Penetration Testing mailing list archives

Re: Advanced Network Infrastructure Assessment Questions....


From: Pete Herzog <lists () isecom org>
Date: Sun, 01 Jul 2007 18:35:28 +0200

Hi Joe,

I know you're a smart security guy so I won't insult you with basic stuff you probably know but rather approach this as 3 possible tiers.

Depending on your assessment (what you're promising or selling) you may want to just make sure that the routers/firewalls are working as designed for egress/ingress filtering, depth and level of that filtering, packet manipulation type from that filtering, packet contents added or removed with the filtering, holding states properly if so configured, controls and handling for accepted protocols (here the TCP/UDP/ICMP trinity is merely the start), and controlled access granted appropriately and to the right vector. And that's the unit itself.

Then there's the environment around the unit, its processes and controls where they interact with other channels and vectors like people, telecommunications, wireless, etc. and from the inside, outside, or direct access.

The third possibility is to test the systems themselves for vulnerabilities where the standard fare applies of validation of interactivity whether direct (interactive with the system) or indirect (system writes a log which is exploited). But that may not be something where you will find the average corporate customer buying. It all depends what you're doing or want to do.

Of course the first 2 tiers can be repackaged into a variety of partial audits for various compliance objectives. Same chips, different colored bag, change flavoring powder to taste.

One way we have been approaching the means of increasing the depth of security tests is to use the 10 controls of the OSSTMM as a starting point. It's an easy way of trying to find how and where that control is implemented in the security solution and what weaknesses it has. That list is available under the security metrics (RAVs) portion of OSSTMM 2.2 at www.osstmm.org. Here it is reprinted:

Controls
Controls are the 10 loss protection categories in two categories, Class A (interactive) and Class B (process). The Class A categories are authentication, indemnification, subjugation, continuity, and resilience. The Class B categories are non-repudiation, confidentiality, privacy, integrity, and alarm.

Class A
Authentication is the control of interaction requiring having both credentials and authorization where identification is required for obtaining both. Indemnification is the control over the value of assets by law and/or insurance to recoup the real and current value of the loss. Subjugation is the locally sourced control over the protection and restrictions of interactions by the asset responsible. Continuity is the control over processes to maintain access to assets in the events of corruption or failure. Resilience is the control over security mechanisms to provide protection to assets in the event of corruption or failure.

Class B
Non-repudiation prevents the source from denying its role in any interactivity regardless whether or not access was obtained. Confidentiality is the control for assuring an asset displayed or exchanged between parties can be known outside of those parties. Privacy is the control for the method of how an asset displayed or exchanged between parties can be known outside of those parties. Integrity is the control of methods and assets from undisclosed changes. Alarm is the control of notification that OPSEC or any controls have failed, been compromised, or circumvented.

Sincerely,
-pete.


Joseph McCray wrote:
I'm starting to do more and more network infrastructure assessment work
(specifically auditing Routers/Switches/Firewalls/VPNs/etc), and I'm
really looking to expand the scope of this service and make my audit as
thorough as possible.

Basically, the stuff that I'm hitting the hardest right now is SNMP,
TFTP, NTP, VPN psk stuff, firewall leak testing, and of course weak
passwords/clear text protocols for network management.

My most commonly used tools right now are:

* nmap (obviously)
* nessus
* onesixtyone (and other snmp tools)
* cisco-torch
* cge.pl
* ftester
* ike-scan (and other scripts)

Tools of interest for me are scapy and yersinia. Just really haven't sat
down and learned them, but read about and have played with them a little
(never on an audit though).

I'm looking for other things that I may be forgetting/neglecting. I'm
running into a lot more non-cisco gear so that is new for me (Extreme,
Foundry, Juniper, etc). So I'm looking for good general information that
will help me improve my audits in that area.

I'm specifically looking for more links on auditing NAC solutions (a
methodology that I could follow or at least point me in the right
direction). More stuff like this:

https://www.blackhat.com/presentations/bh-europe-07/Dror-Thumann/Presentation/bh-eu-07-dror-ppt-apr19.pdf
https://www.blackhat.com/presentations/bh-europe-07/Dror-Thumann/Whitepaper/bh-eu-07-dror-WP.pdf
...and Ofir Arkin's research on the subject
http://media.blackhat.com/presentations/bh-dc-07/Arkin/Presentation/bh-dc-07-Arkin-ppt-up.pdf

I'm also looking for people that are auditing things like 802.1x, and/or
doing 802.1x implementations in a hybrid network infrastructure (i.e.
Cisco, Extreme, Foundry, blah blah blah).


Let me know guys...I could really use the help.
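Both halves of the thread touch the same checks: Pete's first tier (is the firewall doing egress/ingress filtering as designed, with access granted only to the right vector) and Joe's list of what he hits hardest (SNMP, TFTP and other clear-text management protocols exposed more widely than they should be). Much of that can be audited from the ruleset itself before any packet is sent. The script below is an added example, not code from the thread, from OSSTMM or from any of the tools Joe names. Its rule format, the protected network 10.1.0.0/16, the management LAN 10.99.0.0/24, the service lists and the sample ruleset are all constructed for illustration; it checks default deny in both directions, an anti-spoofing deny for the protected range on ingress, management services confined to the management LAN, and an outbound allow-list.

```python
"""Static policy audit of a simple firewall ruleset (added example; all
networks, service lists and rules below are constructed, not from any device)."""
import ipaddress
from dataclasses import dataclass

# Constructed assumptions: the address space behind the firewall, the LAN that
# may reach device-management services, and the services treated as "management".
PROTECTED_NET = ipaddress.ip_network("10.1.0.0/16")
MGMT_NET = ipaddress.ip_network("10.99.0.0/24")
ANY_NET = ipaddress.ip_network("0.0.0.0/0")
MGMT_SERVICES = {"udp/161": "snmp", "udp/162": "snmp-trap", "udp/69": "tftp",
                 "tcp/23": "telnet", "tcp/21": "ftp"}
# Constructed egress allow-list: everything else outbound is a finding.
EGRESS_ALLOWED = {"udp/53", "tcp/53", "tcp/80", "tcp/443", "udp/123"}


@dataclass
class Rule:
    num: int
    action: str      # permit | deny
    direction: str   # in | out, relative to PROTECTED_NET
    proto: str       # tcp | udp | icmp | any
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: str        # destination port number or "any"

    @property
    def service(self) -> str:
        return f"{self.proto}/{self.port}"

    def is_catch_all_deny(self) -> bool:
        return (self.action == "deny" and self.proto == "any" and self.port == "any"
                and self.src == ANY_NET and self.dst == ANY_NET)


def _net(token: str) -> ipaddress.IPv4Network:
    return ANY_NET if token == "any" else ipaddress.ip_network(token)


def parse_rules(text: str) -> list:
    """Parse the constructed 'action direction proto src dst port' format; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        action, direction, proto, src, dst, port = line.split()
        rules.append(Rule(len(rules) + 1, action, direction, proto, _net(src), _net(dst), port))
    return rules


def audit(rules: list) -> list:
    """Return (check, rule_number, detail) findings; an empty list means the ruleset passes."""
    findings = []
    # 1. Each direction must end in an explicit deny-everything rule.
    for direction in ("in", "out"):
        chain = [r for r in rules if r.direction == direction]
        if not chain or not chain[-1].is_catch_all_deny():
            last = chain[-1].num if chain else 0
            findings.append(("DEFAULT-DENY", last, f"{direction}bound chain does not end in deny any any"))
    antispoof_seen = False  # an ingress deny covering PROTECTED_NET must precede any permit
    for r in rules:
        if r.direction == "in" and r.action == "deny" and r.proto == "any" \
                and r.port == "any" and PROTECTED_NET.subnet_of(r.src):
            antispoof_seen = True
        if r.action != "permit":
            continue
        # 2. Anti-spoofing: our own addresses never legitimately arrive from outside.
        if r.direction == "in" and r.src.overlaps(PROTECTED_NET) \
                and (r.src.subnet_of(PROTECTED_NET) or not antispoof_seen):
            findings.append(("SPOOF", r.num, f"ingress permits source {r.src} inside the protected network"))
        # 3. SNMP/TFTP/telnet/ftp only from the management LAN, in either direction.
        if r.service in MGMT_SERVICES and not r.src.subnet_of(MGMT_NET):
            findings.append(("MGMT", r.num, f"{MGMT_SERVICES[r.service]} permitted from {r.src}, not the management LAN"))
        # 4. Egress filtering: outbound permits must match the allow-list exactly.
        if r.direction == "out" and r.service not in EGRESS_ALLOWED:
            findings.append(("EGRESS", r.num, f"outbound {r.service} is outside the egress allow-list"))
    return findings


# Constructed sample ruleset with deliberate weaknesses for the audit to catch.
SAMPLE_RULES = """
deny   in  any 10.1.0.0/16   any           any   # anti-spoofing
permit in  tcp any           10.1.2.10/32  443   # public web server
permit in  udp 10.0.5.0/24   10.1.2.0/24   161   # SNMP from a non-management LAN
permit in  tcp 10.1.50.0/24  10.1.2.10/32  22    # "internal" source on the outside interface
permit in  udp 10.99.0.0/24  10.1.2.0/24   161   # SNMP from the management LAN
deny   in  any any           any           any
permit out udp 10.1.0.0/16   any           53
permit out tcp 10.1.0.0/16   any           443
permit out udp 10.1.0.0/16   any           69    # TFTP to anywhere
permit out tcp 10.1.0.0/16   any           any   # unrestricted outbound TCP; no final deny out
"""

if __name__ == "__main__":
    for check, num, detail in audit(parse_rules(SAMPLE_RULES)):
        print(f"[{check}] rule {num}: {detail}")
```

The checks are deliberately conservative: a permit with an "any" source on ingress is only accepted once an earlier deny covers the protected range, and a management-protocol permit is a finding in either direction, since a device sending TFTP or SNMP out to arbitrary addresses is as much a finding as one accepting it. Real vendor syntax (Cisco ACLs, JunOS filters, Extreme/Foundry policies) would need its own parser in place of `parse_rules`; the audit logic is independent of it.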

