ACL Complexity and Unknown Vulnerabilities

Monday, November 21, 2011

Brett Scott


ACL Complexity: How You Are Vulnerable and Do Not Even Know It

Recently we were implementing one of our security products at a new client.

Their prior security program was to use a "top-tier" managed services company together with their own network engineer to "co-manage" their security products, including their firewalls.

At turn-up, our box alerted that it was receiving traffic that the implementation plan did not permit. This particular deployment placed us behind the firewall rather than in our usual position outside it, so anything reaching our box should already have passed the firewall's rules. Needless to say, we started asking why this was happening.

Their network engineer opened the firewall's interface and showed that the traffic was in fact being torn down and was not passing through. I began to fantasize about how great our company's new line of business was going to be: crafting network traffic at the quantum level.

Upon further investigation, the managed service company also saw the traffic in question being torn down and concluded that our box was most likely reporting "false positives". At this point things got a bit awkward.

The score was two to one in favor of our box being crazy and detecting traffic that was not there. Thankfully, our team was not about to take no for an answer and kept supplying traffic details to anyone who would listen.

After three more hours of investigation, conflicting ACLs turned out to be the cause.

The firewall's interface clearly showed the traffic in question being "torn down", yet our logs showed it passing through: another rule in the same ruleset was letting it by. Only after hours of effort and hunting was the issue finally discovered and resolved.

To us this discovery was terrifying. If the only way to tell whether the ACLs are correctly configured is to use an independent detection mechanism that can identify traffic which should not be there, and hardly anyone has such a mechanism on their network, then how many networks are completely vulnerable without knowing it?

Like most companies, our new client had built their ACLs organically over time. Let's face it, few people fancy spending a full day or two on ACL design perfection, and fewer still ever find the time.

Because of that organic growth and the changing requirements of different systems and rollouts, many network admins are never given the opportunity to sanity-check their rulesets. Worse, when they do investigate, the firewall's own interface gives them false assurance.
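To make that failure mode concrete, here is an added example (not code from the post, and not taken from the client's environment). It models a first-match ruleset, reports rules that can never fire because an earlier rule fully covers them, and reconciles flows a sensor saw behind the firewall against the rule that actually decided them. The ruleset and flows are constructed for illustration, and first-match evaluation is an assumption; check your own platform's evaluation order before relying on the logic.

```python
"""Added example: first-match ACL evaluator with shadow-rule detection and a
sensor-vs-ruleset reconciliation. Rules and flows below are constructed.
First-match (top-down, first hit wins) semantics are assumed."""
import ipaddress
from dataclasses import dataclass

ANY_PORT = (0, 65535)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str        # "permit" or "deny"
    src: str           # source CIDR
    dst: str           # destination CIDR
    proto: str         # "tcp", "udp" or "any"
    dport: tuple       # inclusive (low, high) destination port range

    def matches(self, src_ip, dst_ip, proto, dport):
        """Does one concrete flow hit this rule?"""
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.dport[0] <= dport <= self.dport[1])

    def covers(self, other):
        """Does every flow that `other` could match also match self?"""
        return (ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
                and ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst))
                and self.proto in ("any", other.proto)
                and self.dport[0] <= other.dport[0] <= other.dport[1] <= self.dport[1])


def first_match(rules, flow):
    """Return the rule that actually decides `flow`, or None for the implicit deny."""
    for rule in rules:
        if rule.matches(*flow):
            return rule
    return None


def shadowed_rules(rules):
    """Rules that can never fire because an earlier rule fully covers them.
    A covering rule with the opposite action is a conflict: the console can
    show the later deny, but the earlier permit is what the packets hit."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(later):
                kind = "conflict" if earlier.action != later.action else "redundant"
                findings.append((later.name, earlier.name, kind))
                break
    return findings


def reconcile(rules, observed):
    """For each flow a sensor saw behind the firewall, name the rule that decided
    it. A permit via a broad rule while a narrower deny sits below it is the
    silent exposure; a 'deny' verdict for a flow that was nonetheless observed
    means the exported ruleset does not describe what the device is doing."""
    report = []
    for flow in observed:
        rule = first_match(rules, flow)
        action = rule.action if rule else "deny"
        name = rule.name if rule else "implicit-deny"
        report.append((flow, action, name))
    return report


# Constructed ruleset: a broad permit added for a rollout sits above a
# specific deny that was written later, so the deny never fires.
RULES = [
    Rule("allow-corp-to-dmz", "permit", "10.0.0.0/8", "192.168.10.0/24", "any", ANY_PORT),
    Rule("block-rdp-to-jumphost", "deny", "10.0.5.0/24", "192.168.10.50/32", "tcp", (3389, 3389)),
    Rule("allow-ssh-admins", "permit", "172.16.1.0/24", "192.168.10.0/24", "tcp", (22, 22)),
    Rule("deny-all", "deny", "0.0.0.0/0", "0.0.0.0/0", "any", ANY_PORT),
]

# Constructed flows "seen" by a sensor behind the firewall: (src, dst, proto, dport).
OBSERVED = [
    ("10.0.5.7", "192.168.10.50", "tcp", 3389),    # console points at block-rdp-to-jumphost
    ("172.16.1.9", "192.168.10.50", "tcp", 22),    # legitimately permitted
    ("172.16.1.9", "192.168.10.50", "tcp", 3389),  # ruleset says deny, yet it was observed
]

if __name__ == "__main__":
    for later, earlier, kind in shadowed_rules(RULES):
        print(f"{kind}: '{later}' is shadowed by '{earlier}'")
    for (src, dst, proto, dport), action, name in reconcile(RULES, OBSERVED):
        print(f"{src} -> {dst} {proto}/{dport}: {action} by {name}")
```

Run against the constructed data, the shadow check reports block-rdp-to-jumphost as a conflict with allow-corp-to-dmz, and the reconciliation shows the RDP flow from 10.0.5.7 being permitted by the broad rule rather than dropped. The third flow illustrates the other thing a sensor can tell you: when a flow you observed evaluates to deny in your model of the ruleset, the model (or the device) is not what you think it is, and that is worth chasing before anyone calls the sensor a false positive.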

This raises the question: how big is the problem?

In our experience, this real-life example is just the tip of the iceberg. We frequently encounter unexplained phenomena at the network and security level, and more often than not they are ultimately ignored. All too often, when a misconfiguration or other mishap is discovered, the first reaction is to attack the messenger.

The net result is that many companies out there are just waiting to be breached, and most of those breaches could be prevented.

It is our hope that bringing this real-world example to light will cause network admins everywhere to take a good hard look at their ACLs and make sure they are not living under the same illusion.

Chuck Kellum: Brett, this article is spot-on. I think your article could evangelize more than just increased awareness for net admins. As they say in church, "Testify!" From a wounded messenger: *Quit killing the messenger*. I was killing time playing with Wireshark and saw some traffic that should not have been live inside the firewall. I proved my point eventually, but alienated the manager and eventually had to move on to another project. The firewall reported all along that it was blocking the traffic. I eventually demonstrated that at least 4 key ACL statements were being circumvented this way, due to the way the ACLs had grown.