Re: Advanced Network Infrastructure Assessment Questions....

From: Pete Herzog (lists@isecom.org)
Date: Sun Jul 01 2007 - 12:35:28 EDT


Hi Joe,

I know you're a smart security guy so I won't insult you with basic stuff
you probably know but rather approach this as 3 possible tiers.

Depending on your assessment (what you're promising or selling) you may
want to just make sure that the routers/firewalls are working as designed
for egress/ingress filtering, depth and level of that filtering, packet
manipulation type from that filtering, packet contents added or removed
with the filtering, holding states properly if so configured, controls and
handling for accepted protocols (here the TCP/UDP/ICMP trinity is merely the
start), and controlled access granted appropriately and to the right
vector. And that's the unit itself.

Then there's the environment around the unit, its processes and controls
where they interact with other channels and vectors like people,
telecommunications, wireless, etc. and from the inside, outside, or direct
access.

The third possibility is to test the systems themselves for vulnerabilities
where the standard fare applies of validation of interactivity whether
direct (interactive with the system) or indirect (system writes a log which
is exploited). But that may not be something where you will find the
average corporate customer buying. It all depends what you're doing or want
to do.

Of course the first 2 tiers can be repackaged into a variety of partial
audits for various compliance objectives. Same chips, different colored
bag, change flavoring powder to taste.

One way we have been approaching the means of increasing the depth of
security tests is to use the 10 controls of the OSSTMM as a starting point.
It's an easy way of trying to find how and where that control is
implemented in the security solution and what weaknesses it has. That list
is available under the security metrics (RAVs) portion of OSSTMM 2.2 at
www.osstmm.org. Here it is reprinted:

Controls
Controls are the 10 loss protection categories in two categories, Class A
(interactive) and Class B (process). The Class A categories are
authentication, indemnification, subjugation, continuity, and resilience.
The Class B categories are non-repudiation, confidentiality, privacy,
integrity, and alarm.

Class A
   Authentication is the control of interaction requiring having both
credentials and authorization where identification is required for
obtaining both.
   Indemnification is the control over the value of assets by law and/or
insurance to recoup the real and current value of the loss.
   Subjugation is the locally sourced control over the protection and
restrictions of interactions by the asset responsible.
   Continuity is the control over processes to maintain access to assets in
the event of corruption or failure.
   Resilience is the control over security mechanisms to provide protection
to assets in the event of corruption or failure.

Class B
   Non-repudiation prevents the source from denying its role in any
interactivity regardless whether or not access was obtained.
   Confidentiality is the control for assuring an asset displayed or
exchanged between parties can be known outside of those parties.
   Privacy is the control for the method of how an asset displayed or
exchanged between parties can be known outside of those parties.
   Integrity is the control of methods and assets from undisclosed changes.
   Alarm is the control of notification that OPSEC or any controls have
failed, been compromised, or circumvented.

Sincerely,
-pete.
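
The first tier Pete describes (confirming that the router/firewall filters
ingress and egress as designed, and looking at the depth of that filtering)
is something you can script against the ruleset before you ever send a
packet. The following Python is an added example written for this archive,
not code from Pete, ISECOM or the OSSTMM. The rule format, the sample
ruleset and the probe list are all constructed for illustration (addresses
come from the RFC 5737 documentation ranges); it models a first-match-wins
filter with an implicit default deny and checks two things: whether each
probe packet gets the decision the written policy expects, and whether any
rule is shadowed, i.e. can never fire because an earlier rule already
covers everything it matches.

```python
"""Added example, not part of the original thread: audit a first-match-wins
firewall ruleset against an expected ingress/egress policy and report rules
that are shadowed by earlier ones. Rule format and data are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Tuple

ANY_PORT = (0, 65535)


@dataclass(frozen=True)
class Rule:
    """One rule in a constructed, vendor-neutral format (not a real syntax)."""
    direction: str                      # "in" (ingress) or "out" (egress)
    action: str                         # "allow" or "deny"
    proto: str                          # "tcp", "udp", "icmp" or "any"
    src: str                            # source network, CIDR notation
    dst: str                            # destination network, CIDR notation
    dport: Tuple[int, int] = ANY_PORT   # inclusive destination port range


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def matches(rule, direction, proto, src, dst, dport):
    """True if a single probe packet is matched by this rule."""
    return (rule.direction == direction
            and rule.proto in ("any", proto)
            and ipaddress.ip_address(src) in _net(rule.src)
            and ipaddress.ip_address(dst) in _net(rule.dst)
            and rule.dport[0] <= dport <= rule.dport[1])


def evaluate(rules, direction, proto, src, dst, dport, default="deny"):
    """Return (action, index of the deciding rule) for one probe; first match wins.
    With no match the implicit default applies and the index is None."""
    for i, rule in enumerate(rules):
        if matches(rule, direction, proto, src, dst, dport):
            return rule.action, i
    return default, None


def covers(a, b):
    """True if every packet matched by rule b would also be matched by rule a."""
    return (a.direction == b.direction
            and (a.proto == "any" or a.proto == b.proto)
            and _net(a.src).supernet_of(_net(b.src))
            and _net(a.dst).supernet_of(_net(b.dst))
            and a.dport[0] <= b.dport[0] and a.dport[1] >= b.dport[1])


def find_shadowed(rules):
    """Rules that can never fire: list of (shadowed index, earlier covering index)."""
    found = []
    for j, later in enumerate(rules):
        for i in range(j):
            if covers(rules[i], later):
                found.append((j, i))
                break
    return found


def audit(rules, probes):
    """Compare the ruleset's decision with the expected decision for each probe."""
    violations = []
    for direction, proto, src, dst, dport, expected in probes:
        action, idx = evaluate(rules, direction, proto, src, dst, dport)
        if action != expected:
            violations.append({"probe": (direction, proto, src, dst, dport),
                               "expected": expected, "got": action, "rule": idx})
    return {"violations": violations, "shadowed": find_shadowed(rules)}


# Constructed sample ruleset: a DMZ web host at 10.0.0.10, management over
# SSH meant to be reachable from inside only, tight egress to web and DNS.
RULES = [
    Rule("in", "allow", "tcp", "0.0.0.0/0", "10.0.0.10/32", (443, 443)),
    Rule("in", "allow", "tcp", "10.0.0.0/8", "10.0.0.10/32", (22, 22)),
    Rule("in", "allow", "tcp", "0.0.0.0/0", "10.0.0.0/24", (22, 22)),   # too broad
    Rule("in", "deny", "tcp", "0.0.0.0/0", "10.0.0.10/32", (22, 22)),   # never reached
    Rule("out", "allow", "tcp", "10.0.0.0/8", "0.0.0.0/0", (80, 80)),
    Rule("out", "allow", "tcp", "10.0.0.0/8", "0.0.0.0/0", (443, 443)),
    Rule("out", "allow", "udp", "10.0.0.0/8", "10.0.0.53/32", (53, 53)),
]

# Constructed probes: (direction, proto, src, dst, dport, expected decision).
PROBES = [
    ("in", "tcp", "203.0.113.5", "10.0.0.10", 443, "allow"),   # public HTTPS
    ("in", "tcp", "203.0.113.5", "10.0.0.10", 22, "deny"),     # SSH from outside
    ("in", "tcp", "203.0.113.5", "10.0.0.10", 23, "deny"),     # telnet from outside
    ("in", "tcp", "10.20.30.40", "10.0.0.10", 22, "allow"),    # SSH from inside
    ("out", "tcp", "10.0.1.7", "198.51.100.9", 443, "allow"),  # egress HTTPS
    ("out", "tcp", "10.0.1.7", "198.51.100.9", 25, "deny"),    # egress SMTP
    ("out", "udp", "10.0.1.7", "198.51.100.53", 53, "deny"),   # DNS to external
]

if __name__ == "__main__":
    report = audit(RULES, PROBES)
    for v in report["violations"]:
        print("policy violation:", v)
    for j, i in report["shadowed"]:
        print(f"rule {j} is shadowed by rule {i}: {RULES[j]}")
```

Running it reports one violation (SSH from 203.0.113.5 to 10.0.0.10 is
allowed by rule 2 where the policy expects a deny) and one shadowed rule
(rule 3, the explicit deny, is unreachable because rule 2 precedes it). The
probe list is the written policy turned into test cases; the shadowing pass
is the "depth" check, catching the ordering mistake that makes an explicit
deny decorative. Feeding it a real device's rules means writing a small
parser for that vendor's syntax, which is the part that differs between the
Cisco and non-Cisco gear Joe mentions.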

Joseph McCray wrote:
> I'm starting to do more and more network infrastructure assessment work
> (specifically auditing Routers/Switches/Firewalls/VPNs/etc), and I'm
> really looking to expand the scope of this service and make my audit as
> thorough as possible.
>
> Basically, the stuff that I'm hitting the hardest right now is SNMP,
> TFTP, NTP, VPN psk stuff, firewall leak testing, and of course weak
> passwords/clear text protocols for network management.
>
> My most commonly used tools right now are:
>
> * nmap (obviously)
> * nessus
> * onesixtyone (and other snmp tools)
> * cisco-torch
> * cge.pl
> * ftester
> * ike-scan (and other scripts)
>
> Tools of interest for me are scapy and yersinia. Just really haven't sat
> down and learned them, but read about and have played with them a little
> (never on an audit though).
>
> I'm looking for other things that I may be forgetting/neglecting. I'm
> running into a lot more non-cisco gear so that is new for me (Extreme,
> Foundry, Juniper, etc). So I'm looking for good general information that
> will help me improve my audits in that area.
>
> I'm specifically looking for more links on auditing NAC solutions (a
> methodology that I could follow or at least point me in the right
> direction). More stuff like this:
>
> https://www.blackhat.com/presentations/bh-europe-07/Dror-Thumann/Presentation/bh-eu-07-dror-ppt-apr19.pdf
> https://www.blackhat.com/presentations/bh-europe-07/Dror-Thumann/Whitepaper/bh-eu-07-dror-WP.pdf
> ...and Ofir Arkin's research on the subject
> http://media.blackhat.com/presentations/bh-dc-07/Arkin/Presentation/bh-dc-07-Arkin-ppt-up.pdf
>
> I'm also looking for people that are auditing things like 802.1x, and/or
> doing 802.1x implementations in a hybrid network infrastructure (i.e.
> Cisco, Extreme, Foundry, blah blah blah).
>
>
> Let me know guys...I could really use the help.
>




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:55 EDT