|
Comprehensive Enterprise
Network Security Assessment
A white paper for enterprises in an Internet environment
Introduction
How secure is your company’s information? In this age of distributed computing and of client-server and Internet-enabled information access, computer security consistently rises to the top of most “important issues” lists.
To answer this question with certainty is difficult. There are no absolutes with security. An important first step for most corporations is a security policy that establishes acceptable behavior. The next, and more critical step, is to enforce that security policy and measure its effectiveness. A security policy is in tension with user convenience, creating forces that move security practices away from security policy. Additionally when new machines or applications are configured the security related issues are often overlooked. Therefore the gap between central policy and decentralized practice can be immense. These are significant tasks, as are identifying problems and taking corrective action on a constantly changing network. Many enterprises typically fall back on blind faith rather than wrestle with the fear of the unknown.
Sources of Risk
In order to assess your true security profile, you must first understand the sources of risk. The most infamous risk is embodied by the external hacker accessing a corporate information systems via the Internet. Traditionally these hackers view breaking into a system as mountain climbers view scaling a cliff, for them its the next great challenge. However, as ever increasing numbers of corporations interconnect their information systems successful break-ins become commercially rewarding. Practitioners of industrial espionage now view the computers on the Internet as valuable potential sources of information. Often these “professionals” masquerade as the traditional hacker to disguise their true purposes.
Although the threats from external attacks are real, they are not the principle source of risk. FBI statistics show that more than 60% of computer crimes originate inside the enterprise. These risks can take multiple forms. Unscrupulous employees may be searching for organizational advantages. A disgruntled employee may be co-opted by an industrial espionage agent. Increasingly corporations are turning to contractors for specialized skills or to absorb temporary increases in work-load. These contractors are often given access to the corporate information system and thus they can also present a risk to corporate information.
Lines of Defense for the Corporate Information System
Firewalls
Many enterprises erect a firewall as the first and often only line of defense for their information systems. A firewall is a device that controls the flow of communication between internal networks and external networks, such as the Internet. Many corporations assume that, once they have installed a firewall, they have reduced all their network security risks.
A firewall must be configured to allow or deny appropriate traffic. The configuration process can be highly susceptible to human error. In a dynamically changing environment, system managers routinely reconfigure firewalls without regard to security implications. Access control lists on a firewall can be numerous and confusing. You must be sure that the firewall has been set up correctly and that it is performing well.
Internal Defenses
Even when properly configured the firewall can only repel connection attempts that come through the firewall itself. This represents the logical equivalent of the Maginot line that defended France’s border with Germany before World War II. The forts and defenses of the Maginot line were impenetrable; however, an attack around the line through other neighboring countries completely circumvented the line. The attackers were able to easily move through the rest of the country because the French defense efforts had been focused on the Maginot line. A information attack can be mounted via modem on the internal network. If all of the enterprise’s defenses are focused on the firewall then an attack that circumvents firewall though a modem or an internally based attack will have free reign over the information systems.
Thus the security features of the internal computers must also be employed. The important balance between convenience for the users and security concerns must be considered. That is the computer systems must be allowed to be collaborative in nature with appropriate access to information and functions across systems. At the same time this access provides a wide open avenue for the industrial espionage attack.
Often the elements of the enterprise’s computer system must be updated to eliminate security risks introduced by bugs in operating systems and network service programs. If a bug creates a performance related problem then it is a “squeaky wheel” that will drive the upgrade. A functioning version of a program or service with the security bugs can be easily overlooked as an important item for upgrades. By the time a security related bug becomes the proverbial “squeaky wheel” - its too late.
Assessing IT Security
Security must be assessed from multiple viewpoints for the best over all picture. These perspectives range from the physical security of the machines to the configuration of the firewalls to the trustworthiness of workers. The history of industrial espionage has been in the physical world and thus numerous practices have been developed to handle the this portion of security assessment. The age of network based industrial espionage has a brief history and thus less developed security assessment practices.
The security profile of a network of machines can be assess from three principle vantage points.
