RoutingFirewall
Purpose
The RoutingFirewall object is representing the routing firewall itself rather than the packet forwarding and filtering functionality it provides. In other words, it is representing the management, access and vulnerability aspects of a firewall.
Therefore, connecting a Network to a RoutingFirewall does not represent traffic forwarding. This is instead defined by connecting ConnectionRule objects between Network objects that are allowed to communicate. For more information on this, please see the ConnectionRule section.
Connections
Application
Technically, a RoutingFirewall is regarded as an Application with packet forwarding capabilities. Therefore, the RoutingFirewall object inherits all properties of the Applciation type of modeling object.
An Application can be connected to a RoutingFirewall in the same way as an Application can be connected to an other Application, i.e. in a parent or child relationship.
Please see the Application section for more information.
Network
A RoutingFirewall can be connected to Network via NetworkExposure or ClientAccess since it is a derivative of Application. This is representing the possibility to connect to the RoutingFirewall itself (for administration purposes) from the Network.
Please see the Network section for more information.
IDPS
When connecting an IDPS to a RoutingFirewall object using a parent/child type of connection, it represents that the RoutingFirewall is also hosting an application or plugin/module with IDPS functionality. It can also be connected using the ManagedBy or AppProtection which represents that the RoutingFirewall is managing the IDPS functionality or that the IDPS is protecting the RoutingFirewall by filtering incoming connections to the RoutingFirewall's management interface, looking for well known malicious signatures/payloads.
Please see the IDPS section for more information.
ConnectionRule
A ConnectionRule can be connected to a RoutingFirewall InApplicationConnection, OutApplicationConnection, ApplicationConnection and ConnectionRule. The application-related connections is defining connectivity to the RoutingFirewall itself (administrative access) and the ConnectionRule connection defines which connection rules are managed by this particular RoutingFirewall.
In other words, if the RoutingFirewall gets compromised, all ConnectionRule objects (connected via the ConnectyionRule link) are also compromised.
Please see the ConnectionRule section for more information.
Data
Please see the Application section.
Identity
Please see the Application section.
SoftwareProduct
Please see the Application section.
SoftwareVulnerability
Please see the Application section.
System
A connection to a System object defines which hardware the RoutingFirewall is running on. N.b; RoutingFirewalls can also be routing functionality entirely in software. In such cases, the RoutingFirewall should be connected as a child application to the Application (operating system) hosting it.
Properties
AttackSteps
| Attack step name | Attack step purpose |
|---|---|
| AccessNetworkAndConnections | Once access is gained to an Application, you will also have access to any Network or ConnectionRule object it is connected to. |
| AttemptLocalConnectViaResponse | LocalConnect is, in contrast to NetworkConnect, making contact with this application from a connected/local child or parent application. "ViaResponse" means that this application does not respond to connections, i.e. it is behaving like a client and the attacker need to wait for a session. "Attempt" means that this attack step is before the LocalConnectViaResponse (successful) attack step. |
| AttemptNetworkConnectViaResponse | NetworkConnect is, in contrast to LocalConnect, making contact with this application via a connected Network or ConnectionRule object. "ViaResponse" means that this application does not respond to connections, i.e. it is behaving like a client and the attacker need to wait for a session. "Attempt" means that this attack step is before the NetworkConnectViaResponse (successful) attack step. |
| AttemptReverseReach | ReverseReach ispresenting the probability of successfully achieveing a "call home" situation where the Application makes a call back to the Attacker, i.e. the Attacker's starting point in the model. "Attempt" means that this attack step is a prerequisite to the (hidden) ReverseReach attack step which in turn lead to SpecificAccess or FullAccess. |
| AttemptUseVulnerability | AttemptUseVulnerability is a prerequisite to succeeding with SpecificAccess or FullAcces via a vulnerability. |
| Authenticate | Gaining SpecificAccess or FullAccess via known, stolen or guessed Credentials. |
| DenialOfService | Denial of Service with respect to the RoutingFirewall Application itself and its related ConnectionRule objects. |
| Deny | Denial of Service with respect to the RoutingFirewall Application itself. |
| FullAccess | Succeeding with superuser access. |
| LocalConnect | LocalConnect is, in contrast to NetworkConnect, making contact with this application from a connected/local child or parent application. |
| Modify | Altering the Application. Depending on the vulnerability, or if a SoftwareProduct origin has been compromised, the Application might be possible to alter. E.g. adding your own payloads and change application behavior. |
| NetworkConnect | Making a connection to the application via network. (Via connected Netowrk or ConnectionRule objects allowing connectivity.) |
| NetworkConnectViaResponse | Making a connection to the application via network. (Via connected Netowrk or ConnectionRule objects allowing connectivity.) However, this case is for when the Application acts as as a client application and the attacker has to rely on user interaction or callback sessions being initiated. |
| Read | Reading the application code and data. |
| SpecificAccess | Gaining limited access to the application by using credentials. |
| SpecificAccessAuthenticate | Succeeding with convincing a user to help with a connection back to the attacker. Some vulnerabilities require user interaction. |
| UnsafeActivityByUser | Succeeding with convincing a user to help with a connection back to the attacker. Some vulnerabilities require user interaction. |
Defenses
| Defense name | Defense purpose |
|---|---|
| Disabled | Defines whether the Application exists or not. This is useful from a threat modeling perspective when information about application presence is not known. It can also be used to state that for instance "20% of the servers represented by this application has RDP enabled". It can also be used to represent services that are temporarily enabled, or enabled on schedule. |
| SypplyChainAuditing | Blocks a supply chain attack by stating that applications/updates/libraries are reviewed before being deployed. |
Updated about 1 year ago