Tuesday, December 1, 2009

How to write up Network Security?

Most network security audit programs are written by people with a risk or audit background and very little technical and operational experience. So there are many risks and controls listed there which seem to make sense at first glance, but in fact one of the rules below always applies to them:
  • Every network will comply with the controls
  • The controls cannot be tested for effectiveness
I don’t believe that it’s possible to write a good standard network security audit program, so I’m not going to try it here. I just want to show a few high-risk items which are rarely asked for or covered by any control, but are easy to test for effectiveness.

  • Rogue route injection - it’s hard to find routing protocol authentication in place. Rogue routes could easily (even accidentally) be learned by a router from a user or administrator workstation running GNS3/Dynamips or Zebra.
  • Control plane security - router hardware architectures are vulnerable to DoS attacks, which cause failures in the network infrastructure by flooding it with worthless traffic.
  • Router compliance program – router and switch hardening standards are not in place, or they are not verified on a regular basis (e.g. with CiscoWorks Compliance Manager or Nipper). Do the passwords comply with the company security policy? (Routers are always forgotten.)
  • DoS/worm mitigation – networks are not ready to ‘black hole’ DoS traffic (or any suspicious traffic), yet it could easily be done (in less than 1 sec) by implementing internal BGP.
  • Network reconnaissance - networks are open to reconnaissance. A simple sinkhole/NetFlow setup will detect unusual traffic flows (e.g. traffic destined to a non-existent subnet) and mitigate noisy reconnaissance.
  • Traffic inspection - only standard TCP ports (HTTP or FTP) are inspected. Most of the time inspection of non-standard ports is not performed on the firewall, so if FTP is using port 2021 it will not be inspected by default.
  • HSRP hijacking – virtual gateways are not password protected, and a rogue gateway address can be injected by sending just one packet with a packet-crafting tool like ‘scapy’. VRRP and GLBP are also vulnerable.
  • Network ingress filtering, RFC 2827 (BCP 38) – spoofing attacks and preventing them. Too many perimeter routers accept traffic on outside interfaces with source addresses which belong inside. I would expect Unicast Reverse Path Forwarding (uRPF) to be in place and at least private addresses (RFC 1918) to be filtered.
  • DAI/DHCP snooping – Dynamic ARP Inspection and DHCP snooping are not implemented, so it’s possible to redirect network traffic to a workstation and sniff clear-text passwords.
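Several of the items above (the router compliance program, routing protocol authentication, HSRP authentication and uRPF) can be tested for effectiveness directly against a running-config. The script below is an added example, not code from the original post or from any of the tools it names: it parses a constructed Cisco IOS-style configuration into sections and reports which of those controls the box fails. The hostname, addresses, key names, the sample config itself and the convention that the outside interface carries `description OUTSIDE` are assumptions made for this example.

```python
"""Router hardening checks over an IOS-style running-config (added example).

Checks: 'enable secret' instead of reversible 'enable password', OSPF MD5
authentication on every OSPF-enabled interface, HSRP MD5 authentication on
every standby group, and uRPF on the outside interface.
"""
import ipaddress
import re

# Constructed sample config; it deliberately fails several checks.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
service password-encryption
enable password 7 0822455D0A16
!
interface GigabitEthernet0/0
 description OUTSIDE
 ip address 203.0.113.2 255.255.255.252
!
interface GigabitEthernet0/1
 description INSIDE
 ip address 10.1.1.1 255.255.255.0
 standby 1 ip 10.1.1.254
 standby 1 priority 110
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 EXAMPLE-KEY
!
interface GigabitEthernet0/2
 description INSIDE-2
 ip address 10.1.2.1 255.255.255.0
 standby 2 ip 10.1.2.254
 standby 2 authentication md5 key-string EXAMPLE-KEY
!
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
"""


def parse_sections(config_text):
    """Split an IOS-style config into (header, [child lines]) pairs.

    A line with no leading whitespace opens a new section; indented lines
    belong to the most recent section. Blank lines and '!' are dropped.
    """
    sections = []
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace():
            if sections:
                sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def ospf_area_for(addr, sections):
    """Return the OSPF area whose 'network A W area N' covers addr, else None."""
    a = int(ipaddress.IPv4Address(addr))
    for header, kids in sections:
        if not header.startswith("router ospf"):
            continue
        for k in kids:
            m = re.match(r"network (\S+) (\S+) area (\S+)", k)
            if m:
                net = int(ipaddress.IPv4Address(m.group(1)))
                wild = int(ipaddress.IPv4Address(m.group(2)))
                if (a | wild) == (net | wild):  # wildcard bits are don't-care
                    return m.group(3)
    return None


def check_config(config_text):
    """Return a sorted list of 'CHECK: detail' findings; empty means compliant."""
    sections = parse_sections(config_text)
    headers = [h for h, _ in sections]
    findings = []

    # Password policy: 'enable password' is reversible (type 7); require 'enable secret'.
    if not any(h.startswith("enable secret") for h in headers):
        findings.append("ENABLE-SECRET: no 'enable secret' configured")
    if any(h.startswith("enable password") for h in headers):
        findings.append("ENABLE-SECRET: reversible 'enable password' present")

    # Areas with 'area N authentication message-digest' enable MD5 for all their interfaces.
    md5_areas = set()
    for h, kids in sections:
        if h.startswith("router ospf"):
            for k in kids:
                m = re.match(r"area (\S+) authentication message-digest", k)
                if m:
                    md5_areas.add(m.group(1))

    for header, kids in sections:
        if not header.startswith("interface "):
            continue
        name = header.split(None, 1)[1]
        addr = None
        for k in kids:
            m = re.match(r"ip address (\S+) \S+", k)
            if m:
                addr = m.group(1)

        # Rogue route injection: every OSPF-enabled interface needs MD5 auth plus a key
        # (passive interfaces are not special-cased in this example).
        area = ospf_area_for(addr, sections) if addr else None
        if area is not None:
            auth_ok = area in md5_areas or "ip ospf authentication message-digest" in kids
            key_ok = any(k.startswith("ip ospf message-digest-key") for k in kids)
            if not (auth_ok and key_ok):
                findings.append(f"OSPF-AUTH: {name} (area {area}) lacks MD5 authentication")

        # HSRP hijacking: each standby group with a virtual IP needs MD5 authentication.
        for k in kids:
            m = re.match(r"standby (\d+) ip ", k)
            if m and not any(x.startswith(f"standby {m.group(1)} authentication md5") for x in kids):
                findings.append(f"HSRP-AUTH: {name} group {m.group(1)} has no MD5 authentication")

        # BCP 38: the outside interface needs uRPF ('reachable-via rx' is strict mode).
        if "description OUTSIDE" in kids and not any(
                k.startswith("ip verify unicast source reachable-via") for k in kids):
            findings.append(f"URPF: outside interface {name} has no 'ip verify unicast'")

    return sorted(findings)


if __name__ == "__main__":
    for line in check_config(SAMPLE_CONFIG):
        print(line)
```

Run against the sample config it reports the missing `enable secret`, the unauthenticated HSRP group on GigabitEthernet0/1, the OSPF interface without a key on GigabitEthernet0/2 and the missing uRPF on the outside interface; in a real compliance program the outside-interface convention would be replaced by whatever inventory tells you about interface roles, and the checks would be run from each device's actual running-config on a schedule.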
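The sinkhole/NetFlow item above works because real subnets have specific routes while a covering route sends everything else to the sinkhole router, so any flow that lands on the covering route is traffic to a non-existent subnet. The script below is an added example, not code from the original post: it longest-prefix-matches each destination of a few NetFlow-style records against such a routing table and flags sources that touch many sinkholed destinations. The prefixes, the flow records and the threshold are constructed for this example.

```python
"""Sinkhole-route classification of NetFlow-style records (added example)."""
import ipaddress
from collections import defaultdict

# Constructed routing table: specific routes for allocated subnets plus a
# covering route for the whole private range pointed at the sinkhole router.
ROUTES = {
    ipaddress.ip_network("10.1.0.0/16"): "core",
    ipaddress.ip_network("10.2.0.0/16"): "core",
    ipaddress.ip_network("10.0.0.0/8"): "sinkhole",
}

# Constructed NetFlow-like records: (src, dst, dst_port, packets).
SAMPLE_FLOWS = [
    ("10.1.5.20", "10.2.0.10", 443, 120),  # normal: allocated destination
    ("10.1.5.20", "10.1.7.3", 445, 8),     # normal
    ("10.1.9.77", "10.3.0.1", 22, 1),      # dark space: 10.3/16 is not allocated
    ("10.1.9.77", "10.3.0.2", 22, 1),
    ("10.1.9.77", "10.3.0.3", 22, 1),
    ("10.1.9.77", "10.200.1.1", 22, 1),
    ("10.1.9.77", "10.1.0.5", 22, 1),      # one real host among the probes
    ("10.2.3.4", "10.9.9.9", 80, 2),       # a single stray hit, below threshold
    ("10.2.3.4", "192.0.2.7", 80, 30),     # nothing in the table covers this
]


def next_hop(dst, routes=ROUTES):
    """Longest-prefix match: the route's next hop, or None if nothing covers dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, hop in routes.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def dark_flows(flows, routes=ROUTES):
    """Flows whose destination is forwarded to the sinkhole (non-existent subnets)."""
    return [f for f in flows if next_hop(f[1], routes) == "sinkhole"]


def reconnaissance_sources(flows, threshold=3, routes=ROUTES):
    """Sources that touched at least `threshold` distinct sinkholed destinations,
    as (src, distinct_dark_destinations) sorted by count descending."""
    seen = defaultdict(set)
    for src, dst, _port, _pkts in dark_flows(flows, routes):
        seen[src].add(dst)
    hits = [(src, len(d)) for src, d in seen.items() if len(d) >= threshold]
    return sorted(hits, key=lambda x: (-x[1], x[0]))


if __name__ == "__main__":
    for src, n in reconnaissance_sources(SAMPLE_FLOWS):
        print(f"{src} probed {n} non-existent destinations via the sinkhole")
```

The threshold is what separates a mistyped address from a scan: one stray packet to dark space is noise, a source walking through addresses that no router should ever see is reconnaissance, and since the sinkhole router is the only place that traffic can go, exporting NetFlow from it is enough to see all of it.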
To be continued ...