Each of these perspectives will reveal unique security vulnerabilities. Removing the vulnerabilities as seen from outside the enterprise is the first step to halt the efforts of the casual hacker and industrial espionage age. Removing the vulnerabilities as they appear from behind the firewall accomplishes two goals. It creates a second line of defense should the firewall become compromised. It also creates a defense for the “blitzkrieg” attack around the firewall through a modem or other non-protected entryway. Finally evaluating security from the machines themselves will close vulnerabilities that could be exploited through a firewall or from other machines on the network. It also hardens the security of the machines, restricting the avenues of attack for the disgruntled worker or the co-opted contractor.
Assessment Strategies
The Ideal Strategy
The ideal assessment strategy begins with the individual machines before they are ever inter-connected. Each machine’s vulnerabilities are corrected, putting the network of machines off to a reasonable start. Next the network of computers are probed for security vulnerabilities. Typically the move from individual machines to an internetwork of interdependent machines creates a significant number of exploitable holes. Thus the network of computers is examined for security vulnerabilities. Finally the external network defenses, the firewall, are verified. In this final stage the last layer of defense - the first layer encountered by an information adversary - can be thoroughly checked. Problems are more easily isolated to the configurations and performance of the firewall connections themselves.
Pragmatist strategy
In real life the machines, the internetwork of computers and often the external connections to the Internet already exist. Additionally a significant number of vulnerabilities exist at each level of the enterprise’s information systems. Often the number of known vulnerabilities exceeds an organization’s capacity to implement corrective action. This imbalance between known vulnerabilities and corrective capacity is a chief contributor to the gap between an enterprise’s security policy and security practice. An enterprise in this position often does not care to learn of more security vulnerabilities, following a “what I don’t know won’t hurt me” philosophy.
The real danger in this situation is that the scarce resources available to implement corrective security policies are squandered on the most well know vulnerabilities instead of being allocated to the vulnerabilities with the greatest risk to the enterprise. Firms in this position should invest in knowledge so that their limited resources are optimally deployed. The first step in a resource investment decision to is fully understand the range of options available and then pick the portfolio of investments that presents the highest aggregate return. In security assessment the firms must first evaluate all the vulnerabilities from all perspectives: system, internal and external. Aggregating and prioritizing the list of vulnerabilities will then provide a guideline for investing in corrective action to improve the match between security practice and security policy.
Continuous Security Improvement
As individual vulnerabilities are corrected under any security improvement process these vulnerabilities should stay fixed. Thus the corrections must always to monitored. By monitoring these changes over time the firm can look for the root causes of frequently occurring vulnerabilities. Then the enterprise can move on to lower priority vulnerabilities.
By undertaking a strategy of consistently fixing vulnerabilities, monitoring them to make sure they stay fixed and analyzing the causes of recurring vulnerabilities the enterprise enters the mode of continuous security improvement. The feedback loop of a security assessment provides the information flow necessary to improve the security of the enterprise's information systems
SUCCESSFUL SECURITY ASSESSMENT PRACTICE
To be the successful the security audit must be thorough, it can not leave out possible vulnerabilities. It must also be repeatable to provide a consistent perspective on the firm's security practice. By its very nature a security assessment will initially increase the workload for an MIS department. These seemingly conflicting goals can be met through the use of a security audit tools that can provide thorough and repeatable process with an effective means of implementing corrective actions.
SAFEsuite(TM) - the comprehensive family of network security assessment tools designed to audit, monitor and respond to all aspects of your enterprise network security. Specifically designed to assess a variety of network devices, SAFEsuite tests for security vulnerabilities found and exploited in web sites, firewalls, operating systems and networked UNIX(R) and Windows NT(TM) hosts and workstations. It scans for the most comprehensive set of security vulnerabilities and provides you with the power and flexibility to assess all aspects of your network security policy. SAFEsuite also provides your system administrator with the added ability to monitor your networks in real time. With RealSecure, you can detect, alert and stop all unauthorized activity on your network.
WEB SECURITY SCANNER(TM)
Web Security Scanner tests the configuration of the Web server, evaluates the security of the underlying file system, searches for CGI scripts with known vulnerabilities and attempts to exploit custom CGI scripts.
Web Security Scanner traverses the HTML directory structure scanning for HTML links, Java, Java scripts and CGI links. Each link is followed in the HTML directory structure and any new links are added to the cached file. If the local link cannot be resolved it is noted for the user. Each subdirectory is checked to see if a GET request returns an index as expected or returns an entire directory listing. If the directory listing is returned, it is flagged as a vulnerability.
