single
computer to the Internet via modem should have personal firewall software. Many dial-up
Internet users believe that anonymity will protect them. They feel that no malicious
intruder would be motivated to break into their computer. Dial-up users who have been
victims of malicious attacks and who have lost entire days of work, perhaps having to
reinstall their operating system, know that this is not true. Irresponsible pranksters can
use automated robots to scan random IP addresses and attack whenever the opportunity
presents itself.

3.2 OSI and TCP/IP Network models

To understand how firewalls work it helps to understand how the different layers of a
network interact. Network architecture is designed around a seven layer model. Each
layer has its own set of responsibilities, and handles them in a well-defined manner. This
enables networks to mix and match network protocols and physical supports. In a given
network, a single protocol can travel over more than one physical support (layer one)
because the physical layer has been dissociated from the protocol layers (layers three to
seven). Similarly, a single physical cable can carry more than one protocol. The TCP/IP
model is older than the OSI industry standard model which is why it does not comply in
every respect. The first four layers are so closely analogous to OSI layers however that
interoperability is a day to day reality.

Firewalls operate at different layers to use different criteria to restrict traffic. The lowest
layer at which a firewall can work is layer three. In the OSI model this is the network
layer. In TCP/IP it is the Internet Protocol layer. This layer is concerned with routing
packets to their destination. At this layer a firewall can determine whether a packet is
from a trusted source, but cannot be concerned with what it contains or what other
packets it is associated with. Firewalls that operate at the transport layer know a little
more about a packet, and are able to grant or deny access depending on more
sophisticated criteria. At the application level, firewalls know a great deal about what is
going on and can be very selective in granting access.

Figure 3.3: OSI and TCP/IP model

It would appear then, that firewalls functioning at a higher level in the stack must be
superior in every respect. This is not necessarily the case. The lower in the stack the
packet is intercepted, the more secure the firewall. If the intruder cannot get past layer
three, it is impossible to gain control of the operating system.

Professional Firewalls Have Their Own IP Layer

Figure 3.4: IP layer in firewall

Professional firewall products catch each network packet before the operating system
does, thus, there is no direct path from the Internet to the operating system's TCP/IP
stack. It is therefore very difficult for an intruder to gain control of the firewall host
computer then "open the doors" from the inside.

According to Byte Magazine, traditional firewall technology is susceptible to
misconfiguration on non-hardened OSes. More recently, however, "...firewalls have
moved down the protocol stack so far that the OS doesn't have to do much more than act
as a bootstrap loader, file system and GUI". The author goes on to state that newer
firewall code bypasses the operating system's IP layer altogether, never permitting
"potentially hostile traffic to make its way up the protocol stack to applications running
on the system".

3.3 TYPES OF FIREWALL

Firewalls fall into four broad categories: packet filters, circuit level gateways, application
level gateways and stateful multilayer inspection firewalls.

Packet filtering firewalls work at the network level of the OSI model, or the IP layer of
TCP/IP. They are usually part of a router. A router is a device that receives packets from
one network and forwards them to another network. In a packet filtering firewall each
packet is compared to a set of criteria before it is forwarded. Depending on the packet
and the criteria, the firewall can drop the packet, forward it or send a message to the
originator. Rules can include source and destination IP address, source and destination
port number and protocol used. The advantage of packet filtering firewalls is their low
cost and low impact on network performance. Most routers support packet filtering. Even
if other firewalls are used, implementing packet filtering at the router level affords an
initial degree of security at a low network layer. This type of firewall only works at the
network layer however and does not support a sophisticated rule-based model. Network
Address Translation (NAT) routers offer the advantages of packet filtering firewalls but
can also hide the IP addresses of computers behind the firewall, and offer a level of
circuit-based filtering.

(Figure: packet filtering firewall)

Circuit level gateways work at the session layer of the OSI model, or the TCP layer of
TCP/IP. They monitor TCP handshaking between packets to determine whether a
requested session is legitimate. Information passed to remote computer through a circuit
level gateway appears to have originated from the gateway. This is useful for hiding
information about protected networks. Circuit level gateways are relatively inexpensive
and have the advantage of hiding information about the private network they protect. On
the other hand, they do not filter individual packets.

(Figure: stateful gateway)

Application level gateways, also called proxies, are similar to circuit-level gateways
except that they are application specific. They can filter packets at the application layer of
the OSI model. Incoming or outgoing packets cannot access services for which there is
no proxy. In plain terms, an application level gateway that is configured to be a web
proxy will not allow any FTP, gopher, Telnet or other traffic through. Because they
examine packets at the application layer, they can filter application specific commands such
as HTTP POST and GET. This cannot be accomplished with either packet filtering
firewalls or circuit level gateways, neither of which knows anything about the application level
information. Application level gateways can also be used to log user activity and logins.
They offer a high level of security, but have a significant impact on network
performance. This is because of context switches that slow down network access
dramatically. They are not transparent to end users and require manual configuration of
each client computer.

(Figure: application level gateway)

Stateful multilayer inspection firewalls combine the aspects of the other three types of
firewalls. They filter packets at the network layer, determine whether session packets are
legitimate and evaluate contents of packets at the application layer. They allow direct
connection between client and host, alleviating the problem caused by the lack of
transparency of application level gateways. They rely on algorithms to recognize and
process application layer data instead of running application specific proxies. Stateful
multilayer inspection firewalls offer a high level of security, good performance and
transparency to end users. They are expensive however, and due to their complexity are
potentially less secure than simpler types of firewalls if not administered by highly
competent personnel.

CHAPTER 4
FIREWALL IMPLEMENTATION

We suggest you approach the task of implementing a firewall by going through the
following steps:

a. Determine the access denial methodology to use.

It is recommended you begin with the methodology that denies all access by
default. In other words, start with a gateway that routes no traffic and is
effectively a brick wall with no doors in it.

b. Determine inbound access policy.

If all of your Internet traffic originates on the LAN this may be quite simple. A
straightforward NAT router will block all inbound traffic that is not in response to
requests originating from within the LAN. As previously mentioned, the true IP
addresses of hosts behind the firewall are never revealed to the outside world,
making intrusion extremely difficult. Indeed, local host IP addresses in this type
of configuration are usually non-public addresses, making it impossible to route
traffic to them from the Internet. Packets coming in from the Internet in response
to requests from local hosts are addressed to dynamically allocated port numbers
on the public side of the NAT router. These change rapidly making it difficult or
impossible for an intruder to make assumptions about which port numbers to use.

If your requirements involve secure access to LAN based services from Internet
based hosts, then you will need to determine the criteria to be used in deciding
when a packet originating from the Internet may be allowed into the LAN. The
stricter the criteria, the more secure your network will be. Ideally you will know
which public IP addresses on the Internet may originate inbound traffic. By
limiting inbound traffic to packets originating from these hosts, you decrease the
likelihood of hostile intrusion. You may also want to limit inbound traffic to
certain protocol sets such as FTP or HTTP. All of these techniques can be achieved
with packet filtering on a NAT router. If you cannot know the IP addresses that
may originate inbound traffic, and you cannot use protocol filtering, then you will
need a more complex rule based model and this will involve a stateful
multilayer inspection firewall.

c. Determine outbound access policy.

If your users only need access to the web, a proxy server may give a high level of
security with access granted selectively to appropriate users. As mentioned,
however, this type of firewall requires manual configuration of each web browser
on each machine. Outbound protocol filtering can also be transparently achieved
with packet filtering and no sacrifice in security. If you are using a NAT router
with no inbound mapping of traffic originating from the Internet, then you may
allow LAN users to freely access all services on the Internet with no security
compromise. Naturally, the risk of employees behaving irresponsibly with email
or with external hosts is a management issue and must be dealt with as such.

d. Determine if dial-in or dial-out access is required.

Dial-in requires a secure remote access PPP server that should be placed outside
the firewall. If dial-out access is required by certain users, individual dial-out
computers must be made secure in such a way that hostile access to the LAN
through the dial-out connection becomes impossible. The surest way to do this is
to physically isolate the computer from the LAN. Alternatively, personal firewall
software may be used to isolate the LAN network interface from the remote
access interface.

e. Decide whether to buy a complete firewall product, have one implemented by a
systems integrator or implement one yourself.

Once the above questions have been answered, it may be decided whether to buy
a complete firewall product or to configure one from multipurpose routing or
proxy software. This decision will depend as much on the availability of in-house
expertise as on the complexity of the need. A satisfactory firewall may be built
with little expertise if the requirements are straightforward. However, complex
requirements will not necessarily entail recourse to external resources if the
system administrator has sufficient grasp of the elements. Indeed, as the
complexity of the security model increases, so does the need for in-house
expertise and autonomy.

4.1 IP SPOOFING

Many firewalls examine the source IP addresses of packets to determine if they are
legitimate. A firewall may be instructed to allow traffic through if it comes from a
specific trusted host. A malicious cracker would then try to gain entry by "spoofing" the
source IP address of packets sent to the firewall. If the firewall thought that the packets
originated from a trusted host, it may let them through unless other criteria failed to be
met. Of course the cracker would need to know a good deal about the firewall's rule base
to exploit this kind of weakness. This reinforces the principle that technology alone will
not solve all security problems. Responsible management of information is essential. One
of Courtney's laws sums it up: "There are management solutions to technical problems,
but no technical solutions to management problems".

An effective measure against IP spoofing is the use of a Virtual Private Network (VPN)
protocol such as IPSec. This methodology involves encryption of the data in the packet as
well as the source address. The VPN software or firmware decrypts the packet and the
source address and performs a checksum. If either the data or the source address have
been tampered with, the packet will be dropped. Without access to the encryption keys, a
potential intruder would be unable to pe
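The integrity check described in the paragraph above, as an added Python example that is not part of the original report: it models only the keyed checksum over the source address and data (an HMAC, without the encryption) rather than real IPsec framing, and the shared key, IPv4 addresses and payload are constructed sample values.

```python
"""Simplified model of the VPN-style integrity check discussed above (added
example, not the project's code): the source address travels inside the
protected packet under a keyed checksum, so a packet whose source address or
data was altered, or that was produced without the key, fails verification and
is dropped. IPv4 only; real IPsec (AH/ESP) framing is not modelled."""
import hashlib
import hmac
import ipaddress
import struct

TAG_LEN = 32  # HMAC-SHA256 output length in bytes
HEADER_LEN = 4 + 4 + 2  # IPv4 src, IPv4 dst, 16-bit payload length


def _protected_bytes(src: str, dst: str, payload: bytes) -> bytes:
    """Bind the addresses to the payload so neither can be swapped on its own."""
    return (ipaddress.IPv4Address(src).packed
            + ipaddress.IPv4Address(dst).packed
            + struct.pack("!H", len(payload))
            + payload)


def seal(key: bytes, src: str, dst: str, payload: bytes) -> bytes:
    """Sender side: protected fields followed by the keyed checksum (tag)."""
    body = _protected_bytes(src, dst, payload)
    return body + hmac.new(key, body, hashlib.sha256).digest()


def verify(key: bytes, packet: bytes, trusted_src: str) -> tuple:
    """Receiver side: return (accepted, reason).

    The packet is accepted only if the tag checks out AND the authenticated
    source address is the trusted peer, so a forged source cannot pass merely
    by being well-formed."""
    if len(packet) < HEADER_LEN + TAG_LEN:
        return False, "truncated"
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return False, "bad tag: source address or data tampered, or wrong key"
    src = str(ipaddress.IPv4Address(body[:4]))
    if src != trusted_src:
        return False, f"authenticated source {src} is not the trusted peer"
    return True, "ok"


def tamper_source(packet: bytes, new_src: str) -> bytes:
    """Simulate in-transit alteration of the source field (constructed test input)."""
    return ipaddress.IPv4Address(new_src).packed + packet[4:]
```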

Is a firewall sufficient to secure my network or do I need anything else?

The firewall is an integral part of any security program, but it is not a security program in
and of itself. Security involves data integrity (has it been modified?), service or
application integrity (is the service available, and is it performing to spec?), data
confidentiality (has anyone seen it?) and authentication (are they really who they say they
are?). Firewalls only address the issues of data integrity, confidentiality and
authentication of data that is behind the firewall. Any data that transits outside the
firewall is subject to factors out of the control of the firewall. It is therefore necessary for
an organization to have a well planned and strictly implemented security program that
includes but is not limited to firewall protection.

Firewall related problems

Firewalls introduce problems of their own. Information security involves constraints, and
users don't like this. It reminds them that Bad Things can and do happen. Firewalls
restrict access to certain services. The vendors of information technology are constantly
telling us "anything, anywhere, any time", and we believe them naively. Of course they
forget to tell us we need to log in and out, to memorize our 27 different passwords, not to
write them down on a sticky note on our computer screen and so on.

Firewalls can also constitute a traffic bottleneck. They concentrate security in one spot,
aggravating the single point of failure phenomenon. The alternatives however are either
no Internet access, or no security, neither of which are acceptable in most organizations.

Benefits of a firewall

Firewalls protect private local area networks from hostile intrusion from the Internet.
Consequently, many LANs are now connected to the Internet where Internet connectivity
would otherwise have been too great a risk.

Firewalls allow network administrators to offer access to specific types of Internet
services to selected LAN users. This selectivity is an essential part of any information
management program, and involves not only protecting private information assets, but
also knowing who has access to what. Privileges can be granted according to job
description and need rather than on an all-or-nothing basis.

CHAPTER 5

Firewall Using Linux

Linux security and netfilter/iptables

Linux has become extremely popular in the IT
industry because of its robustness, reliability, flexibility, and seemingly unlimited scope
for customization. Linux has many inbuilt capabilities that let the developer customize its
tools, behavior, and appearance according to his needs without
requiring expensive third-party tools. One such inbuilt capability is firewall configuration
for Linux systems on a network, be they systems connected to the Internet or a LAN,
servers, or proxy servers interfacing between a LAN and the Internet. This capability can
be put to use with the help of the netfilter/iptables IP packet filtering system that comes
integrated in versions 2.4.x of Linux kernels.

The netfilter/iptables IP packet filtering system is the latest among Linux packet filtering
solutions like ipfwadm and ipchains and is also the first one to be integrated into the
Linux kernel. The netfilter/iptables system is ideal for Linux system administrators,
network administrators, and home users who want to configure firewalls according to
their specific needs, save money on firewall solutions, and have total control over IP
packet filtering.

Understanding firewall configuration and packet filtering

5.1 PACKET FILTERING PROCESS

For a Linux system connected to a network, a firewall is the essential defense mechanism
that allows only legitimate network traffic in and out of the system and disallows
everything else. To determine whether the network traffic is legitimate or not, a firewall
relies on a set of rules it contains that are predefined by a network or system
administrator. These rules tell the firewall whether to consider as legitimate and what to
do with the network traffic coming from a certain source, going to a certain destination,
or having a certain protocol type. The term "configuring the firewall" refers to adding,
modifying, and removing these rules.

Network traffic is made up of IP packets or simply packets -- small chunks of data
traveling in streams from a source system to a destination system. These packets have
headers, i.e. bits of data prefixed to every packet that contain information about the
packet's source, destination, and protocol types. Based on a set of rules, a firewall checks
these headers to determine which packet to accept and which packet to reject. This
process is known as packet filtering.
Why do we want to configure our own firewalls?

When a packet reaches the firewall, the kernel first examines the header information of
the packet, particularly the destination of the packet. This process is known as routing.
If the packet originated from outside and is destined for the system and the firewall is on,
the kernel passes it on to the INPUT chain of the kernelspace packet filtering table. If
the packet originated from inside the system or another source on an internal network
the system is connected to and is destined for another outside system, the packet is passed
on to the OUTPUT chain. Similarly, packets originating from outside systems and
destined for outside systems are passed on to the FORWARD chain.
Next the packet's header information is compared with each rule in the chain it is passed
on to, until it matches a rule. If a packet matches a rule, the kernel performs
the action specified by the target of that rule on the packet. But if the packet doesn't
match a rule, then it is compared to the next rule in the chain. Finally, if the packet
doesn't match any rule in the chain, then the
kernel consults the policy of that chain to decide what to do with the packet. Ideally the
policy should tell the kernel to DROP that packet. Figure 5.1 graphically illustrates this packet
filtering process.
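The chain traversal just described, combined with the default-deny policy of chapter 4, the address and protocol filtering of section 3.1 and the anti-spoofing concern of section 4.1, as an added Python example that is not part of the original report; the interface names, addresses (documentation ranges) and rules are constructed for illustration.

```python
"""Simplified model of the packet filtering process described above (added
example, not the project's code). A routing decision picks the INPUT, OUTPUT
or FORWARD chain, rules in that chain are tried in order and the first match
decides; an unmatched packet falls back to the chain policy, DROP by default.
Interfaces, addresses (documentation ranges) and rules are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

ACCEPT, DROP = "ACCEPT", "DROP"

# Constructed topology: eth0 faces the Internet, eth1 faces the private LAN.
FIREWALL_ADDRS = {"203.0.113.1", "192.168.1.1"}  # the firewall's own addresses
LAN_NET = "192.168.1.0/24"

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    dport: Optional[int]       # destination port, None for icmp
    in_iface: Optional[str]    # None for packets generated by the firewall itself
    state: str = "NEW"         # connection-tracking state: "NEW" or "ESTABLISHED"

@dataclass
class Rule:
    """One iptables-style rule: every criterion that is set must match (AND)."""
    target: str
    src: Optional[str] = None       # CIDR the source address must fall in
    dst: Optional[str] = None       # CIDR the destination address must fall in
    proto: Optional[str] = None
    dport: Optional[int] = None
    in_iface: Optional[str] = None
    state: Optional[str] = None
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        return all([
            self.src is None or ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src),
            self.dst is None or ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst),
            self.proto is None or self.proto == p.proto,
            self.dport is None or self.dport == p.dport,
            self.in_iface is None or self.in_iface == p.in_iface,
            self.state is None or self.state == p.state,
        ])

@dataclass
class Chain:
    name: str
    policy: str = DROP               # default deny (chapter 4, step a)
    rules: list = field(default_factory=list)

    def verdict(self, p: Packet) -> tuple:
        """Walk the rules in order; the first match wins, else the policy applies."""
        for i, rule in enumerate(self.rules, start=1):
            if rule.matches(p):
                return rule.target, f"{self.name} rule {i}: {rule.comment}"
        return self.policy, f"{self.name} policy"

def route(p: Packet) -> str:
    """Routing decision: locally generated -> OUTPUT, addressed to the firewall
    -> INPUT, everything else -> FORWARD."""
    if p.in_iface is None:
        return "OUTPUT"
    return "INPUT" if p.dst in FIREWALL_ADDRS else "FORWARD"

def build_filter_table() -> dict:
    """Default-deny filter table following the chapter 4 steps (constructed)."""
    # A LAN source address arriving on the Internet-facing interface can only be
    # spoofed (section 4.1): drop it before any accept rule can see it.
    anti_spoof = Rule(DROP, src=LAN_NET, in_iface="eth0",
                      comment="LAN source address arriving from the Internet")
    established = Rule(ACCEPT, state="ESTABLISHED",
                       comment="reply to a connection already accepted")
    return {
        "INPUT": Chain("INPUT", rules=[
            anti_spoof, established,
            Rule(ACCEPT, src=LAN_NET, in_iface="eth1", proto="tcp", dport=22,
                 comment="administration from the LAN only"),
        ]),
        "FORWARD": Chain("FORWARD", rules=[
            anti_spoof, established,
            Rule(ACCEPT, src=LAN_NET, in_iface="eth1", proto="tcp", dport=80,
                 comment="outbound HTTP from the LAN (protocol filtering)"),
            Rule(ACCEPT, in_iface="eth0", dst="192.168.1.10/32", proto="tcp",
                 dport=25, comment="inbound mail to the one published server"),
        ]),
        "OUTPUT": Chain("OUTPUT", policy=ACCEPT),  # the firewall's own traffic
    }

def filter_packet(table: dict, p: Packet) -> tuple:
    """Return (verdict, reason) for a packet, the way the kernel would decide."""
    return table[route(p)].verdict(p)
```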

Installing the netfilter/iptables system

Since the netfilter component of netfilter/iptables
comes integrated with the kernel 2.4.x, you only need to download and install the iptables
userspace tool.

Figure 5.1: Packet filtering process

Before you start installing the iptables userspace tool, you'll need to make certain
modifications to your system. First of all you'll need to configure your kernel's options
using the command make config. During configuration you must turn on the options
CONFIG_NETFILTER and CONFIG_IP_NF_IPTABLES by setting them to Y, since
they are necessary to make netfilter/iptables work. Other options you might want to turn
on are as follows:
● CONFIG_PACKET: This option is useful if you want to allow applications and
programs to work directly with certain network devices.
● CONFIG_IP_NF_MATCH_STATE: This option is very important and useful if
you want to configure stateful firewalls. Such firewalls can remember previous
decisions taken regarding packet filtering and make new decisions based on them. I
will further discuss this aspect in the section Advantages of the netfilter/iptables system.
● CONFIG_IP_NF_FILTER: This option provides a basic packet filtering framework.
Turning this option on will add a basic filter table to kernelspace with built-in INPUT,
FORWARD, and OUTPUT chains.
● CONFIG_IP_NF_TARGET_REJECT: This option allows you to specify that an
ICMP error message should be sent in reply to incoming packets that are rejected,
instead of silently dropping them.

CHAPTER 6
Threat Modeling

Today’s security management efforts are based on risk management principles. In other
words, security resources are applied to vulnerabilities that pose the greatest risk to the
business. There are several processes for identifying and prioritizing risk. One of the
most effective is threat modeling.
There has been much written about threat modeling. But most of the papers and books
come at the problem of threat and vulnerability management from an academic
perspective. The papers and articles that do take a business management approach
typically cover one or two aspects of the process.
This paper is a practical, high-level guide to conducting threat modeling activities within
a business environment. It begins by exploring why threat modeling is important. This is
followed by a step-by-step process, including some tools you might find helpful.

6.1 WHY THREAT MODELLING

It’s common for security teams to receive reports of vulnerabilities with requests for
immediate action to eliminate them. One big source of these requests is an organization’s
internal audit team. Another common source of fix-it-now-because-the-press/vendor-
says-it’s-critical messages is management, including many IS Directors. But should all
vulnerabilities be considered emergencies? Are all vulnerabilities worthy of your security
budget dollars?
One of the basic tenets of risk management is that not every vulnerability presents a
threat to a network. Only a vulnerability that can be exploited is a threat to business
operations and information assets. Threat modeling helps to identify those vulnerabilities
that are actually critical in the unique environment that is your network. The threat
modeling process should:

1. Identify potential threats and the conditions that must exist for an attack to be
successful
2. Provide information about how existing safeguards affect required attack
conditions
3. Provide information about which attack condition and vulnerability remediation
activities add the most value
4. Help you understand which conditions or vulnerabilities, when eliminated or
mitigated, affect multiple threats; this optimizes your security investment

6.2 THE PROCESS

The description of the threat modeling process varies depending on who’s doing the
telling. The following process is based on research covering several different approaches.
Based on my experience as a security manager, I took what I believe to be best practices
and compiled them into a hybrid model. This model consists of six steps, or phases:
1. Identify critical assets
2. Decompose the system to be assessed
3. Identify possible points of attack
4. Identify threats
5. Categorize and prioritize the threats
6. Mitigate

Identify Critical Assets

Before spending time assessing a system, you need to be sure it’s important enough to
your business to warrant the necessary time and resources. In this first step, you should
list all critical assets and the systems on which they reside. Whether an asset is critical to
business operations isn’t an IS-only decision. The business users must also play a part in
determining which assets can’t be compromised without serious negative consequences.

Decompose the System
Once you identify your critical assets, select a system for which you’ll create a threat
model. A system is defined as an environment within your network that provides a
specific set of related functions. Your human resources application, with all related
servers, routers, switches, operating systems, user workstations, etc. is an example of a
system. System decomposition produces two deliverables: a network diagram and a
functionality (interaction) diagram. Figure 1 is an example of a network diagram.
The format of the diagram is a variation of the UML, or Unified Modeling Language
standard. Each component in the ESI Financial System (a fictitious entity) is represented
by a box. Each Workstation and server box includes information about the corresponding
real-world device’s hardware and software configuration. In addition to the actual
hardware connectivity, logical flow of data is also indicated. Finally, the network
diagram should include interfaces to outside entities. In this case, the connection to the
Internet is depicted.
It’s a common mistake when putting a network diagram together to omit pieces that
aren’t considered critical to the system’s operation. Make sure you include EVERY
component, interface, and user access point that touches the system in any way. Also
identify any interdependencies with other systems.

Figure 6.1: Network Diagram

Figure 6.2: Functionality Diagram

This functionality diagram uses a DFD (Data Flow Diagram) approach to show the
functional relationships between the various system components. Although I used device
names in the circular component symbols, analysts often use the names of software
components instead.
The level of detail in both the network and functionality diagrams is up to you. Just be
sure to include enough information to ensure the threat modeling results are accurate.
Identify Possible Points of Attack
The first step in the identification of attack points is designating trust boundaries. A trust
boundary separates processes, system components, and other elements that have different
trust levels. Figure 3 shows the ESI Network Diagram with trust boundaries added.
Trust boundaries also exist at all entry points into the system. Classify each entry point
based on the classification of the data exchanged. Table 1 lists example data
classifications. If the highest classification for data moving across an entry point is
Restricted, then the entry point must be classified Restricted. Examples of entry points
include sockets, interfaces between application components, and user workstations.
At each trust boundary, identify the types of safeguards that provide access controls. This
information is required when completing attack trees.

Table 6.1 Data Classification

Identify Threats
The next step is to list any critical activities that take place at each trust boundary. Using
this list, determine what an attacker might do to damage, destroy, or otherwise

Figure 6.3: Network Diagram with Trust Boundaries

identification: use of the STRIDE method and a step-by-step analysis.


STRIDE

STRIDE is an acronym. The terms/phrases it represents, along with an explanation of
each, are listed in Table 2. At each trust boundary (TB), apply the STRIDE model by
asking whether one or more of the threat types represented apply. If so, include it on your
list of potential attack goals.
Step-by-step analysis
STRIDE is a very simple approach to threat identification. Because of its simplicity, its
use tends to result in one or more missed threats per TB. Using a step-by-step analysis typically
produces a more complete threat list. One step-by-step method is a review of specific
threats organized into three categories: network threats, host threats, and application
threats (Chidambaram, 2004).

Table 6.2 STRIDE Model

Network Threats
Web services subjected to a denial of service attack
IP spoofing
Faulty configuration of firewall rules, allowing outsiders to get access to the
database
Errors in ACLs
Sensitive data that flows unencrypted through the network

Host Threats
Using un-patched servers allows crackers to exploit known vulnerabilities
Lack of clearly defined trust boundaries
Improper server hardening guidelines resulting in a mismatch between the server
configuration and the security context in which it is placed

Application Threats
Code that's prone to buffer overflows, SQL injection, or cross-site scripting
Defective or missing data encryption resulting in password compromise

Once you complete your list of threats, it’s time to build the system’s attack trees.
Attack trees are useful when capturing attack patterns that require events to occur in
sequence. They add less value when analyzing attacks comprised of parallel events
(Ellison, 2005). Figure 4 is an example of an attack tree.
An attack tree is a tree structure with the attacker’s objective placed in the root
node. In this example, the objective is to obtain sensitive information from the database
server in Figure 3. Working down the branches of the tree, the analyst decomposes the
attack into its various options and required conditions. At the first layer under the primary
objective, our tree lists potential entry points to obtain server access. Notice that the
relationship between these elements is OR; only one entry point has to be successfully
exploited to obtain information from the server.

In an actual attack tree, the analyst would drill down into each of the top level
nodes. For our example, we’ll use Gain access via Internet. To successfully exploit this
vulnerability, port 1434 must be open on the firewall for general access AND the server’s
subnet must be open to general traffic rather than protected by an access control list. If
ESI has very stringent policies and standards for opening this port, then this attack path
might already be impossible to travel. So a recommendation from an auditor to
implement a restrictive ACL in the core switch might be a best practice, but it probably
wouldn’t be critical to the protection of the database server from Internet attack. This is a
very simple, incomplete example. But you should get the idea.

Figure 6.4: Attack Tree


The attack tree in Figure 4 can be used in at least three ways to help determine which
threats and vulnerabilities should be addressed and in what order: probability of
occurrence, cost/effort of mitigation, and whether one or more vulnerabilities are
mitigated. Activities designed to address these risk management areas occur in the next
step in the threat modeling process.
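The AND/OR logic of the attack tree above, and the question of which condition is worth eliminating, can be checked mechanically. The following is an added example and not a tool from this report: it encodes the "Gain access via Internet" branch as an AND of the two conditions the text names (port 1434 permitted through the firewall, no restrictive ACL on the database subnet) under an OR root, then asks whether a path is feasible under a given set of safeguards and how many live paths each condition appears in. The second branch (an internal workstation path that shares the ACL condition) and all condition labels are constructed for illustration.

```python
"""Attack-tree evaluator: an added example, not the report's own tool.

The root goal (obtain sensitive data from the database server) is an OR over
entry points.  "Gain access via Internet" is an AND of two required
conditions taken from the text.  The internal-workstation branch and the
condition labels are constructed for this illustration.
"""
from dataclasses import dataclass, field
from itertools import product
from typing import Dict, FrozenSet, List, Set, Union


@dataclass(frozen=True)
class Leaf:
    """A required attack condition; it 'holds' when the safeguard is absent."""
    name: str


@dataclass
class Node:
    """Interior node. gate is 'AND' (every child needed) or 'OR' (any child)."""
    name: str
    gate: str
    children: List[Union["Node", Leaf]] = field(default_factory=list)


# Condition labels (constructed for the example)
COND_FW = "firewall permits TCP/1434 from the Internet"
COND_ACL = "database subnet has no restrictive ACL"
COND_WS = "user workstation can reach the database subnet"  # hypothetical branch

ESI_TREE = Node("Obtain sensitive data from the database server", "OR", [
    Node("Gain access via Internet", "AND", [Leaf(COND_FW), Leaf(COND_ACL)]),
    Node("Gain access via internal workstation", "AND", [Leaf(COND_WS), Leaf(COND_ACL)]),
])


def feasible(node, holds: Set[str]) -> bool:
    """True if the attacker can achieve this node given the conditions that hold."""
    if isinstance(node, Leaf):
        return node.name in holds
    results = [feasible(child, holds) for child in node.children]
    return all(results) if node.gate == "AND" else any(results)


def attack_paths(node) -> List[FrozenSet[str]]:
    """Enumerate the condition sets (cut sets) that each achieve the node's goal."""
    if isinstance(node, Leaf):
        return [frozenset([node.name])]
    child_paths = [attack_paths(child) for child in node.children]
    if node.gate == "OR":
        return [path for paths in child_paths for path in paths]
    # AND gate: one path per child must succeed together, so union each combination
    return [frozenset().union(*combo) for combo in product(*child_paths)]


def mitigation_value(tree, holds: Set[str]) -> Dict[str, int]:
    """For each condition that currently holds, count the live attack paths that
    eliminating that single condition would close.  A condition appearing in
    several paths is the better security investment (step 4 of the process)."""
    live = [path for path in attack_paths(tree) if path <= holds]
    return {cond: sum(1 for path in live if cond in path) for cond in sorted(holds)}


if __name__ == "__main__":
    # Scenario A (constructed): lax firewall, no ACL, workstation can reach the subnet
    lax = {COND_FW, COND_ACL, COND_WS}
    # Scenario B (constructed): ESI's strict firewall policy keeps 1434 closed
    strict = {COND_ACL, COND_WS}
    for label, holds in (("lax firewall", lax), ("strict firewall", strict)):
        print(f"{label}: Internet path feasible = {feasible(ESI_TREE.children[0], holds)}")
        print(f"  mitigation value = {mitigation_value(ESI_TREE, holds)}")
```

Under the strict-firewall scenario the Internet branch is already infeasible, so the ACL only closes the constructed internal path; under the lax scenario the ACL condition sits on both live paths and ranks above fixing either single entry point. That is the "affects multiple threats" judgement the fourth goal of the process asks for.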

Categorize and Prioritize Threats
In an organization where threat and vulnerability management is governed by solid risk
management principles, the following formula is typically used to assign a risk score to a
threat:
Risk = Probability of Occurrence x Business Impact
There are a number of ways, both qualitative and quantitative, to apply this formula. For
the purposes of our threat assessment model, I’m going to use DREAD. DREAD (yes,
another acronym) is a collection of five areas with which to assess both probability of
occurrence (PO) and business impact (BI). Table 3 lists these areas.
Each one of the areas is given a score of 1, 2, or 3, with 3 being the highest level of
potential risk to the business. To map the DREAD areas to the risk formula, I created a
tool in which to enter the scores. The tool, an Excel spreadsheet, automatically calculates
the risk score for the threat analyzed.

Figure 6.5: Attack Tree with Risk Scores

Mitigate
The information gathered in the previous step is used as input into the “do-something”
mitigation step. What action to take, if any, is based on the severity of the risk scores. If
management is evaluating how to apply resources to mitigating risk to multiple systems,
the threat risk scores play a large role.
Again, the overall risk score for the threat is the same as the Internet attack vector. Other
information that can be applied to the attack tree at this point is the cost of eliminating the
conditions necessary for an attack to follow a specific path. In our example, the cost for
reconfiguration of the firewall is simply a very low opportunity cost. However, ESI’s
core switch doesn’t support VLAN configuration to segregate the database server onto a
more secure network segment. So the cost of eliminating this condition is much higher.
We already know from the scenario scoring in Figure 5 that removing this vulnerability
moves the risk score into the Low Risk category. The desired outcome at the right cost
makes this an easy decision for ESI’s management. The final attack tree is shown

Figure 6.6: Attack Tree – Final
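The scoring in the "Categorize and Prioritize Threats" step and the re-scoring in the "Mitigate" step can be reproduced in a few lines. The block below is an added example, not the Excel tool the author describes: each DREAD area is scored 1, 2 or 3 as in the text, the Risk = Probability of Occurrence x Business Impact formula is applied, threats are ranked, and the Internet vector is re-scored once a restrictive ACL removes the attack condition. Which areas feed PO and which feed BI, the averaging, the Low/Medium/High bands and every score value are assumptions of this example; the report's Table 3 and Figure 5 values are not reproduced.

```python
"""DREAD risk scoring with mitigation comparison: an added example, not the
report's Excel tool.

Each DREAD area (Damage potential, Reproducibility, Exploitability, Affected
users, Discoverability) is scored 1, 2 or 3.  The PO/BI mapping, the
averaging and the risk bands are assumptions of this example.
"""
from dataclasses import dataclass, asdict
from typing import Dict, List

# Assumed mapping: these areas describe how likely a successful attack is ...
PO_AREAS = ("reproducibility", "exploitability", "discoverability")
# ... and these describe how much the business loses if it succeeds
BI_AREAS = ("damage", "affected_users")


@dataclass(frozen=True)
class Dread:
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self):
        for area, score in asdict(self).items():
            if score not in (1, 2, 3):
                raise ValueError(f"{area}: score must be 1, 2 or 3, got {score}")


def probability(d: Dread) -> float:
    """PO on the 1..3 scale: mean of the probability-related areas (assumed)."""
    return sum(getattr(d, a) for a in PO_AREAS) / len(PO_AREAS)


def impact(d: Dread) -> float:
    """BI on the 1..3 scale: mean of the impact-related areas (assumed)."""
    return sum(getattr(d, a) for a in BI_AREAS) / len(BI_AREAS)


def risk_score(d: Dread) -> float:
    """Risk = Probability of Occurrence x Business Impact, range 1.0 .. 9.0."""
    return round(probability(d) * impact(d), 2)


def risk_category(score: float) -> str:
    """Assumed bands over the 1..9 range."""
    if score >= 6:
        return "High"
    if score > 3:
        return "Medium"
    return "Low"


def prioritize(threats: Dict[str, Dread]) -> List[str]:
    """Threat names ordered from highest to lowest risk (categorize and prioritize)."""
    return sorted(threats, key=lambda name: risk_score(threats[name]), reverse=True)


def mitigation_effect(before: Dread, after: Dread) -> Dict[str, object]:
    """Re-score a threat after a safeguard removes an attack condition (mitigate step)."""
    b, a = risk_score(before), risk_score(after)
    return {"before": b, "after": a,
            "category_before": risk_category(b), "category_after": risk_category(a)}


# Constructed scores for the ESI scenario; not taken from the report's figures
INTERNET_VECTOR = Dread(damage=3, reproducibility=3, exploitability=3,
                        affected_users=3, discoverability=2)
# Same threat after a restrictive ACL isolates the database subnet: the attack
# is no longer repeatable, exploitable or easy to discover from outside, while
# the business impact of a (now unlikely) success is unchanged
INTERNET_VECTOR_WITH_ACL = Dread(damage=3, reproducibility=1, exploitability=1,
                                 affected_users=3, discoverability=1)

ESI_THREATS = {
    "Internet attack on database server": INTERNET_VECTOR,
    "Malware on workstation reaches database subnet": Dread(3, 2, 2, 3, 1),
    "Unencrypted HR traffic read on LAN": Dread(2, 2, 2, 2, 1),
}

if __name__ == "__main__":
    for name in prioritize(ESI_THREATS):
        score = risk_score(ESI_THREATS[name])
        print(f"{score:4.2f} {risk_category(score):6} {name}")
    print(mitigation_effect(INTERNET_VECTOR, INTERNET_VECTOR_WITH_ACL))
```

Note that mitigation changes only the probability-side areas; the damage and affected-user scores stay put, which is why the re-scored threat drops to the Low band on likelihood alone. Whether the drop is worth the cost of the safeguard is the separate cost question the text raises for ESI's core switch.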

Conclusion

In this paper, I stepped through a simple, practical approach to threat modeling. When
viewed through the risk management lens, this is effectively a qualitative approach. But it
allows security analysts to develop documentation necessary to make the right choices
when bombarded with scores of recommendations and demands for vulnerability
mitigation.
Don’t just accept this as the final word on threat modeling. This is just a high-level
methodology that can be a good starting point. Use it to develop your own processes.
Expand, bend, or throw out the ideas in this paper as necessary. The objective isn’t
adherence to some process articulated one Saturday afternoon by a seasoned (translated
old) IT professional. Instead, it’s the secure operation of your network.

REFERENCES

Chidambaram, V. (2004, December). Threat modeling in enterprise architecture integration. Retrieved March 2, 2006 from http://www.infosys.com/services/systemintegration/ThreatModelingin.pdf

Ellison, R. J. (2005, September). Attack trees. Retrieved March 1, 2006 from https://buildsecurityin.us-cert.gov/portal/article/bestpractices/requirements_engineering/attack-trees.xml

Meier, J. D., Mackman, A., Dunner, M., Vasireddy, S., Escamilla, R., & Murukan, A. (2003, June). Improving web application security: threats and countermeasures. MSDN. Retrieved February 25, 2006 from http://msdn.microsoft.com/library/en-us/dnnetsec/html/THCMCh03.asp?frame=true

MSDN (n. d.). Evaluating security threats. Retrieved March 1, 2006 from http://msdn2.microsoft.com/en-us/library(d=robot)/ms172104.aspx

Score Card & Suggested Field