Web Security Scanner examines CGI scripts for the existence of the following potentially vulnerable executables:
These services are tested for possible exploits by Web Security Scanner and any vulnerabilities are reported.
Custom CGI scripts are also tested for holes that allow execution of unauthorized commands that could lead to compromise of the server.
The Web Security Scanner identifies the existence of Private HTML pages that are password protected. It then does a Bruteforce account and password check to identify easily guessed or default passwords. Any cracked passwords are identified as vulnerabilities.
The Web Security Scanner checks for versions of http servers that are known to be vulnerable such as NCSA 1.2 and 1.3.
FIREWALL SCANNER(TM)
Firewalls are an important component of network security, but many organizations assume that they are adequately protected because they employ a firewall. However, a firewall must be correctly configured to provide effective protection. Firewall Scanner has added a number of firewall security checks to the base Intranet Scanner tests, including source porting, source routing, SOCKs, TCP sequence prediction (IP spoofing), and Denial of Service Attacks.
Source Porting
Filter rules typically are based on source and destination port addresses. A TCP/IP-enabled machine has 65,535 possible virtual ports; some of them are defined for certain services; for example, e-mail is port 25. When one machine FTPs to another and wants to transfer a file back from the FTP server, typically the server opens source port 20 to connect to the FTP client and transfer data. Therefore, many firewalls allow source port 20 into a network. An intruder can modify telnet to make the connections come from source port 20, thereby penetrating the firewall. Firewall Scanner checks to see if source port 20 is allowed to connect to the network.
Source Routing
Source routing is an IP protocol option that allows you to define how packets are routed. When source routing is on, many firewall filter rules are often bypassed. Many router-based firewalls allow source-routed packets to pass. Many hosts have source routing built into the kernel and do not allow it to be turned off. Firewall Scanner assesses susceptibility to source-routed packets.
SOCKS
SOCKs is a library of proxy-application firewalls designed to allow certain services through and keep intruders out. The fundamental problem with SOCKs is the same as with many security tools: SOCKs is often misconfigured. Often the administrator establishes rules to allow certain services through the firewall, but the rules necessary for denying access to intruders are never implemented. Consequently, services seemingly work fine with the firewall, but the firewall's inability to keep intruders out is not recognized until an intruder breaks through. Even then, the cause of the problem may never be recognized. Firewall Scanner attempts to connect to important services through the SOCKs port, to see whether filter rules have been configured properly.
TCP Sequence Prediction
TCP sequence prediction, or IP spoofing - the technique that Kevin Mitnick used to break into many networks across the Internet - tries to trick a host that trusts another host. For example, if host A and host B are in a corporate network and host A is trusted by host B, then host A is allowed to log into host B based on this trust, without a password. An intruder who can make his host C look like host A will also be able to log into host B. Firewall Scanner determines a firewall's vulnerability to IP spoofing.
Direct RPC Scan
The portmapper is a service, such as NIS, that allows you to identify the ports on which the RPC (Remote Procedure Commands) reside. Many filter-based firewalls may block the portmapper on port 111. The RPC commands themselves remain in place on various machine ports. It usually is hard to determine where the services are if the portmapper is blocked. However, if an intruder scans directly for the RPC services, the intruder could bypass this type of security. Firewall Scanner scans directly for the RPC services to determine whether they are exploitable.
Stealth Scanning
In stealth scanning, an intruder does not attempt to establish a connection, but rather uses packets at a low level with the interface. These low level packets elicit different responses depending on whether or not a port is active. This technique allows TCP port scanning many times faster than a regular connect routine on UNIX and does not trigger alarms built into many SATAN detectors and tcp_wrappers. While many firewalls block particular packets that would establish a connection, Firewall Scanner's stealth scanning packets do not attempt to establish a connection; therefore, they can bypass firewall security and identify services running on an internal network.
Denial Of Service
A denial of service attempts to force the firewall into a failure condition, typically forcing a reboot of the machine. As an example, flooding a machine with sync packets or connections attempts can cause an overflow condition in buffers and log files. At this point the firewall can cease operation and close all connections, it can continue operations while stopping the logging operations or it can continue operations in a more open environment. Firewall Scanner has a battery of denial of service attacks to assess a firewall's durability.
Intranet ScannerÔ
Intranet Scanner assesses security from the TCP/IP services perspective. It learns your network and systematically probes each network device for security vulnerabilities. Network devices might include a UNIX host, a Microsoft NT/Windows 95 system, a router, a web server, and even an X terminal. Network security is only as strong as the weakest link. Administrators may try to protect only machines that hold sensitive information. Intruders know this and look for machines that might not be protected, such as infrequently used print or fax servers. Then, once in the network, an intruder can set up sniffers to capture sensitive data, such as passwords, going over the internal network. If the intruder is using a machine that is already part of the internal network, sniffing and trust relationships usually allow springboarding into access to sensitive machines. An administrator does not have time to identify the devices on the network that actually could be used as springboards. Intranet Scanner can quickly find these weak links and identify the vulnerable services.
Brute force Attacks
Many networked machines are shipped with default accounts that allow an administrator to gain immediate access to a machine and to configure it. If the administrator doesn't change the defaults, an intruder can use them to gain access to the network. When the administrator adds accounts to a machine, those accounts may get installed with an easy password. A brute force attack against a machine looks for common defaults and known accounts that might be vulnerable. If a default or login account becomes compromised, the services telnetd, ftpd, rsh, and rexec allow access to a machine. Intranet Scanner performs, through these services, brute force tests for default and vulnerable accounts.
Anonymous FTP
Anonymous FTP is a service that allows the easy transferring of files. The FTP server has many configuration issues. An improper configuration could allow unauthorized access to the rest of the machine. Intranet Scanner checks for these configuration flaws and determine whether the FTP site is vulnerable.
Networked File Systems
NFS allows many machines to have a virtual hard drive that operates over the network. If improperly configured, NFS may allow anyone to access this virtual hard drive. An intruder could then copy, modify, and possibly delete critical data from the NFS, and even gain full access to the machine. Intranet Scanner finds misconfigured NFS servers.
File Sharing
Windows NT and Windows 95 use a service called file sharing that allows for sharing files between networked computers. Unfortunately, many people do not realize that this may also allow access to their computers by anyone on the Internet. Intranet Scanner finds misconfigured file-shared machines and allow the administrator to take corrective action.
Rexd
Rexd, an old service from when UNIX was first being networked, was not developed with security in mind. It has little or no authentication to stop intruders from gaining access to a network. Intranet Scanner discovers this service. The administrator can then remove it from the machines on the network.
Rsh and Rlogin
Both Rlogin and Rsh vulnerabilities give an intruder instant access to the machine. The Rlogin vulnerability affects AIX and Linux machines. It allows anyone to rlogin as root without a password. An intruder issuing the command
rlogin hostname.com -l -froot sees the login banner and a shell. Intranet Scanner locates these vulnerable services and enable the administrator to take corrective action.X windows
Many users have xhost + in their configuration file. This permits access to the
X Display by anyone, anywhere. An intruder who can access the X Display can obtain keystrokes and remotely execute commands as the user running the
X Display. It is possible to configure the xhost to authorize only certain hosts, but even then any user from those remote hosts can use the X Display to compromise data. Intranet Scanner detects vulnerable X Displays.
System security ScannerÔ
System Security Scanner completes the computer network security assessment triangle by evaluating the security profile of individual hosts from the operating systems (OS) perspective. System Security Scanner checks for file ownership and permissions; OS configurations; Trojan Horse programs; and signs of a hacker's presence. System Scanner allows the administrator to automate the process of eliminating security vulnerabilities.
File ownership and permission tests
There are many potential vulnerability problems where the files are not owned by the proper accounts or the permission may not be set up correctly. There are two types of tests to check for:
Configuration and access file tests
Many system files can configure the machine insecurely and need to be checked. Users have certain files that allow access from certain services, these configurations should be checked against the security policy.
MD5 Signaturing
The best known method for checking if a file has the correct data content is through a md5 signature test. This digital signature is like a fingerprint. A database of fingerprints of good and bad programs can detect which files have been modified or which ones need to be upgraded to the latest version. There are three types of MD5 checksums tests to be considered:
Hacker specific testing
There are certain things that a hacker may do that can be detected. Checking if the machine is in promiscuous mode can detect whether a hacker is sniffing from that machine and catching passwords going across the network. There are also certain directories that hackers place files in that should be checked for odd files.
SSCWP1-97